- Strengths: Great visualization, links risk to elements.
- Weaknesses: Delivers a lot, but at a high price.
The tool is delivered either as a cloud-based SaaS offering or as an on-premise solution. The SaaS model simply requires a modern browser and internet access. The on-premise offering is built on the Microsoft platform, using .Net and C# with SQL as the backend database. We were told that a typical deployment can be installed and configured for use in 30 days.
Keylight's Risk Manager provides a comprehensive set of tools to identify, assess and prioritize the most relevant risks for an organization. Risks are captured from multiple sources, including user entry, compliance, policy and risk assessments, and integration with network and security devices. Keylight has a substantial list of built-in connectors for plugging into network and security products. The Threat Manager provides vulnerability remediation, and it also has the ability to integrate with several vulnerability scanners, including products from Qualys, Nessus and Rapid7. Once risks are captured, Keylight includes a configurable workflow engine that can move risks between individuals and groups. This is configured through a menu-driven wizard and requires no custom code. The same workflow tool is integrated throughout the entire product suite. The Dynamic Content Framework allows users to customize all the risk elements and even to create custom risk types. Users also have the ability to cross-relate objects from all applications, such as a policy to a risk, or a risk to a business continuity plan.
The offering has a questionnaire-driven compliance module. These templates are easy to create and customize right down to custom scoring with the ability to flag questions and route them through additional workflow steps, such as a mandated review process, etc. Keylight also includes a full policy management suite, which offers the ability to import or build policies, move policies through a configurable workflow process, and relate policies to regulations within a content library. Another module, Incident Management, is also fully integrated and uses the same email-driven workflow described above. We were not provided with a lot of detail on the Business Continuity Manager, but wanted to mention that it offers the ability to generate, test and report on business continuity planning (BCP) readiness. There is also a Vendor Management module for extending assessments to vendor partners.
The reporting capabilities of Keylight are strong. All the reports are created through a simple, drag-and-drop interface. Everything is available to report on: risk objects, policy exceptions, tying of a risk to a policy exception, etc. The heat map view is one of the better visuals we saw in our Group Test review process this month.
Support is included in the license price, but there is only one option: eight hours a day, five days a week. Users can contact support via phone, web or email. Documentation is built in as online help, which is well done. - ML
Keylight has what is needed to manage risk and compliance.