Being one of Europe’s fastest growing data center service providers, the company has rapidly been expanding its global footprint through mergers and acquisitions. In the process, its compliance and risk landscape has become increasingly complex. Regulations like SOX, technical audits like SOC 2, and an ever-widening range of risks, policies, procedures, and internal audits have resulted in a maze of workflows, documents, and reporting requirements.
For years, these requirements were managed manually. But with the introduction of GDPR and the resulting focus on data security compliance, it soon became evident that without automated, agile, and scalable processes, the company’s approach to GRC would not be able to keep up with its ambitious plans for growth and expansion.
The company has multiple data centers that facilitate the processing, storage, and security of information for thousands of customers. That, in turn, obligates them to comply with data security regulations such as GDPR, as well as audits like SOC 2. There are also SOX compliance requirements. Every month, key stakeholders need to review and certify that compliance controls are working effectively.
Compounding the challenge, numerous IT policies have to be managed, stored, and communicated efficiently; plus, 120+ enterprise risks—including strategic, operational, security, personnel, and environmental risks—must be assessed, monitored, and mitigated in a timely manner.
Earlier, all these requirements were handled manually, i.e., using spreadsheets and emails. But as the volume of GRC data swelled, even while IT regulations grew more complex, these tools no longer proved sufficient. The manual effort involved in consolidating, mapping, and reporting GRC data slowed down the decision-making process, while also hampering the company’s agility and responsiveness.
What was needed was an automated, integrated, and scalable approach to GRC. Stakeholders wanted faster, better reports on metrics such as SOX control status and risk assessment results. With GDPR entering the picture, the impetus to coordinate and improve IT compliance became even greater. That’s when the company turned to MetricStream.
MetricStream implemented an integrated GRC solution that streamlined and automated multiple GRC processes at the company. Today, the solution is used across the company to enhance compliance with GDPR, SOC 2, and SOX, as well as to manage enterprise risks, policies, and—in the near future—audits.
All IT regulations, control tests, processes, policies, risks, and other GRC elements are mapped in a federated and robust data model, so that stakeholders can easily connect the dots, and draw out important insights. In addition, powerful dashboards provide in-depth and real-time visibility into the status of IT compliance and risk processes, enabling decision-makers to quickly identify areas of concern and opportunities for improvement.
The MetricStream solution has strengthened the company’s confidence in its compliance with GDPR and SOC 2. It improves visibility into IT assets that store sensitive data, enabling the associated risks to be assessed and monitored. It also links IT compliance controls to risks, processes, and assets in a central, structured hierarchy for easy monitoring.
Teams can effectively plan, manage, and conduct IT control tests through the solution’s capabilities for surveys and self-assessments. The results can then be scored and reported, with evidence of findings attached. Any IT compliance issues that arise can be investigated and remediated through the solution’s systematic workflows.
The solution has helped the company simplify SOX compliance monitoring and control testing. Users can assess risks, test controls, and manage evidence and other documentation, while also certifying findings and remediating issues. Graphical reports and dashboards make it easy for finance managers and directors to identify and track the status of controls and tests.
Automated evidence provisioning: As part of the company’s SOX compliance program, MetricStream has configured its solution to automatically publish certain reports with data on access controls, application login history, and other IT compliance metrics. These reports are reviewed every month by key stakeholders to certify that the control evidence provided is sufficient and accurate.
The reports are initially fed into an SFTP site from various systems and data sources in the company. At periodic intervals, the MetricStream solution automatically pulls in the reports and publishes them, triggering workflows for review and approval. In this way, near real-time control evidence is populated in the system.
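The pull-and-publish flow just described can be sketched in a few dozen lines. The following is an added example written for this page, not MetricStream's code: a local drop directory stands in for the SFTP site, the report file naming convention, the control-to-report catalogue and the reviewer task names are all constructed assumptions. It adds two checks a SOX evidence owner would want that the paragraph does not spell out: each pulled report is hashed so identical re-published files are not ingested twice, and a completeness check flags controls with no evidence for the period before the monthly certification rather than after it.

```python
"""Evidence-ingestion pipeline modelled on an SFTP pull-and-publish flow.
Added example, not MetricStream code. Directory layout, file naming,
control catalogue and task names are constructed assumptions."""
import hashlib
import os
import tempfile
from dataclasses import dataclass, field

# Constructed catalogue: the report each monthly SOX IT control expects
EXPECTED_REPORTS = {
    "SOX-ITGC-01": "access_review",
    "SOX-ITGC-02": "app_login_history",
    "SOX-ITGC-03": "change_tickets",
}


@dataclass
class EvidenceRecord:
    control_id: str
    report: str
    period: str
    sha256: str
    status: str = "PENDING_REVIEW"
    reviewer_tasks: list = field(default_factory=list)


def sha256_file(path):
    """Hash the file in chunks so large login-history exports are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_report_name(filename):
    """Assumed naming: <report>_<YYYY-MM>.csv, e.g. access_review_2024-03.csv.
    Returns (report, period) or None for anything that does not match."""
    stem, ext = os.path.splitext(filename)
    if ext != ".csv" or "_" not in stem:
        return None
    report, _, period = stem.rpartition("_")
    if len(period) != 7 or period[4] != "-":
        return None
    return report, period


def ingest(drop_dir, period, registry):
    """Pull every report for the period from the drop directory, hash it and
    open a pending review record; return the new records. `registry` maps
    sha256 -> EvidenceRecord, so a re-published identical file is skipped."""
    new_records = []
    control_for_report = {v: k for k, v in EXPECTED_REPORTS.items()}
    for name in sorted(os.listdir(drop_dir)):
        parsed = parse_report_name(name)
        if parsed is None or parsed[1] != period:
            continue  # wrong period or not a report file at all
        report, _ = parsed
        control = control_for_report.get(report)
        if control is None:
            continue  # not mapped to any control: not evidence
        digest = sha256_file(os.path.join(drop_dir, name))
        if digest in registry:
            continue  # already ingested with identical content
        rec = EvidenceRecord(control, report, period, digest)
        rec.reviewer_tasks.append(f"review:{control}:{period}")  # publish step
        registry[digest] = rec
        new_records.append(rec)
    return new_records


def completeness_check(registry, period):
    """Controls with no evidence record for the period: a silent feed failure
    upstream should surface here, before the monthly certification."""
    covered = {r.control_id for r in registry.values() if r.period == period}
    return sorted(set(EXPECTED_REPORTS) - covered)


def certify(registry, digest, reviewer):
    """Stakeholder sign-off closes the review task on the record."""
    rec = registry[digest]
    rec.status = f"CERTIFIED_BY:{reviewer}"
    rec.reviewer_tasks.clear()
    return rec


def demo():
    """Constructed drop: two of the three expected feeds for 2024-03, one
    stale February file and a non-report file. Returns (new records on the
    first pull, new records on an immediate re-run, controls still missing)."""
    drop = tempfile.mkdtemp()
    samples = {
        "access_review_2024-03.csv": "user,role,reviewed\nalice,admin,yes\n",
        "app_login_history_2024-03.csv": "user,ts,result\nbob,2024-03-02T08:00:00Z,ok\n",
        "change_tickets_2024-02.csv": "id,approved\nCHG-1,yes\n",
        "notes.txt": "not evidence\n",
    }
    for name, body in samples.items():
        with open(os.path.join(drop, name), "w") as f:
            f.write(body)
    registry = {}
    first = ingest(drop, "2024-03", registry)
    second = ingest(drop, "2024-03", registry)
    return len(first), len(second), completeness_check(registry, "2024-03")


if __name__ == "__main__":
    print(demo())
```

Running the block reports two records ingested on the first pull, none on the re-run, and SOX-ITGC-03 listed as missing evidence for the period. In a real deployment the hash would also be stored alongside the published report so that a reviewer can confirm the file they certified is the one that was pulled.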
Using the MetricStream solution, the company can proactively assess, monitor, and mitigate 120+ risks across 12 countries. The solution accelerates risk and control assessments, rolling up key findings and insights to stakeholders for analysis. It also helps the company track key risk and control indicators, while triggering remediation workflows for any issues that are found. Advanced heat maps, reports, and dashboards provide a 360-degree view of risk data, enabling it to be sliced and diced by various parameters.
The solution has given the company an easy, efficient way of dealing with data governance policies and procedures. It simplifies policy creation and communication across the enterprise, while also providing a centralized portal to store, search, and access these policies. In addition, it supports policy attestations and exception management.
The company is in the process of extending the MetricStream solution to manage its audit requirements. Once complete, the solution will accelerate the audit lifecycle, improving risk awareness and audit productivity. It will also enhance audit planning, resource management, audit execution, reporting, and issue management.