Adopt best practices to improve accountability and communication
Organizations have to comply with regulatory requirements and control standards such as NERC, HIPAA, PCI, BASEL II, FISMA, GLBA, SOX, COBIT, FFIEC, ISO27001, and NIST-SP800 as part of their business processes. The IT department has to ensure that IT processes, technology, and people are aware of and able to meet these compliance requirements.
For example, each IT division has to create, measure, and monitor control objectives as per the PCI Data Security Standard. The division's PCI program should follow the standard's 12 requirements, such as building and maintaining a secure network and restricting physical access to cardholder data. Similarly, NERC compliance requires each IT division to implement the steps for CIP-002-1 through CIP-009-1.
IT compliance programs are complex in nature and can create inefficiencies due to the repetition of compliance tasks for different regulations and control standards. ISO 27002/COBIT control objectives for user security may overlap with the control objectives of PCI, NERC, SOX, or HIPAA. Organizations can certify each requirement once and show compliance for multiple regulations and standards. However, most of the time they perform this activity in silos, resulting in duplication and complex IT compliance processes.
The MetricStream solution provides a common framework and an integrated approach to manage all IT compliance requirements. It enables companies to efficiently manage IT mandates and regulations by providing a centralized environment for documenting requirements, designing internal controls, evaluating these controls, and systematically responding to issues of non-compliance and deficiencies through the appropriate remediation and corrective actions.
Capabilities of MetricStream IT Compliance Solution
IT Compliance Environment and Process Design: Using MetricStream IT Compliance Management Solution, companies can define and maintain a centralized structure of the overall IT compliance and control hierarchy including processes, asset repositories, risks for the processes and assets, controls to mitigate the risks, and programs to audit and assess the controls. The solution also helps attach various policies and procedures, reporting requirements, and filing templates and schedules for various regulations.
To evaluate and ensure the effectiveness of the controls, IT assessment and audit plans can be designed and assigned to owners based on their roles and responsibilities. The assessment plans can be scheduled periodically or triggered based on the occurrence of certain events, compliance requirements, and the associated risks. Assessment programs and documentation can be seamlessly shared within and across processes for higher efficiency.
MetricStream also delivers the Unified Compliance Framework (UCF), a comprehensive library that maps and harmonizes more than 2,000 IT control statements to more than 400 regulations, standards, and frameworks. The framework is embedded within the solution to contain costs and efficiently manage the overwhelming complexity of IT compliance by standardizing a common set of controls that map to all compliance regulations and policy mandates. The solution also includes support for frameworks such as COBIT, ISO 27002, and ITIL, and covers various compliance requirements including SOX, FFIEC, PCI, GLBA, HIPAA, CMS, NERC, and NIST.
IT Compliance and Control Assessment: IT compliance managers and process owners across the organization can efficiently manage IT compliance assessment programs to ensure the effectiveness of controls and activities designed to meet regulatory requirements. The system supports IT control assessments based on predefined criteria and checklists, and provides mechanisms for scoring, tabulating, and reporting the results.
A centralized repository of all control assessments, with an easy search capability, ensures that IT audit groups can provide the necessary documentation and evidence to external auditors to validate that a specific IT compliance requirement is being met and that effective controls are in place to ensure ongoing compliance.
For IT application controls that can be assessed automatically, tests can be configured and scheduled to determine the completeness, accuracy, validity, authorization, and segregation of duties. The solution also provides the ability to define manual and application controls within a single test.
Technology connectors support automated measurement and reporting of IT controls by integrating with third-party products. This provides the additional advantage of assured compliance related to information confidentiality, integrity, availability, and fraud detection. It also provides a comprehensive view of a company's compliance health.
Automated measurement of general computer controls and application controls is enabled through importing or directly measuring IT asset-level configuration settings. The solution seamlessly integrates with specific third-party products for vulnerability assessments, identity and access management, security management, and event monitoring.
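The two ideas above, testing a control once and reporting it against every regulation it satisfies (the overlap problem described earlier) and automatically measuring a control from imported asset-level configuration settings, can be shown in a small control-assessment engine. The following is an added example and not MetricStream's code; the control identifiers, thresholds, framework mappings, and the configuration snapshot are all constructed for illustration, and only the framework names come from the page.

```python
# Added example (hypothetical, not MetricStream's code): a minimal control-assessment
# engine. Each control is tested once against an imported configuration snapshot and
# the single result is reported under every framework the control maps to, so one
# assessment produces evidence for several regulations at the same time. Failed
# controls become remediation issues carrying their evidence.
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Control:
    control_id: str                         # constructed identifier
    description: str
    frameworks: Tuple[str, ...]             # every framework this one control gives evidence for
    test: Callable[[dict], Tuple[bool, str]]  # returns (passed, evidence string)


# Constructed configuration snapshot of one asset, as a technology connector might import it.
SNAPSHOT = {
    "asset": "db-01 (constructed)",
    "password_min_length": 12,
    "audit_logging_enabled": True,
    "log_retention_days": 90,               # deliberately below the constructed 365-day threshold
    "tls_versions": ["TLSv1.2", "TLSv1.3"],
    "admin_accounts": ["alice", "bob"],
    "developer_accounts": ["bob", "carol"],  # "bob" holds both roles: segregation-of-duties failure
}


def _password_length(s: dict) -> Tuple[bool, str]:
    n = s.get("password_min_length", 0)
    return n >= 12, f"minimum password length is {n}"


def _log_retention(s: dict) -> Tuple[bool, str]:
    enabled = s.get("audit_logging_enabled", False)
    days = s.get("log_retention_days", 0)
    return enabled and days >= 365, f"audit logging enabled={enabled}, retention={days} days"


WEAK_TLS = {"SSLv3", "TLSv1.0", "TLSv1.1"}


def _tls_versions(s: dict) -> Tuple[bool, str]:
    weak = sorted(WEAK_TLS.intersection(s.get("tls_versions", [])))
    return not weak, f"weak protocol versions enabled: {weak or 'none'}"


def _segregation_of_duties(s: dict) -> Tuple[bool, str]:
    overlap = sorted(set(s.get("admin_accounts", [])) & set(s.get("developer_accounts", [])))
    return not overlap, f"accounts holding both admin and developer roles: {overlap or 'none'}"


# Constructed control library; the framework mappings are illustrative, not taken from UCF.
CONTROLS = [
    Control("CTRL-PWD-01", "Minimum password length of 12", ("PCI", "ISO 27002", "NIST"), _password_length),
    Control("CTRL-LOG-01", "Audit logging on, retained 365 days", ("PCI", "SOX", "HIPAA"), _log_retention),
    Control("CTRL-TLS-01", "No weak TLS/SSL protocol versions", ("PCI", "NIST"), _tls_versions),
    Control("CTRL-SOD-01", "Admin and developer roles are separate", ("SOX", "COBIT", "ISO 27002"), _segregation_of_duties),
]


def assess(snapshot: dict, controls=CONTROLS) -> Dict[str, Tuple[bool, str]]:
    """Run every control exactly once against the snapshot."""
    return {c.control_id: c.test(snapshot) for c in controls}


def framework_view(results: Dict[str, Tuple[bool, str]], controls=CONTROLS) -> Dict[str, Dict[str, List[str]]]:
    """Re-use each single result under every framework the control maps to."""
    view: Dict[str, Dict[str, List[str]]] = {}
    for c in controls:
        passed, _ = results[c.control_id]
        for fw in c.frameworks:
            bucket = view.setdefault(fw, {"passed": [], "failed": []})
            bucket["passed" if passed else "failed"].append(c.control_id)
    return view


def open_issues(results: Dict[str, Tuple[bool, str]], controls=CONTROLS) -> List[dict]:
    """Failed controls become remediation issues listing every framework they affect."""
    return [
        {"control": c.control_id, "evidence": results[c.control_id][1], "frameworks": list(c.frameworks)}
        for c in controls
        if not results[c.control_id][0]
    ]


if __name__ == "__main__":
    results = assess(SNAPSHOT)
    for fw, buckets in sorted(framework_view(results).items()):
        status = "COMPLIANT" if not buckets["failed"] else "NON-COMPLIANT"
        print(f"{fw:10} {status:14} failed={buckets['failed']}")
    for issue in open_issues(results):
        print("ISSUE", issue)
```

With the constructed snapshot, the password and TLS controls pass and their single results appear under PCI, ISO 27002, and NIST at once, while the log-retention and segregation-of-duties failures surface as two issues that each name every framework they put at risk, which is the information the remediation workflow needs to route them.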
Self-assessments and Surveys: The MetricStream solution provides a systematic mechanism for managing IT control self-assessments and surveys in a consistent, reliable, and predictable manner. The solution ensures accountability by enforcing the flow of information and documenting attestations and representations at appropriate stages. It also provides the capability to configure and execute surveys, certifications, and self-assessments based on predefined templates and schedules. It supports electronic sign-offs at departmental and functional levels which, in turn, roll up into executive certifications. It also supports procedures for affirming the strength of IT controls and adherence to policies. This information is routed to executive management, who can review and certify the overall IT control assessments for the enterprise.
Issue Management and Remediation: Once IT compliance issues and deficiencies are identified and documented, a systematic mechanism of investigation and remediation is triggered by the underlying workflow and collaboration engine. The solution supports the triggering of automatic alerts and notifications to appropriate personnel for investigation and remedial action.
IT Compliance Monitoring: Executive dashboards provide complete visibility into the IT compliance process and highlight issues that need to be addressed. The solution also provides the ability to track IT compliance status, process ownership, assessment plans, and similar items on graphical charts to evaluate levels of compliance with the various IT mandates. Data at finer levels of detail can be accessed through drill-down capabilities. Integrated reporting of self-assessments, manual assessments, and automated controls provides clear visibility into key IT risk indicators, assessment results, and compliance initiatives. Automated alerts for events such as exceptions and failures eliminate surprises and make the IT compliance process predictable.