Case Study

Financial Services Major Automates IT Control Assessments for Faster, Better Insights on Compliance

When you’re one of the world’s leading financial services companies, it is imperative to comply with IT regulations that affect enterprise operations. You need to effectively manage IT compliance risks while tracking and testing all relevant controls. That can be a massive, time-consuming, and complex endeavor, especially when you have millions of assets and thousands of processes for which 1,000+ IT controls across multiple regulatory frameworks need to be tested regularly.

The key questions you need to ask are: How do you build and maintain a common IT risk and control taxonomy across the organization? How do you automate the control testing process and the subsequent reporting? How do you deliver a real-time view of IT compliance risks to your top management?

These were a few of the concerns that the global financial services major faced. Being in a highly regulated line of business with constantly changing customer demands and technologies, the company needed to automate IT control testing as part of its DevOps process. To do that, they needed to define their compliance risk limits, align their first line of defense, and establish a scalable and mature compliance testing process.

Drawbacks Of Traditional Approaches

It started in the year 2015 when the Securities and Exchange Commission (SEC) adopted a new regulation on systems compliance and integrity (SCI) which required self-regulatory organizations (SROs) to improve resilience by reducing the occurrence of system issues, and accelerating recovery from technology disruptions.

To comply with the regulation, the company began testing their IT controls based on scripts that ran on a manual basis. However, this approach led to numerous business concerns, as the testing process was resource-intensive, time-consuming, and had to be backed by adequate support plans.

Further challenges arose during compliance risk assessments. Given the sheer number of internal controls in place, it became difficult for the company to calculate inherent risks, and then evaluate the strength of the controls to determine residual risks. In addition, risk reporting processes were largely siloed, thus slowing down the overall decision-making process.

Because of these challenges, the company began assessing various IT compliance solutions in the market. They eventually selected the MetricStream product for IT compliance management that would enable the company to strengthen compliance not only with SCI requirements but also with a wide range of other IT regulations and associated risks.

Mitigating IT Compliance Risks

With the MetricStream IT and Cyber Risk Compliance product, the company has been able to streamline and automate its IT compliance management workflows, while consolidating compliance data in a centralized repository for optimal visibility.

Users can also map compliance controls, policies, and assessments in an integrated structure. The product simplifies the process of scheduling and conducting automated IT control tests based on pre-defined criteria and checklists. It also accelerates IT compliance risk assessments, enabling the company to efficiently calculate inherent and residual risks in the first line of defense.

Improving Efficiency Through Automation

To push the control testing details from the MetricStream product to an automated testing tool or framework, the product was configured to integrate with an external testing tool, Selenium. The integration was performed by the MetricStream product’s data integration engine (APIs) over a secure file transfer protocol (SFTP) process, so that both inbound and outbound data are transferred securely.

Challenges

  • Conduct automated IT control testing without manual intervention
  • Deliver a real-time view of IT compliance risks to executive management

Business value realized

  • Improved IT compliance maturity and sustainability
  • Reduced compliance costs due to automated control testing
  • Increased effectiveness of the internal control environment
  • Enhanced visibility into IT compliance risks

The implemented product is agnostic of the automation tool or framework and can therefore be integrated with any automated testing tool.

Business Benefits

The product enables the company to continue leveraging existing automation tools without the need to switch to a new one. The underlying MetricStream Platform also provides an enterprise view of the control testing results.

Technology Integration Details

Scripts are executed through a pre-defined algorithm to identify evidence of controls. The Selenium automation server then updates the evidence with all required findings. To keep track of tasks, the automation server records all the activities and sends the final attachment as an inbound file to the MetricStream product.

Then those results are applied to a specific task within a test plan for a test analyst or control tester to view the summary, and to check if the control test results are a pass or fail. Detailed reports are also generated so that different stakeholders within the company can view the results.
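The inbound step described above, from the automation server's result file to pass/fail status on each test-plan task, as an added example. This is not MetricStream's or the company's code; the file format (one JSON record per line with `task_id`, `control_id` and `findings`), the test-plan structure and the pass rule (no finding of medium severity or above) are assumptions, and the sample records are constructed. Records that do not match a task and control in the plan are rejected rather than applied, so an unexpected or mis-addressed result cannot silently mark a control as tested.

```python
"""Apply an automation server's control-test evidence file to a test plan.

Added example, not the product's own code. The inbound file format, the
test-plan structure and the pass rule are assumptions for illustration.
"""
import json
from dataclasses import dataclass, field

# Constructed sample of an inbound file as the automation server might send it
# over SFTP (format is an assumption: one JSON object per line).
INBOUND_FILE = """\
{"task_id": "TP-2024-001-T1", "control_id": "ITGC-AC-01", "script": "chk_mfa_admin", "findings": [], "executed_at": "2024-05-01T02:00:00Z"}
{"task_id": "TP-2024-001-T2", "control_id": "ITGC-CM-04", "script": "chk_change_approval", "findings": [{"severity": "high", "detail": "2 production changes without approval ticket"}], "executed_at": "2024-05-01T02:05:00Z"}
{"task_id": "TP-2024-001-T3", "control_id": "ITGC-BC-02", "script": "chk_backup_restore", "findings": [{"severity": "low", "detail": "restore drill evidence older than 90 days"}], "executed_at": "2024-05-01T02:10:00Z"}
{"task_id": "TP-2024-001-T9", "control_id": "ITGC-XX-99", "script": "chk_unknown", "findings": [], "executed_at": "2024-05-01T02:15:00Z"}
"""

# Constructed test plan: the tasks the test analyst expects results for.
TEST_PLAN = {
    "TP-2024-001-T1": {"control_id": "ITGC-AC-01", "framework": "SEC SCI"},
    "TP-2024-001-T2": {"control_id": "ITGC-CM-04", "framework": "SEC SCI"},
    "TP-2024-001-T3": {"control_id": "ITGC-BC-02", "framework": "SEC SCI"},
    "TP-2024-001-T4": {"control_id": "ITGC-LG-07", "framework": "SOX"},
}

# Pass rule (assumption): any finding of these severities fails the control;
# low findings still pass but stay attached for the tester to review.
FAILING_SEVERITIES = {"medium", "high", "critical"}


@dataclass
class TaskResult:
    task_id: str
    control_id: str
    framework: str
    status: str                      # "pass", "fail", "not_run" or "rejected"
    findings: list = field(default_factory=list)
    note: str = ""


def parse_inbound(text):
    """Parse the inbound file; reject malformed or incomplete records early."""
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError as exc:
            raise ValueError(f"line {lineno}: malformed record: {exc}") from exc
        for key in ("task_id", "control_id", "findings"):
            if key not in rec:
                raise ValueError(f"line {lineno}: missing {key!r}")
        records.append(rec)
    return records


def apply_results(test_plan, records):
    """Map each record onto its test-plan task and decide pass/fail.

    Returns (results keyed by task id, list of rejected records). Tasks with
    no record keep status "not_run" so they are visible to the analyst.
    """
    results = {tid: TaskResult(tid, t["control_id"], t["framework"], "not_run")
               for tid, t in test_plan.items()}
    rejected = []
    for rec in records:
        task = test_plan.get(rec["task_id"])
        if task is None or task["control_id"] != rec["control_id"]:
            rejected.append(TaskResult(rec["task_id"], rec["control_id"], "?",
                                       "rejected", note="no matching task/control in plan"))
            continue
        failed = any(f.get("severity") in FAILING_SEVERITIES for f in rec["findings"])
        r = results[rec["task_id"]]
        r.status, r.findings = ("fail" if failed else "pass"), rec["findings"]
    return results, rejected


def summarize(results):
    """Per-framework counts, the kind of roll-up a stakeholder report shows."""
    summary = {}
    for r in results.values():
        fw = summary.setdefault(r.framework, {"pass": 0, "fail": 0, "not_run": 0})
        fw[r.status] += 1
    return summary


if __name__ == "__main__":
    results, rejected = apply_results(TEST_PLAN, parse_inbound(INBOUND_FILE))
    for r in results.values():
        print(f"{r.task_id} {r.control_id:12} {r.status:8} findings={len(r.findings)}")
    for r in rejected:
        print(f"REJECTED {r.task_id} {r.control_id}: {r.note}")
    print(summarize(results))
```

Run as a script, it prints one line per task with its status and finding count, the rejected record for the unknown task, and the per-framework roll-up. Keeping "not_run" as an explicit status matters in practice: a control whose script never reported back should show up as a gap in the test plan, not disappear from the summary.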

Enhancing Visibility Into IT Compliance Risk Assessments

The company now has a robust reporting and dashboard engine to gain a 360-degree, real-time view of IT and Cyber compliance risks across the enterprise. The tool enables them to create user-configurable executive reports and dashboards based on their specific business requirements.

Stakeholders within the company can now make faster decisions based on the risks with the highest potential impact on business operations. They can also generate comprehensive self-assessment reports with visibility into key risk indicators (KRIs), assessment results, and compliance initiatives. All these insights enable the company to maintain sustainable compliance with various IT regulations, while minimizing risks and any other issues that arise.
