
Press Release

Brabeion Software Announces Next-Generation IT Governance, Risk & Compliance Management Platform

Brabeion IT Risk & Compliance Manager 3.0 Furthers IT GRC Vision by Enabling IT Risk and Compliance to be Strategically Managed as a Business Risk

Reston, VA — October 3, 2007 — Brabeion Software, a leader in IT Governance, Risk and Compliance (IT GRC) Management, today announced the next generation of its groundbreaking IT GRC software platform, Brabeion IT Risk & Compliance Manager 3.0 (ITRCM). Brabeion was first to market with a complete IT GRC suite that helps organizations achieve and sustain compliance and optimally manage risks while lowering assessment costs. Brabeion’s solutions have been successfully deployed in the Global F1000 with dramatic returns on investment. With today’s new 3.0 release, Brabeion furthers the IT GRC industry vision by enabling compliance to be managed more strategically as a business risk. New role-based dashboards elevate Brabeion into the industry’s first single solution to deliver a unified view of risks across people, processes and technologies tied to regulations, standards and company policies - eliminating the need to cobble together manual surveys and disparate tools. Brabeion also introduces the industry’s first “compliance risk scoring” for assets that factors in the likelihood of IT control failures — addressing a major gap in today’s traditional risk equation that can result in misleading data. New document workflow and repository management features that reduce cycle time and redundancies round out this mature IT GRC offering.

“What's missing today in IT risk and compliance are ways to link risk factors with measures the business can understand and support. Without this critical support, risk and compliance programs die on the vine. Risk scoring based on business processes, information assets, and supporting technologies is therefore vital to making the risk and compliance puzzle work, and it’s also essential to making intelligent decisions and mitigation strategies,” commented Scott Crawford, Research Director for analyst firm Enterprise Management Associates. “Solutions that link compliance and risk in this way are building a foundation for more strategic IT GRC programs.”

As enterprises struggle to gain control over compliance with numerous regulatory mandates and in the face of complex and continually changing IT environments, they are seeing their compliance focus evolve from the mitigation of negative security threats toward the philosophy that compliance is part of a comprehensive risk management program, and they are now focusing on getting their risk management programs in place. IT GRC is emerging as an important new market category that provides the strategic view of managing the business that is needed in highly regulated environments. According to AMR, thirty percent of the $30 billion IT compliance spend is going to GRC platforms.

Industry analysts and experts agree that the key to this risk-based approach is adopting a disciplined system for defining, measuring and monitoring IT controls, both technical and non-technical. “We are entering into the age of controls enlightenment. Today, there is a major disconnect between policy, procedures and controls measurement, which ultimately creates more holes and more risk. Controls health is an essential element of the risk equation and without it you don’t have a total IT GRC view,” said Steve Schlarman, Chief Compliance Strategist for Brabeion. “Brabeion aims to solve this disconnect. Everything we do stems from our belief that ‘it all begins and ends with auditable policies measured against relevant controls.’”

In the Gartner Hype Cycle for Compliance Technologies 2007, Gartner writes, "The good news is that companies and agencies that are taking a top-down approach to operational risk - organizations that are making the discovery, control and documentation of risk a priority for all managers and staff - are, indeed, experiencing business benefits. They have a better understanding of their risks, they are able to take a more proactive approach to risk reduction, and they are finding that external audits are going more smoothly. Such organizations are able to make selective and productive use of compliance technology, thereby improving their ability to conduct business and reducing the potential for losses. For these organizations, regulatory compliance is not their primary goal, but it becomes just one of the many benefits of risk management. Such companies are usually well-positioned to make good choices about technology." 1

Brabeion IT Risk & Compliance Manager 3.0

Brabeion’s suite consists of the Brabeion IT Risk and Compliance Manager (ITRCM) and the Brabeion IT Risk and Compliance Center (ITRCC). Brabeion ITRCM is a web-based risk and compliance program management solution that scales across a global, diverse environment. When combined with the Brabeion ITRCC knowledgebase, it is the only solution to automate policy, procedure, standards and controls lifecycle management; perform automated assessments with bi-directional traceability from policies to controls; and offer a deep knowledgebase of proven, audit-ready content (policies, standards and controls) developed with partners including PricewaterhouseCoopers and IT Governance Institute and mapped to frameworks and regulations.

With release 3.0, Brabeion eliminates critical exposures in governance, compliance and security programs with:

  • A clearly articulated compliance view of people, process and technology with an integrated approach to measuring control implementations through automated and manual assessments
  • A flexible, user-defined, formula-based model to calculate risk scores based on control compliance, control impacts and the business value of assets
  • Role-based dashboards that provide comprehensive metrics, track user policy acceptance, control exceptions, and remediation efforts
  • Automated testing for multiple platforms with integration to assessment and systems management technologies from Microsoft, Symantec and NetIQ as well as commercial and proprietary asset data sources and change management solutions
  • An integrated web-based survey and questionnaire engine with online and offline capabilities for distributed assessments
  • Risk and compliance assessments based on more than 6000 control tests by integration into Brabeion ITRCC’s extensive controls knowledgebase. This content contains:
    • Over 600 ISO-based standards cross-referenced to international frameworks such as ISO and COBIT and over 30 legislative and regulatory requirements
    • Detailed control information for over 90 technologies

To serve the needs of customers in specific markets, Brabeion provides out-of-the-box content to support over 30 frameworks and regulations including FFIEC, GLBA and SOX for financial services; FERC and NERC for power and energy; PCI requirements for retail; FISMA for the federal market; and HIPAA for the healthcare market.

Pricing and Availability

Brabeion ITRCM and ITRCC are available immediately directly from Brabeion Software. For more information please contact sales@brabeion.com.

About Brabeion Software

Brabeion helps organizations achieve and sustain compliance and optimally manage risks through full policy, procedure and controls lifecycle management powered by comprehensive information risk and audit content developed and maintained by our team of domain experts, in collaboration with strategic partners including PricewaterhouseCoopers LLP, IT Governance Institute, Microsoft Corp, Oracle Corp and others. Brabeion's IT Risk and Compliance Management platform dramatically reduces risk and improves compliance while lowering assessment costs by leveraging the reuse of tests across all audit requirements through integration with assessment technology and manual surveys. Brabeion is a member of the Information Security Forum (ISF), the PCI Security Standard Council and the PCI Security Vendor Council (PCI SVC). Brabeion solutions are successfully deployed across a wide range of vertical markets including Financial Services, Retail, Energy, Healthcare, and Government. Customers include Chevron, CIT Group, DirecTV and Guardian Life Insurance.

For more information, visit www.brabeion.com.

1) Gartner, Inc., "Hype Cycle for Compliance Technologies, 2007" by Jay Heiser et al, July 11, 2007

Press inquiries:
Yo Delmar, Brabeion Software, tel: 866 710 8118; email: yo.delmar@brabeion.com or Leslie Kesselring, Kesselring Communications, LLC tel: 503 358 1012; email leslie@kesselring.net

The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
