Organizations today face a multitude of IT risks, ranging from data breaches and IT hacks, to IT asset failures due to technical issues. The adoption of mobile and cloud-based technologies has further amplified the complexity of the IT environment by increasing threat surface areas and vulnerabilities. To protect organizations, IT and information security teams need to be able to identify critical assets, and adopt a risk-based approach towards analyzing and resolving potential threats.
The key is to establish a robust and automated approach to IT risk management, as well as threat and vulnerability management by leveraging industry standards, best practices, and technology. This approach enables decision-makers to contextualize and manage IT risks effectively based on their business impact.
MetricStream IT Risk Management App
The industry-leading MetricStream IT Risk Management (ITRM) App enables you to manage a wide range of IT risk related activities, as well as information security threats and vulnerabilities in a systematic and integrated manner. The app streamlines IT risk documentation, control definition and management, multi-dimensional risk assessments, issue identification, and implementation of recommendations and remediation plans, along with risk and threat analysis and reporting.
A built-in integration engine imports and consolidates threat and vulnerability information from various sources, thereby providing a unified view of the data. In addition, a centralized repository helps map threat and vulnerability data to assets and other business entities, enabling you to clearly visualize your information security program library (assets, asset classes, areas of compliance, and their relationships).
Through a centralized approach, the app simplifies the identification and analysis of multiple risks in IT operations. It also helps contextualize these risks based on the associated processes, business units, and IT assets. Users receive integrated risk and threat reports which help them prioritize risks for effective mitigation. Powerful dashboards provide timely, actionable information for stakeholders to proactively address the top IT risks and threats. The app is also certified for conformance with global accessibility standards and best practices as defined by WCAG 2.1 Level AA and Section 508.
Why MetricStream IT Risk Management App
Facilitates Access to Multiple IT Risk Management Frameworks
Offers one-point access to multiple risk frameworks and standards, along with applicable risk management procedures, templates, and controls; enables you to pick and choose the frameworks and templates that best suit your organization’s requirements
Aligns IT Risks to Business Risks
Helps align IT risks to business scenarios based on the results of qualitative and quantitative risk assessments and multi-perspective risk scoring
Integrates with Vulnerability Scanning Tools
Provides a built-in integration engine to import vulnerability data from multiple third-party tools such as QualysGuard and Nessus; delivers comprehensive visibility into vulnerabilities across the enterprise
Helps Prioritize Vulnerabilities
Combines an asset’s vulnerability severity rating with its business criticality rating to provide a consolidated risk rating; delivers a comprehensive view of the top vulnerabilities and related risks
Supports Configurable Risk Scoring Algorithms
Provides configurable risk scoring algorithms while supporting the inclusion of multiple risk assessment factors; facilitates IT risk assessments from multiple perspectives, thus providing a holistic risk view
Provides “Early Warnings” or Notifications from Threat Advisories
Leverages threat advisories to provide comprehensive details on each threat, including the CVE ID, source, affected technologies, available controls, and possible remediation; enables users to respond effectively to contain the threat
Aggregates IT Risks
Consolidates IT risk assessment and vulnerability data from across organizational levels into pre-defined risk reports, user-configurable risk heat maps, and role-based executive dashboards; offers a comprehensive, real-time view of your organization’s IT risk and threat profile
M7 Platform Highlights
Engaging and Personalized User Experience
Makes the process for IT risk, threat, and vulnerability management simple, context-sensitive, and personalized for each user; facilitates an intuitive and engaging user experience
Supports app configurations and extensions in an upgrade-safe and scalable manner through the MetricStream AppStudio configuration framework; helps the organization adapt to change quickly
Reporting and Analytics
Delivers powerful visualization tools and analytics to manage and monitor IT risk trends, data relationships, and actions in real time across the extended enterprise
Lean and Robust Architecture
Is built on a lean, modern, scalable, and extensible architecture that enables the global digital enterprises of today to seamlessly scale up and support new users, while also adding new apps and solutions to meet changing organizational needs
Centralized Repository for Assets, Processes, Threats, and Vulnerabilities
Define, maintain, and map IT risks, assets, asset classes, controls, areas of compliance, and other business entities in a central database. Document IT risk management data in a risk register that includes risk description, severity, impact, consequences, risk rating, mitigation plans, and related emerging issues for each IT asset, asset class, and group. Configure IT risk perspectives, quantitative or qualitative risk factors, and IT risk scoring methodologies. Export or extract data from the risk register at any time in various industry standard formats.
Create a threat and vulnerability repository by consolidating assets in a common library leveraging out-of-the-box connectors with Configuration Management Databases (CMDBs) such as BMC Atrium and ServiceNow. Map IT assets and business entities to the associated threats and vulnerabilities. Manage and view the relationships between these data elements easily using the data browser or data explorer.
Consolidation of Threat Intelligence
Stay on top of threats and vulnerabilities before they are discovered in business assets by creating and subscribing to RSS or email-based threat alerts or channels from leading industry sources. Filter the alerts by keywords, and trigger remediation workflows for the prioritized threats.
Vulnerability Consolidation and Prioritization
Import vulnerability data from multiple third-party vulnerability scanning tools such as QualysGuard and Nessus. Configure risk-rating rules (via the GRC Rules Engine) to combine an asset’s vulnerability severity rating with its business criticality rating. Generate a Combined Risk Rating (CRR), thereby providing a rich business and vulnerability context for vulnerability prioritization.
Based on the combined risk rating, prioritize and trigger vulnerability remediation strategies. Leverage predefined templates and rules to automate vulnerability remediation.
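The following is an added worked example of the Combined Risk Rating idea described above. It is not MetricStream code and does not reflect how the GRC Rules Engine is implemented; the 1..5 severity and criticality scales, the product rule, the priority thresholds, the asset register and the scanner findings are all assumptions constructed for the illustration.

```python
"""Combined Risk Rating (CRR) worked example.

Added illustration, not MetricStream code: shows how a rating rule can
combine a scanner's vulnerability severity with an asset's business
criticality into a single rating used to order remediation. Every scale,
threshold and data record below is an assumption made for this example.
"""
from typing import Dict, List

# Assumed normalisation: scanner severity labels map onto a common 1..5 band
# so findings from different tools can be rated with one rule.
SEVERITY_BANDS = {"info": 1, "low": 2, "medium": 3, "high": 4, "critical": 5}

# Constructed asset register, shaped like a CMDB import. Criticality is 1..5.
ASSET_REGISTER: Dict[str, dict] = {
    "web-prod-01": {"criticality": 5, "owner": "ecommerce"},
    "hr-db-01":    {"criticality": 4, "owner": "hr"},
    "dev-box-07":  {"criticality": 1, "owner": "engineering"},
}

# Constructed scanner findings, shaped like a normalised scanner export.
FINDINGS: List[dict] = [
    {"asset": "web-prod-01", "plugin": "TLS 1.0 enabled",     "severity": "medium"},
    {"asset": "hr-db-01",    "plugin": "Default credentials", "severity": "critical"},
    {"asset": "dev-box-07",  "plugin": "Outdated OpenSSH",    "severity": "critical"},
    {"asset": "unknown-99",  "plugin": "Open SMB share",      "severity": "high"},
]


def normalise_severity(label: str) -> int:
    """Map a scanner severity label to the assumed 1..5 band; unknown labels
    fall back to the middle of the scale rather than to zero."""
    return SEVERITY_BANDS.get(label.lower(), 3)


def combined_risk_rating(severity: int, criticality: int) -> int:
    """Assumed rating rule: CRR = severity x criticality, giving 1..25."""
    return severity * criticality


def crr_band(crr: int) -> str:
    """Assumed thresholds turning the numeric CRR into a remediation priority."""
    if crr >= 16:
        return "P1"
    if crr >= 9:
        return "P2"
    if crr >= 4:
        return "P3"
    return "P4"


def rate_findings(findings: List[dict], assets: Dict[str, dict],
                  default_criticality: int = 3) -> List[dict]:
    """Join each finding to its asset and compute the CRR.

    An asset missing from the register is rated with a default criticality
    and flagged, so the CMDB gap surfaces as its own issue instead of the
    finding being silently dropped."""
    rated = []
    for f in findings:
        asset = assets.get(f["asset"])
        criticality = asset["criticality"] if asset else default_criticality
        sev = normalise_severity(f["severity"])
        crr = combined_risk_rating(sev, criticality)
        rated.append({**f, "severity_score": sev, "criticality": criticality,
                      "crr": crr, "priority": crr_band(crr),
                      "asset_in_cmdb": asset is not None})
    # Highest CRR first; ties broken by raw severity.
    rated.sort(key=lambda r: (r["crr"], r["severity_score"]), reverse=True)
    return rated


if __name__ == "__main__":
    for r in rate_findings(FINDINGS, ASSET_REGISTER):
        flag = "" if r["asset_in_cmdb"] else "  (asset not in CMDB)"
        print(f'{r["priority"]} CRR={r["crr"]:2d} {r["asset"]:12s} {r["plugin"]}{flag}')
```

Note how the ordering differs from a severity-only view: the "critical" finding on the low-criticality dev box ranks below a "medium" finding on the production web tier, which is exactly the business context the CRR is meant to add.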
IT Risk Assessments
Set up IT risk assessment plans easily. Define the scope and schedule for each assessment based on your unique requirements or industry standard frameworks such as ISO 27001, FAIR, and IRAM2. Identify, quantify, monitor, and manage IT risks in an integrated manner.
In a single system, bring together all IT risk assessment related data, including a reusable library of risks and their corresponding controls, as well as results from individual assessments, key risk indicators, issues, and remediation plans. Streamline the risk assessment process through the app’s workflow capabilities. Prioritize risk response strategies with the help of graphical risk heat maps.
IT Risk Scoring
Calculate and report IT risk scores by leveraging the app’s configurable scoring methodologies, calculation engines, and algorithms. Enhance risk scoring using built-in best practice templates and workflows. Perform risk assessments and computations based on industry standard risk methodologies (such as DREAD and STRIDE). Ensure that each risk assessment takes into account risk impact, likelihood, and other determinants, as well as weight-based assessments of risk criteria values for use in combined valuations.
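As an added worked example of configurable, weight-based scoring (not MetricStream code, and not a description of the app's own calculation engine), the block below scores a small risk register with two pluggable methodologies: a weighted impact composite multiplied by likelihood, and DREAD as the mean of its five ratings. The criteria, weights, scales, bands and register entries are assumptions constructed for the illustration.

```python
"""Configurable IT risk scoring worked example.

Added illustration, not MetricStream code. A small scoring engine that
(a) turns weighted criteria values into a composite score, (b) multiplies a
composite impact by likelihood, and (c) offers DREAD as a second, pluggable
methodology. Scales, weights, bands and the sample register are assumptions.
"""
from typing import Dict, List


def weighted_score(values: Dict[str, float], weights: Dict[str, float]) -> float:
    """Weighted mean of criterion values. Weights are normalised, so integer
    weights such as 5/3/2 work. A criterion present on only one side is a
    configuration error and raises, so a partial assessment cannot quietly
    understate risk."""
    mismatch = set(values) ^ set(weights)
    if mismatch:
        raise ValueError(f"criteria mismatch: {sorted(mismatch)}")
    total = sum(weights.values())
    if total <= 0:
        raise ValueError("weights must sum to a positive number")
    return sum(values[k] * weights[k] for k in weights) / total


# Assumed methodology 1: impact is a composite of CIA sub-factors (1..5 each)
# and likelihood is one 1..5 criterion; score = impact x likelihood (max 25).
IMPACT_WEIGHTS = {"confidentiality": 5, "integrity": 3, "availability": 2}


def impact_likelihood_score(impact_subfactors: Dict[str, float], likelihood: float) -> float:
    impact = weighted_score(impact_subfactors, IMPACT_WEIGHTS)
    return round(impact * likelihood, 2)


# Assumed methodology 2: DREAD as the mean of five 1..10 ratings (max 10).
def dread_score(damage: int, reproducibility: int, exploitability: int,
                affected_users: int, discoverability: int) -> float:
    ratings = (damage, reproducibility, exploitability, affected_users, discoverability)
    if any(not 1 <= r <= 10 for r in ratings):
        raise ValueError("DREAD ratings must be in 1..10")
    return sum(ratings) / 5


def risk_band(score: float, scale_max: float) -> str:
    """Normalise a score to its methodology's maximum so that risks scored
    under different methodologies can share one heat map."""
    pct = score / scale_max
    if pct >= 0.6:
        return "High"
    if pct >= 0.3:
        return "Medium"
    return "Low"


# Constructed risk register entries, each tagged with the methodology used.
RISK_REGISTER: List[dict] = [
    {"id": "R-1", "title": "Unpatched internet-facing web tier", "method": "impact_likelihood",
     "impact": {"confidentiality": 5, "integrity": 4, "availability": 2}, "likelihood": 4},
    {"id": "R-2", "title": "Shared admin account on HR database", "method": "dread",
     "dread": (8, 6, 7, 9, 5)},
    {"id": "R-3", "title": "Backup job failures on dev cluster", "method": "impact_likelihood",
     "impact": {"confidentiality": 1, "integrity": 2, "availability": 3}, "likelihood": 2},
]


def score_register(register: List[dict]) -> List[dict]:
    """Score each entry with its own methodology; return highest normalised first."""
    scored = []
    for r in register:
        if r["method"] == "impact_likelihood":
            score, scale_max = impact_likelihood_score(r["impact"], r["likelihood"]), 25
        elif r["method"] == "dread":
            score, scale_max = dread_score(*r["dread"]), 10
        else:
            raise ValueError(f"unknown methodology {r['method']}")
        scored.append({"id": r["id"], "title": r["title"], "method": r["method"],
                       "score": score, "normalised": round(score / scale_max, 3),
                       "band": risk_band(score, scale_max)})
    scored.sort(key=lambda s: s["normalised"], reverse=True)
    return scored


if __name__ == "__main__":
    for s in score_register(RISK_REGISTER):
        print(f'{s["id"]} {s["band"]:6s} {s["normalised"]:.3f} ({s["method"]}) {s["title"]}')
```

The normalisation step is the part worth keeping in mind: a DREAD score of 7 and an impact-times-likelihood score of 16.4 are not comparable until both are expressed against their own maximum, and the mismatch check in `weighted_score` is what stops a half-filled assessment from producing a reassuringly low number.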
Issue Management and Remediation
Identify issues arising from risk assessments, and trigger a systematic mechanism of remediation and disclosure by leveraging the underlying workflow and collaboration engine. Assign resources for issue investigation and remediation. Define an action plan (capturing the required details), send it to the owner, and track it to closure. Set up automatic alerts and notifications to ensure timely completion of the tasks. Monitor the status and progress of issue remediation across the enterprise, and enable cross-functional collaboration and communication on issue investigation and remediation tasks.
To manage issues raised from threat and vulnerability management, define rules to auto-detect vulnerability patterns among assets and to auto-trigger remediation of issues or incidents. Automatically route incidents from the app into BMC Remedy and ServiceNow.
IT Risk Monitoring and Reporting
Aggregate data on IT risks, threats, and vulnerabilities into pre-defined risk reports, user-configurable risk heat maps, and role-based executive dashboards for a comprehensive risk view. Deliver a hierarchical tree-view of risk assessment factors and sub-factors. Gain enterprise-wide visibility into the processes for IT risk, threat, and vulnerability management by leveraging executive dashboards and risk heat maps that highlight high-priority issues.
Track risk profiles, control ownership, assessment plans, and the status of remediation on real-time graphical charts that can be accessed globally. Use key metric cards and issue or incident status charts to quickly view the current status of your threat and vulnerability management program.