
Solution Brief

IT GRC SOLUTION
Effectively Manage Cyber Risks, Threats, and Vulnerabilities in Digital Enterprises

Overview
In today's digital enterprises, CISOs and CIOs have a pivotal role to play in protecting their organizations against the growing multitude of IT risks and threats, while also sustaining compliance with IT regulations, standards, and policies.

Cybersecurity is a top priority on every CISO's agenda. As organizations increasingly adopt cloud-based IT ecosystems and mobility solutions, the risks to data security are greater than ever. All it takes is one cyberattack to bring the strongest companies to their knees. Sometimes, these risks may lie in a vendor's IT systems -- which means that organizations have to monitor not only their own IT risks, but also those of their vendors or partners. In addition, organizations are under constant pressure to comply with regulatory requirements like SOX, FFIEC, PCI-DSS, GLBA, HIPAA, and NERC-CIP, as well as IT governance standards and popular frameworks such as COBIT, ITIL, NIST, and ISO 27001/2.

Managing all these requirements the traditional way, using siloed systems and manual processes, is no longer effective or efficient -- especially as IT risks, regulations, controls, and related data grow more complex and intertwined. Therefore, organizations are increasingly opting for a more integrated Governance, Risk, and Compliance (GRC) management approach that enables them to bring together all their IT GRC processes under one umbrella.

MetricStream IT GRC Solution

The MetricStream IT GRC Solution provides a single point of reference to manage multiple IT GRC activities, including IT risk management, IT compliance management, threat and vulnerability management, IT audit management, IT vendor risk management, and policy management.

Built on a scalable GRC platform, the solution cuts across enterprise silos, aggregating and mapping together risk, threat, compliance, and control data in one system for complete transparency. The solution also streamlines and automates multiple IT GRC workflows, enhancing efficiency.

Centralized IT risk and control libraries help establish consistent risk taxonomies across the enterprise, thereby strengthening risk analysis and reporting. In addition, powerful reports and dashboards provide a 360-degree, real-time view of IT risk and compliance profiles, enabling you to anticipate and mitigate emerging risks and issues in a timely manner.

Value Proposition
The MetricStream IT GRC Solution offers the following benefits:

- Simplifies IT GRC through an integrated, streamlined approach
- Consolidates IT GRC processes and data on a single platform for greater visibility
- Integrates with multiple external systems to import and aggregate risk, compliance, threat, and vulnerability data
- Establishes a consistent IT risk and control language across the enterprise
- Harmonizes IT controls, thereby minimizing redundancies
- Strengthens decision-making by providing actionable IT risk intelligence aligned with business risks and objectives
- Enables real-time tracking of IT GRC processes with early warnings of issues or threats

Features and Functionalities

The MetricStream IT GRC Solution provides the following core functionalities:

IT Risk Management
The solution enables a systematic and consistent approach to IT risk management processes, ranging from IT risk documentation and assessments, to control management, risk monitoring, and issue remediation. IT risk data is consolidated in a central risk library, and mapped to business risks to enhance reporting.

The solution supports IT risk assessments from multiple perspectives across the enterprise, and provides configurable risk scoring algorithms. You gain access to DREAD and STRIDE frameworks, as well as risk management best practices, methodologies, templates, and controls.

Sophisticated analytics, reports, risk heat maps, and dashboards aggregate IT risks across the enterprise, and provide real-time IT risk intelligence, enabling CIOs and CISOs to make informed decisions.

IT Compliance Management
The MetricStream solution provides a single window to manage compliance with multiple IT requirements. It streamlines the entire process of designing a compliance framework, mapping it to the appropriate controls, linking the controls to policies, and conducting compliance assessments, surveys, and certifications. The solution also integrates with the Unified Compliance Framework (UCF), helping you establish a common, harmonized set of IT compliance controls by mapping 9,300+ IT control statements to 1,200+ regulations.

MetricStream's GRC Intelligence.com helps you source and integrate compliance content in real-time from multiple sources such as LexisNexis and Complinet. In addition, executive dashboards and risk heat maps offer enterprise-wide visibility into compliance management, highlighting issues that need to be addressed on priority.

Threat and Vulnerability Management

The MetricStream solution integrates with multiple vulnerability scanners (e.g. Qualys, Nessus), threat advisory feeds, and other security tools to automatically capture and aggregate threat and vulnerability data in one system. It also maps this data to assets, areas of compliance, and related business processes to identify risk exposures from a business impact perspective.
Advanced risk assessment capabilities enable you to assess, score, and prioritize business functions and processes based on risk and criticality. The solution combines the vulnerability severity rating of each asset with the business criticality rating of that asset into a combined risk rating. Based on this process of vulnerability prioritization, you can identify risk issues, prioritize them based on impact and likelihood, and trigger remedial action in a timely manner.
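The severity-times-criticality prioritization described above, as an added illustration that is not MetricStream's code. It assumes a 1-5 business criticality scale, CVSS base scores from the scanner export, and a remediation threshold of 15 on the resulting 1-25 scale; all input data is constructed, and plugin ids are placeholders.

```python
import math

# Constructed asset register: business criticality on an assumed 1-5 scale
# (the brief does not state a scale; 5 = most critical to the business).
ASSET_CRITICALITY = {"erp-db-01": 5, "web-portal": 4, "dev-jenkins": 2}

# Constructed scanner export with CVSS base scores (0-10), the kind of data
# a scanner such as Qualys or Nessus reports. Plugin ids are placeholders.
SCANNER_FINDINGS = [
    {"asset": "erp-db-01", "plugin": "PLUGIN-A", "cvss": 6.5},
    {"asset": "web-portal", "plugin": "PLUGIN-B", "cvss": 9.8},
    {"asset": "dev-jenkins", "plugin": "PLUGIN-C", "cvss": 9.8},
    {"asset": "lab-box-9", "plugin": "PLUGIN-D", "cvss": 4.0},  # not in register
]

REMEDIATE_AT = 15  # assumed threshold on the 1-25 combined scale


def severity_band(cvss):
    """Normalise a CVSS base score (0-10) onto a 1-5 severity band."""
    if not 0 <= cvss <= 10:
        raise ValueError(f"CVSS out of range: {cvss}")
    return max(1, math.ceil(cvss / 2))


def combined_rating(cvss, criticality):
    """Severity band x business criticality: the combined rating the brief describes."""
    return severity_band(cvss) * criticality


def prioritize(findings, register, default_criticality=5):
    """Rank findings by combined rating. An asset missing from the register
    gets the conservative default so an unregistered host is never silently
    de-prioritised; the note flags it for the asset owner to fix."""
    ranked = []
    for f in findings:
        known = f["asset"] in register
        crit = register.get(f["asset"], default_criticality)
        rating = combined_rating(f["cvss"], crit)
        ranked.append({
            "asset": f["asset"], "plugin": f["plugin"], "rating": rating,
            "remediate": rating >= REMEDIATE_AT,
            "note": "" if known else "asset missing from register; criticality defaulted",
        })
    return sorted(ranked, key=lambda r: r["rating"], reverse=True)
```

Note that the critical database with a medium-severity finding (rating 20) ranks ahead of the dev server with a critical-severity finding (rating 10), which is the business-impact ordering the brief is after.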
The solution provides the ability to configure automatic notifications or early warnings by leveraging threat advisories from different vendors with the complete details of each threat. It also provides executive dashboards and reports with graphical views of threats and vulnerabilities and the ability to drill down to view the finest level of detail.

Highlights
Below are the key highlights of the MetricStream IT GRC Solution:

- Role-based security access and authorization controls
- One-point access to multiple IT risk frameworks
- Configurable IT risk scoring methodologies based on DREAD and STRIDE
- A centralized IT risk-control library linked to threats and vulnerabilities
- Ability to integrate with multiple external systems to capture information such as regulatory updates, compliance content, and threat and vulnerability data
- Executive role-based dashboards, reports, risk heat maps, and charts with real-time IT GRC data

IT Audit Management

The MetricStream solution facilitates a consistent, closed-loop approach to the IT audit lifecycle, including audit planning and scheduling, work-paper management, audit execution, review and approval of audit findings, audit reporting, and issue management. Intelligence for risk-based auditing enables auditors to efficiently prioritize audit plans based on key risk areas. With built-in best practices, the solution drives efficient utilization of IT audit resources, and strengthens collaboration across cross-functional auditors. It also enhances productivity with support for offline and mobile IT audits. At the click of a button, audit managers can easily track the audit process, data, history, and results.

IT Policy Management

The MetricStream solution enables a federated approach to IT policy management at the department, local, regional, and corporate levels. It supports the entire process of policy creation, review and approval, distribution, acceptance, and exception management. It also cuts across the enterprise, strengthening policy communication and collaboration. Policies are maintained in a central, web-based repository, simplifying search and discovery. The policies are also mapped to regulations and controls, strengthening compliance, while exposing potential risks and gaps.

IT Vendor Risk Management

The MetricStream solution provides a common point of reference to manage, monitor, and mitigate IT vendor risks across the enterprise. It supports vendor onboarding, risk profiling, and due diligence, as well as ongoing vendor risk assessments, monitoring, and oversight. The solution also maintains a central vendor information repository to efficiently log and track all IT vendors. Vendor risk transparency is improved through a centralized, tightly mapped structure of the risk hierarchy, including risks, controls, KRIs, processes, and related regulations linked to IT vendors and sub-vendors. Risk assessments can be triggered at any level of this hierarchy, and issues that arise can be routed through a systematic process of investigation and remediation.

MetricStream is the market leader in enterprise-wide Governance, Risk, Compliance (GRC) and Quality Management Solutions. MetricStream solutions are used by leading global corporations in diverse industries such as Financial Services, Healthcare, Life Sciences, Energy and Utilities, Food, Retail, CPG, Government, Hi-tech and Manufacturing to manage their risk management programs, quality management processes, regulatory and industry-mandated compliance and other corporate governance initiatives.

Email: info@metricstream.com
US: +1-650-620-2955
Europe: +41-615-880-111
UK: +44-203-318-8554
India: +91-80-4962-8000
UAE: +971-50-7217139
Australia: +61-870-708-014

2016 Copyright MetricStream. All Rights Reserved

www.metricstream.com
