The Client: A Leading Social Networking Company



As Internet-based businesses build and scale their operations, protecting their users' information and their own IT infrastructure becomes increasingly important. Recent high-profile breaches at leading Internet companies have made information security a major concern, and many Internet-based businesses now see the value of using technology to build and sustain robust information security and IT risk management programs that protect them from emerging cyber threats.

A leading Internet-based social networking company recently selected the MetricStream IT GRC Solution to improve its overall information security and risk management program. The client's rapidly growing user base and large-scale IT infrastructure, made up of thousands of servers around the world, make the organization a large and attractive target for cyber threats.


After an extensive evaluation of solutions in the market, the client selected the MetricStream IT GRC solution to facilitate information security risk analysis and to establish a comprehensive risk management program. That program includes automated vendor security assessments, compliance with regulatory requirements, and customizable dashboards and reports tailored to individual user needs across job levels.

The client chose MetricStream for its robust platform architecture coupled with specific functional applications, which together enable the organization to manage its regulatory and compliance requirements and policies while driving a culture of proactive IT risk management. The MetricStream IT GRC Solution supports an integrated, organization-wide IT risk, compliance, and policy management program, and is used by information security and internal audit teams across the organization and around the world.

The MetricStream applications allow the client to better manage its IT risks and strengthen its security controls, helping to protect the organization's IT infrastructure from constant threats and vulnerabilities.

The MetricStream applications used by the client include:


Threat and Vulnerability Management Application

The MetricStream Threat and Vulnerability Management Application provides a comprehensive framework for managing information security risks. It aggregates and correlates large volumes of information security data generated by the client's existing security solutions. Because that data is siloed in different tools and delivered in different formats, manual correlation is difficult. The application streamlines the process by integrating with a variety of third-party security tools and solutions at the customer site, providing a centralized view of information correlated within established risk and control frameworks, with business context (asset owner, environment, criticality) added to each finding.


  • Aggregates security intelligence from a wide variety of sources such as:
    • Vulnerability Assessment Tools for Applications and Network
    • CMDB
    • SIEM and Log Analysis
    • DLP
    • Vulnerability / Patching Bulletins
    • Threat Advisories
  • Correlates the gathered information with enterprise assets, assesses relevancy, conducts risk assessments, and drives reporting and remediation management
  • Integrates and correlates security to risk and control frameworks
  • Automates workflows for remediation management
  • Provides bi-directional integration with IT operations
  • Delivers real-time dashboards for threat intelligence from across the organization
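The correlation step described above (scanner findings joined to CMDB asset records and threat advisories, with duplicates from multiple tools collapsed and business context applied) is easy to state and easy to get wrong. The following is an added example, not MetricStream code: the scanner output, CMDB extract, advisory list and scoring weights are all constructed for illustration, and the weighting scheme is an assumption rather than a published method. The point it makes is that once business context and exploitation intelligence are applied, the raw CVSS ordering changes, and findings on hosts missing from the CMDB are surfaced separately because their relevancy cannot be assessed.

```python
"""Correlate vulnerability-scanner findings with CMDB asset context.

Added example, not MetricStream code. All data below is constructed for
illustration; the scoring weights are assumptions, not a published method.
"""

# Constructed findings from two hypothetical scanners.
# Note the same CVE on web-01 reported by both tools.
SCANNER_FINDINGS = [
    {"tool": "netscan", "host": "web-01",  "cve": "CVE-2021-0001", "cvss": 9.8},
    {"tool": "appscan", "host": "web-01",  "cve": "CVE-2021-0001", "cvss": 9.8},
    {"tool": "netscan", "host": "db-01",   "cve": "CVE-2021-0002", "cvss": 7.5},
    {"tool": "netscan", "host": "lab-07",  "cve": "CVE-2021-0003", "cvss": 9.0},
    {"tool": "netscan", "host": "ghost-3", "cve": "CVE-2021-0004", "cvss": 5.0},
]

# Constructed CMDB extract: the business context scanners do not have.
CMDB = {
    "web-01": {"owner": "platform", "env": "prod", "criticality": "high", "internet_facing": True},
    "db-01":  {"owner": "data",     "env": "prod", "criticality": "high", "internet_facing": False},
    "lab-07": {"owner": "research", "env": "lab",  "criticality": "low",  "internet_facing": False},
}

# Constructed threat advisory: CVEs reported as exploited in the wild.
ACTIVELY_EXPLOITED = {"CVE-2021-0002"}

# Assumed weights: how much an asset's business criticality scales the score.
CRITICALITY_WEIGHT = {"high": 1.0, "medium": 0.6, "low": 0.3}


def dedupe(findings):
    """Collapse the same (host, cve) reported by several tools into one record."""
    merged = {}
    for f in findings:
        key = (f["host"], f["cve"])
        rec = merged.setdefault(
            key, {"host": f["host"], "cve": f["cve"], "cvss": f["cvss"], "tools": set()}
        )
        rec["tools"].add(f["tool"])
        rec["cvss"] = max(rec["cvss"], f["cvss"])  # keep the worst score seen
    return list(merged.values())


def score(rec, asset, exploited):
    """Assumed scoring: CVSS scaled by criticality, exposure and exploitation."""
    value = rec["cvss"] * CRITICALITY_WEIGHT[asset["criticality"]]
    if asset["internet_facing"]:
        value *= 1.5
    if rec["cve"] in exploited:
        value *= 2.0
    return round(value, 2)


def prioritize(findings, cmdb, exploited):
    """Return (ranked findings with business context, findings on unknown assets)."""
    ranked, unmatched = [], []
    for rec in dedupe(findings):
        asset = cmdb.get(rec["host"])
        if asset is None:
            # No CMDB record: relevancy cannot be assessed, so route for triage
            # rather than silently dropping or mis-scoring it.
            unmatched.append(rec)
            continue
        ranked.append({
            **rec,
            "owner": asset["owner"],
            "env": asset["env"],
            "score": score(rec, asset, exploited),
        })
    ranked.sort(key=lambda r: r["score"], reverse=True)
    return ranked, unmatched


if __name__ == "__main__":
    ranked, unmatched = prioritize(SCANNER_FINDINGS, CMDB, ACTIVELY_EXPLOITED)
    for r in ranked:
        print(f"{r['score']:>6}  {r['host']:<8} {r['cve']}  owner={r['owner']} tools={sorted(r['tools'])}")
    for u in unmatched:
        print(f"UNKNOWN ASSET  {u['host']} {u['cve']} (not in CMDB)")
```

Run as written, db-01 ranks first even though its CVSS is the lowest of the production findings, because the advisory marks its CVE as actively exploited; the lab host with a 9.0 drops to the bottom; and ghost-3 is reported as an asset the CMDB does not know about, which is itself a finding worth an owner.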


Risk Management Application

The MetricStream Risk Management Application provides a centralized risk framework that allows the client to better manage its risks. Configurable methodologies and algorithms give a clear view of the organization's risk profile, allowing management to identify, manage, and make informed decisions about risk. The client can analyze risks through configurable scenarios built on historic data, as well as quantitative assessments backed by a statistical analysis package. The application also supports leading frameworks such as FAIR and COBIT for risk assessment and provides comprehensive workflows for remediation management.
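The paragraph above names FAIR and scenario-based quantitative assessment without showing what such an assessment computes. The following added example (not MetricStream code) illustrates the core of a FAIR-style estimate: loss event frequency and loss magnitude are given as calibrated min / most-likely / max ranges, and a Monte Carlo simulation turns them into a distribution of annual loss from which a mean and a tail percentile can be read. The input ranges, the number of simulated years and the use of triangular distributions are assumptions chosen for illustration; the standard library is sufficient, so it runs offline.

```python
"""FAIR-style annual loss simulation (added example, not MetricStream code).

Inputs are (min, most_likely, max) triangular estimates, the kind of calibrated
range a risk analyst records for a scenario. The specific numbers are assumed.
"""
import math
import random
import statistics


def _tri(rng, estimate):
    """Draw from a triangular distribution given as (min, most_likely, max)."""
    lo, mode, hi = estimate
    return rng.triangular(lo, hi, mode)  # random.triangular takes (low, high, mode)


def _poisson(rng, lam):
    """Knuth's Poisson sampler; adequate for the small event rates used here."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_loss(lef, lm, years=10_000, seed=1):
    """Simulate `years` of a scenario.

    lef: loss event frequency per year as (min, most_likely, max)
    lm:  loss magnitude per event as (min, most_likely, max), in currency units
    Returns summary statistics of the annualized loss distribution.
    """
    rng = random.Random(seed)  # fixed seed so results are reproducible
    losses = []
    for _ in range(years):
        rate = _tri(rng, lef)                # this year's expected event rate
        events = _poisson(rng, rate)         # how many events actually occur
        losses.append(sum(_tri(rng, lm) for _ in range(events)))
    losses.sort()

    def pct(q):
        return losses[min(len(losses) - 1, int(q * len(losses)))]

    return {
        "mean": statistics.mean(losses),
        "p50": pct(0.50),
        "p90": pct(0.90),
        "p99": pct(0.99),
        "prob_no_loss": sum(1 for x in losses if x == 0) / len(losses),
    }


# Constructed scenario: an assumed 0.1 to 2 incidents a year (most likely 0.5),
# each costing an assumed 10k to 500k (most likely 50k).
EXAMPLE_LEF = (0.1, 0.5, 2.0)
EXAMPLE_LM = (10_000, 50_000, 500_000)

if __name__ == "__main__":
    result = simulate_annual_loss(EXAMPLE_LEF, EXAMPLE_LM)
    for key, value in result.items():
        print(f"{key:>13}: {value:,.2f}")
```

The mean is the annualized loss expectancy, but the p90 and p99 values are what a risk committee usually needs, because a scenario with a modest mean can still carry a tail that exceeds a control's cost many times over. Replacing the triangular draws with log-normal ones, or sampling threat event frequency and vulnerability separately as full FAIR does, fits the same structure.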


Vendor Security Assessment Application

The MetricStream Vendor Security Assessment Application enables the client to manage and mitigate vendor risks by streamlining the end-to-end vendor management process. It uses the Consensus Assessments Initiative Questionnaire (CAIQ) from the Cloud Security Alliance (CSA) to assess risks related to cloud-based vendors, and it continuously monitors and evaluates each vendor against the client's policies and controls so that gaps are surfaced as they arise rather than only at the next review.


Compliance Management Application

The MetricStream Compliance Management Application provides a common and integrated framework for managing various compliance requirements, including PCI DSS, ISO 27001/2, and COBIT. Through its partnership with the Unified Compliance Framework (UCF), the MetricStream solution also provides a library of over 5000 "harmonized" IT control statements mapped to over 800 authority documents. This lets the client standardize on the smallest possible set of controls that satisfies all of its regulatory requirements and manage the whole compliance process efficiently.


Issue Management Application

The MetricStream Issue Management Application enables the client to establish a consistent process around issue capture, loss event tracking, task management, and issue status reporting. Powerful analytics and robust issue tracking and reporting functionalities provide real-time visibility into the organization, and reduce the risk of non-compliance.


The client's information security and risk management processes were siloed, which made gathering information, correlating data, and maintaining a 360-degree risk management program very challenging. The client also needed to manage risks from hundreds of vendors providing a diverse set of services. With a growing user base, expanding IT infrastructure, and increasing cyber threats, the client needed a way to scale its information security and risk management processes alongside its operations.

The client was looking for a solution that could aggregate, correlate, and analyze data from across the organization; automate workflows around information security, risk management, control assessments, technical control testing, and vendor security assessments; and ensure compliance with regulations and standards such as PCI DSS and ISO 27001/2. The solution also needed to support a more comprehensive data collection and management function, facilitating the reporting and distribution of that data across the organization.


Why the Company Selected MetricStream

  • Extensive domain expertise and experience in helping Internet-based companies overcome the entirety of their IT GRC challenges
  • A robust IT GRC platform with a broad set of functional module applications around IT risk management
  • Seamless integration with existing IT security and control monitoring tools
  • A balance of sophisticated tools and capabilities with an intuitive, easy-to-use interface



  • Single Platform to Manage Information Security, Risk and Compliance
    The solution provides a single, unified platform for collecting, analyzing, and sharing security and risk data from across the organization. Information security, risk, and compliance are managed on that one platform against a common data set, so stakeholders get real-time information that supports strategic decision making.
  • Improved Visibility into Risks
    The MetricStream IT GRC Solution works on top of the client’s security tools and solutions, aggregating inputs, and providing actionable risk intelligence that allows stakeholders to proactively identify and assess areas of concern based on qualitative and quantitative factors.
  • Stronger Compliance with Regulatory Requirements and Policies
    The MetricStream solution integrates all regulatory and internal compliance requirements, processes, and responsible entities into a single framework. In doing so, it helps simplify compliance management, eliminate redundancies, and improve compliance accountability.