IT Risk and Compliance Tool Requirements vs. WCK-L

I will go through the imposed requirements one by one to show whether, and how well, each requirement is satisfied.
Needless to say, a qualitative analysis always derives from a subjective opinion.
I consistently use the male form; please understand that ladies are explicitly included.

Usability

[Picture: a reviewer's limited options]
WCK-L seems to have been designed from the ground up for intuitive use. Of course usability varies depending on the role you have in the tool. It is "fool-proof" for a role which only needs to fill in, e.g., a "risk assessment", and it is as easy as it gets for an administrator who has access to all features.
My measure here is twofold: people who do not need to use the tool often, and only use a small subset of its features, need to be able to do so without training; administrators, who have access to all features and potentially use the tool daily, should get by with one day of training.
WCK-L definitely reaches this one. Please find an example (in the form of a picture) of a reviewer's options, which have been limited to only what he needs.

Maturity

The solution is mature when it comes to technical stability and feature set.
From the viewpoint of "time on market" it is not mature yet, but then the market for "collaborative" IT Risk Management software is not that old itself. The market for IT-GRC software, where WCK-L places itself, was created in mid 2007.

Inventory

[Picture: business process designer]
The inventory, as described in the following picture, is fully handled, except that you cannot record events at the moment.
On the right hand side you can find a picture of the business process designer, where you can map systems and components to the business process.
The differentiation is made between:
Assets
  • OUs (Organisational Units); possible relationship to Business processes, Systems and Components
  • Components (e.g. Servers, Applications)
  • Systems; possible relationship to components
  • Business processes; possible relationship to OUs, systems and components
Mitigations
  • Mitigations (having a possible relationship to all types of assets)

Question base

[Picture: example COBIT question and its weight]
The question base is very large. Questions from "high level" standards through to "detailed" standards are available out of the box.

On the right hand side you find an example COBIT question and the weight associated with it by default.

The following standards are considered by default:
  • COBIT
  • ISO 27001
  • NIST
  • FISMA
  • Vendor supplied questions (e.g. from Microsoft)

Besides the given question base you can also introduce your own questions. As mentioned in the previous article, each question needs to be assigned a "weight". This weight is taken into account in the automated risk calculation.


Workflows

[Picture: assessment overview]
I like examples, so let's go through a possible WCK-L workflow. This should show that even complex workflows, with clear segregation of duties, are realisable. Each workflow step is marked with a new line.

On the right hand side you find the view of, e.g., a risk manager on his assessments, including completion (percentage) and type.
  • Risk Manager puts together questions for an assessment
  • Risk Manager assigns assessment to e.g. IT system administrator
  • Risk Manager assigns the right to colleague to act as a deputy in case he is on leave.
  • An e-mail is automatically sent to the IT system administrator
  • IT system administrator completes the questions and confirms in the tool that he is finished (Risk Manager can follow the progress of assessment completion)
  • Assessment now appears on the Risk Manager's "assessments to approve" dashboard
  • Risk Manager approves after cross-checking; however, one answer identified a critical risk
  • Critical risk automatically enters Mitigations Management and Risk Manager assigns remediation to the IT system administrator
  • IT system administrator can put in comments, e.g. a mitigation plan
  • Risk Manager can follow up on the progress of the mitigation plan through the tool, as the IT system administrator updates it
  • IT system administrator marks mitigation plan as followed through
  • Risk Manager approves.

In my opinion the workflow capabilities are great!
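To make the segregation of duties in that workflow concrete, here is a small Python model of the assessment steps up to the point where a critical answer enters mitigation management. It is an added illustration, not WCK-L code; the class, field and state names are my own assumptions. It enforces that only the owning risk manager assigns and approves, that only the assignee or his deputy answers, and that approval of a critical answer opens a mitigation record.

```python
from dataclasses import dataclass, field

class WorkflowError(PermissionError):
    """Raised when an actor attempts a step his role does not allow."""

@dataclass
class Assessment:
    owner: str                    # risk manager who put the assessment together
    questions: list
    assignee: str = ""            # IT system administrator answering it
    deputy: str = ""              # colleague acting while the assignee is on leave
    answers: dict = field(default_factory=dict)
    state: str = "draft"
    notifications: list = field(default_factory=list)   # stands in for e-mail
    mitigations: list = field(default_factory=list)     # "Mitigations Management"

    def assign(self, actor, assignee, deputy=""):
        # segregation of duties: the risk manager assigns, but never to himself
        if actor != self.owner or assignee == actor:
            raise WorkflowError("only the owning risk manager may assign, to someone else")
        self.assignee, self.deputy, self.state = assignee, deputy, "assigned"
        self.notifications.append(f"mail to {assignee}: assessment assigned")

    def progress(self):
        """Completion percentage the risk manager sees on his dashboard."""
        return 100 * len(self.answers) // len(self.questions)

    def answer(self, actor, question, value):
        if actor not in (self.assignee, self.deputy) or question not in self.questions:
            raise WorkflowError("only the assignee or deputy may answer a listed question")
        self.answers[question] = value

    def finish(self, actor):
        if actor not in (self.assignee, self.deputy) or self.progress() < 100:
            raise WorkflowError("assessment not complete or wrong actor")
        self.state = "awaiting approval"

    def approve(self, actor):
        # only the risk manager approves, and only once the assignee has finished
        if actor != self.owner or self.state != "awaiting approval":
            raise WorkflowError("approval requires the risk manager after completion")
        for q, v in self.answers.items():
            if v == "critical":   # a critical answer becomes a remediation task
                self.mitigations.append({"question": q, "assignee": self.assignee, "status": "open"})
        self.state = "approved"
```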

Next

I have decided to split the article in two for readability. In the following article I will present the risk calculation engine, the reporting capabilities and the possible interfaces of WCK-L.

