Technology has transformed the face of the corporate world, opening doors to new business models, new markets, and new ways to connect. At the same time, it poses a ubiquitous challenge for businesses. As IT environments become increasingly complex and business reliance on technology grows, organizations face a wide array of risks. While access to technology is critical to corporate success today, a vulnerable IT system can expose you to irrevocable damage. In a recent study by Cisco on Security and Data Leakage, seven out of ten IT professionals held that access to unauthorized websites and applications resulted in almost half of their company's data loss incidents; two out of five IT managers confirmed that they had dealt with employees accessing unauthorized parts of a network in the past two years; and almost half of the employees surveyed admitted sharing work devices with others without supervision.
Most organizations today are looking beyond the perfunctorily planned IT approaches of quickly getting applications built to support the business. Access controls that give everyone in the organization the same access rights are no longer considered "adequate" security controls. Organizations realize that any substantial weakness in controls or existing IT systems can be subject to auditing and adverse reporting, and can lead to huge losses and hefty fines and/or punishment. CIOs are asked not only to deal with ever-increasing and multifaceted threats, but are also challenged to provide increased capabilities within their businesses. This means better returns on IT investments, tighter controls, complete visibility into IT processes, clear lines of responsibility and accountability, consistent benchmarks to measure success or failure, predictable customer service, and better business performance. This has forced organizations to look for an integrated platform that manages multiple regulations, supports governance, and streamlines their entire risk management process within the IT infrastructure, so that they can successfully adapt to changing business needs and enhance technology capabilities while guarding against adversity.
IT GRC is emerging as an integral part of the security landscape today: managing the lifecycle of IT policies, assessing and responding to IT risks, and measuring and reporting compliance with IT controls and regulatory requirements. Implementing an IT GRC solution, however, requires organizations to streamline their IT Governance, Risk and Compliance process; enable visibility and control for multiple stakeholders; and provide a single system of record for IT management. MetricStream, a leading provider of Governance, Risk, Compliance and Quality solutions, offers the industry's most advanced and comprehensive solution designed to meet IT GRC requirements. The solution is based on an integrated Enterprise Compliance Platform (ECP) for successfully managing risk and meeting regulatory requirements. ECP, a proven infrastructure for building GRC applications, provides core modules and services to automate and streamline GRC processes within the IT infrastructure of an organization. This paper details the components specific to IT GRC and describes the MetricStream framework for managing the IT GRC process.
Integrating IT Governance, IT Risk Management, and IT Compliance
As businesses depend more and more on IT systems, most IT leaders struggle with questions like, "Is our data secure enough?" "Are we compliant with IT policies and regulations?" "Have we implemented adequate internal controls and processes?" "Do we run the risk of having our systems go down?" Failure to address these issues in an organized fashion and in a secured environment can lead to disastrous consequences. Before we embark upon how organizations can effectively manage and mitigate increasing IT risks, let us discuss the distinct functions of IT GRC in detail:
IT Governance: Establishing Leadership, Decision Structures & Tracking Mechanisms
The IT governance process within an organization defines and communicates key IT policies, control standards, and technical configuration procedures for its business-critical assets. It includes providing assurance on the IT objectives to the board by assigning committees to steer technology adoption, architectural reviews, and project analysis; and setting up appropriate processes to ensure transparency and visibility in processes such as proposals for new projects, approvals of new IT investments, and prioritization of IT projects. This ensures improved business awareness within the IT team and enhanced IT awareness across the organization. IT Governance assesses the success or failure of the organization's key IT decisions through balanced scorecards, risk scorecards, and operational dashboards. Although many organizations have some form of IT governance in place, their governance processes are often ad hoc, siloed and informal.
IT Risk Management: Managing IT Risks & Ensuring Better Business Performance
Risks are omnipresent in IT, arising from multiple sources such as inadequate business processes, internet and extranet connectivity, unforeseen business interruptions, and so on. As enterprises open and extend their networks to accommodate the growing demands of business, threats and vulnerabilities increase. These threats target the key assets of the business, with consumers, brands, Web sites, and internal networks being the primary targets. Growing regulatory mandates and increasingly activist shareholders have sensitized many organizations to identify and manage IT risks in their business. They are being challenged not only to identify and mitigate potential vulnerabilities and threats, but also to provide increased capabilities within their businesses. IT Risk Management assesses, measures, and monitors IT operational and security risks in relation to the strategic goals and objectives of the organization.
IT Compliance: Using Standardized Methods & Procedures for Managing Change
In recent years, there has been a dramatic growth in compliance and regulatory requirements for the IT industry. International regulations and frameworks such as SOX, COSO/COBIT, ITIL and ISO 17799 have added to the pressure on organizations engaged in the competitive globalized IT landscape. Most organizations acknowledge that a streamlined process for managing compliance is critical; otherwise the risk of noncompliance increases, costing organizations millions in fines, litigation, opportunity costs and production delays. Many organizations are moving towards a common control framework that can meet multiple regulatory, legal and audit requirements simultaneously. IT Compliance Management ensures that appropriate actions are taken to execute governance objectives based on the stated risk tolerance of the business.
Organizations no longer see the three components discussed above as siloed, one-time projects handled in separate parts of an organization. They are now looking to effectively break down the glass walls and create a centralized approach to managing IT risk and compliance while simultaneously ensuring good IT governance. With new definitions, requirements and standards emerging from both internal and external sources, boards and managers are forced to adopt an integrated approach to IT GRC as a business enabler and value driver. Innovative companies are employing a variety of tools and strategies to succeed in the marketplace. An effective IT GRC process continuously provides executive management with visibility into the relationship between risk and compliance across geographies, business units and functional departments, striking an appropriate balance between business reward and risk.
Many software vendors have jumped onto the IT GRC "bandwagon," touting comprehensive solutions. However, most fail to provide a unified IT GRC platform with a top-down, risk-based approach for effective IT compliance. MetricStream has emerged as the leading provider of enterprise software for managing IT governance, risk, and compliance on a unified platform. The section below discusses MetricStream's industry-leading solution for IT GRC.
MetricStream's Industry-Leading IT GRC Framework
The MetricStream solution is uniquely designed to support the integrated Governance, Risk, and Compliance framework for the IT infrastructure of an organization. The MetricStream Compliance Platform serves as the nucleus of an IT corporate governance ecosystem, coordinating all IT governance, risk and compliance activities throughout the enterprise via a single management system. It represents an integrative approach to addressing risk and compliance issues from an enterprise perspective, leveraging common risk-management and compliance objectives, and employing a common control framework with automated controls and controls-based testing and monitoring. MetricStream delivers the most comprehensive mapping of the IT GRC framework within the industry, with the following unique capabilities:
IT Policy and Procedure Management: The MetricStream solution provides an automated approach to communicating and implementing IT policies across the enterprise. Following a top-down, risk-based approach, the solution enables an organization to define the procedures, guidelines, and practices for configuring and managing the IT environment. The organization can then formulate a set of specific technical controls on individual components of its IT infrastructure, for instance the company's password policies, as well as the secure configuration and protection of system servers. Once policies and controls are documented, the solution allows for continuous IT infrastructure assessment, validation, and monitoring.
IT Compliance Management: The MetricStream Compliance Management solution manages IT regulations based on proven best practices embedded in the solution. It enables companies to comply with industry-focused regulatory guidelines, such as OCC, GLBA and FFIEC (for banking), and cross-industry mandates, such as the Sarbanes-Oxley Act (SOX), the Payment Card Industry Data Security Standard (PCI DSS), the Health Insurance Portability and Accountability Act (HIPAA), SAS 70, etc.
IT Audit Management: The MetricStream solution enables organizations to standardize, automate and manage key aspects of the IT audit process. It provides a single system of record for IT audits by integrating with solutions that have already been implemented to automate the testing of various controls. The solution contains a vast library of standard templates that provide the framework needed to drive a repeatable and consistent IT audit process. Further, the solution stores documents in a centralized database, providing visibility and accuracy of audit data throughout the organization and making the review process easy for internal and external auditors. The solution enables sharing of audit findings, key risk areas and recommendations across the organization, reducing redundant moving and copying of information, automating the audit testing process, and sharing risk and risk assessment data.
IT Risk & Control Self Assessment: Risk Control Self Assessment (RCSA) forms a core part of the MetricStream solution. The MetricStream solution provides powerful control assessment capabilities such as threshold-based notifications and alerts, surveys and certifications, attestation mechanisms, self-assessments and third-party testing workflows. The integrated issue and remediation management capability enables companies to improve IT operations by resolving system-identified and user-identified exceptions and deficiencies, and implementing corrective action plans.
IT Asset & Inventory Management: The MetricStream solution gathers detailed information on a company's PCs, notebooks, peripherals, and network equipment, including components, operating systems, software, configuration and identification information, location, and personal settings. The solution undertakes the full lifecycle management of an organization's IT assets, from the point of acquisition or procurement through disposition. It is designed to manage the security, physical, contractual and financial aspects of critical IT assets. Maintaining an accurate, up-to-date view of owned hardware and software assets, the solution automatically updates the inventory data to keep up with changes and upgrades. The data is stored in a single central repository, and can be used for generating analysis and integrating with other corporate applications.
IT Incident Management: The MetricStream Incident Management solution provides for IT incident detection and recording, loss event tracking, investigation, escalation, diagnosis, and closure of incidents, leading to an elaborate remediation or corrective action process. The solution improves communication and teamwork on exception cases across departments and functional areas, and helps top management gain enterprise-wide visibility into the status of issues and incidents and track related process metrics.
Disaster Recovery Management: The MetricStream solution provides an integrated and flexible framework that embeds Business Continuity Planning (BCP) and Disaster Recovery Management into the risk management model of an organization. It automates the BCP lifecycle from planning to implementation, management and maintenance. Further, the solution identifies and quantifies business risks in IT; assesses the impact of unexpected disruptions; prioritizes risks and recovery alternatives according to the Business Impact Analysis; formally defines, documents, and communicates the recovery plan as part of the goals of Business Continuity Management; and facilitates plan maintenance, progress and documentation. It also ensures that the Business Continuity plan is continually tested, exercised, and updated.
Software License Management: MetricStream's Software License Management solution ensures software license compliance by centralizing the administration of software licenses, automating the software license compliance process, auditing current license deployments, and eliminating the threat of piracy. The solution optimizes utilization of the software licenses owned by the enterprise by automating license reclamation, tracking unused licenses, and optimizing license purchase decisions.

Security Configuration Management: MetricStream's Security Configuration tool gives you robust configuration reporting and real-time security information to help you manage your systems, update your configuration management database, and address security configuration and vulnerability issues in a timely manner. The solution automatically maps security policies to technical controls, enabling organizations to standardize and secure endpoint configurations and demonstrate compliance with regulatory policies and industry standards. It audits system configurations and aligns them to corporate policies, processes and controls, and other systems.
Exception & Remediation Management: The MetricStream Remediation Management solution provides end-to-end exception management capabilities to help companies capture remediation data from anywhere in their IT infrastructure, conduct investigations to determine the root cause, manage the entire preventive and corrective process, implement changes, and ensure that the issue is resolved effectively. Powerful analytics and reporting capabilities, with graphical dashboards to track each case from initiation to closure, give managers complete real-time visibility into the remediation process.
Change Management: The MetricStream Change Management solution provides real-time visibility to organizations so that they follow a structured methodology for each change request and track it through its lifecycle from initiation through verification to closure. It also ensures that the change is disseminated to all concerned entities and leads to the intended outcome.
Reporting: The MetricStream solution enables organizations to report on critical IT policy communication and acceptance; identify control gaps and policy exceptions across the enterprise; gain clear visibility into key risk indicators, assessment efforts and the overall risk profile of an organization's critical technology infrastructure; understand the status of IT compliance initiatives; and increase visibility into the results of these efforts among company stakeholders and auditors. The solution features executive dashboards for enterprise-wide visibility into the compliance process, and underscores issues that need to be addressed. The system reports real-time control status and remediation status on graphical charts that can be accessed globally. The ability to drill down provides easy access to data at finer levels of detail. In addition to the pre-configured standard reports, the system provides tremendous flexibility by enabling stakeholders to configure ad-hoc or scheduled reports to view metrics by a variety of parameters, such as by process, by business unit, and by status. Automated alerts for events such as exceptions and failures eliminate surprises and make the process predictable. In addition to the standard reports available in the solution, end-users can build custom reports using the simple Reports Wizard without any programming. The solution also provides a systematic mechanism for managing regulatory reporting and filings, as well as surveys and certifications, in a consistent, reliable and predictable manner. It ensures accountability by enforcing the flow of information and records and documenting attestations and representations at appropriate stages.
Business Benefits
Organizations today need a systematic approach to defining and managing IT GRC initiatives. The MetricStream solution has enabled leading corporations in diverse industries to make the shift from isolated IT compliance initiatives and departmental silos of IT risk-related information to an integrated enterprise-wide strategy for IT GRC management. Providing the industry's best solution, MetricStream:
Identifies, Assesses, and Mitigates Key Business Risks in IT: MetricStream's holistic IT GRC model enables an organization to identify, measure, monitor, and control its exposure to the inherent business risks in its IT infrastructure. Establishing a proactive IT security and risk framework, the solution provides a systematized process for anticipating and controlling IT risks, resulting in reduced downtime, system failures, and performance variability.
Delivers Value to the Business: With MetricStream's IT GRC model, organizations can streamline and standardize end-to-end IT processes and controls, leading to enhanced productivity and increased savings in cost and time. Enforcing best-practice segregation of duties, IT configuration, and change management procedures, the solution monitors an organization's key application and network controls, safeguarding its critical internal applications and highly sensitive data. The solution ensures that the organization's resources are focused on the issues that have the greatest urgency and potentially the greatest impact on the business, and that the investment in IT is really meeting its objectives.
Ensures Transparency and Visibility: The MetricStream solution improves visibility across the organization, providing the basis for sound strategic decisions. The solution supports the analytical and data management efforts of risk managers to develop reporting protocols that serve both the individual business and the central management team. Tracking policy violations and deficient compliance scores, MetricStream's reporting protocol ensures real-time visibility into the organization's IT infrastructure.
Clarifies Personal Roles and Accountabilities: Enforcing clear-cut segregation of roles and duties, the MetricStream solution prevents security violations from occurring. The moment there is a security violation, the solution alerts and reports the matter to management in real time. The solution helps organizations better incorporate accountability into their work culture.
Automates Compliance: By automating compliance, MetricStream's IT GRC solution makes it easy and cost-effective for the organization to incorporate efficient and effective IT compliance practices. In addition, the solution uniquely combines software and content for effective and sustainable compliance, with embedded best-practice templates, access to training content from an expert community, and integration of business processes with regulatory notifications or industry alerts.
Enables Process and Resource Utilization: The MetricStream solution integrates fragmented IT Governance, Risk, and Compliance activities within an organization, enabling greater utilization of IT processes and resources, and reducing the wasted time and money associated with redundant efforts and technical resources.
Ensures Best Practices Sharing Across Similar Business Processes: The MetricStream solution facilitates continuous risk management learning by enabling business units to share their experience and best practices, internally and across organizations. This supports innovation, capacity building and continuous improvement, fostering an environment that motivates people to learn.
Benefits
Quick Implementation
Seamless Integration
User-friendly
Built in reporting
Robust Security
Conclusion
Taken separately, IT governance, IT risk management, and IT compliance are not new concepts; however, when viewed as an integrated model and expanded to include compliance with the overall strategic objectives of the company, IT GRC has the potential to become a value-adding principle that is integral to a company's competitiveness and, ultimately, its success. Says the Chairman and CEO of a noted company, "By its very existence, IT GRC is a value driven approach that allows organizations to make sure that IT is not just in compliance with regulations but is in sync with the overall corporate objectives as well." Most organizations have recognized the need, have deepened their IT GRC domain expertise, and are investing in solutions that will enable them to achieve the goal of managing these activities on a unified platform. These solutions work together to automate end-to-end IT GRC activities, including IT governance and oversight; IT risk management; control testing and remediation case management; and user access and authorization. MetricStream is the leading provider of enterprise software for managing the disciplines of IT governance, risk, and compliance on a centralized platform. It enables businesses to develop a holistic view of their IT risk and compliance posture in order to align IT infrastructure with broad corporate goals, gain insight into the entire infrastructure, and make better business decisions.