Download this case study to learn how a financial services major improved IT compliance visibility, maturity, and sustainability using MetricStream’s automated IT compliance management solution.
When you’re one of the world’s leading financial services companies, it is imperative to comply with the IT regulations that affect enterprise operations. You need to manage IT compliance risks effectively while tracking and testing all relevant controls. That can be a massive, time-consuming, and complex endeavor, especially when you have millions of assets and thousands of processes for which 1,000+ IT controls across multiple regulatory frameworks need to be tested regularly.
The key questions you need to ask are: How do you build and maintain a common IT risk and control taxonomy across the organization? How do you automate the control testing process and the subsequent reporting? How do you deliver a real-time view of IT compliance risks to your top management? These were a few of the concerns that the global financial services major faced. Being in a highly regulated line of business with constantly changing customer demands and technologies, the company needed to automate IT control testing as part of its DevOps process. To do that, it needed to define its compliance risk limits, align its first line of defense, and establish a scalable and mature compliance testing process.
Drawbacks of Traditional Approaches: It started in the year 2015 when the Securities and Exchange Commission (SEC) adopted a new regulation on systems compliance and integrity (SCI) which required self-regulatory organizations (SROs) to improve resilience by reducing the occurrence of system issues, and accelerating recovery from technology disruptions.
To comply with the regulation, the company began testing its IT controls with scripts that were run manually. However, this approach led to numerous business concerns, as the testing process was resource intensive and time-consuming, and had to be backed by adequate support plans.
Further challenges arose during compliance risk assessments. Given the sheer number of internal controls in place, it became difficult for the company to calculate inherent risks, and then evaluate the strength of the controls to determine residual risks. In addition, risk reporting processes were largely siloed, thus slowing down the overall decision-making process.
Because of these challenges, the company began assessing various IT compliance solutions in the market. They eventually selected the MetricStream solution for IT compliance management that would enable the company to strengthen compliance not only with SCI requirements, but also with a wide range of other IT regulations and associated risks.
Mitigating IT Compliance Risks: With the MetricStream solution, the company has been able to streamline and automate their IT compliance management workflows, while consolidating compliance data in a centralized repository for optimal visibility. Users can also map compliance controls, policies, and assessments in an integrated structure.
The solution simplifies the process of scheduling and conducting automated IT control tests based on pre-defined criteria and checklists. It also accelerates IT compliance risk assessments, enabling the company to efficiently calculate inherent and residual risks in the first line of defense.
Improving Efficiency through Automation: To push the control testing details from the MetricStream solution to an automated testing tool or framework, the solution was configured to integrate with an external testing tool named Selenium. The integration was performed by the MetricStream solution’s data integration engine, Infolets, through a secure file transfer protocol (SFTP) process to ensure the secure transfer of inbound and outbound data.
The implemented solution is agnostic to the automation tool or framework and can therefore be integrated with any automated testing tool.
Business Benefits: The solution enables the company to continue leveraging existing automation tools without the need to switch to a new one. The underlying MetricStream GRC Platform also provides an enterprise view of the control testing results.
Technology Integration Details: Scripts are executed through a pre-defined algorithm to identify evidence of controls. The Selenium automation server then updates the evidence with all required findings. To keep track of tasks, the automation server records all the activities and sends the final attachment as an inbound file to the MetricStream solution. The solution then applies those results to a specific task within a test plan, so that a test analyst or control tester can view the summary and check whether the control test results are a pass or a fail. Detailed reports are also generated so that different stakeholders within the company can view the results.
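The ingestion step described above (an inbound results file arriving from the automation server, applied to tasks within a test plan, then rolled up to a per-control pass/fail) is illustrated by the following added example. It is not MetricStream's or the company's code; the CSV layout, the control and task identifiers, and the out-of-band digest used to verify the transferred file are all constructed assumptions, since the case study does not specify the file format.

```python
import csv
import hashlib
import io

# Constructed sample of an inbound results file from the automation server.
# The column layout is an assumption; the page does not specify the format.
INBOUND_FILE = (
    "test_id,control_id,result,evidence_ref\n"
    "T-1001,IT-AC-001,PASS,evidence/T-1001.log\n"
    "T-1002,IT-AC-001,FAIL,evidence/T-1002.log\n"
    "T-1003,IT-CM-004,PASS,evidence/T-1003.log\n"
    "T-9999,IT-CM-004,PASS,evidence/T-9999.log\n"   # task not in the test plan
    "T-1004,IT-LG-002,MAYBE,evidence/T-1004.log\n"  # result value not allowed
)

# Constructed test plan: task id -> the control that task tests (hypothetical ids).
TEST_PLAN = {"T-1001": "IT-AC-001", "T-1002": "IT-AC-001",
             "T-1003": "IT-CM-004", "T-1004": "IT-LG-002"}

def sha256_hex(data: str) -> str:
    return hashlib.sha256(data.encode("utf-8")).hexdigest()

def ingest_results(inbound: str, expected_sha256: str, test_plan: dict) -> dict:
    """Verify the transferred file against a digest received separately, then
    apply each row to its test-plan task. Rows that name an unknown task, a
    control that does not match the task, or a result other than PASS/FAIL are
    rejected rather than silently applied."""
    if sha256_hex(inbound) != expected_sha256:
        raise ValueError("inbound file digest mismatch; refusing to apply results")
    applied, rejected = {}, []
    for row in csv.DictReader(io.StringIO(inbound)):
        tid, cid, res = row["test_id"], row["control_id"], row["result"]
        if tid not in test_plan:
            rejected.append((tid, "task not in test plan"))
        elif test_plan[tid] != cid:
            rejected.append((tid, "control id does not match task"))
        elif res not in ("PASS", "FAIL"):
            rejected.append((tid, "result must be PASS or FAIL"))
        else:
            applied[tid] = res
    return {"applied": applied, "rejected": rejected}

def control_summary(applied: dict, test_plan: dict) -> dict:
    """Roll task results up per control: a control passes only if every task
    planned for it was applied and passed; a missing or failed task fails it."""
    ok_by_control = {}
    for tid, cid in test_plan.items():
        ok_by_control[cid] = ok_by_control.get(cid, True) and applied.get(tid) == "PASS"
    return {cid: "PASS" if ok else "FAIL" for cid, ok in ok_by_control.items()}
```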
Enhancing Visibility into IT Compliance Risk Assessments: The company now has a robust reporting and dashboard engine to gain a 360-degree, real-time view of IT compliance risks across the enterprise. The tool enables them to create user-configurable executive reports and dashboards based on their specific business requirements.
Stakeholders within the company can now make faster decisions based on risks that have a high potential impact on business operations. They can also generate comprehensive reports of self-assessments with visibility into key risk indicators (KRIs), assessment results, and compliance initiatives. All these insights enable the company to maintain sustainable compliance with various IT regulations, while minimizing risks and any other issues that arise.