It started in 2015, when the Securities and Exchange Commission (SEC) regulation on Systems Compliance and Integrity (Regulation SCI) took effect. The regulation requires self-regulatory organizations (SROs) to improve resilience by reducing the occurrence of systems issues and by recovering faster from technology disruptions.
To comply with the regulation, the company began testing its IT controls with scripts that were run manually. This approach raised a number of business concerns: the testing process was resource-intensive and time-consuming, and every manual run had to be backed by adequate support plans.
Further challenges arose during compliance risk assessments. Given the sheer number of internal controls in place, it was difficult for the company to calculate inherent risk and then evaluate the strength of the controls to arrive at residual risk. In addition, risk reporting was largely siloed, which slowed down decision-making across the organization.
Because of these challenges, the company assessed the IT compliance solutions available in the market. It eventually selected the MetricStream IT compliance management product, which would let the company strengthen compliance not only with SCI requirements but also with a wide range of other IT regulations and their associated risks.
With the MetricStream IT and Cyber Risk Compliance product, the company has been able to streamline and automate its IT compliance management workflows while consolidating compliance data in a centralized repository for better visibility.
Users can also map compliance controls, policies, and assessments into one integrated structure. The product simplifies scheduling and running automated IT control tests against pre-defined criteria and checklists. It also accelerates IT compliance risk assessments, so the company can efficiently calculate inherent and residual risk in the first line of defense.
Improved IT compliance maturity and sustainability
Reduced compliance costs due to automated control testing
Increased effectiveness of the internal control environment
Enhanced visibility into IT compliance risks
The implemented product is agnostic to the automation tool or framework and can therefore be integrated with any automated testing tool.
This lets the company keep using its existing automation tools rather than switching to a new one. The underlying MetricStream Platform also provides an enterprise-wide view of control testing results.
Scripts are executed according to a pre-defined schedule to collect evidence that each control is operating. The Selenium automation server then updates that evidence with all required findings. To keep track of tasks, the automation server logs every activity it performs and sends the final evidence attachment to the MetricStream product as an inbound file.
The results are then applied to a specific task within a test plan, where a test analyst or control tester reviews the summary and confirms whether the control test passed or failed. Detailed reports are also generated so that different stakeholders in the company can view the results.
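The flow described above, as an added illustration that is not part of the original case study and not MetricStream's or Selenium's own code: a scheduled set of control tests runs against a constructed snapshot of system settings (standing in for what a Selenium script would read off an admin console), records an activity log per test, serialises the evidence as an inbound file, and maps that file onto test-plan tasks as pass or fail. The control and test identifiers, the task identifiers, and the JSON layout of the inbound file are assumptions for this example, not MetricStream's actual inbound format. Two edge cases a control tester cares about are handled explicitly: a plan task with no evidence is flagged rather than defaulting to a pass, and a test whose control surface is missing altogether is recorded as a failure.

```python
"""Tool-agnostic control-test evidence pipeline (constructed example)."""
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import Any

# Constructed snapshot of system settings; a Selenium run would read these
# values from an admin console instead.
SAMPLE_STATE = {
    "password_policy": {"min_length": 14, "max_age_days": 90},
    "mfa": {"enforced_for_admins": True, "enforced_for_all": False},
    "backup": {"last_success_hours_ago": 30, "rto_hours": 4},
}

# Each control test returns (observed value, expected value, passed) and
# appends what it did to the activity log.
def check_password_min_length(state: dict, log: list[str]) -> tuple[Any, str, bool]:
    observed = state["password_policy"]["min_length"]
    log.append(f"read password_policy.min_length={observed}")
    return observed, ">= 12", observed >= 12

def check_admin_mfa(state: dict, log: list[str]) -> tuple[Any, str, bool]:
    observed = state["mfa"]["enforced_for_admins"]
    log.append(f"read mfa.enforced_for_admins={observed}")
    return observed, "True", observed is True

def check_backup_recency(state: dict, log: list[str]) -> tuple[Any, str, bool]:
    observed = state["backup"]["last_success_hours_ago"]
    log.append(f"read backup.last_success_hours_ago={observed}")
    return observed, "<= 24", observed <= 24

# Pre-defined schedule: (control id, test id, test function). Identifiers are
# hypothetical.
TEST_SCHEDULE = [
    ("AC-7", "T-PWD-LEN", check_password_min_length),
    ("IA-2", "T-MFA-ADMIN", check_admin_mfa),
    ("CP-9", "T-BKP-RECENT", check_backup_recency),
]

# Hypothetical test plan: task id -> test id. TASK-104 has no scheduled test,
# so it must surface as missing evidence, never as a pass.
SAMPLE_TEST_PLAN = {
    "TASK-101": "T-PWD-LEN",
    "TASK-102": "T-MFA-ADMIN",
    "TASK-103": "T-BKP-RECENT",
    "TASK-104": "T-LOG-RETAIN",
}

@dataclass
class Evidence:
    control_id: str
    test_id: str
    observed: Any
    expected: str
    passed: bool
    activity_log: list[str]
    collected_at: str

def run_schedule(state: dict, schedule=TEST_SCHEDULE) -> list[Evidence]:
    """Run every scheduled test, keeping an activity log per test."""
    results = []
    for control_id, test_id, fn in schedule:
        log = [f"start {test_id}"]
        try:
            observed, expected, passed = fn(state, log)
        except KeyError as exc:
            # Control surface absent: record a failure, never a silent pass.
            observed, expected, passed = f"missing {exc}", "present", False
            log.append(f"error {exc}")
        log.append(f"end {test_id} passed={passed}")
        results.append(Evidence(control_id, test_id, observed, expected, passed,
                                log, datetime.now(timezone.utc).isoformat()))
    return results

def to_inbound_file(evidence: list[Evidence]) -> str:
    """Serialise evidence as the inbound attachment (assumed JSON layout)."""
    return json.dumps({"evidence": [asdict(e) for e in evidence]}, indent=2)

def apply_to_test_plan(inbound_json: str, test_plan: dict[str, str]):
    """Map inbound evidence onto plan tasks; return (task results, unmapped tests)."""
    records = {e["test_id"]: e for e in json.loads(inbound_json)["evidence"]}
    tasks = {}
    for task_id, test_id in test_plan.items():
        rec = records.pop(test_id, None)
        if rec is None:
            tasks[task_id] = {"test_id": test_id, "status": "NO_EVIDENCE"}
        else:
            tasks[task_id] = {"test_id": test_id,
                              "status": "PASS" if rec["passed"] else "FAIL",
                              "observed": rec["observed"], "expected": rec["expected"]}
    # Evidence for tests nobody planned is reported, not dropped.
    return tasks, sorted(records)

if __name__ == "__main__":
    inbound = to_inbound_file(run_schedule(SAMPLE_STATE))
    tasks, unmapped = apply_to_test_plan(inbound, SAMPLE_TEST_PLAN)
    for task_id, result in tasks.items():
        print(task_id, result["status"], result.get("observed"), result.get("expected"))
    print("unmapped evidence:", unmapped)
```

The inbound file carries the observed value and the expectation alongside the verdict, so a control tester reviewing a task can see why a test failed (here, the last successful backup is 30 hours old against a 24-hour expectation) without re-running the script. Swapping the three check functions for Selenium page reads or API calls leaves the schedule, the evidence format and the plan mapping unchanged, which is the tool-agnostic property the text describes.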
The company now has a robust reporting and dashboard engine that gives a 360-degree, real-time view of IT and cyber compliance risks across the enterprise. The tool lets them build user-configurable executive reports and dashboards around their specific business requirements.
Stakeholders within the company can now make faster decisions on the risks with the highest potential impact on business operations. They can also generate comprehensive self-assessment reports with visibility into key risk indicators (KRIs), assessment results, and compliance initiatives. Together these insights let the company sustain compliance with the IT regulations that apply to it while minimizing risk and resolving issues as they arise.