Compliance professionals know that governance, risk and compliance efforts don’t often get the appropriate level of consideration when it comes to securing investment dollars for software tools and new funding for process improvements. Many organizations instead prioritize technical tools or tools that are directly business-visible when it comes to investments.
This puts compliance professionals in a precarious position. They are already under pressure from the number and complexity of current regulations, and there are also new regulations on the horizon that make accessing the right tools imperative. Yet, the investment dynamics make it challenging for a practitioner to get those tools.
One way to help mitigate this is to use free and open source tools to automate portions of governance, risk and compliance (GRC) activities. Open source GRC tools have advantages from a procurement standpoint.
Nothing completely removes implementation costs — no matter how much the software costs, someone needs to install and configure it — but the initial budget hit is small and requires little or no upfront investment. This can mean that compliance professionals have access to a tool their organization would otherwise have to buy that they can instead use in the short term in parallel to the budget cycle.
There are a number of open source tools that can help with some elements of GRC. Not every tool will be appropriate for every organization, and there are dozens, if not hundreds, of others. However, let’s focus on six free, open source GRC tools that can have an immediate benefit to GRC efforts in many organizations, in three areas: audit management, control validation and resources for the cloud.
Low-cost audit management
Audit management systems (AMSes) can be a boon for an organization’s GRC program for a few reasons. Not only do they provide a central repository for internal and external audit findings, but they also can streamline other aspects of the audit process, such as workflow and evidence gathering. But commercial systems are usually pricey.
In a pinch, however, open source project management and bug-tracking tools can fulfill many of the same functions as a commercial AMS.
Some of the open source GRC tools in this category are Redmine and Mantis Bug Tracker (MantisBT), which offer issue tracking, documentation and workflow platforms.
1. Redmine
Redmine’s features include support for multiple simultaneous projects; ticket creation and resolution workflow; wiki and other collaboration capabilities for team coordination; issue tracking; built-in project management features, like Gantt charts; and file management. A bug and feature tracking tool like Redmine — which is included in the default repository of distributions like Debian — can be customized and used for many of the same purposes as an AMS. This includes managing issues; tracking remediation progress; retaining records of work effort, such as audit workpapers; and sharing general internal information.
For example, this screenshot illustrates how you might create a new project within Redmine to track a discrete audit task, such as testing validation activities for an audit of a hybrid cloud virtual environment.
Applying a bit of creativity, compliance professionals can not only manage workflow, but also track management responses to observations, evidence and evidence-gathering procedures, as well as record workpapers in one place as they are produced.
2. MantisBT
MantisBT’s features include ticket creation and resolution workflow, notifications, identification of the specific files causing issues and customizable reporting features.
Redmine and MantisBT are noteworthy because they offer significant flexibility and customization in how issues are tracked and how workflow is supported.
You won’t get all the comprehensive features of a commercial AMS with an approach like this, since these tools are designed around a different use case. But 80% of the functionality is usually better than 0% when you can’t get traction any other way.
Low-cost control validation
One of the many GRC program challenges, regardless of size, is the ongoing management and validation of the technical controls implemented to enforce policy decisions. Implementing a control as a risk management decision is one thing; being able to prove that it’s working is another.
Some of the tools used for asset management can be co-opted to provide data on technical control operation, similar to functionalities found in IT GRC tools.
A couple of these tools that are worth noting include Open Vulnerability Assessment Scanner (OpenVAS), an open source vulnerability scanning tool, and GLPI, an open source asset management and inventorying tool.
3. OpenVAS
OpenVAS features include parallel scanning, web UI, customizable scan reporting, performance tuning capabilities, an intuitive dashboard and prioritization of issues based on severity.
A tool like OpenVAS can validate the efficacy of system configuration processes and patch management controls: scan results show whether systems are configured in a hardened manner, whether configuration standards have been applied appropriately and whether software is kept at the anticipated patch level. You can also use asset management-focused tools to help in a similar vein.
4. GLPI
GLPI features include inventorying of virtual or physical hosts, ticket management capabilities, knowledge base creation and project management assistance.
Asset management tools like GLPI also can provide configuration-related details that can support auditing, such as software inventory on the host or other information not available during a vulnerability scan.
Resources for the cloud
These last two examples aren’t software tools, but they can still be a useful addition to most organizations’ GRC programs.
The Cloud Security Alliance provides a suite of related resources that can be useful when it comes to assessing, validating and otherwise ensuring that the cloud is employed in a manner commensurate with your organization’s risk tolerances.
The Cloud Controls Matrix (CCM) is a matrix of controls applicable for cloud environments, and the Consensus Assessments Initiative Questionnaire (CAIQ) is a questionnaire that uses CCM for cloud vendor information gathering.
CCM and CAIQ would be good options for organizations focused on improving their GRC program’s effectiveness and maturity.
5. CCM
CCM provides a list of controls that are applicable within a cloud security context, mapped to many of the regulations in an enterprise’s compliance scope. CCM can be directly integrated into cloud providers’ risk management reviews or used to connect organizational compliance with regulatory requirements.
CCM is composed of 197 control objectives that are structured in 17 domains covering key aspects of cloud technology. It can be used to help assess a cloud implementation’s success and provide guidance on which security controls should be implemented by which actor within the cloud supply chain.
6. CAIQ
CAIQ is a standardized information-gathering questionnaire that includes key questions to ask cloud vendors during risk reviews. This questionnaire can be incorporated directly into an organization’s GRC program and used as part of vendor risk reviews and evaluations. This can be done either as a supplement to other information-gathering activities — like organization-specific vendor questionnaires or generic questionnaires, like the Shared Assessments Standardized Information Gathering Questionnaire — or as the sole information-gathering vehicle for cloud providers.
There are plenty of open source tools that can streamline an organization’s GRC program. Open source GRC tools can provide much of the same functionality as commercial tools at a fraction of the cost. It may take some creativity and customization to adapt the tools to your usage, but they can provide just as much value to GRC efforts.