The Client: The bank is one of the largest financial institutions in the Middle East, with a strong corporate and retail banking franchise and branches and offices in Europe, the U.S.A., and Asia.
With IT GRC being managed in silos, the bank found it increasingly challenging to measure its IT risk and compliance profile. Using the MetricStream IT GRC solution, the bank was able to integrate its IT GRC processes on a common platform, while also mapping its data and automating workflows.
After researching multiple IT GRC products, the bank chose the MetricStream IT GRC Solution, confident that it would meet their requirements through its tightly integrated data model, scalable platform, and automated capabilities. Since its implementation, the solution has helped the bank manage a wide range of IT GRC requirements in a holistic manner, while accelerating the resolution of IT risks and threats, and strengthening compliance with multiple IT regulations and standards.
The solution supports the unique requirements of multiple stakeholders, including the CRO and Head of Information Security, while simultaneously consolidating and rolling up their reports to provide a comprehensive glimpse into the organization’s risk and compliance profile.
IT Governance: The solution streamlines and automates a range of IT policy management processes with support for electronic policy creation, distribution, attestation, and exception management. Security policies can be linked to the corresponding assets and controls, as well as international regulations, standards, and technology and security baselines. This integrated data model allows users at the bank to easily measure the impact of changing regulatory and business requirements on the policy framework.
At a broader level, the solution supports an integrated approach to IT governance across the bank’s organizational units. Advanced capabilities for role-based reporting and analytics provide an in-depth view of the organization’s IT risk and compliance posture in real time. Dashboards enable the board and senior management to slice and dice the data from various angles and derive the risk intelligence they need to support decision-making. In addition, role-based access and authorization capabilities, time-stamped audit trails, and robust password controls help maintain information security.
Cyber Risk Management: The solution supports the collection, consolidation, business-driven prioritization, and remediation of information security threats and vulnerabilities. It connects to vulnerability assessment tools in the bank to bring in raw assessment results for rich GRC-based analysis and reporting. It also integrates SOC, SIEM, DLP, IDM, and other security operations.
A built-in risk library helps the bank standardize its risk taxonomy and link risks to threats, vulnerabilities, agents, and factors. This lets users correlate risk information effectively and separate genuine risks from mere threats. Additionally, the solution helps automate and rationalize cyber risk management processes. Federated risk assessment capabilities allow business units to assess risks independently, while ensuring that data is rolled up to senior management in a consistent and standardized manner.
When it comes to cyber risk assessments, the solution provides configurable scoring algorithms while supporting the inclusion of multiple assessment factors, and enabling risk evaluations from various perspectives. Thus, users at the bank gain a well-rounded and real-time picture of risks.
Through the solution, the bank can configure a risk-rating scale (via the solution’s GRC rules engine) that combines an asset’s vulnerability context and business context into a single risk rating to support remediation planning. The combined risk rating is calculated by first converting the numeric vulnerability severity range into business-readable (human-readable) values, and then mapping those values against the asset’s business criticality value. Users at the bank can therefore review incoming vulnerabilities in their business context.
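The paragraph above describes the rating in two steps (numeric severity to a human-readable band, then band mapped against asset criticality) without giving the bank’s actual thresholds or matrix. The following is an added illustration of that two-step scheme, not code from the page or from MetricStream’s rules engine: the severity bands are assumed to follow the public CVSS v3.x qualitative scale, and the criticality levels, the rating matrix, and the sample findings (asset names, `VULN-000x` identifiers, scores) are all constructed for the example.

```python
"""Combined risk rating: severity band x asset business criticality.

Added worked example. Bands, matrix and sample data are assumptions,
not the bank's or MetricStream's actual configuration.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Step 1 input: assumed severity bands (CVSS v3.x qualitative scale).
# Each entry is (inclusive upper bound, human-readable label); the first
# band whose upper bound is >= the score wins, so any float in 0..10 maps.
SEVERITY_BANDS = [
    (0.0, "None"),
    (3.9, "Low"),
    (6.9, "Medium"),
    (8.9, "High"),
    (10.0, "Critical"),
]

# Step 2 input: assumed asset business criticality values.
CRITICALITY_LEVELS = ("Low", "Medium", "High")

# Assumed rating matrix: rows are severity bands, columns are asset criticality.
RISK_MATRIX = {
    "None":     {"Low": "Informational", "Medium": "Informational", "High": "Informational"},
    "Low":      {"Low": "Low",           "Medium": "Low",           "High": "Medium"},
    "Medium":   {"Low": "Low",           "Medium": "Medium",        "High": "High"},
    "High":     {"Low": "Medium",        "Medium": "High",          "High": "Critical"},
    "Critical": {"Low": "High",          "Medium": "Critical",      "High": "Critical"},
}

# Ordering used for remediation prioritization (lowest to highest).
RATING_ORDER = ["Informational", "Low", "Medium", "High", "Critical"]


@dataclass(frozen=True)
class Finding:
    asset: str          # asset identifier from the vulnerability scanner (constructed)
    vuln_id: str        # placeholder identifier, not a real CVE
    severity: float     # numeric severity score, 0.0 .. 10.0
    criticality: str    # asset business criticality from the asset inventory


def severity_band(score: float) -> str:
    """Step 1: convert a numeric severity score into a human-readable band."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"severity score out of range: {score}")
    for upper, label in SEVERITY_BANDS:
        if score <= upper:
            return label
    return "Critical"  # unreachable after the range check


def combined_rating(score: float, criticality: str) -> str:
    """Step 2: map the severity band against asset criticality."""
    if criticality not in CRITICALITY_LEVELS:
        raise ValueError(f"unknown asset criticality: {criticality}")
    return RISK_MATRIX[severity_band(score)][criticality]


def prioritize(findings: List[Finding]) -> List[Tuple[Finding, str]]:
    """Rate every finding and order them for remediation planning:
    highest combined rating first, ties broken by raw severity score."""
    rated = [(f, combined_rating(f.severity, f.criticality)) for f in findings]
    rated.sort(key=lambda fr: (RATING_ORDER.index(fr[1]), fr[0].severity), reverse=True)
    return rated


# Constructed sample scanner output joined with constructed asset criticality.
SAMPLE_FINDINGS = [
    Finding("web-portal-01",    "VULN-0001", 9.8, "High"),
    Finding("dev-sandbox-07",   "VULN-0002", 9.8, "Low"),
    Finding("core-banking-db",  "VULN-0003", 5.3, "High"),
    Finding("kiosk-printer-02", "VULN-0004", 2.1, "Low"),
]

if __name__ == "__main__":
    for finding, rating in prioritize(SAMPLE_FINDINGS):
        band = severity_band(finding.severity)
        print(f"{rating:<13} {finding.asset:<17} {finding.vuln_id} "
              f"severity={finding.severity} ({band}) criticality={finding.criticality}")
```

The point the matrix makes is the one the paragraph makes: two findings with the same raw score (9.8 on the portal and on the sandbox) receive different combined ratings, and a medium-severity finding on a high-criticality asset outranks a critical-severity one on a low-value asset only if the matrix says so, which is exactly the business-context judgement a rules engine is meant to encode and that a reviewer should check when the scale is configured.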
IT Compliance Management: The solution provides a single integrated system for the bank to manage compliance with multiple IT regulations and standards. Users can define a single control assessment to manage several compliance requirements. Additionally, with the help of MongoDB-based connectors, the solution integrates content from the Unified Compliance Framework (UCF), helping the bank harmonize IT controls across multiple regulations, and minimize redundancies in control data.
Compliance requirements can be mapped to controls, assets, asset classes, policies, risks, and other factors (due to the flexible relational data model of the GRC Foundation). This makes it easy to measure the impact of new regulations on the bank’s compliance framework.
Embedded regulatory content helps the bank stay informed on various regulations. Other capabilities provided by the solution include the ability to define quantitative compliance frameworks (for metrics-driven compliance), and measure the drift from recommended technology configuration baselines.
Issue and Remediation Management: If issues are discovered during any IT GRC processes, the MetricStream solution triggers a systematic process of issue recording, investigation, escalation, diagnosis, and closure, leading to remediation and corrective action. The issue management process is centralized and streamlined to enhance visibility and efficiency. Business units across the bank can easily collaborate and share data on issue investigation and remediation, while senior management can track the status of each issue in real time.
Being in a highly regulated industry, the bank faces numerous IT compliance regulations in addition to a range of IT risks and cybersecurity concerns. Previously, most of these requirements were managed in silos across multiple systems. This approach limited the bank’s ability to aggregate IT GRC metrics and measure its true risk and compliance posture.
The other challenge was that processes to identify emerging risks were not always clearly defined. Workflows were manual and labor-intensive, which in turn made activities such as continuous control monitoring an arduous task. Additionally, because processes were siloed, the bank found it difficult to understand the impact of regulatory changes and changes to recommended configuration baselines on its policies and controls.
When it came to information security governance, the bank faced multiple challenges in terms of analyzing the impact of new threats and vulnerabilities, consolidating threat intelligence, and integrating security operations such as SOC, SIEM, DLP, and IDM. Issue and remediation management processes were also fragmented and not entirely efficient.
Against this backdrop, the bank began looking for an IT GRC solution that would help it manage its IT risks, controls, regulations, policies, and security requirements in an automated, streamlined, and holistic manner.