Designed around a MSSP/vCISO model, our solution enables the delivery of GRC-as-a-Service on top of the SimpleRisk GRC and Incident Management Platform.
Start a free (no credit card required!), 30 day hosted trial for unlimited access to your own dedicated instance of SimpleRisk and all of our available functionality.
In 2020, we determined there was an emerging market segment geared toward adopting an affordable, simple to use, comprehensive GRC-as-a-Service platform. SimpleRisk GRCaaS is designed around a MSSP/vCISO model, and it enables the delivery of GRC-as-a-Service on top of the SimpleRisk GRC and Incident Management Platform. From there, MSSPs can white label the product to extend their brand and help create a unique competitive advantage.
For our GRCaaS platform offering, SimpleRisk provisions a dedicated Kubernetes cluster for each MSSP, which utilizes Docker to provide security and scalability for each new customer that the MSSP onboards. While the MSSP must commit to a 36-month term on the platform with a minimum of 3 customer instances, there is no limit to the number of instances that can be included, and instances can be swapped in and out with different customers as necessary.
SimpleRisk GRCaaS is a functional equivalent to our SimpleRisk Hosted Large Enterprise Plan, which includes all of our plug-and-play modules, deemed "Extras," except for Incident Management and Organizational Hierarchy, which are priced separately. In addition, the platform includes:
The Advanced Search Extra expands the functionality of the top bar's search box to be able to find risks by doing textual search in risk data.
The API Extra allows customers to use a RESTful API to create scripted interactions with other applications to gain advanced automation and leverage existing infrastructure.
The Secure Controls Framework (SCF) Extra is a direct integration between the Secure Controls Framework (SCF) and SimpleRisk. Enabling it allows you to select from 190 different frameworks that have been mapped to 1,057 security and privacy related common controls. This includes many frameworks heavily used by organizations today, such as ISO 27001, NIST CSF, PCI DSS, GDPR, COBIT, COSO and more!
The Custom Authentication Extra provides support for Active Directory and SAML Authentication as well as Duo Security as a second factor of authentication. In the SimpleRisk Core product, without this Extra, the only option is to create new users in the SimpleRisk identity repository.
The Customization Extra enables the ability to add and remove different types of fields and dynamically create custom page templates.
The Email Notification Extra enables SimpleRisk to send e-mail notifications when risks are submitted, modified, or otherwise actioned upon. This extra can also be added as a scheduled script to send routine reminders when risks are ready for a management review. In the SimpleRisk Core product, without this Extra, no notifications are communicated outside of the tool itself.
The Encrypted Database Extra generates a random AES-256 bit encryption key and then uses that to encrypt sensitive text prior to it being inserted into the SimpleRisk database. This prevents anyone from being able to view or modify the data without using the SimpleRisk application directly.
The Import-Export Extra provides the ability to import data into SimpleRisk by mapping fields in a CSV file to fields in the SimpleRisk database. It can be used to import audit results from a 3rd party spreadsheet, vulnerability scan results from another tool, assets from your CMDB and more. The Extra also provides the ability to export CSV files from SimpleRisk containing Risks, Mitigations, Reviews, or a Combination report of all three.
The Incident Management Extra is based on the NIST 800-61 Computer Security Incident Handling Guide and provides incident management capabilities from within the SimpleRisk system.
The Jira Integration Extra provides users with the ability to integrate bi-directionally with a Jira instance. It enables connecting risks to Jira issues, as well as syncing their data, status and comments.
The Organizational Hierarchy Extra enables the ability to define multiple Business Units which can include any number of teams. Users can then be assigned across one or more teams under various Business Units. This affects a user's ability to see and use the teams, users, and assets which they are not associated with.
The Risk Assessment Extra provides users with the ability to define contacts, create questions (including logic), assemble multiple questions with a questionnaire template, create questionnaires and send them to contacts, view the questionnaire results, add risks based on those results, and compare the results over time, import and export externally customized assessments, and review the risk assessment audit trail.
The Team-Based Separation Extra restricts risk viewing to only the users who are members of the team that the risk is assigned to. In the SimpleRisk Core product, without this Extra, every user can see every risk.
The Unified Compliance Framework (UCF) Extra is an API-level integration between the Unified Compliance Framework and SimpleRisk. Enabling it allows you to import selected frameworks and control mappings directly from UCF.
The Vulnerability Management Extra provides customers with the ability to integrate their SimpleRisk instance with Tenable.io or Rapid7 Nexpose/InsightVM and import both asset and vulnerability data into SimpleRisk. From there, you can select which sites you want to cover, determine which vulnerability scores should be imported and triage which vulnerabilities are turned into risks to track them.
SimpleRisk GRCaaS includes the same functionality as our Hosted Large Enterprise plan but is sold at a discounted rate of $1,000 USD per instance, charged via credit card on a monthly basis. To receive this 40% discount, we require a minimum of three active instances as well as a 36-month commitment. Typically, our GRCaaS customers will utilize one of the three active instances for internal development, and the remaining instances can be deployed for different customers as needed. In addition, our Incident Management functionality can be added to any instance for an additional $500 USD per month. Below are pricing examples based on the number of instances provisioned:
|Instances||Cost per Month||Annual Savings||Cost per
To learn more about SimpleRisk GRCaaS, you can schedule a demo by accessing our online calendar and choosing any one hour time slot that works for you. We also offer a free 30-day Hosted trial where you can try out the fully-featured version of SimpleRisk firsthand. Should you need any assistance, please don’t hesitate to contact us – we’re here to help!