Leading University, Strengthens Compliance with ISO 27001
and ASQA 800-53; Improves Resilience Against Security Incidents
One of Australia’s largest public research institutions, has been fortifying its IT governance structures across various boards, executive teams, and faculties.
Being a premier global research hub, the university is expected to maintain robust information security defenses that can withstand regulatory scrutiny.
A while ago, the institution wanted to renew its ISO 27001 certification, while also ensuring compliance with ASQA 800-53. However, existing legacy tools
no longer served the purpose. They were becoming increasingly fragmented, required significant manual intervention, did not scale well, and did not
provide timely visibility into IT compliance and IT risks. As the focus on information security compliance grew, the university realized it would need a more
automated, integrated, and scalable tool to strengthen its IT security posture
Beyond Legacy System
The university has multiple directorates that look after the operations of hundreds of faculties or departments. Some departments have mid-sized data centers, while others, specifically in Life Sciences, deal with much larger volumes of personally identifiable information (PII) and protected health information (PHI). Earlier, each department had its own separate structures and formats to collect, store, and report IT compliance and risk data. This fragmented approach made it challenging to coordinate IT GRC processes, or to gain a unified view of IT risks. In all, there were 45+ IT risks that needed to be assessed and monitored as efficiently as possible. Most IT GRC processes were handled manually on basic spreadsheets, emails, and ticket management tools. But as more faculty members got involved in IT compliance and risk assessments, it became increasingly difficult to manually gather and consolidate data from hundreds of stakeholders, many of whom had no IT security background. Reporting and decision-making processes slowed down. In addition, the university’s responsiveness to certain IT security crises was impacted. As a result, the institution turned to MetricStream to help automate and scale up its approach to IT GRC. Stakeholders wanted an integrated system that would strengthen coordination on IT GRC processes, while also improving visibility into ISO 27001 control status and risk assessment results. Today, MetricStream’s integrated IT GRC solution has enabled the university to streamline, automate, and strengthen collaboration on IT compliance and IT risk management processes. The solution is used across the institution to enhance compliance with ISO 27001 and ASQA 800-53, as well as to manage vulnerabilities in the IT infrastructure.
Key Challenges
▪ Lack of effective coordination on IT risk and
compliance processes across departments due to
incompatible and piecemeal tools.
▪ Cumbersome, time-consuming GRC processes
▪ Insufficient visibility into IT compliance and risks
Solutions Delivered
▪ IT Compliance Management (ISO 27001 and ASQA)
▪ IT Risk Management
▪ Integration with an external network vulnerability
management solution
The underlying GRC platform maps IT compliance requirements, control tests, processes, assets, risks, and other GRC elements in an integrated framework. This makes it easier for stakeholders to understand how all these data elements interact with and impact each other. Powerful reporting tools offer real-time visibility into the status of IT compliance and IT risks, enabling users to make well-informed decisions
Quick Delivery Model
Vivid Edge delivered the final solution in production just eight weeks after the project kick-off. That included onboarding the university onto the GRC platform, uploading organizational information, populating the necessary datasets for IT GRC, and developing a handful of the university’s staff into GRC tool champions. Simpler IT Compliance Monitoring The solution has helped the university strengthen compliance with ISO 27001 and ASQA 800-53. The tool streamlines IT compliance surveys, certifications, and self-assessments, thereby minimizing redundancies. It also accelerates control testing, enabling users to efficiently score, tabulate, and report the results. Any IT compliance issues that arise can be systematically and collaboratively addressed through the solution’s inbuilt workflows. Moreover, integration done with the Unified Compliance Framework (UCF) has helped university harmonize controls across various compliance requirements, thereby saving effort and costs.
Comprehensive View of IT-Risks
With the MetricStream Risk solution, the university can much more quickly assess, monitor, and manage 45+ IT risks across hundreds of faculties with thousands of staff members. The solution imports IT risk and vulnerability data from various existing tools, including a vulnerability scanner at the university. This data is then efficiently routed to the risk management team for analysis and action. The system also strengthens visibility into IT assets that store sensitive data. It generates a combined risk rating across each asset’s vulnerability and business context, thereby allowing the associated risks to be assessed and monitored effectively. It has also enabled a set of rules to automatically assign and mitigate the vulnerabilities identified by the scanning tool. Graphical risk heat maps, reports, and dashboards aggregate IT risk data and metrics for comprehensive visibility.
Value Delivered
▪ Better collaboration on IT risk and compliance management processes with a single integrated solution
▪ Stronger efficiency with faster, automated IT compliance processes
▪ Higher quality IT risk intelligence to strengthen data security and compliance
▪ Better resilience against IT security incidents.
▪ Improved IT GRC scalability, automation, and agility to support business growth
Enhanced Visibility
IT GRC solution is equipped with powerful dashboards, heat maps and scorecards which provide a complete, real-time view of the bank’s IT-GRC status. Drill-down capabilities enable the data to be viewed at finer levels of detail which, in turn, provide top management with the business intelligence required to make informed strategic decisions