
Eramba GRC Software

TechGuy215 Member Posts: 404
Just curious...

Do any of my fellow IT Sec brethren have any experience with Eramba GRC Software?

http://www.eramba.org/

I've been tasked with trying to find an Open Source (Free) GRC Software to implement in our environment.

Yes, our budget is crap this year...

Any insight would be invaluable.

As always, thanks in advance!
* Currently pursuing: PhD: Information Security and Information Assurance
* Certifications: CISSP, CEH, CHFI, CCNA:Sec, CCNA:R&S, CWNA, ITILv3, VCA-DCV, LPIC-1, A+, Network+, Security+, Linux+, Project+, and many more...
* Degrees: MSc: Cybersecurity and Information Assurance; BSc: Information Technology - Security; AAS: IT Network Systems Administration

Comments

    jcundiff Member Posts: 486
    When I see GRC software companies make remarks like these

    "Then you should foresee approximately 32 days of work a year to keep your PCI-DSS compliance well tracked and monitored. Having that will greatly simplify the audit process and take from you some unnecessary stress"

    I start looking elsewhere... true PCI DSS compliance is not a check-the-box-once-a-year-and-be-done deal. Target, Home Depot, and most other mega retail breaches we have seen make headlines the last couple of years all had their QSA check the boxes during their previous assessment! What they failed to do was keep their commitment to security at that same level the other 51 weeks out of the year. If you aren't making sure you are secure 365x24x7, PCI compliance isn't going to mean diddly when the bad guy finds the one vuln you missed and breaches you.

    I haven't used this tool (I'm an Archer guy), but in my opinion, with all the threats out there today, GRC/Risk/BC&DR/etc. tools are not something that you (your company) should be going the open source path on... just my 2 cents. If it were me, I would be making a business case as to why you need a proper GRC suite and moving it up the chain of command. At least then you have exercised due care and covered your asset :) If management fails to heed your advice, worst case you will have a paper trail that shows it's on them, not you.
    "Hard Work Beats Talent When Talent Doesn't Work Hard" - Tim Notke