Measuring success


Who We Are

   metriQuality prepares companies for IT audits, collects required documentation, and implements controls for information security and compliance with corporate policies and regulatory requirements.

How We Help

   By monitoring what your people and processes do, we help to ensure compliance with corporate policies and regulatory requirements.

   By measuring resource utilization:

  Are your people working effectively?
  Are your projects and/or vendors delivering the results you expect?

What We Do

Policy Management   Write and review company policies and procedures

Compliance Controls   Monitor, assess, and improve compliance controls

Performance Management   Optimize business operations through performance audits

Security Awareness Training   Train and mentor staff on compliance and information security issues

Vendor Risk Management   Manage outsourced IT projects and third-party service providers

Vulnerability Assessments   Conduct security assessments and minimize risk exposure

Corporate Standards   Align corporate standards with generally accepted standards

Incident Response   Plan, coordinate, and respond to security incidents

 

Cloud Security Alliance

   The Cloud Security Alliance is a voluntary, member-driven professional association promoting security best practices for the cloud computing industry.

Why is this important to you?

Whether you consume or provide cloud services, CSA provides helpful guidelines for selecting, providing, securing, and governing cloud services as a critical component of every IT portfolio.

metriQuality helps secure data in the cloud in compliance with CSA best practices for cloud governance.

   CSA produces significant guidance and tools, including:

  • CSA Security, Trust and Assurance Registry
  • Security Guidance for Early Adopters of the Internet of Things
  • Security Guidance for Critical Areas of Focus in Cloud Computing
  • Cloud Control Matrix

 

"If you're not using the cloud, then why is your data there?"

    According to SkyHigh Networks, a CSA member organization, the senior management at many companies aren't even aware that employees, vendors, and business partners have already put company data in the cloud. "But they get interested in cloud governance real quick when we show them how their data gets into the cloud."

Shadow IT

   When employees bring cloud services to work without the knowledge of the IT department, they create a parallel technology stack, unknown to the company, called “shadow IT”. As a result, IT teams often underestimate the scope of cloud usage by a factor of ten, and cannot enforce corporate security policies or identify and respond to security incidents.

  • IT lacks visibility into the cloud services individual employees bring into the corporate environment and their associated risk
  • Employees upload corporate data to high-risk cloud services that lack security controls, have onerous terms and conditions, or have had a recent breach
  • Cloud services that provide business value are also increasingly used by malware as a vector for data exfiltration
  • The use of shadow IT reveals which cloud service categories are in greatest demand across the organization, informing decisions on what to enable

    On the other side of the cloud dilemma, additional controls are needed to extend corporate security policies to sanctioned cloud services procured by IT. Specifically, they need to protect data from breaches and blind subpoenas, comply with regulatory requirements, enforce governance policies, and detect compromised accounts and insider threats.

Sanctioned IT

  • An employee or attacker may use a cloud service in malicious ways, and IT needs ways to detect and stop insider threats and compromised accounts
  • Given the sensitivity of some corporate data, organizations need to ensure that only the right people have access to certain data via specific devices
  • Numerous regulatory requirements must be met for sensitive data including PCI DSS, HIPAA and HITECH, FISMA, and GLBA
  • The weakest security link could be third-party applications and business partners with trusted digital connections to your data stored in the cloud