
GOVERNANCE, RISK & COMPLIANCE

MetricStream Whitepaper
Benefits of IT Risk Management Process Automation

INTRODUCTION
Automating the IT Risk Management process is critical for organizations who want to secure their IT investments from internal and external risks related to information security, infrastructure, project management and business continuity processes. Furthermore, a well-defined IT GRC program based on frameworks such as COBIT and ISO 27002 cannot achieve high maturity scores without process automation for risk and compliance management.

Today, corporate battles can be fought using cyber warfare, wherein competitors steal sensitive information by hacking into corporate systems or exploiting their vulnerabilities. Such unethical acts of sabotage and vandalism can cause severe losses to an organization's revenue, brand value and market share. Moreover, the organization is held liable for any data theft incidents related to payment card or patient healthcare information.

IT RISKS FACED BY ORGANIZATIONS
Companies are faced with IT risks from multiple sources which are not restricted to information systems.

Internal IT Risks – data fraud, unauthorized system access, lack of an information security culture, inadequate employee awareness, inefficient IT governance, poor application development standards
External IT Risks – cyber crime, threats such as viruses and worms, vulnerability of emerging technologies (Cloud computing, SaaS)

AUTOMATION OF THE IT RISK MANAGEMENT PROCESS
IT operations, fraud and surveillance systems such as threat and vulnerability management, configuration and compliance auditing and identity governance systems can be used as sources for automating the IT Risk Management process. Incidents arising from these systems can be mapped to IT Risk repositories, enabling incident response teams to evaluate their risk to the organization.

[Figure: IT RISK MANAGEMENT WORKFLOW. Four source systems (Threat and Vulnerability Management System, National Vulnerability Database, Incident, Fraud and Surveillance System, Identity Governance System) feed into the IT Risk Management Solution.]

For instance, details about a newly registered Internet Explorer vulnerability in the National Vulnerability Database (NVD) can be automatically downloaded onto the IT Risk Management solution. Based on the Common Vulnerabilities and Exposures (CVE) list, the IT Risk Management solution can trigger an incident investigation and bind the incident to the information security asset or group of assets. The solution can then classify the risk ratings and severity of the incident based on the risk criteria (confidentiality, integrity, availability, effectiveness, efficiency, compliance and reliability) of the asset.

Following classification, the automated system can trigger the necessary action plan for the owner(s) of the information asset. Should the vulnerability become a threat, the asset owner can trigger the risk assessment process and use the CVE number to trigger proactive patch management. The asset owner can also discard the incident if it has little or no impact on the business (false alarm). In this way, risk management automation can bring more rigor and discipline to the tasks of IT threat and incident resolution, thus reducing compliance costs and business losses.
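The NVD-to-action-plan workflow described above, as an added illustration in Python. This is example code written for this page, not MetricStream's product or any code from the whitepaper: the feed layout, the asset register, the 1 to 5 scale for the seven risk criteria, the rating thresholds and the action-plan texts are all assumptions, and every CVE id, product, asset and owner is constructed placeholder data. The sketch binds each feed entry to the assets that run an affected product, rates the resulting incident from the vulnerability's severity and the asset's criteria, routes an action plan to the asset owner, and lets the owner discard a false alarm.

```python
# Added example (not MetricStream's code): a toy implementation of the automated
# NVD -> incident -> risk rating -> action plan workflow the whitepaper describes.
# Every CVE id, product, asset and owner below is constructed sample data.
from dataclasses import dataclass
from typing import Dict, List

# The seven risk criteria named in the whitepaper, rated 1 (low) .. 5 (high) per asset
CRITERIA = ("confidentiality", "integrity", "availability", "effectiveness",
            "efficiency", "compliance", "reliability")


@dataclass
class Asset:
    name: str
    owner: str                 # who receives the action plan
    products: List[str]        # software inventory used to bind CVEs to the asset
    criteria: Dict[str, int]   # importance of each risk criterion for this asset


@dataclass
class Incident:
    cve_id: str
    asset: str
    owner: str
    score: float
    rating: str
    action: str
    status: str = "open"


# Constructed NVD-style feed entries (placeholder ids, not real advisories)
SAMPLE_NVD_FEED = [
    {"cve_id": "CVE-0000-0001", "cvss": 9.3, "affected": ["internet_explorer:8"]},
    {"cve_id": "CVE-0000-0002", "cvss": 4.0, "affected": ["sample_ftpd:2.1"]},
    {"cve_id": "CVE-0000-0003", "cvss": 7.5, "affected": ["unused_app:1.0"]},
]

# Constructed asset register: the same product on assets with very different criteria
SAMPLE_ASSETS = [
    Asset("cardholder-portal", "alice", ["internet_explorer:8", "sample_webapp:3"],
          {"confidentiality": 5, "integrity": 5, "availability": 4, "effectiveness": 3,
           "efficiency": 2, "compliance": 5, "reliability": 4}),
    Asset("intranet-kiosk", "bob", ["internet_explorer:8"], {c: 1 for c in CRITERIA}),
    Asset("lab-fileserver", "carol", ["sample_ftpd:2.1"],
          {**{c: 2 for c in CRITERIA}, "availability": 4}),
]


def classify(cvss: float, criteria: Dict[str, int]):
    """Combine vulnerability severity with the asset's most important criterion.
    One critical criterion (e.g. compliance for cardholder data) is enough to drive
    the rating, so the maximum is used rather than an average. Thresholds are assumed."""
    weight = max(criteria[c] for c in CRITERIA)
    score = cvss * weight                      # 0.0 .. 50.0
    if score >= 35:
        rating = "Critical"
    elif score >= 20:
        rating = "High"
    elif score >= 10:
        rating = "Medium"
    else:
        rating = "Low"
    return score, rating


ACTION_PLANS = {
    "Critical": "start risk assessment and emergency patch by CVE id",
    "High": "schedule patch within 7 days, owner to confirm exposure",
    "Medium": "patch in next maintenance window",
    "Low": "monitor; owner may discard as false alarm",
}


def bind_incidents(feed, assets) -> List[Incident]:
    """Bind each CVE to every asset whose inventory lists an affected product and
    open one incident per (CVE, asset) pair; CVEs that match no asset are dropped."""
    incidents = []
    for entry in feed:
        for asset in assets:
            if set(entry["affected"]) & set(asset.products):
                score, rating = classify(entry["cvss"], asset.criteria)
                incidents.append(Incident(entry["cve_id"], asset.name, asset.owner,
                                          score, rating, ACTION_PLANS[rating]))
    return incidents


def discard(incident: Incident, reason: str) -> Incident:
    """Asset owner closes an incident that has little or no impact on the business."""
    incident.status = f"discarded (false alarm: {reason})"
    return incident


def open_work_by_owner(incidents) -> Dict[str, List[str]]:
    """Route the action plans of still-open incidents to their asset owners."""
    work: Dict[str, List[str]] = {}
    for inc in incidents:
        if inc.status == "open":
            work.setdefault(inc.owner, []).append(f"{inc.cve_id} on {inc.asset}: {inc.action}")
    return work


if __name__ == "__main__":
    incidents = bind_incidents(SAMPLE_NVD_FEED, SAMPLE_ASSETS)
    discard(incidents[1], "kiosk has no network connectivity")
    for owner, items in open_work_by_owner(incidents).items():
        print(owner, items)
```

Running it shows the point the whitepaper makes about asset criteria: the same constructed browser vulnerability is rated Critical on the cardholder portal and Low on the isolated kiosk, and after the kiosk owner discards the false alarm only the portal and file-server incidents remain in the routed work list.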

ABOUT METRICSTREAM
MetricStream has been positioned in the “leaders” quadrant in the recently published Gartner Magic Quadrant for Enterprise Governance, Risk and Compliance Platforms. As per the Gartner Research Analysts French Caldwell and Tom Eid, MetricStream “demonstrated effectively all four GRCM primary functions - audit management, compliance management, risk management and policy management.”

MetricStream has been cited as a 'Leader' in the recently published report Forrester Wave: Enterprise Governance, Risk and Compliance Platforms, Q3 2009.

MetricStream is a market leader in Enterprise-wide Governance, Risk, Compliance (GRC) and Quality Solutions for global corporations. MetricStream solutions are used by leading corporations such as Pfizer, Philips, American Airlines, NASDAQ, Hitachi, Aurobindo Pharma, Sandisk, BP, Entergy, Subway, Fairchild Semiconductor, and TaylorMade-Adidas Golf in diverse industries such as Pharmaceuticals, Medical Devices, Automotive, Food, High Tech Manufacturing, Energy and Financial Services to manage their quality processes, regulatory and industry-mandated compliance and corporate governance initiatives, as well as by over a million compliance professionals worldwide via the ComplianceOnline.com portal.

MetricStream
www.metricstream.com info@metricstream.com

Copyright © 2010 MetricStream, Inc. All rights reserved.
