
The Client: Headquartered in North America, the client is a global leader in domain services and internet security.

Overview

The client was looking for a unified solution to manage IT risk, IT compliance, security threats and vulnerabilities, policies, and third-party risks. The solution had to be implemented in just eight weeks and support multiple integrations. MetricStream met these needs by providing a comprehensive IT GRC solution to manage and track IT risks, harmonize IT compliance controls, streamline IT policy management, automate third-party risk assessments, and more. The solution integrates with multiple organizational systems to gather data on IT risks, threats, and vulnerabilities. It also maps this data to controls and risk treatment plans. Thus, the client has a full and timely picture of their IT threats and risks which, in turn, helps them respond proactively.


The Solution

After evaluating several IT GRC solution providers, the customer chose MetricStream’s integrated IT GRC solution to help them manage various IT risks, third-party risks, controls, regulations, policies, and security requirements in an automated, streamlined, and holistic manner. MetricStream also enabled the client to design their “GRC Journey” based on their unique IT GRC requirements.

Below are the key capabilities of the MetricStream IT GRC Solution leveraged by the client:

IT Governance (IT Policy Management)

The solution enables the client to efficiently manage the complete IT policy lifecycle – ranging from policy creation, to review, approval, distribution, attestation, and exception management. A central repository in the solution makes it easy to manage and maintain multiple types of IT policies. These documents are organized based on various templates and classification criteria with automatic or user-defined numbering schemes. The policies are also mapped to assets and asset classes for optimal transparency.

IT Risk Management

The MetricStream solution has enabled the client to better structure their existing risk library. It helps them logically map IT risks to controls, taking into consideration internal risks, threats and vulnerabilities, and third-party risks. It also supports risk and control assessments based on standards such as ISO 27001/2, NIST 800-53, and NIST 800-30, while providing a flexible risk scoring algorithm that ties back to the NIST framework. Detailed reports, executive dashboards, and color-coded heat maps provide a clear view of the organization’s overall IT risk posture.

Apart from these capabilities, the solution provides the ability to confirm the validity of existing IT risks and risk assessments with risk owners. It also helps capture and report changes in the IT risk profile of each organizational unit. Additionally, the client can factor in multiple parameters for IT risk categorization, and track Key Risk Indicators (KRIs) and Key Performance Indicators (KPIs).

IT Compliance Management

Earlier, the client’s manual and siloed approach to IT compliance management led to duplication of effort and disconnected compliance activities. MetricStream’s solution has enabled the organization to streamline IT compliance processes and harmonize controls. With the help of MongoDB-based connectors, the solution connects to the Unified Compliance Framework (UCF), giving the client the freedom to choose the controls that are relevant to their requirements.

Embedded regulatory content and data feeds allow the client to stay informed on various regulations. Other capabilities provided by the solution include the ability to define quantitative compliance frameworks (for metrics-driven compliance), and measure the drift from recommended technology configuration baselines. Compliance scores can be generated to measure the degree of compliance and effectiveness of implemented controls.

In the future, the solution will be extended to manage compliance with other IT regulations, standards, and reporting requirements including SOC 2 and SOC 3.

Third-Party Management

With close to 100 vendors, the client needed a solution that would enable and support end-to-end third-party management. Today, the MetricStream solution helps the client track third parties, manage and automate third-party risk assessments, determine risk ratings, and roll up risk findings. It also supports third-party screening and benchmarking, and enables third parties to be categorized into various segments based on risk tolerance and maturity.

The client periodically conducts onsite assessments on a few third parties to review their security controls. The MetricStream solution helps ensure that the surveys are in the right format and distributed effectively by email. When the surveys are completed, they are uploaded in the solution using a bulk upload capability. To maintain data security, third parties do not have access to the solution.

Security Threat and Vulnerability Management

The MetricStream solution provides a central repository and a data integration engine to connect to multiple threat and vulnerability scanners in the organization. It pulls relevant threats and incidents from these systems and stores the data in a searchable, central, standards-compliant database for the client. Here, the threat data is associated with assets, risks, compliance, policies, and controls, all in one integrated data model. The solution also automates the process of vulnerability assessments.

The Challenge

Being a large organization with multiple operating divisions, the client faces numerous enterprise risks, ranging from strategic and financial risks to legal and operational risks. It is imperative that these risks be identified, assessed, and managed effectively, not only at the entity level, but also at the operating division, project, and process levels. Fraud risk is another key concern that needs to be evaluated and monitored frequently.

There were several gaps in the client’s IT GRC ecosystem. For instance, IT compliance was managed using unwieldy spreadsheets and legacy tools which resulted in redundancies and disconnected compliance activities. Meanwhile, threat management processes were largely siloed in nature, making it challenging for the organization to get a comprehensive view of their threat profile.

Visibility into third-party risks was also limited. In fact, the client did not have well-defined, efficient processes to manage IT risks from multiple sources, be it vendors, business units, or external sources. Neither did they have tools to track IT regulatory requirements or measure gaps in compliance with industry standards and frameworks like ISO 27001/2, FISMA, and SOC 1/2/3. They also lacked automated IT policy management workflows, as well as a central policy database.

All these challenges, at a larger level, limited the client’s ability to aggregate IT GRC metrics, and analyze their true risk and compliance posture. The organization needed a way to strengthen compliance with IT regulations and standards, while building a comprehensive enterprise governance and oversight framework with rich IT context and real-time IT risk insights.

Benefits

  • Rationalization of IT GRC Processes
    The MetricStream solution has helped the client set up well-defined, streamlined, and automated workflows for IT GRC. Inefficient, manual processes have been eliminated, while key data has been integrated in a single system for optimal visibility. As the client’s IT GRC requirements evolve, they can be supported with new apps and solutions added to the MetricStream platform.
  • Real-Time IT Risk and Threat Visibility
    The solution’s ability to integrate data from multiple threat and vulnerability scanners gives the client a timely picture of their threat profile. These threats, along with internal IT risks, and third-party IT risks are mapped to the associated controls for added visibility. Meanwhile, powerful dashboards roll up data from across the organization, providing a consolidated view of the organization’s IT GRC profile.
  • Improved Compliance
    Through the solution, the client has been able to strengthen compliance with various IT regulatory requirements, as well as NIST and ISO 27001/2 requirements around IT risk and control assessments. Integration with the UCF enables them to build a concise and consistent set of controls, while regulatory data feeds help them stay updated on multiple regulations.
  • Effective IT Policy Management
    The solution has helped the client simplify IT policy management by integrating all policies in a central, easily accessible repository, and helping users understand the link between each policy and the corresponding IT assets. The solution supports each stage of policy management, eliminating redundancies and gaps, while ensuring consistency in policy-related processes and documents.
  • Rapid Deployment
    The MetricStream IT GRC Solution was deployed in just eight weeks with the help of MetricStream’s FastTrak methodology. It provides the scale and scope to manage a range of IT GRC requirements, including IT risks, IT compliance, IT policies, security threats and vulnerabilities, and third-party IT risks.
