Organizations have to comply with regulatory requirements and control standards such as NERC, HIPAA, PCI, BASEL II, FISMA, GLBA, SOX, COBIT, FFIEC, ISO 27001 and NIST SP 800 as part of their business processes. The IT department has to ensure that its processes, technology and people are aware of, and meet, these compliance requirements.
For example, IT divisions have to create, measure and monitor control objectives as per the PCI data security standard. An IT division's PCI program should follow the standard's 12 requirements, such as building and maintaining a secure network and restricting physical access to cardholder data. Similarly, NERC compliance requires IT divisions to implement the steps in CIP-002-1 through CIP-009-1.
IT compliance programs are complex in nature and can become inefficient when compliance tasks are repeated for each regulation and control standard. ISO 27002/COBIT control objectives for user security may overlap with the control objectives of PCI, NERC, SOX or HIPAA. An organization can certify such a requirement once and show compliance for multiple regulations and standards. However, organizations most often perform this activity in silos, which results in duplication and complexity in the IT compliance process.
MetricStream provides a common framework and an integrated approach to manage all IT compliance requirements faced by an organization. It enables companies to manage industry mandates and regulations by providing a centralized environment for documenting requirements and evaluating the internal controls that satisfy compliance mandates, through effective design and operation of IT controls and a systematic response to issues of non-compliance and deficiencies with remediation and corrective actions.
Key Benefits of MetricStream IT Compliance Solution
IT Compliance Environment and Process Design: Using MetricStream IT Compliance solution, companies can define and maintain a centralized structure of the overall IT compliance and control hierarchy including processes, asset repositories, risks for the processes and assets, controls to mitigate the risks and programs to audit and assess the controls. It includes associated policies and procedures, reporting requirements and filing templates and schedules for various regulations.
Assessment and audit plans to evaluate and ensure the effectiveness of the controls can be designed and assigned to owners based on roles and responsibilities. Based on the compliance requirements and associated risk, the assessment plans can be scheduled periodically or triggered by the occurrence of certain events. Assessment programs and documentation can be shared within and across processes for higher efficiency.
MetricStream delivers the Unified Compliance Framework (UCF), a comprehensive library that maps and harmonizes more than 2,000 IT control statements to more than 400 regulations, standards and frameworks, embedded with its solution. It contains the cost and manages the overwhelming complexity of IT compliance by standardizing on a common set of controls that map to all the regulations and policy mandates a company needs to comply with. This includes support for frameworks such as COBIT, ISO 27002 and ITIL for implementing best practices, and covers compliance requirements including SOX, FFIEC, PCI, GLBA, HIPAA, CMS, NERC, NIST and other federal and state mandates.
Assessing Compliance and Controls: IT compliance managers and process owners across the organization can manage compliance assessment programs to ensure the effectiveness of controls and activities designed to meet regulatory requirements. The system supports assessments based on predefined criteria and checklists and has a mechanism for scoring, tabulating and reporting results.
The centralized repository of all assessments, with an easy search capability, ensures that IT audit groups can support a request by external auditors to provide documentation and evidence validating that a specific compliance requirement is being met and that controls are in place to ensure ongoing compliance.
For IT application controls that can be assessed automatically, tests related to completeness, accuracy, validity, authorization and segregation of duties can be configured and scheduled, with the ability to define process-level manual controls and application controls within a single test.
Technology connectors that support automated measurement and reporting of IT controls, via integration with third-party products, provide the additional advantage of assured compliance for confidentiality, integrity, availability and fraud detection, giving a comprehensive status of a company's compliance health.
Automated measurement of general computer controls and application controls, by importing or directly measuring IT asset-level configuration settings, vulnerability data and identity auditing information, is enabled through integration with specific third-party products for vulnerability assessment, configuration auditing, identity and access management, security management and event monitoring.
Self-assessments and Surveys: MetricStream solutions provide a systematic mechanism for managing self-assessments and surveys related to IT controls in a consistent, reliable and predictable manner. It ensures accountability by enforcing the flow of information and documenting attestations and representations at appropriate stages. The system provides the capability to configure and execute surveys, certifications and self-assessments based on predefined templates and schedules for designated executives. It supports electronic signoffs at departmental and functional levels that roll-up for executive certifications. The solution supports procedures for affirming the strength of the IT controls and adherence to policies. This information rolls up to executive management who can review and certify overall IT control assessment for the enterprise for meeting compliance requirements.
Issue Management and Remediation: Once issues and deficiencies are identified and documented, a systematic mechanism of investigation and remediation is triggered by the underlying workflow and collaboration engine. The solution supports triggering automatic alerts and notifications to appropriate personnel for task assignments for investigation and remedial action.
Monitoring IT Compliance: Executive dashboards provide enterprise wide visibility into the IT compliance process and highlight issues that need to be addressed. The solution has the ability to track IT compliance status, process ownership, assessment plans, etc. on graphical charts to evaluate levels of compliance with various mandates. Ability to drill-down provides an easy way to access the data at finer levels of detail. Integrated reporting of self-assessment, manual assessments and automated controls provides a clear visibility into key risk indicators, assessment results and compliance initiatives. Automated alerts for events such as exceptions and failures eliminate any surprises and make the IT compliance process predictable.
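The "certify once, report to many mandates" idea from the introduction, together with the automated control tests and per-mandate roll-up described under assessment and monitoring, can be shown in a few dozen lines. The following is an added example and is not MetricStream's code or the UCF's real mappings: the control identifiers, the mandates each control is mapped to, the asset configuration snapshot and the role assignments are all constructed sample data. Each control's test runs exactly once and its single result is reused as evidence for every regulation that maps to that control, so a segregation-of-duties finding surfaces under both SOX and ISO 27001 without a second assessment.

```python
"""Assess each IT control once, then roll the result up to every mandate
that maps to it. Added example; all data below is constructed and the
control-to-mandate mappings are illustrative, not the UCF's actual mappings."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Callable

# Constructed snapshot of asset-level settings an automated test would import
# from a configuration-auditing tool (hypothetical host names).
ASSET_CONFIG = {
    "db-prod-01": {"password_min_length": 12, "mfa_for_admins": True},
    "app-prod-02": {"password_min_length": 6, "mfa_for_admins": True},
}
# Constructed entitlements as exported from an identity-management system.
ROLE_ASSIGNMENTS = {
    "alice": {"create_vendor", "approve_payment"},   # conflicting duties
    "bob": {"create_vendor"},
    "carol": {"approve_payment"},
}
# Entitlement pairs that one person must never hold at the same time.
CONFLICTING_DUTIES = [("create_vendor", "approve_payment")]


@dataclass
class Control:
    control_id: str
    description: str
    mandates: set[str]               # regulations/standards this control evidences
    test: Callable[[], list[str]]    # returns findings; an empty list = effective


def check_password_length() -> list[str]:
    """Validity test: minimum password length on every asset (baseline 8)."""
    return [f"{asset}: password_min_length={cfg['password_min_length']} < 8"
            for asset, cfg in ASSET_CONFIG.items() if cfg["password_min_length"] < 8]


def check_admin_mfa() -> list[str]:
    """Authorization test: MFA must be enforced for administrators."""
    return [f"{asset}: MFA not enforced for administrators"
            for asset, cfg in ASSET_CONFIG.items() if not cfg["mfa_for_admins"]]


def check_segregation_of_duties() -> list[str]:
    """SoD test: nobody may hold both halves of a conflicting-duty pair."""
    findings = []
    for user, rights in ROLE_ASSIGNMENTS.items():
        for a, b in CONFLICTING_DUTIES:
            if a in rights and b in rights:
                findings.append(f"{user}: holds both {a} and {b}")
    return findings


# Illustrative mappings only (constructed), one control evidencing several mandates.
CONTROLS = [
    Control("AC-01", "Minimum password length", {"PCI", "ISO27001", "SOX"}, check_password_length),
    Control("AC-02", "MFA for privileged access", {"PCI", "NERC", "HIPAA"}, check_admin_mfa),
    Control("AC-03", "Segregation of duties", {"SOX", "ISO27001"}, check_segregation_of_duties),
]


def assess_controls(controls: list[Control]) -> dict[str, list[str]]:
    """Run every control's test exactly once; return {control_id: findings}."""
    return {c.control_id: c.test() for c in controls}


def rollup_by_mandate(controls: list[Control], results: dict[str, list[str]]) -> dict:
    """Reuse each control's single result as evidence for every mapped mandate."""
    status: dict[str, dict] = {}
    for c in controls:
        for mandate in c.mandates:
            entry = status.setdefault(mandate, {"effective": [], "deficient": {}})
            if results[c.control_id]:
                entry["deficient"][c.control_id] = results[c.control_id]
            else:
                entry["effective"].append(c.control_id)
    return status


def assessment_effort(controls: list[Control]) -> tuple[int, int]:
    """(tests actually run, control/mandate pairs evidenced) - the saving over silos."""
    return len(controls), sum(len(c.mandates) for c in controls)


def compliance_dashboard(controls: list[Control] = CONTROLS) -> dict:
    """Per-mandate status with drill-down to the failing control's findings."""
    return rollup_by_mandate(controls, assess_controls(controls))


if __name__ == "__main__":
    tests, pairs = assessment_effort(CONTROLS)
    print(f"{tests} tests run, {pairs} control/mandate pairs evidenced")
    for mandate, entry in sorted(compliance_dashboard().items()):
        state = "COMPLIANT" if not entry["deficient"] else "DEFICIENT"
        print(f"{mandate:9} {state} effective={entry['effective']}")
        for control_id, findings in entry["deficient"].items():
            for finding in findings:
                print(f"           {control_id}: {finding}")
```

With the constructed data, three tests evidence eight control/mandate pairs; NERC and HIPAA report as compliant because their only mapped control (MFA) passes, while the password-length and SoD findings appear under each of PCI, SOX and ISO 27001 from a single run of each test.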