Governance Risk & Compliance Software as a Service
MetricStream provides a complete portfolio of enterprise Governance, Risk and Compliance (GRC) Applications in a SaaS model. This integrated approach leads to tremendous gains in enterprise-wide visibility of risks, strengthen compliance with multiple regulations, policies, and standards. Analytics, reporting and regulatory notifications enable you to minimize liability and optimize opportunities.
- Modern responsive interface, intuitive, engaging, efficient, personalised
- Integrated, secure GRC Applications and Platform on the Cloud
- Lean, modern, scalable, extensible SOA architecture
- Innovative Data Explorer for visualisation
- API centric design for versatile mobility, layering, third-party integration
- Real-time Analytics, Reports and Dashboards with Reports Wizard
- AppStudio form and workflow designer: configure forms, reports, workflow
- Feature rich Governance, Risk, Compliance management applications
- Modular applications and libraries that integrate seamlessly
- User productivity tools like search, tasks, offline briefcase
- Exemplary user experience to simplify and accelerate user adoption
- Seamless collaboration and sharing across devices enabling anywhere access
- Easily configure the system to meet changing or growing requirements
- Rapid deployment reducing costs and improving acceptance
- Modular applications structure allows buying only what is needed
- Application integration provides unified view across enterprise
- Integration prevents content duplication and ensures common language
- Easily carry out audits, surveys, map risks, threats, vulnerabilities, controls
- Integrate, aggregate external information like threat scanners, content feeds
£100 to £5000 per user per year
1 3 1 1 5 0 8 3 3 2 5 6 6 2 3
MetricStream UK Limited
|Software add-on or extension||No|
|Cloud deployment model||
|Service constraints||Planned maintenance is carried out periodically for which customers are notified in advance.|
|Email or online ticketing support||Email or online ticketing|
|Support response times||Weekend support can be purchased as an optional service|
|User can manage status and priority of support tickets||Yes|
|Online ticketing support accessibility||WCAG 2.1 AAA|
|Phone support availability||24 hours, 7 days a week|
|Web chat support||No|
|Onsite support||Yes, at extra cost|
4 levels of Support are provided using offshore resources:
1. Bronze 8x5 is the standard offering. SaaS subscription on Cloud will have this included.
2. Silver - 12x5. Costs will be % age of SaaS subscription fees. 10% on annual SaaS subscription
3. Gold - 24x5. 20% of annual SaaS subscription
4. Platinum - 24x7 - 25% of annual SaaS subscription
If only European resources are stipulated, costs would be higher.
|Support available to third parties||Yes|
Onboarding and offboarding
|Getting started||Online help, user documentation as well as online training are available for users. We provide train the trainer programme as part of our implementation services.|
|End-of-contract data extraction||
We provide data export facility for users to extract their data.
Client can take full backups too.
The contract includes the right to use the software, create data and reports. Standard 8x5 remote support is included. Additional support hours are available for an additional charge.
The software is implemented as per the user's requirements. There is a fee for the implementation.
At the end of the contract, the service can be renewed or terminated. Users can export the data and save them. Migration services are available at extra cost.
Using the service
|Web browser interface||Yes|
|Application to install||No|
|Designed for use on mobile devices||Yes|
|Differences between the mobile and desktop service||Display will be scaled to fit the mobile device|
|What users can and can't do using the API||
Users do not need API to access the service. They do so directly through their web-browser.
The MetricStream system uses API based integrations to integrate with external systems. Integrations are supported by Infolets technology. The Infolets framework allows for bi-directional data exchanges with appropriate security and authentication wrappers and helps provide RESTful and SOAP web services that together form a complete MetricStream integration framework.
Changes on APIs are to be only performed for integrations with external systems.
There are no limitations as such.
|API documentation formats|
|API sandbox or test environment||Yes|
|Description of customisation||
Our applications can be configured as well as customised by users. Configuration is possible by selecting different functionality and options. Super users and System administrators can configure.
Customisation is available via our customisation tool, AppStudio. Superusers or developers can be trained on AppStudio to customise the system.
|Independence of resources||MetricStream Cloud is designed as multi-instance SaaS - which means each customer gets its own full stack (web, application and database tiers). This eliminates co-mingling of data as well as any performance concerns across customers. In addition, within each stack, appropriate planning and sizing considerations are put in to ensure Performance and Service Level delivery. These are monitored 24x7 by MetricStream Cloud Operations to provide sustained assurance on SLAs.|
|Service usage metrics||Yes|
User access and activity metrics can be provided. MetricStream offers a web-based customer support portal that is powered by MetricStream GRC Platform, where customers can log issues, view the status of their open issues, and the current resolution status to those issues. All issues, whether reported via phone, email or the customer support portal, are logged to the same TAR (Technical Action Request) system and are viewable online via customer-specific reports and dashboards.
MetricStream can also provide these reports manually via preset customer meetings, as well as have these reports automatically emailed to selected users if desired.
|Reporting types||Reports on request|
|Supplier type||Not a reseller|
|Staff security clearance||Other security clearance|
|Government security clearance||Up to Baseline Personnel Security Standard (BPSS)|
|Knowledge of data storage and processing locations||Yes|
|Data storage and processing locations||
|User control over data storage and processing locations||Yes|
|Datacentre security standards||Complies with a recognised standard (for example CSA CCM version 3.0)|
|Penetration testing frequency||At least once a year|
|Penetration testing approach||Another external penetration testing organisation|
|Protecting data at rest||
|Other data at rest protection approach||
Data at Rest Encryption: MetricStream uses encrypted file system (enabled at the Operating System level) to store the files in which database data is stored. The encryption is transparent to the application.
It employs the Advanced Encryption Standard (AES) algorithm for encrypting attachments. It supports 256-bit key.
Backups: All backups are encrypted and stored.
Database at Rest Encryption (Optional Capability): The MetricStream platform leverages Oracle Transparent Data Encryption (TDE) technology, and can be configured to encrypt the entire table space, or specific columns stored in database files (available only with Oracle Enterprise Edition at an additional cost).
|Data sanitisation process||Yes|
|Data sanitisation type||
|Equipment disposal approach||Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001|
Data importing and exporting
|Data export approach||Users can export data via the Reporting option.|
|Data export formats||Other|
|Other data export formats||
|Data import formats||Other|
|Other data import formats||Excel|
|Data protection between buyer and supplier networks||
|Data protection within supplier network||
Availability and resilience
MetricStream supports 99.5% system availability. For higher system availability, MetricStream provides advanced Cloud tiers.
MetricStream strives to minimize downtime as much as possible. Patches can often be applied in a hot-fix mode supported by our architecture. If the system has been down outside the scheduled maintenance window, the system is usually restored within 5 minutes on average after the call is reported to MetricStream’s help desk. Our standard SLA provides for credit if the downtime exceeds 4 hours in a month.
Note: MetricStream has never encountered a downtime of this duration.
|Approach to resilience||
MetricStream partners with SSAE 16 Type II Audited Tier III/IV data centers with state-of-the-art infrastructure and services for serving our clients in UK, Europe, North and South America, Asia and Africa. Beyond being widely adopted by small and medium enterprises, even some of the world’s largest companies are using the MetricStream Cloud after rigorously testing the security and reliability of our infrastructure.
In addition, MetricStream is SSAE 16 SOC 2 Type II compliant for its internal processes and Cloud operations.
MetricStream’s solution is a web-based, J2EE n-tier application, using a database, application and web server architecture. Our solutions can run on any hardware and operating systems.
High-availability deployment architecture is supported by MetricStream and can be used to provide fail-over capabilities.
• At the presentation and application server layers, MetricStream can be configured in a redundant manner with a hot standby that automatically wakes up and starts accepting requests if the primary servers go down
• At the database layer, MetricStream recommends that it be configured using approaches outlined by Oracle for high availability.
Further details can be provided on request.
|Outage reporting||Email alerts and notification on Support Portal|
Identity and authentication
|User authentication needed||Yes|
|Access restrictions in management interfaces and support channels||
MetricStream has a dedicated CloudOps and Support team who have access to Scoped Systems and Data. Role based security ensures restricted access.
Physical access is restricted to Senior Onsite CloudOps Engineers. The datacenter has multi-layer security controls. Each customer gets dedicated full-stack servers so there is no co-mingling of data.
On the logical layer of application and database, while staff has access to data, they need to access it only for periodic software updates as well as for troubleshooting application issues/support.
Access list is validated on a quarterly basis.
|Access restriction testing frequency||At least once a year|
|Management access authentication||
Audit information for users
|Access to user activity audit information||Users contact the support team to get audit information|
|How long user audit data is stored for||Between 6 months and 12 months|
|Access to supplier activity audit information||Users contact the support team to get audit information|
|How long supplier audit data is stored for||Between 6 months and 12 months|
|How long system logs are stored for||Between 6 months and 12 months|
Standards and certifications
|ISO/IEC 27001 certification||Yes|
|Who accredited the ISO/IEC 27001||BSI|
|ISO/IEC 27001 accreditation date||14/02/2016|
|What the ISO/IEC 27001 doesn’t cover||Not sure what is not covered. The certificate is provided to our parent company for research & development, services, cloud engineering, partner, sales and marketing as well as support functions.|
|ISO 28000:2007 certification||No|
|CSA STAR certification||No|
|Who accredited the PCI DSS certification||Self-certified using standards from PCI Standards Council|
|PCI DSS accreditation date||28/02/2018|
|What the PCI DSS doesn’t cover||Covers all of MetricStream|
|Other security certifications||Yes|
|Any other security certifications||US Regulation HIPAA|
|Named board-level person responsible for service security||Yes|
|Security governance certified||Yes|
|Security governance standards||ISO/IEC 27001|
|Information security policies and processes||
Metricstream follows ISO27001 guidelines, based on which it has built policies and processes. It is an Information Security team reporting to the CTO who is a board member.
MetricStream has its Information Security Management System (ISMS) certified on ISO27001 with well-defined policies and procedures, roles and responsibilities, objectives, awareness programs etc. MetricStream has well-defined policies and procedures for Information Security documented as a part of MetricStream's Information Security Management System (ISMS) policy. This document is approved by the management and communicated to appropriate constituents and has an owner and a review manager.
The Information Security organization comprises of Information Security Head, Information Security Manager and IS team. Then we have the Information Security Management (ISMC) and Working committees (ISWC) teams which has representations from each business unit who would be interfaces for the communication, review, implementation of Information Security programs and activities.
We are also audited by external independent auditors for SOC2 and HIPAA controls.
|Configuration and change management standard||Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402|
|Configuration and change management approach||
MetricStream’s Quality process includes a change management procedure that minimizes the impact to a customer system while it ensures that a customer is aware of any changes being made to the system.
As part of the change management procedure, MetricStream can optionally offer and implement a ‘staging’ system that emulates the production system. This allows MetricStream’s support and QA staff as well as our customers to test and verify the software change before any change is applied to the production environment.
As part of the SLA contract, scheduled maintenance windows are also defined.
|Vulnerability management type||Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402|
|Vulnerability management approach||
Logging is enabled on the network firewalls to capture current activity. These activity logs are retained for subsequent review.
Network vulnerability assessments are regularly done to identify potential vulnerabilities. These assessments help identify weaknesses within the network configuration, systems that have not been updated with the latest service packs and security patches, or systems that still require specific hardening techniques for which non-intrusive assessments are performed for a range of addresses. Results are reviewed and posted internally.
A formal anti-virus management process to monitor and remediate virus vulnerabilities where anti-virus software monitors/detects/prevents virus signatures from being transmitted.
|Protective monitoring type||Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402|
|Protective monitoring approach||
Automated monitoring tools poll the system every 5 minutes and test such connections as the web server, the Application server, the database server, and various parts of the application layer.
HTTP requests monitor connections and failures trigger alerts over email and/or pager to the help desk.
Website and application availability are monitored by Alertbot, Nagios and Kace to provide uptime, response time, and cause reports.
Incident Response: Immediately isolate the respective V-LAN or Server or set of servers. MetricStream will first arrest the breach and notify both Data Center and end customer.
|Incident management type||Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402|
|Incident management approach||In case of any incident, MetricStream will notify the customer in case of incident and breach. The incidents are typically handled based on standard operating procedures setup which details the corrective actions, key personnel to be involved and informed as well as risk mitigations to be put in place. MetricStream will first arrest the breach and notify both Data Center and end customer. The point of contact (POC) within the customer and others in their team are notified. MetricStream will work in tandem until the incident is solved and respective notifications are done and acknowledged by customer.|
|Approach to secure software development best practice||Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)|
Public sector networks
|Connection to public sector networks||No|
|Price||£100 to £5000 per user per year|
|Discount for educational organisations||No|
|Free trial available||No|