Case study 1: Stora Enso

Organization: Stora Enso
Industry sector: Paper manufacturer
Head Office: Sweden
Employees: 45,000
Stora Enso’s Director of IT Security, Christian Thunberg, was attracted by the simplicity, realism and scalability of the FIRM methodology. These are vital considerations for a successful implementation in a large manufacturing company.
Stora Enso piloted Citicus’ FIRM automation software, Citicus ONE, for a year across five business divisions and completed risk assessments for over 100 critical information systems.
For some systems the results from Citicus ONE were compared with those from a parallel assessment using very detailed and time-consuming checklists. The comparison showed that Citicus ONE had identified all the major weaknesses and 70-80% of the minor issues picked up by the detailed analysis. Further, Citicus ONE had identified weaknesses not exposed by the checklist approach. This is testament to the efficiency of the Citicus ONE approach – allowing risk assessment to be applied across a much wider range of systems than more time-consuming methods.
Citicus ONE is now a keystone of Stora Enso’s information risk management process (IRMP) and is being deployed across the whole enterprise.
Stora Enso’s Director of IT Security Christian Thunberg comments:
“We expect to carry out risk assessments regularly for all our 300 critical IT systems and use Citicus ONE’s consolidation capabilities to report on risk status to our main board. We have got the necessary backing, the right tools and a solid process in place – now we just need to get on with it.”
Christian Thunberg, Director of IT Security, Stora Enso

Case study 2: Standard Bank of South Africa

Organization: Standard Bank of South Africa
Industry sector: Banking
Headquarters: South Africa
Employees: 46,000
Standard Bank of South Africa, the largest South African banking group ranked by assets and earnings, has been using Citicus ONE risk and compliance management software since its first delivery in 2000. So far, Citicus ONE has been used to evaluate the criticality / risk posed by, and incidents that have affected, 500 business critical systems. As at the end of 2009, around 1,000 evaluations had been performed. Standard Bank is currently looking into extending its implementation of Citicus ONE to meet AMA requirements.
Surendra Naidoo, the executive responsible for deploying Citicus ONE in Standard Bank in 2000, says:
“Citicus ONE helps us to identify important business applications and to apply appropriate levels of protection to them. It also helps us ensure that information security practices are consistently applied to installations that process our business information.”
For further information see Operational Risk & Compliance magazine's January 2010 cover story entitled “Coming of age” about how our oldest customer's approach to managing risk has helped them weather the credit storm well.
Surendra Naidoo, risk management director and group head of operational risk, Standard Bank of South Africa

Case study 3: Scottish Government's Improvement Service

Organization: Improvement Service
Industry sector: Government
Headquarters: Scotland
Employees: Supporting 274,000 employees across the 32 Scottish Local Authorities
The key objective of the Scottish Government’s Improvement Service was to establish if Citicus ONE could provide a standardised risk assessment framework and single point of storage for risk identification, recording, management and reporting across its Customer First Programme. A pilot project was undertaken to improve risk identification and management for the different systems and programmes within Customer First, focusing initially on three key systems:
- Citizen Account System - enabling the Scottish councils to access and maintain a definitive electronic record of all their citizens through a voluntary citizen account
- OneScotland Gazetteer - providing an accurate, up to date database of land and property data/assets for all Scottish councils and also for other parts of the public sector
- Customer Service Professional - supporting an accredited training and qualification scheme for council employees who deal directly with members of the public.
Customer First’s ‘risk owners’ participated in risk workshops using Citicus ONE’s succinct criticality assessments and risk scorecards to help them measure risk and compliance of their individual programmes in an objective and consistent way. This enabled Customer First’s management team to collate and report information about risks from the different interdependent elements of the overall programme.
As a result, Citicus ONE has provided a single, centralised and informed view of risk across key elements of the Customer First Programme.
As well as reducing the likelihood and impact of incidents, Customer First’s risk, compliance and regulatory obligations can now be managed efficiently and business oriented results can be produced for decision-makers. This now gives risk managers the means to roll out consistent risk programmes swiftly.
The Improvement Service’s Programme Manager Tom McHugh comments:
“With its strong pedigree in information assurance, Citicus ONE was a valued choice. Not only does it provide an important centralised single framework, but it also provides a fast and easy solution to responding to compliance requests. The reporting structure allows us to provide reports to meet various requests at both summary level down to a more detailed analysis of a particular type of risk.”
Tom McHugh, Programme Manager, Improvement Service

Case study 4: Humberside Police

Organization: Humberside Police
Industry sector: Law enforcement
Headquarters: England
Employees: 2,900
Humberside Police need to comply with the BS7799-based Community Security Policy (CSP) defined by the Association of Chief Police Officers. One of the policy’s requirements is that all information systems must be subject to a risk assessment process and that the identified risks must be actively managed. In the past Humberside Police had used external consultants to help with risk assessment for key systems but had found this an expensive and unwieldy approach.
Humberside’s Information Security Officer, Mick Adair, chose Citicus ONE as a way of carrying out the risk assessment and management process internally. Citicus ONE’s built-in BS7799 standard of practice has allowed Mick to assess the extent of compliance of Humberside Police’s critical information systems through a series of risk workshops involving system owners, users and technical staff.
Mick Adair comments:
“Citicus ONE is an exceptional risk management tool that enables the system owners, managers and users to see immediate results from their input. The product has been well received by all who have been involved as the simplicity of the methodology provides non security people with a clear picture of the risks to their system.”
“Involving the system owners and users to identify the risks and getting them to decide on a risk action plan makes managing and monitoring the risks much easier both in the long and short term.”

Case study 5: Safaricom Limited

Organization: Safaricom Limited
Industry sector: Telecommunications service provider (13 million customers)
Head Office: Nairobi, Kenya
Employees: 2,400
Safaricom sees sound management of risk as a vital enabler for delivering innovative services that customers can rely on, and was one of the first Kenyan companies to set up a dedicated Risk Management function.
Its risk team made an early decision to automate risk activities so as to reduce reliance on manual processes and stretched security specialists, whilst increasing the accuracy and validity of risk management activity; and to focus on the security of company and subscriber data. To these ends, with the aid of an external consultant team led by Jason Finlayson of Security Risk Solutions Ltd, Safaricom:
- established a Corporate Information Security Office
- established an Information Security Management System (ISMS) in line with the ISO27002 Code of Practice for Information Security Management
- conducted an extensive comparative evaluation of automated tools that would assist internal risk management
- selected Citicus ONE to support the information risk management cycle, which is the nucleus of an ISMS
- conducted a pilot implementation, assisted by Citicus Limited, for its most critical systems from mid 2007 to mid 2008
- rolled out a full implementation in 2008-9, based on the successful pilot.
Anthony Gacanja, manager of Safaricom's Corporate Information Security Office, comments:
"The use of external consultants experienced in a wide range of companies/industries in the risk arena, enabled Safaricom to leverage global industry trends as well as local information risk concerns. Identifying Security Risk Solutions Ltd as a local provider with international experience, was a key enabler to quick adoption of risk management practices and the use of Citicus ONE facilitated the ISMS implementation through its measurable and repeatable information risk management process. Since 2007, Citicus Limited has continued providing support and training, which has added immensely to entrenching risk awareness within Safaricom."
Safaricom is currently focusing on implementing a full incident reporting and monitoring process using Citicus ONE and is looking to extend its use of Citicus ONE into other areas of risk.

Case study 6: Global manufacturer of consumer goods

Organization: Global manufacturer of consumer goods
Industry sector: Global manufacturer, consumer goods
Head Office: USA
Employees: Over 75,000
With a portfolio of more than 500 computer systems supporting diverse business functions and application/data owners located throughout the world, the company recognised that ad hoc assessment for policy compliance and IT governance needed to be replaced with systematic and transparent information risk management processes which would provide:
- a thorough and timely understanding of the criticality of each computer system
- effective governance over all risks associated with such systems (including effective aggregation and reporting of risk data).
To progress this, the company's IS Security and Risk Management team:
- selected Citicus ONE to power its security / risk management process
- trained 50+ employees in using Citicus ONE to facilitate and record criticality and risk assessments
- developed their in-house implementation, in conjunction with Citicus Limited, to record key attributes of the systems being evaluated, as well as their criticality / risk status. This enabled them to position Citicus ONE as their 'system of systems' (i.e. Citicus ONE holds the inventory of the company’s computer systems, facilitating analysis of application portfolio characteristics such as system aging and special situations management readiness).
Initial assessments:
- raised awareness of application/data ownership and service providers
- fostered formal acceptance of risk
- enabled incremental system security improvements for specific systems
- supported the case for wider-ranging information security improvement programs.
The company upgraded to Citicus ONE Release 3 in February 2009. This enabled it to keep assessments up-to-date with enhanced efficiency and accuracy.
Tailor-made assessments are currently underway at process and entity levels. These are being conducted within and beyond the IT function to support Sarbanes-Oxley compliance, business continuity and operational risk management. The company's director of IS Security and Risk Management comments:
"Citicus ONE leverages a risk assessment methodology based on extensive research in the field of information security. This facilitates development of a credible internal practice for information risk management. We're working with Citicus to extend the system's capabilities and looking to leverage these into other fields in 2010 and beyond."