• Manage the Organizational Structure: Offers a structured repository that supports a representation of the organization and all types of assets relevant to GRC (equipment, operating systems, applications, people, processes, sites, etc.). The organizational structure can be managed through spreadsheets or online, where perimeters, assets, and asset components can be created and updated. Technology assets, users, and groups can be imported automatically from an LDAP server, technology assets can be imported from inventories in Qualys or NeXpose, and assets can also be imported from XML files.
• Attributes for Organizational Objects: New fields to describe and organize perimeters, assets, business components, people, and groups of people can be created, and this information can then be used to filter the results of queries. For example, an attribute can be created for serial numbers and applied only to technology assets. All technology assets will then display a new field for serial numbers, allowing values to be specified for each. In addition, relationship attributes can be created to associate organizational objects with other system objects.
• Georeferenced Perimeters and Assets: The coordinates for perimeters and assets can be specified and viewed on a map. This information later allows the results of certain queries to be displayed on maps.
• Vulnerabilities: Information on vulnerabilities detected by scanners that were integrated with the system or imported manually can be displayed for assets, and consolidated information on these vulnerabilities can be displayed for perimeters. In addition, vulnerabilities identified by unsupported scanners can be imported through integration tasks or through a spreadsheet in the Knowledge module.
• Manage Business Components: Business components are also managed through the Organization module. These are classified into levels (strategic or tactical) and types, which can be customized in the Administration module. Attributes can be created for one or more types of business components, and associations between business components and assets can also be established.
• Integrated Overview: The associations between the organization’s business components and assets can be filtered and generated for viewing. This overview also displays the latest results from risk and compliance analyses for assets. These results are consolidated upwards towards the associated business components, allowing investments to be prioritized according to the relevance of each. The Compliance Index for assets consolidated upwards for the business components can be displayed here, as well as the consolidated Compliance Index for each individual object. The integrated overview itself can also be generated through the results of organizational and risk queries consolidated by asset. Once generated, the overview can be exported to Microsoft Visio for editing.
• People and Groups of People: In addition to features to manage people, the system also supports groups of people. These groups are used to make it easier to manage role assignments and grant privileges to system features. Both people and groups of people can be created manually, created offline through a spreadsheet, or imported from an external directory.
• Interviews to Update Inventory: Through projects, interviews can be sent to people from the organization. Based on the responses provided and according to pre-established rules, the properties and attributes of assets or business components can be updated automatically.
• Projects: Information from the organization can be collected through projects and used to automatically update the properties and attributes of assets and business components. The information is collected through interviews that may contain object rules, which are created in the Knowledge module. These rules indicate which fields must be updated, according to the answers provided by the interviewees.
• Queries: Queries can be generated to display information on assets, asset components, perimeters, and business components in the organizational structure. They can also show statistics on interviews from organizational projects and consolidated risk metrics from various risk projects for different objects (assets, asset components, business components, perimeters, and others). The system provides a wizard to help create queries, and results can be displayed through tables, maps, or through the integrated overview. Each query can be copied so that its configurations can be reused in new queries. People and groups of people can be included in the audience or list of editors for each query so that they can view or edit it.
• Organizational Reports: Reports can be generated to show consolidated information from the latest risk assessments. In addition, blank reports can be created from scratch using system queries or custom SQL queries as data sources. These reports can be customized, filtered to show only specific results before they are generated, and, once generated, e-mailed or exported to various formats. Schedules can also be created for them so that they are generated and sent at a certain frequency to certain recipients.