Network World
PricewaterhouseCoopers' spin-off tackles governance, risk and compliance

Brabeion Software uses policy and audit content developed at PricewaterhouseCoopers to help customers stay compliant
By Denise Dubie, Network World, 10/03/2007

PricewaterhouseCoopers' spin-off Brabeion Software this week upgraded its compliance management platform to provide customers with more than 6,000 control tests on ISO and other standards.

Brabeion, founded in 2005, commercialized a software platform developed at PricewaterhouseCoopers around 2000. The technology, dubbed Enterprise Security Architecture System (ESAS) at PricewaterhouseCoopers, was originally designed to let large companies create information security programs by unifying security efforts through policies and controls, rather than just technology, Brabeion executives say.

Brabeion spun two products from the technology, the IT Risk & Compliance Center (ITRCC) and IT Risk & Compliance Manager (ITRCM). The former offers customers a control portal through which they can view enterprise-wide policies and compliance with standards such as the Health Insurance Portability and Accountability Act (HIPAA) and the Sarbanes-Oxley Act, among others. The latter provides customers with an automated means to rationalize their policies and controls against those required by regulatory or business standards.

Updated to Version 3.0 this week, ITRCM taps a library of content that details the controls IT managers are required to prove to Sarbox auditors, for instance, and it also includes comprehensive information on control frameworks such as COBIT (Control Objectives for Information and related Technology). With this release, the company added the ability to define role-based dashboards that provide comprehensive metrics, track user policy acceptance and remediation efforts, among other things.

"Compliance is about more than technology. It requires people, processes and technology. We have integrated those three facets to provide unified policy management across large companies," says Steve Schlarman, chief compliance strategist at Brabeion, who previously served as a director in PricewaterhouseCoopers' Advisory Practice focusing on information security consulting and auditing. "Brabeion creates reference models based on control frameworks such as ISO and also provides reference modules for major regulations such as HIPAA."

The core policy software requires no client agent to be installed, sits on a Web server and includes a database server. The software uses APIs, or a universal agent, to collect compliance-related data from existing systems such as databases, assessment technologies and third-party software. The interface is Web-based and features role-based dashboards that can be used by different staff members based on their access rights within the organization. For instance, security managers can log in to the product to see how assets are being protected and whether the means of protection complies with regulatory standards.

The company, which says clients include Chevron, Estee Lauder and Guardian Life, runs into competition from internal security audit processes. Schlarman says Brabeion, which has about 30 employees in the United States and another 24 working as an offshore development team, could consider Archer Technologies, NetIQ (now part of Attachmate) and Symantec as competitors, but its software integrates with others and offers the view into people and processes not often available in other products.
