Strengths: Very solid GRC with the added benefit of the most comprehensive configurability we’ve seen. Lots of experience here and it shows.

Weaknesses: We would like to have seen more of the documentation which, judging from earlier years, is prodigious. However, MetricStream likes to talk about the “GRC Journey” and that is very well-documented on the website.

Verdict: For a pure-play GRC this is about the most solid product we’ve seen. If GRC is what you want, and you need next generation, look at this one. We predict you’ll like what you see.

This is a pure-play GRC product with a twist: everything is modularized so that you can select only those modules that you need. The modules are sold as snap-in applications. So, once you have the platform, you can create a GRC management system that really matches your environment perfectly. We found this unique the first time that we saw it and it just seems to get better with time. Currently, there are 20 applications that cover everything from issue management to compliance and incident management, among several others.

MetricStream is bred for the cloud. However, the vendor has redefined the cloud as the "Modern Cloud". Actually, this is a term that has sneaked into the computing vernacular and has a few consistencies across somewhat disparate definitions. For example, rather than depending upon virtual machines, it depends upon containers. So, claims MetricStream, there is no commingling of resources between users of the cloud. Of course, not just any cloud can do this because the cloud paradigm is dependent upon virtualization. However, the major cloud providers are getting on board, so it is possible to get this tool working and working quite well, indeed.

The tool supports development in a closed loop in the cloud using all the latest nifty development tools and ensuring that security and compliance are maintained within the development process. The vendor claims up to a 25% reduction in reaction time for businesses and that, if accurate, is significant. Reporting is excellent and, because the actual GRC deployment depends heavily upon your needs and the modules that you select, you can configure a GRC that covers just what you need. However, along with that flexibility comes a package of consistencies that are the product of the platform itself. For example, the mobile capability lets you access the GRC from wherever you happen to be. Since it can manage incidents, that by itself can be a very good piece of functionality.

The platform also supports the AppStudio, which lets you customize the look and feel of the various applications so that they deliver just what you need. The company outlines three lines of defense: the first line is the Business View User, the second line of defense is the IT manager and the third is the Auditor. The IT risk manager customizes the program as required for the organization's needs. He or she works from libraries that include everything from layouts to controls and policies. Next, he or she adds relationships, and those can be anything from compliance to policies, controls, or organizations and assets. The list is long and flexible. Relationships also can be mapped on the fly.

Visualization is among the most unusual that we've seen. It is an example of what we might call automated drill-down. Starting with a top-level wheel, called the data explorer, the user selects a starting point such as Areas of Compliance. The wheel then drills down automatically to every aspect that is covered by areas of compliance. We get a new wheel and it has all the current compliance standards listed around its perimeter. Picking one, we click again and this time we go to the details of the standard we selected. Our last stop is the controls for a specific aspect of the standard that we selected. This lets us drill down to get details as they relate to our enterprise and its level of compliance.

The tool can ingest data from most common vulnerability scanners. The auditor view is unique as well. Rather than just display audit issues, it adds the answers that are part of any good audit process. You can create and save new dashboards on the fly. Basic support is included, and premium packages are available for an additional fee. The website largely is a marketing site, but you can reach support from it. There is a lot of information, some of the best of it in the community section.

