GRC & IRM (integrated risk management). We use it for Assessments, Vendor Risk, and Threat and Vuln Management.
We have far more visibility into our compliance, risks and controls, etc. over the areas we are managing vs accepting risk.
Rsam has also been extremely helpful with the annual audits we receive from our regulators.
We used another tool before (Archer) but it was too cumbersome to manage. Rsam just requires a single administrator and is far easier to integrate.
We have used Rsam's out-of-the-box modules for:
We have also built our own modules using their slick application-building features for:
The most valuable feature is the management of risk & compliance data across the application. Searching, dashboarding, reporting and metrics (KRI / KPI) are quick and easy. Workflow and decision support is very clean and very dynamic.
Last time I said, "Multilingual would be nice, and an update to their questionnaire interface." It looks like in 9.2 they have this now. I have yet to try it.
We have encountered occasional stability issues, though they are quick to patch.
We have not encountered any scalability issues. That was an issue with our Archer implementation (about the 2 million record mark). Rsam with its indexing feature has us at 10 million with no issues.
Customer Service:
Customer service is excellent.
Technical Support:
Technical support is excellent.
We previously used Archer... but we had a lot of trouble with maintenance (required three administrators and lots of consulting to manage). We also ran into performance issues when we hit the 1-2 million record mark. We still have Archer for one group (because they spent millions on services and don't want to lose that effort), but everyone else is now Rsam.
GRC does require some planning / attention to detail. I would say Rsam was far easier than our Archer implementation... but it still had some complexities in deciding on organizational structure and workflow.
An Rsam team helped us with our first two modules, and we did the rest (including our own custom modules).
We went from three admins down to one... and millions in consulting down to about 60K.
For us, we found end-of-quarter motivation was helpful in negotiations. They are already reasonable compared to others because it doesn't require a lot of services. Some of the other products were cheaper for the software, but the total cost-of-ownership is very high.
Rsam is a good solution... but make sure you have a good admin as well... A good admin is key to making a GRC solution work well (and you can't have ours). :)