MetricStream IT GRC Solution v6.0
Strengths: A great business risk/policy management tool with the additional values of validating rules to controls through inclusion of vulnerability data.
Weaknesses: Third-party vendor support; cost.
Verdict: The best-in-breed approach is great, but we would like to see greater third-party vendor support. Its cost makes this a larger enterprise solution.
MetricStream IT GRC Solution v6.0 is an IT governance and compliance-tracking solution that integrates risk scoring with business level policies and industry and security standards.
MetricStream provides a central IT risk management framework to simplify identifying and analyzing all risks in the IT operations of an organization. This enables informed decision-making to support business performance and overall management of business risks. By automating the entire IT risk management process and workflow - from risk identification and assessment scoring to mitigation and reporting - MetricStream provides timely, actionable information for proactively addressing IT risks against corporate objectives and provides compliance for multiple regulations, such as PCI, NERC, HIPAA, SOX, privacy laws, FISMA and GLBA. It also enables compliance with IT governance standards, like COBIT, FFIEC, ISO 27002 and NIST SP 800.
Users can capture and classify assets using imports from supported solutions, and subsequently determine the risk associated with each asset and report on that risk right down to the control level for any supported industry, enterprise or regulatory requirement. A controls and standards library is pulled from Network Frontiers' Unified Compliance Framework (UCF). Vulnerability data can be imported from Nessus, CIS and MBSA. Monitoring and problem management are supported through BigFix and eEye. Incident management was strong. The user interface is manageable, but it presents a lot of text-based information from screen to screen, giving it a crowded feeling. There is a dashboard section that is configurable. Report templates and custom reports are also available. The ability to report on a risk and correlate it right down to the list of specific controls in various regulatory bodies was great. Most organizations are subject to more than one legal or regulatory requirement, and the ability to quickly group and summarize risk against the combined controls is very helpful.
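To show what the "risk down to the control level, summarized across regulations" capability amounts to in practice, here is an added illustration (not MetricStream's code, and not its data model): constructed vulnerability findings are rolled up to harmonized controls, and each control's risk is then attributed to every regulation that cites it, in the spirit of a UCF-style mapping. Control IDs, plugin names, scores and regulation lists are all made up for the example.

```python
# Added illustration, not MetricStream's own logic. Roll per-asset findings up to
# controls, then to every regulation that references each control.
# All data below is constructed; control IDs and regulation names are placeholders.
from collections import defaultdict

# Constructed "imported" findings, shaped like a scanner export would be.
FINDINGS = [
    {"asset": "db01",  "plugin": "unpatched-os",   "cvss": 10.0, "control": "AC-patch"},
    {"asset": "web01", "plugin": "weak-tls",       "cvss": 5.3,  "control": "CR-crypto"},
    {"asset": "web01", "plugin": "default-creds",  "cvss": 9.8,  "control": "AC-auth"},
    {"asset": "hr01",  "plugin": "no-audit-log",   "cvss": 4.3,  "control": "AU-log"},
]

# Constructed control-to-regulation mapping: one harmonized control
# satisfies requirements in several regulations at once.
CONTROL_MAP = {
    "AC-patch":  ["PCI", "HIPAA", "SOX"],
    "CR-crypto": ["PCI", "HIPAA"],
    "AC-auth":   ["PCI", "HIPAA", "SOX", "GLBA"],
    "AU-log":    ["SOX", "HIPAA"],
}

def risk_by_control(findings):
    """Highest CVSS seen per control, plus the assets that carry it."""
    out = {}
    for f in findings:
        entry = out.setdefault(f["control"], {"max_cvss": 0.0, "assets": set()})
        entry["max_cvss"] = max(entry["max_cvss"], f["cvss"])
        entry["assets"].add(f["asset"])
    return out

def risk_by_regulation(findings, control_map):
    """Attribute control-level risk to every regulation citing that control."""
    per_control = risk_by_control(findings)
    regs = defaultdict(lambda: {"max_cvss": 0.0, "failing_controls": set()})
    for ctl, info in per_control.items():
        for reg in control_map.get(ctl, []):
            regs[reg]["max_cvss"] = max(regs[reg]["max_cvss"], info["max_cvss"])
            regs[reg]["failing_controls"].add(ctl)
    return dict(regs)

def worst_regulations(findings, control_map, top=3):
    """Regulations ranked by worst score, then by number of failing controls."""
    s = risk_by_regulation(findings, control_map)
    key = lambda r: (-s[r]["max_cvss"], -len(s[r]["failing_controls"]), r)
    return sorted(s, key=key)[:top]

if __name__ == "__main__":
    for reg, info in risk_by_regulation(FINDINGS, CONTROL_MAP).items():
        print(reg, info["max_cvss"], sorted(info["failing_controls"]))
```

One finding on `web01` (default credentials) surfaces under four regulations at once, which is exactly the cross-requirement grouping the review praises.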
MetricStream can be purchased as either a hosted SaaS offering or as client-side software. The product is accessed through a standard web browser, while the backend is an Oracle database and the server-side application runs on IIS or Apache web servers with a Java application server. Typical deployments range from 30 to 120 days. Email and phone support are available on an eight-hours-a-day/five-days-a-week basis for a fee.