For any retailer, data security is a major concern. But when one has hundreds of retail outlets, as well as thousands of customers and third-party vendors, the security risks are considerably amplified, as the retailer in this case study realized. To effectively secure their data, the company needed a real-time, unified view of cybersecurity risks and compliance.
With a gold mine of sensitive, confidential, and personally identifiable information (PII), the retailer had to maintain stringent security controls in compliance with requirements such as the Payment Card Industry Data Security Standard (PCI-DSS). One small data breach and the organization stood to lose millions of dollars in financial losses, compliance penalties, customer trust, and more.
Real-time, integrated visibility into cyber risks became increasingly essential for the senior leadership team to understand the organization’s risk profile, and to respond proactively to emerging threats. Their key objectives were to identify priority risks across the organization while ensuring that the business was meeting various compliance objectives and strategic goals. They also needed to determine if sufficient policies and standard operating procedures (SOPs) were available from a governance perspective.
To achieve these objectives, the company set out to build an effective cybersecurity program that would meet their business objectives and customer demands. To enable and support this program, the retailer adopted MetricStream’s integrated IT GRC solution with capabilities for IT risk management, IT compliance management, and third-party risk management.
With MetricStream IT and Cyber Risk Management, the retailer has been able to facilitate a systematic and integrated approach to IT and cyber risk documentation, risk assessments, control management, and issue detection, as well as risk/ threat analysis and reporting. The product enables the senior-most leadership, C-suite members, board members, and external stakeholders to prioritize and align IT and cyber risks to business risks. Advanced reports and dashboards provide a real-time view of the risks, enabling senior stakeholders to make well-informed decisions.
Using the MetricStream IT and Cyber Compliance Management, the retailer can efficiently manage all compliance requirements related to PCI-DSS and the Sarbanes Oxley Act (SOX). It supports the process of harmonizing control sets across multiple IT regulations. It also helps in scheduling assessments and performing control tests.
With a built-in reporting and dashboard engine, the product provides a holistic and enterprise-wide view of IT compliance risks across the retailer’s enterprise. Graphical charts help in tracking the IT compliance status and evaluating levels of compliance with various mandates. Users can also obtain alerts, notifications, and updates on IT regulatory content and actionable insights from various industry standard feeds and online sources.
From a governance perspective, the company plans to use the product to create and align IT policies and standards to specific industry regulations, while also measuring compliance levels and any potential impediments or risks.
• Protect employee, customer, and third-party data
• Deliver a real-time view of cybersecurity compliance and risks
• Improved efficiency through a centralized approach to cybersecurity risk and compliance management
• Enhanced visibility into IT compliance risks
• Fostered a strong culture of cyber risk awareness and accountability across the enterprise
The MetricStream Third-Party Risk Management has given the retailer a consolidated system to manage third-party risks. The product supports third-party/ vendor information management, risk assessments, continuous monitoring, and risk mitigation. It also helps monitor vendors in line with internal and external compliance requirements during the pre-qualification process, as well as on a continuous basis.
Users gain real-time visibility into third-party profiles and potential risks. The product auto-recommends the schedule and frequency of vendor risk assessments for critical/material vendors based on the risk insights. Meanwhile, a built-in reporting engine automatically consolidates risk data from across the vendor network, and populates risk reports. This helps the retailer analyze and compare vendor risks and issues at the enterprise level.
The retailer now plans to expand their GRC journey by applying the core capabilities provided by MetricStream towards developing a strong GRC culture that is aligned with their business objectives. This way, they can create a common understanding of GRC within the enterprise, and also deliver better governance, while strengthening security and risk management programs.