The Client: A Leading Social Networking Company
As Internet-based businesses build and scale their operations, the need to protect their users’ information and their own IT infrastructure becomes increasingly important. Information security is a major concern, as recent high-profile breaches at leading Internet companies have demonstrated, and many Internet-based businesses see the value of using technology to build and sustain robust information security and IT risk management programs that protect them from emerging cyber threats.
A leading Internet-based social networking company recently selected the MetricStream IT GRC Solution to improve its overall information security and risk management program. The client’s rapidly growing user base and large-scale IT infrastructure, made up of thousands of servers around the world, make the organization highly vulnerable to cyber threats.
After an extensive evaluation of various solutions in the market, the client selected the MetricStream IT GRC solution to facilitate information security risk analysis and establish a comprehensive risk management program. The program included automation of vendor security assessments, compliance with regulatory requirements, and powerful, customizable dashboards and reports tailored to individual user needs across job levels.
The client chose MetricStream for its robust platform architecture coupled with specific functional applications, all of which enable the organization to manage its regulatory and compliance requirements, and policies while driving forward a culture of proactive IT risk management. The MetricStream IT GRC Solution supports an integrated, organization-wide IT risk, compliance, and policy management program, and is used by information security and internal audit teams across the organization, and around the world.
Various MetricStream applications allow the client to better manage their IT risks and strengthen their security controls, all of which helps to protect the organization’s overall IT infrastructure from constant threats and vulnerabilities.
The MetricStream applications used by the client include:
The MetricStream Threat and Vulnerability Management Application provides a comprehensive framework for managing information security risks. It facilitates the aggregation and correlation of large volumes of information security data generated by multiple existing security solutions. Data that is siloed and delivered in differing formats makes manual correlation especially difficult. The MetricStream Threat and Vulnerability Management Application streamlines the process by integrating with a variety of third-party security tools and solutions at the customer site. This capability provides a centralized view of information correlated within established risk and control frameworks, while also adding business context to that information.
The MetricStream Risk Management Application provides a centralized risk framework that allows the client to better manage its risks. Configurable methodologies and algorithms provide a clear view of the organization’s risk profile, allowing management to better identify, manage, and ultimately thrive on risk. The client can analyze risks using configurable scenarios built on historic data, as well as quantitative assessments backed by a powerful statistical analysis package. The application also supports leading risk assessment frameworks such as FAIR and COBIT and provides comprehensive workflows for remediation management.
The MetricStream Vendor Security Assessment Application enables the client to manage and mitigate vendor risks by streamlining the end-to-end vendor management process. The solution leverages the Consensus Assessments Initiative Questionnaire (CAIQ) from the Cloud Security Alliance (CSA) to help manage risks related to cloud-based vendors, and it continuously monitors and evaluates each vendor against the client’s policies and controls to ensure compliance at all times.
The MetricStream Compliance Management Application provides a common and integrated framework for managing various compliance requirements, including PCI-DSS, ISO 27001/2, and COBIT. Through its partnership with the Unified Compliance Framework (UCF), the MetricStream solution also provides a library of over 5000 “harmonized” IT control statements mapped to over 800 authority documents. This helps the client standardize on the smallest possible set of controls that meets all of its regulatory requirements and efficiently manage the whole compliance process.
The MetricStream Issue Management Application enables the client to establish a consistent process around issue capture, loss event tracking, task management, and issue status reporting. Powerful analytics and robust issue tracking and reporting functionality provide real-time visibility across the organization and reduce the risk of non-compliance.
The client’s information security and risk management processes were siloed, which made gathering information, correlating data, and ensuring a 360-degree risk management program very challenging. The client also needed to manage risks from hundreds of vendors providing a diverse set of services. With a growing user base, expanding IT infrastructure, and increasing cyber threats, the client needed a way to scale its information security and risk management processes alongside its operations.
The client was looking for a solution that could aggregate, correlate, and analyze data from across the organization; automate workflows around information security, risk management, control assessments, technical control testing, and vendor security assessments; and ensure compliance with regulations and standards such as PCI DSS and ISO 27001/2. The solution also needed to support a more comprehensive data collection and management function, facilitating the reporting and distribution of that data across the organization.
Extensive domain expertise and experience in helping Internet-based companies overcome the full range of their IT GRC challenges
Provides a robust IT GRC platform with a broad set of functional module applications for IT risk management
Seamlessly integrates with existing IT security and control monitoring tools
Balances sophisticated tools and capabilities with an intuitive, easy-to-use interface