This is a modular application delivered as SaaS or on-premise. The company has a broad set of GRC-related applications. We were quite impressed with this product, which really is more of an ecosystem. The overall footprint consists of 20 applications that address governance, risk management, compliance management, audit management, legal GRC, supplier governance, quality management, IT risk and compliance, and content and training.
So, this is a huge system and it would seem that, at first glance, this is going to be a complicated system to deploy. That turns out not to be the case. MetricStream has taken many years of experience and refined the deployment process - realizing that, even in a small company that uses a minimal number of their applications, there are a lot of moving parts to a GRC deployment. Support starts well before the product is deployed to ensure that pre-planning is accomplished smoothly to prepare the way for installation and population of the data.
This is a traditional GRC program on steroids. There is no way, in the space we have, to cover it completely. Part of the under-the-covers engine that drives the system is a very sophisticated data model. For example, for vulnerability assessment the tool has its own common vulnerability data model. It takes in data from tools such as Nessus and Qualys, as well as threat data from third parties.
One begins simply: You select the board in which you plan to work - for example, risks, assets or policy. Then you drill down to get to the tools and outputs for the particular task set you've selected. Although this is a traditional GRC tool, it gives a lot more than lip service to IT risks. IT issues can be managed and reported in detail.
We found that there are lots of excellent views, and custom views can be created on the fly. Of course you can map across standards very easily, and the product comes complete with lots of pre-done mappings. Risks can be assessed in a variety of ways - from asset-based to such other issues as supplier risk. For that the product consumes information (from such sources as Lexis and Dow-Jones) about the organization's suppliers and applies it to the risk measurement.
Of course there are a lot of ways to view audits, including findings, issues and actions. The tool has an excellent workflow capability that automates tracking of incidents, audit findings, vulnerabilities, etc. Tracking, of course, includes such things as trending where appropriate. Visualizations are excellent, employing such techniques as heat maps and bubble charts. This is applied to threat and vulnerability management, resulting in reports that will tell you everything you need to know about the state of your IT infrastructure. All of that data also plays into the rest of the overall data model. The database model uses both MongoDB and SQL. It is fully optimized for big data.
There is a dedicated rules engine that provides a framework for structuring and executing rules. Searching uses multiple algorithms for large, complicated searches. Given the size of the system's data store, searches pose a real challenge. With this offering, we did not see a search, no matter how complicated, that lasted more than a couple of seconds. Risk assessments and audit results can be created from stored data in near real time, and their currency is as recent as the data collected. Reports can be created on the fly.
The product's sophisticated analytics and visualization impressed us, as did its ability to drink from several data fire hoses simultaneously. To make deployment easier, the company has collected artifacts from previous deployments going back 10 years. Plus, it has an on-boarding program unlike any we've ever seen. The company describes GRC as a journey and has developed a community whose members help each other, including new customers.
Cost is more than reasonable given what you get, and the website and support are first rate, with standard support included and several options for premium assistance.