Update solution on November 13, 2024

SureCloud GRC
Mutable Award: Gold 2024

SureCloud states its strategic objectives as being to provide:

  • Automation of compliance and security functions
  • Quick, user-accessible modification/management of functionality via a no-code basis for the products
  • Improvement of decision-making via predictive analytics
  • Superior user experience
  • Continuous evaluation of compliance and risk status via Continuous Controls Monitoring (CCM).

Capabilities that serve these objectives are built into the platform (named Dynamic Risk Intelligence) that underpins all the GRC products. Additionally, the platform provides reporting and dashboard facilities (which can analyze across organizational structure), definition and management of workflows and processes, task management, and collaboration facilities. It also includes many pre-built integrations, such as with BitSight, SecurityScorecard, RiskRecon, ServiceNow, JIRA, Google Drive, SharePoint, OneDrive, and Dropbox.

Fig 1 – Examples of content types

The platform and products are available on AWS, and customers can opt to access them via infrastructure hosted in the UK or US. Individual SureCloud products support GRC requirements in functional groupings: Third Party Risk Management; Compliance Management; Risk Management; Continuous Control Monitoring (CCM); Data Privacy; Internal Audit; Business Continuity and Resilience; Policy Management; Incident Management; and Threat & Vulnerability Management.

Figure 1 shows examples of the varied types of content that can be configured to appear on a user’s dashboard.

Customer Quotes

Great product that is improving all the time.
Enterprise FS Client

…the implementation was one of the simplest I’ve ever been involved with! Management of the implementation has been outstanding. From a client perspective, SureCloud delivered on time, as required with unfailing enthusiasm and support, it’s been a real pleasure working with them.
Enterprise FS Client

The Third Party Risk Management product enables improved collaboration with vendors, by sharing links to assessments so that vendors can add their data directly into the SureCloud environment, while benefitting from a customized experience. Organizational compliance can be improved due to better consistency being applied.

The SureCloud CCM product allows pre-built or customized controls to be configured to automate collection of evidence (e.g. risk or other metrics). The inherent mapping of controls to compliance requirements translates technical data directly into regulation-level outcomes, and can assure the organization of preparedness for audits.

Data Privacy Management supports a broad range of requirements in this area where organizations’ requirements are expanding and diversifying. It includes processes for managing a data inventory, handling the regulatory needs around data breaches, and for managing and responding to data subject access requests.

The Incident Management product can support multiple types of requirement, including handling data breach aftermath and maintenance of resilience. Accountability and efficiency are promoted via a management structure for incidents and task assignment capabilities. Pre-built processes are incorporated for incident lifecycle elements, including the communication of alerts; identifying and assessing incidents, and identifying their root causes; and supporting post-incident remediation.

The Business Continuity and Resilience product supports the planning, management and execution of organizations’ contingencies to cater for disruption. It incorporates guidance on best practices as well as the compliance context of resilience, as aids for documenting business continuity plans and testing strategies, and it also integrates with Incident Management to support operational aspects. Formal continuity requirements and arrangements, such as critical path analysis or call tree definition, can be built using the workflows that the SureCloud platform supports. The company states that the product supports continuity elements that arise from leading standards and frameworks including SCF, ISO27001, NIST 800-53, GDPR, PCI DSS, and HIPAA.

The SureCloud platform provides an unusual feature known as Intelligent Reporting & Playback. Its basis is the version history (which is shared across the platform and products) of changes that are made to the customer’s SureCloud implementations. A user can choose to focus their view of this data on a previous version of a data item, and have all views of other data items correspond to their state at the date/time on which the user’s focus is currently set. This view of event history is described as being like an ‘action replay’ of how events change the risk/compliance program over time, and can be useful in analysis of an incident or breach, or in an audit scenario.

Usage charging for the platform and products is based on the number of unique users per month.

Proven in live use by some impressive customer names, SureCloud’s GRC capabilities should be of interest to organizations looking to minimize complexity and cost in their GRC operations. Amongst its advantages are a very up-to-date technology foundation, with the prospect that AI will thread easily into a number of product areas. With a wide range of GRC use cases covered, and a very busy program of product development delivering over the coming year, SureCloud is already gaining some significant customer wins, and we would expect more to follow.
