At MetricStream’s flagship event, GRC Summit, Clyde Tsai, GRC Lead at Autodesk, shared how MetricStream has helped them implement an integrated framework for IT risk and compliance management programs. Autodesk is a leading provider of software products to architecture, engineering, construction, product design, manufacturing, media, and entertainment industries.
Here are the key takeaways from Clyde’s session at the summit.
Clyde: One of the very special things about Autodesk teaming up with MetricStream is that we're trying to get FedRAMP compliant. We are in the midst of getting the authority to operate in FedRAMP – it is the ability to sell to the federal government. It’s a huge audit and continuous process. That was actually our main driver for choosing MetricStream.
Apart from that we're also doing compliance for a range of frameworks. We’re trying to infuse more of a culture of risk-aware decision-making. We have a small risk team and we’re trying to do as many risk assessments as we can. Automation really helps us with that.
Clyde: We’re two years into it. Specifically, the products are IT and Cyber Risk Management, IT and Cyber Compliance Management, and Policy and Document Management. All of our initial use cases are security use cases: security compliance, security risk, FedRAMP compliance, and security policies.
Clyde: We have this challenge with silos: we have security, privacy, internal audit, ERM, IT, and legal. The challenge that I see here is understanding and being informed when something is happening in any of these areas that affects me as a GRC implementation person. To address this challenge, we are just learning how to do interdisciplinary working groups.
An example of this is our initiative to put together an information asset inventory, which is a requirement for ISO and other frameworks. This information asset inventory includes all organizational databases, EC2s, containers, and much more. To do it right, one should collect this data from other systems. But the challenge is determining the authoritative sources of truth and what the systems are, what data is in them, and then normalizing them if they're coming from multiple systems.
In such a situation, one should piggyback on other data consolidation efforts. And that's one thing that I've learned while putting together these interdisciplinary groups. I am communicating with these groups, and they have similar initiatives going on. So, I can put my requirements in there as they might have bigger teams for doing these things.
Another challenge is that we have some processes that are mature and some that are immature. MetricStream already has a lot of these workflows out of the box. Therefore, you have an opportunity to just use that as your process and have perfect alignment between your technology and your process, which is rare to have.
Clyde: Regarding business value that we have realized:
Going forward, our priorities include end-to-end compliance testing, integrated control framework, automated evidence collection, and security policy management lifecycle.
Join us at our upcoming GRC Summit 2024 in Baltimore on June 17-18 to explore other real-world GRC implementation stories.