What is Isora GRC?

Isora GRC is an information security risk assessment tool. It can be used to conduct targeted risk assessments to assess compliance with specific laws and regulations such as: GLBA 314.4(b), FERPA, HIPAA, SOX, DFARS and GDPR. It can also be used to conduct organization-wide risk assessments against cyber-security frameworks such as: NIST 800-53, NIST 800-171, NIST CSF, ISO/IEC, ITIL and COBIT.

Types of Assessments

Isora GRC supports three different types of assessments- Organizational (also referred to as Internal), App, and Vendor.

Organizational Assessments

Organizational assessments target one or more organizational units along with host inventory assets belonging to those units. The goal of organizational assessments is typically to assess which org units and which hosts have the most potential risk exposure, and/or to determine how well org units are complying with a particular security policy or framework. Organizational assessments consist of a bunch of surveys, where each survey includes a list of questions about the org unit and a list of hosts (belonging to the org unit) to be categorized as part of the assessment.

App Assessments

App assessments target a single app which is owned by one org unit. The app could be any type of application, but usually this type of assessment is used with internally developed applications. App assessments include an overall classification of the app based on how sensitive its data is, and a list of questions about the app.

Vendor Assessments

Vendor assessments usually target a specific product offering from a specific vendor. Each vendor assessment consists of one survey, which is a list of questions about the vendor offering. Vendor assessments are associated with a requesting org unit.

See also: What do assessments consist of?