When I released the original free and open source version of SimpleRisk back in March 2013, I can honestly say that I had no idea it would become what it is today. I was simply tasked with starting a risk management program for National Instruments and they couldn't prioritize purchasing a GRC solution, so I ended up putting some of my secure coding skills to use. In its initial iteration, SimpleRisk was nothing more than a page to submit a risk, a page to edit risks, and a page to view all of the risks submitted. Just a simple risk registry. However, as our customer base has grown, we've been working with them to rapidly expand the product to become the simplest, most feature-rich, risk management tool available. But, there were some major pieces of the "GRC" toolset that we were missing...until now.
The brand new, SimpleRisk 20180104-001 release, is undoubtedly the single biggest update to SimpleRisk in the almost five years it's been around. It has taken us just over five months to get it across the finish line, but I'm extremely confident that our customers are going to love it. Here is just a sample of the major changes that went live with this new release:
- Governance: When you install or upgrade to the new release, all admin users will, by default, be granted access to a new "Governance" menu at the top of SimpleRisk. This new functionality gives you the ability to define all of the control frameworks that your program uses. You can even create nested frameworks and define controls that span multiple control frameworks. You can grant additional users access to this menu by going to Configure -> User Management, viewing the details for the users, checking Governance permission, and selecting "Update".
- Risk Mitigation Controls: One of the single most-requested features for SimpleRisk has been the ability to define controls for the mitigation of risks in addition to the text-based requirements, recommendations, and current solutions that has existed in SimpleRisk since the early days. With the addition of the new Governance section, and the ability to define your controls, the new release introduces the ability to now select any number of existing mitigating controls for your risks.
- Residual Risk Scoring: The other most-requested feature for SimpleRisk has been the ability to easily see the affect a mitigation has for a given risk. The new release updates the old risk score name to "Inherent Risk" and adds a "Residual Risk" value that automatically calculates the reduction in risk based on the value of the mitigation percent field.
- Compliance: When you install or upgrade to the new release, all admin users will, by default, be granted access to a new "Compliance" menu at the top of SimpleRisk. This new functionality gives you the ability to define tests for all of your controls. Once you've defined your tests, you can then initiate an audit at the framework, control, or individual test level. From there, you can track the ongoing testing progress, as well as view the results of each test performed in the past. You can grant additional users access to this menu by going to Configure -> User Management, viewing the details for the users, checking Compliance permission, and selecting "Update".
- Risk Assessments: In order to help you to most efficiently determine some of the risks for your organization, the new SimpleRisk release added risk assessment questionnaires for NIST 800-171, PCI DSS 3.2, and HIPAA.
Exciting, isn't it? Even better...everything that I mentioned above is now a part of our open source "SimpleRisk Core" product available to download for free in a tar bundle, VirtualBox OVA, or VMWare OVF format.
While I don't want to undermine the significance of the SimpleRisk 20180104-001 release, I do want to take a moment to talk about a couple of exciting features we are working on for a near-future release of SimpleRisk:
- Residual Risk for Controls: While this new release added the ability to utilize the mitigation percent field to calculate residual risk, we recognize that many of our customers would like to be able to utilize a mitigation percent for their selected controls in much the same way. Expect to have this functionality soon.
- Pre-Defined Frameworks and Controls: SimpleRisk has established a partnership with ComplianceForge and is integrating their Digital Security Program (DSP) into SimpleRisk as a newly available SimpleRisk Extra. The ComplianceForge DSP will allow our customers to populate SimpleRisk with a multitude of controls including ISO 27002, NIST 800-53, NIST 800-171, PCI DSS, COBIT, HIPAA, GDPR, and many more. Please contact us if you'd like to discuss this functionality in more detail.
So, there you have it! The SimpleRisk 20180104-001 release takes SimpleRisk from being a simple risk management tool, to an incredible, still free and open source, tool to manage your organization's Governance, Risk, and Compliance initiatives from a single place. We look forward to working with you in 2018!