IT GRC Solution v6.0
Strengths: Great business risk/policy management tool, with added value of validating rules to controls through inclusion of vulnerability data
Weaknesses: Third-party vendor support, cost
Verdict: The best-in-breed approach is great, but more third-party vendor support is needed. Cost makes this more suited to larger enterprises.
IT GRC Solution v6.0 is an IT governance and compliance tracking solution that integrates risk scoring with business-level policies and industry and security standards.
MetricStream provides a central IT risk management framework to simplify identifying and analysing all risks in the IT operations of an organisation, enabling informed decision making to support business performance and overall management of business risks.
By automating the entire IT risk management process and workflow, from risk identification and assessment scoring to mitigation and reporting, MetricStream provides timely, actionable information for proactively addressing IT risks against corporate objectives and compliance for multiple regulations such as PCI DSS, HIPAA, SOX, privacy laws, FISMA and GLBA. It also enables compliance with IT governance standards such as CobiT, ISO 27002 and NIST-SP 800.
You can capture and classify assets using imports from supported solutions, determine the risk associated with each asset, and report on that risk right down to the control level for any supported industry, enterprise or regulatory requirement. The controls and standards library is pulled from Network Frontiers' Unified Compliance Framework. Vulnerability data can be imported from Nessus, CIS and MBSA. Monitoring and problem management are supported through BigFix and eEye. Incident management was strong.
The user interface is manageable but carries a lot of text-based information from screen to screen, giving it a crowded feeling. There is a configurable dashboard section, and report templates and custom reports are also available.
The ability to report on a risk and correlate it down to the list of specific controls in various regulatory bodies was great. Most organisations are subject to more than one legal or regulatory requirement and the ability to quickly group and summarise your risk to the combined controls is very helpful.
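To make the roll-up described above concrete, here is an added example (not MetricStream's code) of how per-asset vulnerability findings can be attributed to the failing control and then summed across every regulation that cites that control via a crosswalk. The asset data, control names, severities and the regulation crosswalk are all constructed for illustration; the scoring formula (asset criticality times finding severity) is an assumption, not the product's.

```python
from collections import defaultdict

# Constructed sample inventory: each asset has a business criticality (1-5)
# and vulnerability findings as (failing control, CVSS-style severity).
ASSETS = {
    "web-01": {"criticality": 3, "findings": [("ctrl-patch", 7.5), ("ctrl-tls", 5.0)]},
    "db-01":  {"criticality": 5, "findings": [("ctrl-patch", 9.8), ("ctrl-access", 6.5)]},
    "hr-app": {"criticality": 4, "findings": [("ctrl-access", 4.0)]},
}

# Constructed crosswalk: which regulations require each control. A real
# deployment would pull this from a controls library such as the UCF.
CROSSWALK = {
    "ctrl-patch":  {"PCI DSS", "HIPAA", "ISO 27002"},
    "ctrl-tls":    {"PCI DSS", "HIPAA"},
    "ctrl-access": {"PCI DSS", "HIPAA", "SOX", "ISO 27002"},
}

def asset_risk(asset):
    """Assumed scoring: criticality x worst finding, so one critical hole dominates."""
    if not asset["findings"]:
        return 0.0
    return asset["criticality"] * max(sev for _, sev in asset["findings"])

def risk_by_control(assets):
    """Attribute each asset's weighted findings to the control that failed."""
    out = defaultdict(float)
    for asset in assets.values():
        for ctrl, sev in asset["findings"]:
            out[ctrl] += asset["criticality"] * sev
    return dict(out)

def risk_by_regulation(assets, crosswalk):
    """Roll control-level risk up to every regulation that cites the control."""
    out = defaultdict(float)
    for ctrl, risk in risk_by_control(assets).items():
        for reg in crosswalk.get(ctrl, ()):
            out[reg] += risk
    return dict(out)

def failing_controls(assets, crosswalk, regulation):
    """List the specific controls carrying risk under one regulation, worst first."""
    hits = [(c, r) for c, r in risk_by_control(assets).items()
            if regulation in crosswalk.get(c, ())]
    return sorted(hits, key=lambda item: -item[1])

if __name__ == "__main__":
    for reg, risk in sorted(risk_by_regulation(ASSETS, CROSSWALK).items()):
        print(f"{reg:10} total risk {risk:6.1f}  controls: {failing_controls(ASSETS, CROSSWALK, reg)}")
```

Because one control feeds several regulations, a single remediation (patching db-01, say) lowers the PCI DSS, HIPAA and ISO 27002 totals at once, which is the grouping benefit the review points to.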
You can purchase MetricStream either as a hosted SaaS offering or as client-side software. It is accessed through a standard web browser. The backend is an Oracle database, and the server-side application runs on IIS or Apache web servers with a Java application server. Typical deployments range from 30 to 120 days. Email and phone support are available on an 8/5 basis for a fee.