Realising that the technology used for managing IT portfolios is also suited to managing risk, CA is extending its Clarity tool with a new module aimed at compliance. CA's new IT governance, risk, and compliance (GRC) offering adds functionality covering risk management and the automation of IT governance controls.
In essence, it takes PPM (project portfolio management) a step higher. In place of simply allocating resources to IT project work and maintenance, CA's new tool factors in the kinds of parameters that audit boards request when conducting SOX and similar audits.
That encompasses documenting and managing how IT mitigates risk, how it controls the integrity of and access to information, and how robust its processes are for enforcing security, managing recovery, and managing change and configuration.
"PPM is about operational planning, whereas GRC is about information governance," explained David Hurwitz, CA's chief marketing officer for its Clarity products (that is the product set that came with the Niku acquisition).
Obviously, CA is not the first with a product aimed at automating the compliance aspects of running IT organisations. Hurwitz claimed that while most tools take document-centric approaches, CA's is unique in that it adapts portfolio management techniques.
When you conduct portfolio management, you juggle a number of factors to determine where you should direct your investment. That is the approach CA takes in automating the management of compliance and risk.
Not surprisingly, the GRC offering grew out of several efforts by CA Clarity customers to extend the tool to cover this area.
Out of the box, CA is providing a mapping of roughly 4000 controls to 280 documented regulations, frameworks and industry standards such as COBIT, COSO, SOX, HIPAA, PCI and NERC. The goal is to identify where a given control is relevant, so that a control implemented once can be reused as evidence across multiple regulations rather than being reinvented for each.
It also provides features that should look familiar to PPM users, including portfolio analysis of risk status for specific IT activities; role-based dashboards; cost tracking of compliance remediation; and support for continuous monitoring of mission-critical systems via an XML-based gateway.
CA's GRC Manager is available now.