MetricStream Risk Management Application and Policy and Document Application
November 01, 2015
Ranging from £134-£1,680 per user per app, based on user type.
- Strengths: Technical superiority, huge customer support starting before deployment and continuing throughout the GRC journey. The broadest offering we’ve seen – there is something specialised for just about any business you can imagine.
- Weaknesses: None.
- Verdict: Whether you want a technology-driven tool or a traditional one, this product can get the job done. For its very high value, its technical chops and the way the company handles its customers, we make this our Best Buy.
This is a modular application delivered as SaaS or on-premise. The company has a broad set of GRC-related applications. We were quite impressed with this product, which really is more of an ecosystem. The overall footprint consists of 20 applications that address governance, risk management, compliance management, audit management, legal GRC, supplier governance, quality management, IT risk and compliance, and content and training.
So, this is a huge system and it would seem that, at first glance, this is going to be a complicated system to deploy. That turns out not to be the case. MetricStream has taken many years of experience and refined the deployment process - realising that, even in a small company that uses a minimal number of their applications, there are a lot of moving parts to a GRC deployment. Support starts well before the product is deployed to ensure that pre-planning is accomplished smoothly to prepare the way for installation and population of the data.
This is a traditional GRC program on steroids. There is no way, in the space we have, to cover it completely. Part of the under-the-covers engine that drives the system is a very sophisticated data model. For example, for vulnerability assessment the tool has its own common vulnerability data model. It takes in data from tools such as Nessus and Qualys, as well as threat data from third parties.
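The review describes a common vulnerability data model that ingests Nessus and Qualys output alongside third-party threat data. The following is an added, illustrative example of what such normalisation looks like in practice; it is not MetricStream's code or schema. The Nessus-style CSV, the Qualys-style records, the threat feed and the severity mappings are all constructed assumptions for the demonstration. The point it makes that the paragraph does not: two scanners reporting the same CVE on the same host must collapse into one finding, their differing severity scales must be reconciled before ranking, and in-the-wild exploitation data should outrank raw severity when prioritising.

```python
"""Illustrative common vulnerability data model (added example, not the product's own).

Normalises findings from two constructed scanner export formats into one schema,
merges duplicates across scanners, enriches with a constructed threat feed and
ranks the result. Field names and severity scales are assumptions.
"""
import csv
import io
from dataclasses import dataclass, replace
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Assumed Nessus "Risk" labels mapped onto a single 0 (info) .. 4 (critical) scale.
NESSUS_RISK = {"None": 0, "Info": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}


@dataclass(frozen=True)
class Finding:
    asset: str                 # host identifier as reported by the scanner
    cve: Optional[str]         # CVE id when the scanner supplied one
    title: str
    severity: int              # normalised 0..4 regardless of originating scanner
    sources: Tuple[str, ...]   # which scanners reported it (merged on dedupe)
    exploited_in_wild: bool = False


# Constructed Nessus-style CSV export; rows and hosts are made up for this example.
NESSUS_CSV = """Plugin ID,CVE,Risk,Host,Name
10001,CVE-2014-0160,Critical,10.0.0.5,OpenSSL Heartbleed
10002,,Low,10.0.0.5,SSL Certificate Self-Signed
10003,CVE-2015-1635,High,10.0.0.7,HTTP.sys Remote Code Execution
"""

# Constructed Qualys-style records (dicts standing in for parsed XML); Qualys uses a 1..5 scale.
QUALYS_RECORDS = [
    {"IP": "10.0.0.5", "QID": 42430, "CVE_ID": "CVE-2014-0160", "SEVERITY": 5, "TITLE": "OpenSSL Heartbleed"},
    {"IP": "10.0.0.9", "QID": 38170, "CVE_ID": None, "SEVERITY": 2, "TITLE": "SSL Certificate Expired"},
]

# Constructed third-party threat feed: CVEs observed exploited in the wild.
THREAT_FEED: Set[str] = {"CVE-2014-0160"}


def parse_nessus(csv_text: str) -> List[Finding]:
    out = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        out.append(Finding(asset=row["Host"], cve=row["CVE"] or None, title=row["Name"],
                           severity=NESSUS_RISK[row["Risk"]], sources=("nessus",)))
    return out


def parse_qualys(records: Iterable[dict]) -> List[Finding]:
    out = []
    for r in records:
        sev = int(r["SEVERITY"])
        if not 1 <= sev <= 5:
            raise ValueError(f"unexpected Qualys severity {sev}")
        out.append(Finding(asset=r["IP"], cve=r.get("CVE_ID") or None, title=r["TITLE"],
                           severity=sev - 1, sources=("qualys",)))   # shift 1..5 onto 0..4
    return out


def _key(f: Finding) -> tuple:
    # Same CVE on the same host is one vulnerability whoever reported it;
    # findings without a CVE fall back to the scanner's title.
    return (f.asset, f.cve) if f.cve else (f.asset, f.title.lower())


def merge(findings: Iterable[Finding]) -> List[Finding]:
    merged: Dict[tuple, Finding] = {}
    for f in findings:
        k = _key(f)
        if k in merged:
            cur = merged[k]
            merged[k] = replace(cur, severity=max(cur.severity, f.severity),
                                sources=tuple(sorted(set(cur.sources + f.sources))))
        else:
            merged[k] = f
    return list(merged.values())


def enrich(findings: Iterable[Finding], feed: Set[str]) -> List[Finding]:
    return [replace(f, exploited_in_wild=(f.cve in feed)) for f in findings]


def build_model(nessus_csv: str, qualys_records: Iterable[dict], feed: Set[str]) -> List[Finding]:
    return enrich(merge(parse_nessus(nessus_csv) + parse_qualys(qualys_records)), feed)


def priority_queue(findings: Iterable[Finding]) -> List[Finding]:
    # Known-exploited first, then by normalised severity, then asset for a stable order.
    return sorted(findings, key=lambda f: (not f.exploited_in_wild, -f.severity, f.asset))


if __name__ == "__main__":
    for f in priority_queue(build_model(NESSUS_CSV, QUALYS_RECORDS, THREAT_FEED)):
        print(f"{f.asset:10} sev={f.severity} itw={f.exploited_in_wild!s:5} {f.cve or '-':15} "
              f"{f.title} [{', '.join(f.sources)}]")
```

Because both scanners found Heartbleed on 10.0.0.5, the model carries one finding with both sources attached, which is what lets a GRC workflow track a single remediation ticket rather than two.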
One begins simply: you select the board in which you plan to work - for example, risks, assets or policy. Then you drill down to get to the tools and outputs for the particular task set you've selected. Although this is a traditional GRC tool, it gives a lot more than lip service to IT risks. IT issues can be managed and reported in detail.
We found that there are lots of excellent views, and custom views can be created on the fly. Of course you can map across standards very easily, and the product comes complete with lots of pre-done mappings. Risks can be assessed in a variety of ways - from asset-based to such other issues as supplier risk. For that the product consumes information (from such sources as Lexis and Dow-Jones) about the organisation's suppliers and applies it to the risk measurement.
Of course there are a lot of ways to view audits, including findings, issues and actions. The tool has an excellent workflow capability that automates tracking of incidents, audit findings, vulnerabilities, etc. Tracking, of course, includes such things as trending where appropriate. Visualisations are excellent, employing such techniques as heat maps and bubble charts. This is applied to threat and vulnerability management, resulting in reports that will tell you everything you need to know about the state of your IT infrastructure. All of that data also plays into the rest of the overall data model. The database layer uses both MongoDB and SQL and is built for big-data volumes.
There is a dedicated rules engine that provides a framework for structuring and executing rules. Searching uses multiple algorithms for large, complicated searches. Given the size of the system's data store, searches pose a real challenge. With this offering, we did not see a search, no matter how complicated, that lasted more than a couple of seconds. Risk assessments and audit results can be created from stored data in near real time, and their currency is only as recent as the data most recently collected. Reports can be created on the fly.
The product's sophisticated analytics and visualisation impressed us, as did its ability to drink from several data fire hoses simultaneously. To make deployment easier, the company has collected artifacts from previous deployments going back 10 years. Plus, it has an on-boarding programme unlike any we've ever seen. The company describes GRC as a journey and has developed a community in which customers, including new ones, can help each other.
Cost is more than reasonable given what you get, and the website and support are first rate, consisting of standard aid included and several options for premium assistance.