With a gold mine of sensitive, confidential, and personally identifiable information (PII), the retailer had to maintain stringent security controls in compliance with requirements such as the Payment Card Industry Data Security Standard (PCI-DSS). A single data breach could cost the organization millions of dollars in financial losses and compliance penalties, along with customer trust and more.
Real-time, integrated visibility into cyber risks became increasingly essential for the senior leadership team to understand the organization’s risk profile, and to respond proactively to emerging threats. Their key objectives were to identify priority risks across the organization while ensuring that the business was meeting various compliance objectives and strategic goals. They also needed to determine if sufficient policies and standard operating procedures (SOPs) were available from a governance perspective.
To achieve these objectives, the company set out to build an effective cybersecurity program that would meet their business objectives and customer demands. To enable and support this program, the retailer adopted MetricStream’s integrated IT GRC solution with capabilities for IT risk management, IT compliance management, and third-party risk management.
With MetricStream IT and Cyber Risk Management, the retailer has been able to facilitate a systematic and integrated approach to IT and cyber risk documentation, risk assessments, control management, and issue detection, as well as risk/threat analysis and reporting. The product enables the senior-most leadership, C-suite members, board members, and external stakeholders to prioritize and align IT and cyber risks to business risks. Advanced reports and dashboards provide a real-time view of the risks, enabling senior stakeholders to make well-informed decisions.
Using MetricStream IT and Cyber Compliance Management, the retailer can efficiently manage all compliance requirements related to PCI-DSS and the Sarbanes-Oxley Act (SOX). It supports the process of harmonizing control sets across multiple IT regulations. It also helps in scheduling assessments and performing control tests.
With a built-in reporting and dashboard engine, the product provides a holistic, enterprise-wide view of the retailer’s IT compliance risks. Graphical charts help in tracking the IT compliance status and evaluating levels of compliance with various mandates. Users can also obtain alerts, notifications, and updates on IT regulatory content and actionable insights from various industry standard feeds and online sources.
From a governance perspective, the company plans to use the product to create and align IT policies and standards to specific industry regulations, while also measuring compliance levels and any potential impediments or risks.
Improved efficiency through a centralized approach to cybersecurity risk and compliance management
Fostered a strong culture of cyber risk awareness and accountability across the enterprise
Enhanced visibility into IT compliance risks
MetricStream Third-Party Risk Management has given the retailer a consolidated system to manage third-party risks. The product supports third-party/vendor information management, risk assessments, continuous monitoring, and risk mitigation. It also helps monitor vendors in line with internal and external compliance requirements during the pre-qualification process, as well as on a continuous basis.
Users gain real-time visibility into third-party profiles and potential risks. The product auto-recommends the schedule and frequency of vendor risk assessments for critical/material vendors based on the risk insights. Meanwhile, a built-in reporting engine automatically consolidates risk data from across the vendor network, and populates risk reports. This helps the retailer analyze and compare vendor risks and issues at the enterprise level.
The retailer now plans to expand their GRC journey by applying the core capabilities provided by MetricStream towards developing a strong GRC culture that is aligned with their business objectives. This way, they can create a common understanding of GRC within the enterprise, and also deliver better governance, while strengthening security and risk management programs.