
1 Info-Tech Research Group Vendor Landscape: eGRC Solutions
Ad-hoc measures will not be sufficient to track compliance and measure risk in the world of growing corporate data.
Info-Tech Research Group, Inc. is a global leader in providing IT research and advice. Info-Tech's products and services combine actionable insight and relevant advice with ready-to-use tools and templates that cover the full spectrum of IT concerns. © 1997-2013 Info-Tech Research Group Inc.

2 Introduction
Increasing amounts of corporate data will necessitate eGRC solutions to help ensure compliance with internal and regulatory requirements.
This Research Is Designed For:
Enterprises seeking to select a solution for governance, risk, and compliance (GRC). Their GRC use case may include:
- Ensuring corporate processes remain compliant with regulatory requirements.
- Performing internal assessments to ensure compliance with industry best practices.
- Establishing accountability over various layers of IT and business architecture and infrastructure.
- Conducting risk assessments and prioritizing responses for remediation.
This Research Will Help You:
- Understand what’s new in the eGRC market.
- Evaluate eGRC vendors and products for your enterprise needs.
- Determine which products are most appropriate for particular use cases and scenarios.

3 Executive Summary
Info-Tech evaluated seven competitors in the eGRC market, including the following notable performers:
Champions:
- RSA Archer, a security veteran owned by EMC with a robust advanced feature set and deep list of GRC module offerings.
- NASDAQ OMX BWise, owned by NASDAQ OMX, is a fully configurable system with strong features around GRC and an excellent workflow engine.
- MetricStream, a strong player in the GRC space with strong integration and risk capabilities.
Value Award: RSA Archer has robust advanced features with an attractive costing model for mid to large-sized companies.
Trend Setter Award: RSA Archer segments the GRC market by compliance and risk persona as opposed to company size (revenues, employee counts, etc.), enabling it to offer a large list of module offerings that different clients can take advantage of.
Info-Tech Insight
1. Work with the business around GRC. IT must be a Steward for GRC and work with the business to ensure that the most appropriate GRC software and modules are purchased, thereby optimizing the investment. Establish a committee with leaders for all user groups to ensure that the required use cases are known and will be supported.
2. Architecture, price, and product focus are the major differentiators. Most vendors have similar functionality and depth within the advanced features. The main differentiators on this Vendor Landscape™ are architecture, price, product focus, and scope of the GRC tool (i.e. only IT-GRC vs. enterprise-wide GRC, and module offerings).
3. Plan GRC purchases around future needs. Many of these vendors have multiple different GRC modules. Always keep these in mind as you may want to spin these up in the future. They will be much easier to deploy from the same platform.

4 Market Overview
How it got here
Ensuring compliance with regulatory or internal requirements has typically been performed and tracked ad hoc, using unsophisticated tools such as Microsoft Excel. Such systems need to be constantly updated to reflect changing requirements, which is very tedious. The Unified Compliance Framework (UCF), established in 2005, is an industry-vetted compliance database containing information on requirements such as PCI, HIPAA, and SOX. The UCF has been adopted by many eGRC vendors to give their clients access to the compliance database so that requirements don’t have to be programmed individually. In addition, these solutions can also ensure compliance with best practices for business and IT processes (such as COBIT and ITIL). These solutions can now be used for business process compliance with best practices, not just compliance of IT and corporate data.
Where it’s going
With Big Data on the horizon and increasing cloud uptake, eGRC solutions will become more prevalent to help ensure compliance of corporate data with regulatory and internal standards. Organizations will have to scale up their GRC processes to keep up with growing data feeds and scale out to ensure vendors are also compliant with regulatory controls. Other disruptive technologies such as social media and mobility will open more avenues for opportunities, as well as risks, so solutions that can help manage this risk will become more and more attractive. There are many smaller and specialized GRC vendors focusing on specific verticals such as healthcare, finance, or government. Consolidation will likely happen over the next few years as these niche vendors get swallowed up by the big ones.
As the market evolves, capabilities that were once cutting edge become default and new functionality becomes differentiating. Compliance and risk tracking and reporting have become Table Stakes capabilities and should no longer be used to differentiate solutions. Instead, focus on risk management, workflow engines, and solution architecture to get the best fit for your requirements.

5 eGRC Vendor selection / knock-out criteria: market share, mind share, and platform coverage
Included in this Vendor Landscape:
- NASDAQ OMX BWise. Owned by exchange powerhouse NASDAQ OMX, this fully configurable solution offers multiple role-based solutions for GRC.
- eGestalt. A smaller player in the space with a strong focus on IT-GRC and a dedication to SMEs as well as organizations with limited in-house compliance expertise.
- IBM OpenPages. GRC application with multiple use cases across IT and the business, and reinforced by the strong customer support arm of IBM.
- LockPath Keylight. A strong up-and-comer in the industry that focuses on security management and IT-GRC.
- Lumension Risk Manager. Software focusing on compliance and risk management with an IT-GRC and enterprise-GRC module.
- MetricStream GRC Platform. Fully functional software with a breadth of module offerings across the GRC space and a robust analytics and reporting engine.
- RSA Archer. Owned by The EMC Corporation, a long-term player in the security space with a strong GRC tool and a breadth of module offerings.
More and more eGRC vendors are partnering with the Unified Compliance Framework (UCF). All vendors in this report are UCF partners, which grants their users access to the industry-vetted compliance database.
For this Vendor Landscape, Info-Tech focused on those vendors that offer broad capabilities across multiple platforms and that have a strong market presence and/or reputational presence among mid and large-sized enterprises.

6 Criteria Weighting: eGRC criteria & weighting factors
Product Evaluation Criteria
- Features: The solution provides basic and advanced feature/functionality.
- Usability: The solution’s dashboard and reporting tools are intuitive and easy to use.
- Affordability: The three year TCO of the solution is economical.
- Architecture: The delivery method of the solution aligns with what is expected within the space.
Vendor Evaluation Criteria
- Viability: Vendor is profitable, knowledgeable, and will be around for the long-term.
- Strategy: Vendor is committed to the space and has a future product and portfolio roadmap.
- Reach: Vendor offers global coverage and is able to sell and provide post-sales support.
- Channel: Vendor channel strategy is appropriate and the channels themselves are strong.

7 Table Stakes represent the minimum standard; without these, a product doesn’t even get reviewed
The Table Stakes (Feature: What it is)
- Compliance Tracking: Ability to track whether processes are compliant with internal or regulatory requirements.
- Risk Tracking: Assign qualitative-based risks to compliance structures and assets and monitor them.
- UCF Partnership: The vendor is a UCF partner and is therefore able to include quarterly updates into their database.
- Compliance Database: Built-in taxonomy of compliance controls based on the UCF.
- Reporting: High level summary statistics of compliant/non-compliant processes with associated risk levels.
What Does This Mean?
The products assessed in this Vendor Landscape™ meet, at the very least, the requirements outlined as Table Stakes. Many of the vendors go above and beyond the outlined Table Stakes, some even do so in multiple categories. This section aims to highlight the products’ capabilities in excess of the criteria listed here.
If Table Stakes are all you need from your eGRC solution, the only true differentiator for the organization is price. Otherwise, dig deeper to find the best price to value for your needs.

8 Advanced Features are the capabilities that allow for granular market differentiation
Advanced Features (Feature: What we looked for)
- Risk Management: Assign risks based on best practices or through qualitative or quantitative surveys, and tying these back to compliance structures.
- Advanced reporting: Customizable, interactive dashboards and reports as well as user dependent views for risk and compliance KPIs.
- Compliance Management: Manage the compliance process from tracking, analyzing, and prioritizing responses for non-compliant processes or assets.
- Internal Controls: Develop fully searchable policies based on regulatory and/or industry best practices with built-in templates and recommendations.
- Workflow Management: Ensure that remediation and surveying efforts are assigned and completed by the right people through prebuilt and customizable workflows.
- Compliance Awareness and Engagement: Notifying all relevant parties when a change in policy is made and tracking of policy acceptance.
Scoring Methodology
Info-Tech scored each vendor’s features offering as a summation of their individual scores across the listed advanced features. Vendors were given 1 point for each feature the product inherently provided. Some categories were scored on a more granular scale with vendors receiving half points.
For an explanation of how Advanced Features are determined, see Information Presentation – Feature Ranks (Stop Lights) in the Appendix.

9 Identify leading candidates with the eGRC Software Vendor Shortlist Tool
The Info-Tech eGRC Software Vendor Shortlist Tool is designed to generate a customized shortlist of vendors based on your key priorities.
This tool offers the ability to modify:
- Overall Vendor vs. Product Weightings
- Individual product criteria weightings: Features, Usability, Affordability, Architecture
- Individual vendor criteria weightings: Viability, Strategy, Reach, Channel

10 Appendix
1. Module and system offering methodology
2. Vendor Landscape Methodology: Overview
3. Vendor Landscape Methodology: Product Selection & Information Gathering
4. Vendor Landscape Methodology: Scoring
5. Vendor Landscape Methodology: Information Presentation
6. Vendor Landscape Methodology: Fact Check & Publication
7. Product Pricing Scenario

11 Module and system offering methodology
Vendors differ in scope of GRC coverage. Follow this key to understand dedicated or present functionality of the below functions.
Modules: Policy Management, Corporate Governance, Threat Management, Risk Management, Compliance Management, Incident Management, Vendor Management, Business Continuity Management, Audit Management, Legal GRC, IT-GRC or Governance, Financial Control Management.
A generic list of dedicated modules is provided. The key below defines if and at what level this functionality is present in the tool.
- Module dedicated to the function.
- Module not dedicated, but functionality present in other modules.
- Module or functionality not present in the tool.

12 Info-Tech Research Group Helps IT Professionals To:
- Quickly get up to speed with new technologies
- Make the right technology purchasing decisions – fast
- Deliver critical IT projects, on time and within budget
- Manage business expectations
- Justify IT spending and prove the value of IT
- Train IT staff and effectively manage an IT department
“Info-Tech helps me to be proactive instead of reactive – a cardinal rule in a stable and leading edge IT environment.” - ARCS Commercial Mortgage Co., LP
Sign up for free trial membership to get practical solutions for your IT challenges: www.infotech.com
Toll Free: 1-888-670-8889

