SimpleRisk Free and Open Source vs. Fully Featured Platform

SimpleRisk offers several flexible deployment models to ensure that we are able to meet your organization’s specific requirements. Let’s take a minute to dive into each of our product offerings in more detail so that you’re aware of our capabilities and can determine which is the best fit for your organization’s current GRC needs.

SimpleRisk Core
SimpleRisk Core is our free and open source platform that includes all of the basic GRC capabilities needed when an organization is first launching a GRC program. From 2013 to date, SimpleRisk Core has been downloaded over 60,000 times by organizations looking for an intuitive, yet simple, product that proves far more efficient than Excel spreadsheets. Core is the foundation upon which both of our On-Premise and Hosted product offerings are built and can be downloaded and installed in minutes.

SimpleRisk Core includes the following functionality:

  • Governance - SimpleRisk Core includes the ability to define your own frameworks and controls. As your risk management program matures, these can be used later on to associate controls with risks under Risk Management or to validate control effectiveness under Compliance.
  • Risk Management - SimpleRisk Core includes the ability to submit new risks, keep a registry to track all of the risks for your organization, and plan mitigations for each submitted risk.
  • Compliance - SimpleRisk Core includes the ability to define unlimited tests across all of the frameworks and controls that you've defined in Governance. Audits can then be initiated at the framework, control, or test level.
  • Reporting - SimpleRisk Core includes a wide variety of reports designed to help you make the most out of your risk management program, including graphical dashboards and dynamic custom reporting.
  • Configuration - SimpleRisk Core is highly configurable and enables you to configure a risk management process that is tailored to your organization. You can change the values in the various dropdowns, edit the risk formulas and manage the risk catalog. You can define an unlimited number of users, map them to roles and make fine-grained changes to their permissions.
  • Assessments - SimpleRisk Core includes the ability to take one of our pre-configured risk assessments by answering a series of Yes / No questions for the CIS Critical Security Controls, HIPAA, NIST 800-171 or PCI DSS 3.2. Those answers are then used to generate pending risks which you can elect to have added into your risk registry with the click of a button.
  • Asset Management - SimpleRisk Core includes the ability to do a basic automated discovery of assets in your organization. Assets can also be added manually with the ability to assign valuation to assets and associate them with different teams and locations. Assets can be logically grouped together and associated with risks.

Many customers begin using SimpleRisk Core and, as their organization matures, realize they could benefit from enhanced functionality. Enter SimpleRisk “Extras”…

SimpleRisk “Extras” are plug-and-play modules that provide functionality above and beyond what is included in our SimpleRisk Core offering and are available with both our On-Premise and Hosted packages.

SimpleRisk On-Premise
SimpleRisk On-Premise enables you to run our award-winning SimpleRisk software on your servers inside of your own datacenter environment. With SimpleRisk On-Prem, you’re able to:

  • Leverage your own internal security controls with the platform.
  • Maintain all monitoring, backups, and upgrades.
  • License SimpleRisk Extras to extend functionality beyond the free version of SimpleRisk Core.

SimpleRisk Hosted
SimpleRisk Hosted removes the administrative burden of On-Premise deployments, and packaged bundles are available to meet your GRC requirements. SimpleRisk Hosted has many benefits, including:

  • Eliminates the need for ongoing administration to perform backups, upgrades, and monitoring.
  • Prevents interruptions to processes when there is staff turnover, unexpected sick leave, or vacations.
  • Allows you to focus your key resources on the end game, which is managing your GRC program.

Below is a full listing of the current Extras available in our Hosted and On-Prem packages. You can click each link for additional information about why the Extra was created, how it’s used, and common users that benefit from its purpose.

  • Advanced Search – Supports more targeted search criteria by enabling users to enter free form text and/or numeric data.
  • API – Use the RESTful API to create scripted interactions with other applications to gain advanced automation and leverage existing infrastructure.
  • Custom Authentication – Provides support for Active Directory and SAML Authentication as well as Duo Security as a second factor of authentication.
  • Customization – Add and remove different field types and dynamically create custom page templates to match your internal workflows and naming conventions.
  • Email Notification – Send action-based email notifications when risks are submitted, modified, or otherwise acted on, or scheduled reminders when risks are ready for a management review.
  • Encrypted Database – Generates a random 256-bit AES encryption key and then uses that key to encrypt sensitive text before it is inserted into the SimpleRisk database.
  • Import-Export – Allows users to import risk data and assets from a CSV file, and export risks, mitigations, and reviews to a CSV file, eliminating manual entry.
  • Incident Management – Provides incident management capabilities from within the SimpleRisk system based on the NIST 800-61 Computer Security Incident Handling Guide.
  • Jira Integration – Enables two-way synchronization of risk, mitigation, and review data between a Jira instance and SimpleRisk.
  • Organizational Hierarchy – Define multiple Business Units to include any number of teams, preventing users from accessing teams, users, and assets to which they are not associated.
  • Risk Assessment – Define contacts, create questionnaires to email to contacts, view results, and add risks based on the results. Ideal for internal and 3rd party risk assessments.
  • Team-Based Separation – Restricts access to risk information by discrete teams, making only those risks relevant to team members visible.
  • Unified Compliance Framework (UCF) – Provides an API-level integration between the Unified Compliance Framework and SimpleRisk. Enabling it allows you to import selected frameworks and control mappings directly from UCF.
  • Vulnerability Management – Provides customers with the ability to integrate their SimpleRisk instance with or Rapid7 Nexpose/InsightVM and import both asset and vulnerability data into SimpleRisk.

You can view a full listing of our On-Premise and Hosted plans and pricing to learn more about which packages include the Extras that would be most beneficial to your organization. Although our packages provide the most cost-effective way to purchase Extras, for those customers that choose a SimpleRisk On-Premise deployment model, we do offer an A La Carte option if you are interested in customizing which Extras you would like to purchase.

If you’re interested in trying out our complete suite of Extras, SimpleRisk offers a free, no credit card required, 30 day hosted trial.

If you’re not ready to register for a trial but would like to learn more, you can schedule a live demonstration of our platform with an industry expert. During a demo, we provide a thorough overview of SimpleRisk's functionality, answer any questions you have regarding specific use cases, workflows, customization, and integrations, and can offer recommendations on optimizing your GRC strategy.

We hope this blog has provided some helpful insight into SimpleRisk’s deployment models and capabilities. If you have any additional questions about any of our packages or available functionality, please don’t hesitate to reach out.
