IT GRC Solution v6.0
June 23, 2010
£32,000-£65,000 (user-based pricing)
- Ease of Use:
- Value for Money:
- Overall Rating:
- Strengths: Great business risk/policy management tool, with added value of validating rules to controls through inclusion of vulnerability data
- Weaknesses: Third-party vendor support, cost
- Verdict: The best-in-breed approach is great, but more third-party vendor support is needed. Cost makes this more suited to larger enterprises
IT GRC Solution v6.0 is an IT governance and compliance tracking solution that integrates risk scoring with business-level policies and industry and security standards.
MetricStream provides a central IT risk management framework to simplify identifying and analysing all risks in the IT operations of an organisation, enabling informed decision making to support business performance and overall management of business risks.
By automating the entire IT risk management process and workflow, from risk identification and assessment scoring to mitigation and reporting, MetricStream provides timely, actionable information for proactively addressing IT risks against corporate objectives and compliance for multiple regulations such as PCI DSS, HIPAA, SOX, privacy laws, FISMA and GLBA. It also enables compliance with IT governance standards such as CobiT, ISO 27002 and NIST-SP 800.
You can capture and classify assets using imports from supported solutions, determine the risk associated with each asset, and report on that risk right down to the control level for any supported industry, enterprise or regulatory requirement. A controls and standards library is pulled from Network Frontiers' Unified Compliance Framework. Vulnerability data can be imported from Nessus, CIS and MBSA. Monitoring and problem management are supported through BigFix and eEye. Incident management was strong.
The user interface is manageable but carries a lot of text-based information from screen to screen, giving it a crowded feeling. There is a configurable dashboard section, and report templates and custom reports are also available.
The ability to report on a risk and correlate it down to the list of specific controls in various regulatory bodies was great. Most organisations are subject to more than one legal or regulatory requirement and the ability to quickly group and summarise your risk to the combined controls is very helpful.
You can purchase MetricStream as either a hosted SaaS offering or as client-side software. It is accessed through a standard web browser. The backend is an Oracle database, and the server-side application runs on IIS or Apache web servers with a Java application server. Typical deployments range from 30 to 120 days. Email and phone support are available on an 8/5 basis for a fee.