Research Request: Governance, Risk Management and Compliance


As part of your membership benefits, the Alliance staff provide research services for requests submitted by local government members. Topics can range from pressing issues to emerging trends. This benefit is made possible through our partnership with the Arizona State University Marvin Andrews Fellowship.

Request Prompt:

"I am looking for a mid to small enterprise GRC (governance, risk management, and compliance) tool (software), where I can manage PCI, CJIS, and HIPAA compliance, understanding that one GRC will likely not have all of those compliance systems out of the box. It would be more important to have it be easily customizable, but we would want it to come with at least one (PCI or CJIS) framework "pre-loaded". Additionally, it would need to be able to handle the gathering of evidence and assignment of tasks to perform policy and compliance driven tasks."

Summary of Findings: 

The following GRC software have the potential for PCI, CJIS, and HIPAA compliance: 

  • Continuum 

  • KnowBe4 

  • Infosight 

  • Silent Sector 

  • Netwrix Auditor 

  • ADAudit Plus 


*A brief summary of each software product and its capability for your needs is below. However, none of these vendors appears in any top GRC lists. 



Continuum 

Continuum GRC provides proactive cyber security solutions, including the #1 ranked solution for PCI-DSS and CJIS. Continuum is independently assessed, verifying compliance with HIPAA and HITECH. The PCI Security Standards Council approved Continuum’s PCI DSS audit standard. 



KnowBe4 

KnowBe4's KCM GRC is supposedly quick, easy to use and affordable. KCM GRC has pre-built compliance requirement templates for PCI-DSS, CJIS, and HIPAA. Customers can also build or import their own custom template. In addition to compliance management, KCM offers a centralized process for policy distribution and tracking attestation. 



InfoSight 

InfoSight’s GRC provides a comprehensive enterprise cloud platform or on-premise solution that integrates, standardizes, and enhances existing governance, risk, and compliance processes. InfoSight offers security solutions for PCI-DSS, CJIS, and HIPAA according to specific risks, needs, budget, and resource constraints. 


Silent Sector 

Silent Sector provides the technical and compliance expertise to simplify GRC so you can get back to your core business objectives. Silent Sector offers PCI Force Multiplier, which arms you with best practices and proprietary tools, as well as compliance frameworks for CJIS and HIPAA. 



Netwrix Auditor 

Netwrix Auditor bridges the visibility gap by delivering security intelligence about critical changes, data access, and configurations in hybrid IT environments. The platform identifies users with the most anomalous activity, alerts on behavior patterns that indicate a possible threat, and makes it easy to investigate any suspicious action or security policy violation so you can quickly determine the best response. Netwrix offers easy access to the reports required for passing PCI-DSS, CJIS, and HIPAA audits. 


ADAudit Plus 

ManageEngine ADAudit Plus is an IT security and compliance solution. With over 200 reports and real-time alerts, it provides knowledge about changes made to the content and configuration of Active Directory, Azure AD, and Windows servers. ADAudit Plus offers data protection, security, and standards reporting to meet PCI-DSS, CJIS, and HIPAA compliance. 



General Information:  


For more information about the top GRC providers, the following sources offer overviews or comparison opportunities: 


