Organizations today face a multitude of IT risks, ranging from data breaches and IT hacks to IT asset failures due to technical issues. The adoption of mobile and cloud-based technologies has further amplified the complexity of the IT environment by increasing threat surface areas and vulnerabilities. To protect organizations, IT and information security teams need to be able to identify critical assets and adopt a risk-based approach towards analyzing and resolving potential threats.

The key is to establish a robust and automated approach to IT risk management, as well as threat and vulnerability management by leveraging industry standards, best practices, and technology. This approach enables decision-makers to contextualize and manage IT risks effectively based on their business impact.

MetricStream IT Risk Management App

The industry-leading MetricStream IT Risk Management (ITRM) App enables you to manage a wide range of IT risk related activities, as well as information security threats and vulnerabilities in a systematic and integrated manner. The app streamlines IT risk documentation, control definition and management, multi-dimensional risk assessments, issue identification, and implementation of recommendations and remediation plans, along with risk and threat analysis and reporting.

A built-in integration engine imports and consolidates threat and vulnerability information from various sources, thereby providing a unified view of the data. In addition, a centralized repository helps map threat and vulnerability data to assets and other business entities, enabling you to clearly visualize your information security program library (assets, asset classes, areas of compliance, and their relationships).

Through a centralized approach, the app simplifies the identification and analysis of multiple risks in IT operations. It also helps contextualize these risks based on the associated processes, business units, and IT assets. Users receive integrated risk and threat reports which help them prioritize risks for effective mitigation. Powerful dashboards provide timely, actionable information for stakeholders to proactively address the top IT risks and threats. The app is also certified for conformance with global accessibility standards and best practices as defined by WCAG 2.1 Level AA and Section 508.

Why MetricStream IT Risk Management App

  • Facilitates Access to Multiple IT Risk Management Frameworks

    Offers one-point access to multiple risk frameworks and standards, along with applicable risk management procedures, templates, and controls; enables you to pick and choose the frameworks and templates that best suit your organization’s requirements

  • Aligns IT Risks to Business Risks

    Helps align IT risks to business scenarios based on the results of qualitative and quantitative risk assessments and multi-perspective risk scoring

  • Integrates with Vulnerability Scanning Tools

    Provides a built-in integration engine to import vulnerability data from multiple third-party tools such as QualysGuard and Nessus; delivers comprehensive visibility into vulnerabilities across the enterprise

  • Helps Prioritize Vulnerabilities

    Combines an asset’s vulnerability severity rating with its business criticality rating to provide a consolidated risk rating; delivers a comprehensive view of the top vulnerabilities and related risks

  • Supports Configurable Risk Scoring Algorithms

    Provides configurable risk scoring algorithms while supporting the inclusion of multiple risk assessment factors; facilitates IT risk assessments from multiple perspectives, thus providing a holistic risk view

  • Provides “Early Warnings” or Notifications from Threat Advisories

    Leverages threat advisories to provide comprehensive details on each threat, including the CVE ID, source, affected technologies, available controls, and possible remediation; enables users to respond effectively to contain the threat

  • Aggregates IT Risks

    Consolidates IT risk assessment and vulnerability data from across organizational levels into pre-defined risk reports, user-configurable risk heat maps, and role-based executive dashboards; offers a comprehensive, real-time view of your organization’s IT risk and threat profile

Set Up the IT Risk Register

M7 Platform Highlights

  • 1

    Engaging and Personalized User Experience
    Makes the process for IT risk, threat, and vulnerability management simple, context-sensitive, and personalized for each user; facilitates an intuitive and engaging user experience

  • 2

    Supports app configurations and extensions in an upgrade-safe and scalable manner through the MetricStream AppStudio configuration framework; helps the organization adapt to change quickly

  • 3

    Reporting and Analytics
    Delivers powerful visualization tools and analytics to manage and monitor IT risk trends, data relationships, and actions in real time across the extended enterprise

  • 4

    Lean and Robust Architecture
    Is built on a lean, modern, scalable, and extensible architecture that enables the global digital enterprises of today to seamlessly scale up and support new users, while also adding new apps and solutions to meet changing organizational needs

Perform Risk Assessments


  • Centralized Repository for Assets, Processes, Threats, and Vulnerabilities

    Define, maintain, and map IT risks, assets, asset classes, controls, areas of compliance, and other business entities in a central database. Document IT risk management data in a risk register that includes risk description, severity, impact, consequences, risk rating, mitigation plans, and related emerging issues for each IT asset, asset class, and group. Configure IT risk perspectives, quantitative or qualitative risk factors, and IT risk scoring methodologies. Export or extract data from the risk register at any time in various industry standard formats.

    Create a threat and vulnerability repository by consolidating assets in a common library leveraging out-of-the-box connectors with Configuration Management Databases (CMDBs) such as BMC Atrium and ServiceNow. Map IT assets and business entities to the associated threats and vulnerabilities. Manage and view the relationships between these data elements easily using the data browser or data explorer.

  • Consolidation of Threat Intelligence

    Stay on top of threats and vulnerabilities before they are discovered in business assets by creating and subscribing to RSS or email-based threat alerts or channels from leading industry sources. Filter the alerts by keywords, and trigger remediation workflows for the prioritized threats.

  • Vulnerability Consolidation and Prioritization

    Import vulnerability data from multiple third-party vulnerability scanning tools such as QualysGuard and Nessus. Configure risk-rating rules (via the GRC Rules Engine) to combine an asset’s vulnerability severity rating with its business criticality rating. Generate a Combined Risk Rating (CRR), thereby providing a rich business and vulnerability context for vulnerability prioritization.

    Based on the combined risk rating, prioritize and trigger vulnerability remediation strategies. Leverage predefined templates and rules to automate vulnerability remediation.

  • IT Risk Assessments

    Set up IT risk assessment plans easily. Define the scope and schedule for each assessment based on your unique requirements or industry standard frameworks such as ISO 27001, FAIR, and IRAM2. Identify, quantify, monitor, and manage IT risks in an integrated manner.

    In a single system, bring together all IT risk assessment related data, including a reusable library of risks and their corresponding controls, as well as results from individual assessments, key risk indicators, issues, and remediation plans. Streamline the risk assessment process through the app’s workflow capabilities. Prioritize risk response strategies with the help of graphical risk heat maps.

    • IT Risk Scoring

      Calculate and report IT risk scores by leveraging the app’s configurable scoring methodologies, calculation engines, and algorithms. Enhance risk scoring using built-in best practice templates and workflows. Perform risk assessments and computations based on industry standard risk methodologies (such as DREAD and STRIDE). Ensure that each risk assessment takes into account risk impact, likelihood, and other determinants, as well as weight-based assessments of risk criteria values for use in combined valuations.

  • Issue Management and Remediation

    Identify issues arising from risk assessments, and trigger a systematic mechanism of remediation and disclosure by leveraging the underlying workflow and collaboration engine. Assign resources for issue investigation and remediation. Define an action plan (capturing the required details), send it to the owner, and track it to closure. Set up automatic alerts and notifications to ensure timely completion of the tasks. Monitor the status and progress of issue remediation across the enterprise, and enable cross-functional collaboration and communication on issue investigation and remediation tasks.

    To manage issues raised from threat and vulnerability management, define rules to auto-detect vulnerability patterns among assets and to auto-trigger remediation of issues or incidents. Automatically route incidents from the app into BMC Remedy and ServiceNow.

  • IT Risk Monitoring and Reporting

    Aggregate data on IT risks, threats, and vulnerabilities into pre-defined risk reports, user-configurable risk heat maps, and role-based executive dashboards for a comprehensive risk view. Deliver a hierarchical tree-view of risk assessment factors and sub-factors. Gain enterprise-wide visibility into the processes for IT risk, threat, and vulnerability management by leveraging executive dashboards and risk heat maps that highlight high-priority issues.

    Track risk profiles, control ownership, assessment plans, and the status of remediation on real-time graphical charts that can be accessed globally. Use key metric cards and issue or incident status charts to quickly view the current status of your threat and vulnerability management program.

Track IT Risk Issues and Action Plans

Monitor Vulnerabilities and Issues
