After researching multiple IT GRC products, the bank chose the MetricStream IT GRC Solution, confident that it would meet their requirements through its tightly integrated data model, scalable platform, and automated capabilities. Since its implementation, the solution has helped the bank manage a wide range of IT GRC requirements in a holistic manner, while accelerating the resolution of IT risks and threats, and strengthening compliance with multiple IT regulations and standards.
The solution supports the distinct requirements of multiple stakeholders, including the CRO and the Head of Information Security, while consolidating and rolling up their reports to provide a comprehensive view of the organization's risk and compliance profile.
Below are the key capabilities of the MetricStream IT GRC Solution that support the bank:
IT Governance: The solution streamlines and automates a range of IT policy management processes with support for electronic policy creation, distribution, attestation, and exception management. Security policies can be linked to the corresponding assets and controls, as well as international regulations, standards, and technology and security baselines. This integrated data model allows users at the bank to easily measure the impact of changing regulatory and business requirements on the policy framework.
At a broader level, the solution supports an integrated approach to IT governance across the bank's organizational units. Advanced capabilities for role-based reporting and analytics provide an in-depth, real-time view of the organization's IT risk and compliance posture. Dashboards enable the board and senior management to slice and dice the data from various angles and derive the risk intelligence they need to support decision-making. In addition, role-based access and authorization, time-stamped audit trails, and robust password controls help protect the information held in the solution itself.
Cyber Risk Management: The solution supports the collection, consolidation, business-driven prioritization, and remediation of information security threats and vulnerabilities. It connects to the bank's vulnerability assessment tools to bring in raw assessment results for GRC-based analysis and reporting, and it also integrates with SOC, SIEM, DLP, IDM, and other security operations tools.
A built-in risk library helps the bank standardize its risk taxonomy and link risks to threats, vulnerabilities, agents, and factors, so users can correlate risk information effectively and separate real risks from simple threats. The solution also helps automate and rationalize cyber risk management processes. Federated risk assessment capabilities allow business units to assess risks independently while ensuring that data is rolled up to senior management in a consistent and standardized manner.
When it comes to cyber risk assessments, the solution provides configurable scoring algorithms while supporting the inclusion of multiple assessment factors, and enabling risk evaluations from various perspectives. Thus, users at the bank gain a well-rounded and real-time picture of risks.
Through the solution's GRC rules engine, the bank can configure a risk-rating scale that combines an asset's vulnerability context and business context into a single risk rating to support remediation planning. The combined rating is calculated by converting the vulnerability severity number range into business/human-readable values and then mapping those values against the asset's business criticality. Users at the bank can also review incoming vulnerabilities from a business context.
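As an added illustration of the rating scale just described (this is not MetricStream's code; the severity thresholds, rating matrix and sample findings are constructed, since the page gives no concrete values):

```python
from dataclasses import dataclass

# Assumed severity bands over a 0.0-10.0 score range (CVSS-style); the page gives no values.
SEVERITY_BANDS = [(9.0, "Critical"), (7.0, "High"), (4.0, "Medium"), (0.1, "Low")]
# Assumed combined-rating matrix: severity band -> asset business criticality -> rating.
RATING_MATRIX = {
    "Critical": {"Low": "High",   "Medium": "Critical", "High": "Critical"},
    "High":     {"Low": "Medium", "Medium": "High",     "High": "Critical"},
    "Medium":   {"Low": "Low",    "Medium": "Medium",   "High": "High"},
    "Low":      {"Low": "Low",    "Medium": "Low",      "High": "Medium"},
    "None":     {"Low": "Low",    "Medium": "Low",      "High": "Low"},
}
RATING_ORDER = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}

@dataclass(frozen=True)
class Finding:
    asset: str
    finding_id: str      # constructed placeholder id
    severity: float      # raw score from the vulnerability assessment tool
    criticality: str     # asset business criticality from the asset register

def severity_band(score: float) -> str:
    """Convert the numeric severity range into the human-readable band."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"severity out of range: {score}")
    for floor, band in SEVERITY_BANDS:
        if score >= floor:
            return band
    return "None"

def combined_rating(f: Finding) -> str:
    """Map severity band x business criticality to the combined risk rating."""
    if f.criticality not in RATING_MATRIX["Low"]:
        raise ValueError(f"unknown criticality: {f.criticality}")
    return RATING_MATRIX[severity_band(f.severity)][f.criticality]

def remediation_queue(findings):
    """Order findings for remediation planning: combined rating first, then raw score."""
    return sorted(findings, key=lambda f: (RATING_ORDER[combined_rating(f)], -f.severity))

# Constructed sample assessment results, as a connector would import them.
SAMPLE = [
    Finding("core-banking-db", "FINDING-1", 6.5, "High"),
    Finding("marketing-cms", "FINDING-2", 9.8, "Low"),
    Finding("payments-gw", "FINDING-3", 7.2, "High"),
    Finding("test-jumpbox", "FINDING-4", 3.1, "Low"),
]

if __name__ == "__main__":
    for f in remediation_queue(SAMPLE):
        print(f"{combined_rating(f):8} {f.asset:16} {f.finding_id} ({f.severity})")
```

Note how the business context reorders the queue: the 7.2 on the high-criticality payments gateway ranks above the 9.8 on the low-criticality CMS.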
IT Compliance Management: The solution provides a single integrated system for the bank to manage compliance with multiple IT regulations and standards. Users can define a single control assessment to manage several compliance requirements. Additionally, with the help of MongoDB-based connectors, the solution integrates content from the Unified Compliance Framework (UCF), helping the bank harmonize IT controls across multiple regulations, and minimize redundancies in control data.
Compliance requirements can be mapped to controls, assets, asset classes, policies, risks, and other factors, thanks to the flexible relational data model of the GRC Foundation. This makes it easy to measure the impact of new regulations on the bank's compliance framework.
Embedded regulatory content helps the bank stay informed on various regulations. Other capabilities provided by the solution include the ability to define quantitative compliance frameworks (for metrics-driven compliance), and measure the drift from recommended technology configuration baselines.
Issue and Remediation Management: If issues are discovered during any IT GRC processes, the MetricStream solution triggers a systematic process of issue recording, investigation, escalation, diagnosis, and closure, leading to remediation and corrective action. The issue management process is centralized and streamlined to enhance visibility and efficiency. Business units across the bank can easily collaborate and share data on issue investigation and remediation, while senior management can track the status of each issue in real time.