Stora Enso’s Director of IT Security, Christian Thunberg was attracted by the simplicity, realism and scalability of the FIRM methodology. These are vital considerations for a successful implementation in a large manufacturing company.

Stora Enso piloted Citicus’s FIRM automation software, Citicus ONE for a year across five business divisions and completed risk assessments for over 100 critical information systems.

For some systems the results from Citicus ONE were compared with those from a parallel assessment using very detailed and time-consuming checklists. The comparison showed that Citicus ONE had identified all the major weaknesses and 70-80% of the minor issues picked up by the detailed analysis. Further, Citicus ONE had identified weaknesses not exposed by the checklist approach. This is testament to the efficiency of the Citicus ONE approach – allowing risk assessment to be applied across a much wider range of systems than more time-consuming methods.

Citicus ONE is now a keystone of Stora Enso’s information risk management process (IRMP) and is being deployed across the whole enterprise.

Christian Thunberg comments:
“We expect to carry out risk assessments for around a thousand IT systems and use Citicus ONE’s consolidation capabilities to report on risk status to our main board. We have got the necessary backing, the right tools and a solid process in place – now we just need to get on with it”.

Standard Bank, the largest South African banking group, has been using Citicus ONE for two years. So far, it has been deployed across three business units and has been used to carry out risk evaluations for 240 business critical systems.

Surendra Naidoo, Standard Bank’s Group Information Officer says: “Citicus ONE helps us to identify important business applications and to apply appropriate levels of protection to them. It also helps us ensure that information security practices are consistently applied to installations that process our business information”.

Standard Bank are also making use of Citicus ONE to gather consistent data on incidents affecting IT systems and the impact they have on the business. Incident data from Citicus ONE is used to feed operational risk management systems to help the Bank address Basel II requirements.

Humberside Police need to comply with the BS7799-based Community Security Policy (CSP) defined by the Association of Chief Police Officers. One of the policy’s requirements is that all information systems must be subject to a risk assessment process and that the identified risks must be actively managed.

In the past Humberside Police had used external consultants to help with risk assessment for key systems but had found this an expensive and unwieldy approach.

Humberside’s Information Security Officer, Mick Adair, chose Citicus ONE as a way of carrying out the risk assessment and management process internally. Citicus ONE’s built-in BS7799 standard of practice has allowed Mick to assess the extent of compliance of Humberside Police’s critical information systems through a series of risk workshops involving system owners, users and technical staff.

Mick Adair says:
“Citicus ONE is an exceptional risk management tool that enables the system owners, managers and users to see immediate results from their input. The product has been well received by all who have been involved as the simplicity of the methodology provides non security people with a clear picture of the risks to their system.”

“Involving the system owners and users to identify the risks and getting them to decide on a risk action plan makes managing and monitoring the risks much easier both in the long and short term.”

Standard Chartered is one of the world’s leading international banks. It is committed to building an integrated, dynamic approach to information security and corporate governance driven by a better understanding of information risk across the business lifecycle.

John Meakin, Group Head of Information Security at Standard Chartered will use Citicus ONE to help measure and analyze risks to critical IT systems so that the company can focus investment and resources where they are most needed and will be most effective.

“Citicus ONE allows us to capture risk data and take an aggregate view of information security risk across the enterprise as well as to measure the impact of risk in one system on other related systems – so called dependency risk,” said John Meakin.

“As a web-based tool, Citicus ONE is easy to deploy and use by business and IT staff alike, thus avoiding bottlenecks in collecting data. Output is just as important and powerful graphical reporting functionality allows us to deliver clear presentations of risk and impact analysis in order to get buy-in at the highest level”.

A central government department of a European country wanted to conduct risk assessments of its e-government initiatives that provide online access to its services for citizens.

They chose Citicus’s ‘e-risk’ scorecard – a detailed risk assessment questionnaire based on the Citicus ONE information risk scorecard. The e-risk scorecard probes the same risk factors examined by the information risk scorecard but in more detail and addresses issues specific to e-commerce initiatives.  In addition, the e-risk scorecard addresses project risk issues – a common cause of problem for e-commerce initiatives.

Citicus customized the e-risk scorecard and harm reference table that are built-in to Citicus ONE to adapt them for use with systems that are oriented towards e-government rather than commercial objectives.