The university, one of Australia’s largest public research institutions, has been fortifying its IT governance structures across various boards, executive teams, and faculties. Being a premier global research hub, the university is expected to maintain robust information security defenses that can withstand regulatory scrutiny.
A while ago, the institution wanted to renew its ISO 27001 certification, while also ensuring compliance with NIST SP 800-53. However, existing legacy tools no longer served the purpose. They were becoming increasingly fragmented, required significant manual intervention, did not scale well, and did not provide timely visibility into IT compliance and IT risks.
As the focus on information security compliance grew, the university realized it would need a more automated, integrated, and scalable tool to strengthen its IT
The university has multiple directorates that look after the operations of hundreds of faculties or departments. Some departments have mid-sized data centers, while others, specifically in Life Sciences, deal with much larger volumes of personally identifiable information (PII) and protected health information (PHI).
Earlier, each department had its own separate structures and formats to collect, store, and report IT compliance and risk data. This fragmented approach made it challenging to coordinate IT GRC processes, or to gain a unified view of IT risks. In all, there were 45+ IT risks that needed to be assessed and monitored as efficiently as possible.
Most IT GRC processes were handled manually on basic spreadsheets, emails, and ticket management tools. But as more faculty members got involved in IT compliance and risk assessments, it became increasingly difficult to manually gather and consolidate data from hundreds of stakeholders, many of whom had no IT security background. Reporting and decision-making processes slowed down. In addition, the university’s responsiveness to certain IT security crises was impacted.
As a result, the institution turned to MetricStream to help automate and scale up its approach to IT GRC. Stakeholders wanted an integrated system that would strengthen coordination on IT GRC processes, while also improving visibility into ISO 27001 control status and risk assessment results.
Today, MetricStream’s integrated IT GRC solution has enabled the university to streamline, automate, and strengthen collaboration on IT compliance and IT risk management processes. The solution is used across the institution to enhance compliance with ISO 27001 and NIST SP 800-53, as well as to manage vulnerabilities in the IT infrastructure.
The underlying GRC platform maps IT compliance requirements, control tests, processes, assets, risks, and other GRC elements in an integrated framework. This makes it easier for stakeholders to understand how all these data elements interact with and impact each other. Powerful reporting tools offer real-time visibility into the status of IT compliance and IT risks, enabling users to make well-informed decisions.
MetricStream delivered the final solution in production just eight weeks after the project kick-off. That included onboarding the university onto the GRC platform, uploading organizational information, populating the necessary datasets for IT GRC, and developing a handful of the university’s staff into MetricStream champions.
The solution has helped the university strengthen compliance with ISO 27001 and NIST SP 800-53. The tool streamlines IT compliance surveys, certifications, and self-assessments, thereby minimizing redundancies. It also accelerates control testing, enabling users to efficiently score, tabulate, and report the results.
Any IT compliance issues that arise can be systematically and collaboratively addressed through the solution’s inbuilt workflows. Moreover, MetricStream’s integration with the Unified Compliance Framework (UCF) has helped the university harmonize controls across various compliance requirements, thereby saving effort and costs.
With the MetricStream solution, the university is able to much more quickly assess, monitor, and manage 45+ IT risks across hundreds of faculties with thousands of staff members. The solution imports IT risk and vulnerability data from various existing tools, including a vulnerability scanner at the university. This data is then efficiently routed to the risk management team for analysis and action.
The system also strengthens visibility into IT assets that store sensitive data. It generates a combined risk rating across each asset’s vulnerability and business context, thereby allowing the associated risks to be assessed and monitored effectively. It has also enabled a set of rules to automatically assign and mitigate the vulnerabilities identified by the scanning tool. Graphical risk heat maps, reports, and dashboards aggregate IT risk data and metrics for comprehensive visibility.