After evaluating several IT GRC solution providers, the customer chose MetricStream’s integrated IT GRC solution to help them manage various IT risks, third-party risks, controls, regulations, policies, and security requirements in an automated, streamlined, and holistic manner. MetricStream also enabled the client to design their “GRC Journey” based on their unique IT GRC requirements.
Below are the key capabilities of the MetricStream IT GRC Solution leveraged by the client:
IT Governance (IT Policy Management)
The solution enables the client to efficiently manage the complete IT policy lifecycle, ranging from policy creation to review, approval, distribution, attestation, and exception management. A central repository in the solution makes it easy to manage and maintain multiple types of IT policies. These documents are organized based on various templates and classification criteria with automatic or user-defined numbering schemes. The policies are also mapped to assets and asset classes for optimal transparency.
IT Risk Management
The MetricStream solution has enabled the client to better structure their existing risk library. It helps them logically map IT risks to controls, taking into consideration internal risks, threats and vulnerabilities, and third-party risks. It also supports risk and control assessments based on standards such as ISO 27001/2, NIST 800-53, and NIST 800-30, while providing a flexible risk scoring algorithm that ties back to the NIST framework. Detailed reports, executive dashboards, and color-coded heat maps provide a clear view of the organization’s overall IT risk posture.
Apart from these capabilities, the solution provides the ability to confirm the validity of existing IT risks and risk assessments with risk owners. It also helps capture and report changes in the IT risk profile of each organizational unit. Additionally, the client can factor in multiple parameters for IT risk categorization, and track Key Risk Indicators (KRIs) and Key Performance Indicators (KPIs).
IT Compliance Management
Earlier, the client’s manual and siloed approach to IT compliance management led to duplication of effort and disconnected compliance activities. MetricStream’s solution has enabled the organization to streamline IT compliance processes and harmonize controls. With the help of MongoDB-based connectors, the solution connects to the Unified Compliance Framework (UCF), giving the client the freedom to choose the controls that are relevant to their requirements.
Embedded regulatory content and data feeds allow the client to stay informed on various regulations. Other capabilities provided by the solution include the ability to define quantitative compliance frameworks (for metrics-driven compliance), and measure the drift from recommended technology configuration baselines. Compliance scores can be generated to measure the degree of compliance and effectiveness of implemented controls.
In the future, the solution will be extended to manage compliance with other IT regulations, standards, and reporting requirements including SOC 2 and SOC 3.
Third-Party Management
With close to 100 vendors, the client needed a solution that would enable and support end-to-end third-party management. Today, the MetricStream solution helps the client track third parties, manage and automate third-party risk assessments, determine risk ratings, and roll up risk findings. It also supports third-party screening and benchmarking, and enables third parties to be categorized into various segments based on risk tolerance and maturity.
The client periodically conducts onsite assessments on a few third parties to review their security controls. The MetricStream solution helps ensure that the surveys are in the right format and distributed effectively by email. When the surveys are completed, they are uploaded in the solution using a bulk upload capability. To maintain data security, third parties do not have access to the solution.
Security Threat and Vulnerability Management
The MetricStream solution provides a central repository and a data integration engine to connect to multiple threat and vulnerability scanners in the organization. It pulls relevant threats and incidents from these systems, and stores the data in a searchable, central, standards-compliant database for the client. Here, the threat data is associated with assets, risks, compliance, policies, and controls, all in one integrated data model. The solution also automates the process of vulnerability assessments.