Finally, an IT governance, risk and compliance solution that any company can deploy

Traditional IT governance, risk and compliance (GRC) platforms help large enterprises gain insight to and mitigate risks in their IT environments. Now there is a new cloud-based GRC solution from TraceSecurity designed to help any size organization manage its risk and compliance posture.

A CISO has an especially tough job today. It seems that new threats emerge every day, making it difficult for the CISO to understand the real and ongoing risks his company faces. Regardless of the size of the company, every company has risks it must mitigate, usually with a limited budget and limited set of resources. Like I said, it's a tough job.

Proactive companies implement a range of IT security measures intended to mitigate their unique set of risks. These measures often include various point solutions like vulnerability scanners, risk managers, audit managers and so on. While it's prudent to deploy these tools, implementing them individually creates another challenge: Point solutions are disjointed and managed in silos, making it difficult to manage a holistic IT security program. It's practically impossible to tell how well the collection of security solutions actually addresses the specific risks an organization faces.

IT governance, risk and compliance (GRC) systems are designed to address this problem. An IT GRC solution is typically an overarching platform that ties together the insight coming from disparate security products around risk, policy, training, audit, ticketing, etc., and determines how well the company is addressing its risk. And as the name implies, an IT GRC platform helps determine how well a company is meeting compliance requirements for all sorts of internal policies and external regulations.

Most current IT GRC solutions are designed to support large enterprises that have a substantial IT security staff. Many solutions are on-premise, which increases overhead: companies need hardware, software and skilled people to implement and manage the comprehensive platform. Unfortunately, this leaves small to midsize businesses out in the cold.

TraceSecurity hopes to rectify that with its newly announced TraceCSO, a cloud-based IT GRC solution. TraceCSO provides a unified approach to ensure that the risk and compliance requirements specific to an organization are met, delivered efficiently through the cloud. TraceCSO is said to accommodate organizations of any size and users of varying technical skill levels, and to support any industry. It is said to simplify the process of evaluating, creating, implementing and managing a holistic, risk-based information security program.

TraceCSO fully integrates all of the functional areas that are traditionally part of a GRC or a security program: risk, process, policy, vulnerability, training, vendor, audit and compliance management. The end-to-end solution doesn't require any third party software. This integration allows controls established during the risk assessment process to automatically link to other functional areas within TraceCSO.

The product uses wizards where possible to lead users of any skill level through setup and usage. The initial setup process guides the user through setting up departments, roles, users, network scanning and authority documents. TraceCSO has full support for Microsoft Active Directory to simplify adding users to the system.

Once setup is complete, TraceCSO performs a holistic risk assessment of the environment to identify assets and threats. The risk assessment is the cornerstone of the product; it's where all the information is gathered and populated across all the functional areas of TraceCSO.

When the risk assessment is completed, TraceCSO establishes a risk score for each asset and for the IT environment overall. It shows the areas of highest risk and identifies the most effective controls, along with existing controls, in order to make recommendations to help organizations put the right controls in place. It may very well be that the existing controls (i.e., security measures) are ineffective and are, essentially, a waste of time and money.

The risk score allows the organization to measure its mitigation effectiveness over time. The idea is to help the company make risk decisions grounded in best practices and optimized so that it gets the most out of its information security budget.

The controls from the risk assessment are mapped to a database of authorities, citations and regulations known as the Unified Compliance Framework (UCF). In the setup process, the organization identifies which regulations it must meet. All of the technical controls from the TraceCSO vulnerability scans and audit results automatically update the company's compliance status. TraceCSO helps a company to implement a best practice, risk-based information security program that leads to compliance and saves substantial time when reporting compliance.

To ensure a closed loop on this risk-based approach, TraceCSO's audit process validates the implementation of controls. As users continue to manage the program, the results from all the different areas -- policy, training, vulnerability scanning, etc. -- are tracked automatically and communicated back to the audit function to facilitate automated and seamless audits as much as possible. The outcome is a much more streamlined audit program as well as a compliance review program.

Dashboards provide quick visibility into the current status of the overall program. There are also detailed dashboards for each of the functional areas.

TraceCSO operates in the cloud. The only on-premise component required is a vulnerability scanner. There are APIs that allow the scanner to pull configurations from various systems to determine their risk posture.

TraceCSO is available via a yearly subscription fee, making GRC tools available to even small companies.

Linda Musthaler is a principal analyst with Essential Solutions Corporation. You can write to her at


About Essential Solutions Corp:

Essential Solutions researches the practical value of information technology, and how it can make individual workers and entire organizations more productive. Essential Solutions offers consulting services to computer industry and corporate clients to help define and fulfill the potential of IT.
