Most IT organizations struggle to maintain visibility into and control over IT risks because of the complexity of IT environments in large corporations. It is a challenge to measure and manage IT risk consistently and to assess its impact on disparate areas of the organization. It is also challenging, but critical, to link the IT risk and compliance life cycles together so that control failures can be interpreted in the context of overall business risk and performance.
MetricStream provides a central IT risk management framework to simplify the identification and analysis of all risks in IT operations. This, in turn, enables informed decision making to support business performance and the overall management of business risks. The solution automates the entire IT risk management process and workflow - from risk identification and assessment scoring, to mitigation and reporting. Powerful dashboards provide timely, actionable information for proactively addressing IT risks against corporate objectives.
Identifying IT Risks: The MetricStream solution supports creating a centralized registry of IT risks, and documenting their source and nature, area of impact, response strategies, key risk indicators, and mitigating controls. The solution also helps classify and map risk events to business risks and compliance requirements to provide a complete context for IT risks. Customers can maintain a library of qualitative and quantitative assessment factors and relate them to the risks. Technology connectors automate the collection of data related to risks, vulnerabilities, and threats via integration with third-party products.
IT Risk Assessment and Analysis: The MetricStream solution supports IT risk assessments and computations based on configurable risk scoring methodologies and flexible what-if analysis functionalities. They enable managers to prioritize their response strategies for optimal risk/reward outcomes. Customers can utilize a library of risk assessment questions for surveys based on control statements and procedures. These questions are mapped to various regulations, standards, and frameworks to drive powerful risk and compliance reporting. IT risk managers can create questionnaires and assessment tasks for periodic risk reviews, fraud assessments, and compliance evaluations across various organizations, processes, assets, facilities, vendors, and applications.
IT Control Design and Evaluations: Once the key IT risks are identified and prioritized, the MetricStream solution enables companies to define a set of controls according to industry standard control frameworks. The solution also allows associated policy and procedure data to be attached for reference. Assessment plans to evaluate the effectiveness of the controls can be designed and assigned according to role-based criteria. The system also supports IT control assessments based on predefined criteria, and has a mechanism for scoring, tabulating, and reporting the results.
Issue Management and Remediation: The findings and issues from IT risk and control assessments can automatically be routed to the appropriate personnel for mitigation. As deficiencies are addressed through corrective actions, the system automatically updates residual risk scores, reflecting the true IT risk profile.
Monitoring IT Risks: The solution provides predefined risk reports and risk heat maps for analyzing the organization's IT risk profile and reporting on IT risk activities and results. Executive dashboards provide clear visibility into key risk indicators and event data. The solution also generates technical and executive reports by collecting data on technology assets, third-party products, and assessments for various processes, providing a comprehensive view of the organization's IT risk profile.