After evaluating multiple IT GRC solution providers, the client chose MetricStream to provide a single, integrated solution that would help them manage a range of IT GRC needs, including security, policy management, IT risk and IT control frameworks, compliance assessments, continuous monitoring, certifications, and reporting.
Using the MetricStream Solution, the client has been able to streamline, automate, and standardize their IT GRC processes and controls, thereby improving productivity and saving both costs and time. The Solution scales across the enterprise, integrating fragmented IT GRC activities and data in a single point of reference. This holistic approach facilitates efficient utilization of IT resources and minimizes redundancies in effort. It also helps ensure that the company’s resources are focused on the IT risk and compliance issues that have the most urgency and, potentially, the greatest impact on the business.
Below are the key capabilities of the IT GRC Solution that are benefiting the client:
Centralized IT GRC Information Repository
The MetricStream Solution offers a central repository to maintain all IT risk and control assessments, as well as IT controls, standards, policies, and documents. The underlying flexible data model helps in mapping these data entities together in a many-to-many fashion. Integrated across the enterprise, the web-based repository makes it easy for users across locations to quickly browse, locate, and compare IT GRC information through intuitive data search and access tools.
Mapping of IT Compliance and Controls
The Solution enables the client to define and maintain a centralized, highly mapped structure of their IT compliance and control hierarchy, including IT assets and processes, associated risks, controls to mitigate the risks, and programs to assess the controls. The Solution also links associated policies, procedures, reporting requirements, and regulatory filing templates and schedules. This flexible relational data model enables the client to better understand the relationships between various IT GRC data elements and the way they all tie together to impact the business.
Integration with Unified Compliance Framework
The Solution integrates with the Unified Compliance Framework (UCF) – a comprehensive library that maps more than 9,000 IT control statements to more than 1,200 regulations, standards, and frameworks, including PCI DSS, COBIT, and SOX. Through the UCF integration, the client has been able to harmonize IT controls, minimize redundancies, and simplify compliance with regulations and standards.
The UCF content includes: 9,300+ Control Statements, Audit Guidelines, Citations, Configurable Items (CIs), Policy Statement Content, Research Sites List, Authority Documents List, Metrics, Roles Definitions, Monitored Events, and Compliance Document Templates.
Control Surveys and Self-Assessments
The Solution facilitates a systematic and consistent approach to IT control surveys and self-assessments. Users can easily create survey questionnaires using the intuitive forms and workflows in the Solution. The surveys are then distributed to the relevant personnel with the help of automated alerts and notifications sent out by the Solution. Once the respondents fill in the survey, the data is routed by the Solution for review and approval.
Certifications and Issue Tracking
Through the MetricStream Solution, certification and sub-certification tasks can be triggered to various control owners. Users can select multiple controls while setting up the certification plans. During the certification process, compliance managers can view the tasks and test results across the enterprise in real time. They can also track all open and outstanding control issues, as well as planned corrective actions.
The MetricStream Solution is equipped with powerful dashboards, heat maps, and scorecards which provide a comprehensive, real-time view of the client’s IT GRC program. Drill-down capabilities enable the client to view data at finer levels of detail, and identify areas of concern and opportunity. The Solution also generates IT compliance and risk status reports for multiple regulations and frameworks at the departmental level, business division level, and organizational level.