It is a developing market that is becoming more and more mature: vulnerability scanning and IT Policy Management. These are systems that monitor your IT assets (servers, switches, routers and firewall and the likes) and alert you whenever there is an exception to a policy. Policies contain guidelines with regard to best practice security settings, or other settings that should be enabled/disabled according to several best practices or in-house corporate policies. There might be old versions of software or windows hotfixes that are not appropriately applied or configuration settings of routers/switches that are incorrectly set.
The overall management of exceptions that come out of these systems is typically an IT responsibility. However, it is interesting for IT governance (considered part of GRC) as well and thus might have logical integration points with BWise GRC as well. Let's explore a bit...
The outcomes of vulnerability scanning software are exceptions of machines/IP addresses that somehow do not correspond to a set policy. You can imagine that starting to implement vulnerability scanning solution will at first generate a lot of exceptions that can take years to clean (due to backlog). Where do you put priority? What risks do we run and how do these impact our ORM, SOX and other GRC efforts overall quality? In other words, the results of such scanning engines need to be put in an overall risk perspective to know where to start. This is where GRC solutions can help.
For many existing customers, BWise already contains a framework for ORM or SOX in which risks, controls and processes are tied back to information systems which in turn sometimes are linked to it infrastructure components. An integration of vulnerability scanning solutions would allow monitoring, trending and appropriate follow-up of exceptions per system where you can directly see what the risks are from that system, in which processes they occur and thus might cause efficiency problems and operational losses. The ORM risk assessment results can be used to determine high risk areas which can then tie back to outstanding vulnerability issues which helps you to take a risk based approach when prioritizing the resolution of outstanding vulnerabilities.
It can also help to perform a threats and vulnerabilities analysis that provide insights in which systems integrity, confidentiality and availability is most critical for your organization for which the ISF framework can be used.
There are many other areas where the two might complement each other, but for now it suffices to say that an integration of some kind between the two different types of GRC systems seems like a logical next step to take...