ConnectedGRC

Drive a Connected GRC Program for Improved Agility, Performance, and Resilience

MetricStream Named Category Leader in All Seven Quadrants of the Chartis Research RiskTech Quadrant® for Integrated GRC Solutions, 2024

MetricStream Named Category Leader in All Seven Quadrants of the Chartis Research RiskTech Quadrant® for Integrated GRC Solutions, 2024

Learn More

Discover ConnectedGRC Solutions for Enterprise and Operational Resilience

Learn about the EU’s Digital Operational Resilience Act (DORA) and how you can prepare for it.

Learn about the EU’s Digital Operational Resilience Act (DORA) and how you can prepare for it.

Learn More

Explore What Makes MetricStream the Right Choice for Our Customers

Robert Taylor from LSEG shares his experience on implementing an integrated GRC program with MetricStream

Robert Taylor from LSEG shares his experience on implementing an integrated GRC program with MetricStream

Learn More

Discover How Our Collaborative Partnerships Drive Innovation and Success

Watch Lucia Roncakova from Deloitte Central Europe, speak on how the partnership with MetricStream provides collaborative GRC solutions

Watch Lucia Roncakova from Deloitte Central Europe, speak on how the partnership with MetricStream provides collaborative GRC solutions

Learn More

Find Everything You Need to Build Your GRC Journey and Thrive on Risk

Download this report to explore why cyber risk is rising in significance as a business risk.

Download this report to explore why cyber risk is rising in significance as a business risk.

Learn More

Learn about our mission, vision, and core values

Gurjeev Sanghera from Shell explains why they chose MetricStream to advance on the GRC journey

Gurjeev Sanghera from Shell explains why they chose MetricStream to advance on the GRC journey

Learn More
+1-650-620-2955
+1-650-620-2955 Contact Us Request Demo
×
Hit enter to search or ESC to close
Blogs

How Autodesk Moved from Siloed to Integrated IT Risk and Compliance Processes

Weekly-Blog-Upload-16-May-2024-dsk
3 min read

Introduction

At MetricStream’s flagship event, GRC Summit, Clyde Tsai, GRC Lead at Autodesk, shared how MetricStream has helped them implement an integrated framework for IT risk and compliance management programs. Autodesk is a leading provider of software products to architecture, engineering, construction, product design, manufacturing, media, and entertainment industries.

Here are the key takeaways from Clyde’s session at the summit.

Why MetricStream?

Clyde: One of the very special things about Autodesk teaming up with MetricStream is that we're trying to get FedRAMP compliant. We are in the midst of getting the authority to operate in FedRAMP – it is the ability to sell to the federal government. It’s a huge audit and continuous process. That was actually our main driver for choosing MetricStream.

Apart from that we're also doing compliance for a range of frameworks. We’re trying to infuse more of a culture of risk-aware decision-making. We have a small risk team and we’re trying to do as many risk assessments as we can. Automation really helps us with that.

The Journey So Far

Clyde: We’re two years into it. Specifically, the products – IT and Cyber Risk Management, IT and Cyber Compliance Management, and Policy and Document Management. All of our initial use cases are security use cases – security compliance, security risk, FedRAMP compliance, and security policies.

Key Challenges and Learnings

Clyde: We have this challenge with silos -- we have security, privacy, internal audit, ERM, IT, and legal. The challenge that I see here is understanding and being informed when something is happening in any of these areas that affects me as a GRC implementation person. To address this challenge, we are just learning how to do interdisciplinary working groups.

An example of this is our initiative to put together an information asset inventory, which is a requirement for ISO and other frameworks. This information asset inventory includes all organizational databases, EC2s, containers, and much more. To do it right, one should collect this data from other systems. But the challenge is determining the authoritative sources of truth and what the systems are, what data is in them, and then normalizing them if they're coming from multiple systems.

In such a situation, one should piggyback on other data consolidation efforts. And that's one thing that I've learned while putting together these interdisciplinary groups. I am communicating with these groups, and they have similar initiatives going on. So, I can put my requirements in there as they might have bigger teams for doing these things.

Another challenge is that we have some processes that are mature and some that are immature. MetricStream has a lot of these workflows already as out-of-the-box workflows. Therefore, you have an opportunity to just use that as your process and have the perfect alignment between your technology and your process, which is rare to have.

Business Value and Realized Benefits

Clyde: Regarding business value that we have realized:

  • We now have a one-stop shop for product owners and other leaders on SOC2 and ISO compliance. We plan to do a lot of other frameworks, like SOX, which we have to comply with.
  • We have a single source of truth risk register for Autodesk at least from the security perspective.
  • Regarding security risk assessments, we are in the process of getting those onboarded on MetricStream.
  • We have implemented an integrated framework and process for integrating all risk data
  • We have a huge requirement around FedRAMP, which requires us to report to our sponsoring federal agency every month, such as, how we are doing against vulnerabilities, etc. We have achieved complete automation around FedRAMP Plan of Action and Milestones (POAM) tracking:
    • Generation of monthly POAM Report to sponsoring agency
    • Issues tracking for open vulnerabilities
    • Parity checks to ensure more than 90% of assets are scanned

Going forward, our priorities include end-to-end compliance testing, integrated control framework, automated evidence collection, and security policy management lifecycle.

You can watch the complete session here:

 

Join us in our upcoming GRC Summit 2024 in Baltimore on June 17-18 to explore other real-world GRC implementation stories. To register, click here.

Shampa-mani

Shampa Mani Assistant Manager – Marketing

Shampa Mani, Assistant Manager - Marketing, at MetricStream, has over 7 years of experience in content writing and editing. Prior to joining MetricStream, she worked in the news and media industry, covering news on fintech, blockchain technology, and digital currencies. Academically, she has an MBA in Business Economics and an MA in Economics. In her free time, she loves to cook, read, and delve into the world of UFOs and extraterrestrials.

 

Related Resources

Blog
Blog
5 mins
Aanya Sharan
Your Ultimate Guide to the MetricStream 2024 GRC Summit: 7 Pro Tips