This is a young product, v1.0 shipped in August 2010. The beta version we were shown is due to be released soon. It focuses on the assessment portion of the risk effort. We were told that the final version will also support remediation through the integration of support for threat and vulnerability data.
The combined security monitoring and IT-GRC solution provides automation and integration of security and policy controls in a ready-to-use automation framework. SecureGRC currently comes with prepopulated content and support for PCI DSS 1.2 and HIPAA.
On the remediation options front, SecureGRC provides real-time status on the current state of security and compliance and then offers a checklist of questions that guides the process along, asking for proof of documentation to fulfill the compliance request. No prior knowledge of any particular compliance regulation is necessary in order to use SecureGRC. Users simply follow the application's list of instructions and upload the required documents, and the system will generate a report that can be presented to auditors to prove compliance.
The hosted model was developed with multitenant security in mind and includes security at all transmit and service levels. There is an option in the hosted pricing to pay as you use this tool, i.e., per assessment. Subscription is $750 per year (MSRP) for SecureGRC SB and $9,100 per year (MSRP) for full SecureGRC. It is SaaS only, with no on-premise software.
The product takes an interesting approach to risk management, and we believe the final version - which includes more in-depth reporting and compliance content, and delivers on the remediation front - will be worth a look.