Compliance professionals know that governance, risk and compliance efforts don't often get the appropriate level...
of consideration when it comes to securing money for new software tools. Many organizations instead prioritize technical tools or ones that are directly visible to the business for software investments.
This puts compliance professionals in a precarious position. They're already under pressure from the number and complexity of current government regulations, and there are new regulations on the horizon that further make having access to the right GRC tools imperative. Yet the IT investment dynamics can make it challenging for compliance and risk management practitioners to get those tools.
One way to help mitigate this is to use free and open source tools to automate portions of GRC activities. Because of their nature, open source GRC tools offer clear advantages from a procurement standpoint.
Nothing completely removes implementation costs -- no matter how much the software costs, someone needs to install and configure it. But with open source tools, the initial budget hit is small and requires little or no upfront investment. This means that compliance and risk management professionals can use a GRC tool without their organization having to buy one, either on an ongoing basis or in the short term in parallel to the IT budget cycle if a purchase of GRC software is being considered.
While every tool won't be appropriate for every organization, various open source options that aim to help with some elements of GRC are available to use. Here, we'll focus on six tools and related resources that can benefit GRC efforts in three areas: audit management, control validation and securing cloud environments.
Low-cost audit management
Audit management software (AMS) can be a boon for an organization's GRC program for a few reasons. Not only do AMS tools provide a central repository for internal and external audit findings, but they also can streamline other aspects of the audit process, such as workflow and evidence gathering. But commercial systems are usually pricey.
In a pinch, however, open source project management and bug-tracking tools can fulfill many of the same functions as a commercial AMS tool.
Two of the open source GRC tools in this category are Redmine and Mantis Bug Tracker (MantisBT), which offer issue tracking, documentation and workflow platforms.
Redmine's features include support for multiple simultaneous projects; ticket creation and resolution workflows; wikis and other collaboration capabilities for team coordination; issue tracking; built-in project management features, such as Gantt charts; and file management. A bug and feature tracking tool like Redmine, which is included in the default repository of Debian and other Linux distributions, can be customized and used for many of the same purposes as an AMS tool. This includes managing issues; tracking remediation progress; retaining records of work effort, such as audit workpapers; and sharing general internal information.
For example, the screenshot below illustrates how you might create a new project within Redmine to track a discrete audit task, such as testing validation activities for an audit of a hybrid cloud environment.
This article is part of
By applying a bit of creativity in using Redmine, compliance professionals can manage audit workflows and track management responses to observations, evidence and evidence-gathering procedures, as well as record workpapers in one place as they're produced.
MantisBT's features include ticket creation and resolution workflow, notifications, identification of the specific files causing issues and customizable reporting features.
Redmine and MantisBT are noteworthy because they both offer significant flexibility and customization in how issues are tracked and workflow support.
You won't get all the comprehensive features of a commercial AMS platform with an approach like this since these tools are designed around a specific use case. But 80% of the functionality is better than 0% when you can't get traction any other way.
Low-cost control validation
One of the many GRC program challenges, regardless of size, is the ongoing management and validation of the technical controls implemented to enforce policy decisions. Implementing a control as a risk management decision is one thing; being able to prove that it's working is another.
Some vulnerability or asset management tools can be co-opted to provide data on the operation of technical controls, similar to the functionality found in GRC tools for IT professionals.
A couple of these open source tools that are worth noting are OpenVAS (short for Open Vulnerability Assessment Scanner), a vulnerability scanning tool, and GLPI, an asset management and inventorying tool.
OpenVAS is primarily developed by software vendor Greenbone. Its features include parallel scanning, customizable scan reporting, performance tuning capabilities, an intuitive dashboard and prioritization of issues based on severity. It's part of a broader suite of open source tools that also includes Greenbone Security Assistant, a web UI shown in the screenshot below that's used to control the scans done by OpenVAS and then access information about identified vulnerabilities.
A tool like OpenVAS can validate the efficacy of system configuration processes, and its patch management controls work intuitively. This ensures that systems are configured in a hardened manner, configuration standards are applied appropriately and software is kept at the anticipated patch level.
You can also use tools that focus on asset management to help in a similar vein. Development of GLPI is led by software vendor Teclib. Its features include inventorying of virtual or physical hosts, help desk ticket management capabilities, knowledge base creation and project management assistance.
GLPI and other asset management tools can also provide configuration-related details to auditing, such as the software inventory on a host system or other information that isn't available from a vulnerability scan.
Securing cloud environments
These last two examples aren't software tools but can be a useful addition to GRC programs for managing cybersecurity risks in cloud deployments.
The Cloud Security Alliance (CSA) provides an open suite of informational tools and resources that can be used to assess and validate security practices in the cloud and help ensure that cloud systems are deployed in a manner commensurate with an organization's risk appetite and risk tolerance. That includes the Cloud Controls Matrix (CCM) and the Consensus Assessments Initiative Questionnaire (CAIQ), which is now a component of the matrix.
The CCM provides a list of applicable cloud security controls that are mapped to many of the security standards, regulations and frameworks in a typical enterprise's compliance scope. It can be directly integrated into risk management reviews of cloud service providers or used to connect organizational compliance efforts to regulatory requirements.
The matrix includes 197 control objectives across 17 domains that cover various aspects of cloud technology. CCM users can assess a cloud implementation's security controls and get guidance on their own security responsibilities and the controls that should be implemented by different could providers.
The CAIQ was originally developed as a separate assessment tool before being combined into the CCM in 2021. It's a standardized information-gathering questionnaire that includes key questions to ask cloud vendors about their security controls. The questionnaire can be used as the sole vehicle for collecting info from cloud providers or as a supplement to organization-specific questionnaires and other generic ones, such as the Shared Assessments Standardized Information Gathering Questionnaire. Cloud vendors can also use CAIQ to submit security self-assessments to a registry maintained by the CSA.
Together, the CCM and the CAIQ are good options for organizations focused on improving the effectiveness and maturity of their GRC program.
There are plenty of other open source tools that can help streamline GRC programs and aid in managing IT, security and other business risks. Open source GRC tools offer much of the same functionality as commercial software at a fraction of the cost. It may take some creativity and customization to adapt the tools to your organization's usage needs, but they can provide just as much value to GRC efforts as more expensive technologies.