Case study: Global manufacturer of consumer goods
Organization: Global manufacturer of consumer goods
Industry sector: Global manufacturer, consumer goods
Head Office: USA
Employees: Over 75,000
With a portfolio of more than 500 computer systems supporting
diverse business functions and application/data owners located
throughout the world, the company recognised that ad hoc assessment
for policy compliance and IT governance needed to be replaced with
systematic and transparent information risk management processes
which would provide:
- a thorough and timely understanding of the criticality of each
computer system
- effective governance over all risks associated with such
systems (including effective aggregation and reporting of
risk data).
To progress this, the company's IS Security and Risk Management team:
- selected Citicus ONE to power its security / risk management process
- trained 50+ employees in using Citicus ONE to facilitate and record criticality and risk assessments
- developed their in-house implementation, in conjunction with
Citicus Limited, to record key attributes of the systems being
evaluated, as well as their criticality / risk status. This enabled
them to position Citicus ONE as their 'system of systems' (i.e.
Citicus ONE holds the inventory of the company’s computer systems,
facilitating analysis of application portfolio characteristics such
as system aging and special situations management readiness).
Initial assessments:
- raised awareness of application/data ownership and service
providers
- fostered formal acceptance of risk
- enabled incremental system security improvements for specific
systems
- supported the case for wider-ranging information security
improvement programs.
The company upgraded to Citicus ONE Release 3 in
February 2009. This enabled it to keep assessments up-to-date
with enhanced efficiency and accuracy.
Tailor-made assessments are currently underway at process and
entity levels. These are
being conducted within and beyond the IT function to support
Sarbanes-Oxley compliance, business continuity and operational risk
management. The company's director of IS Security and
Risk Management comments:
"Citicus ONE leverages a risk assessment
methodology based on extensive research in the field of information
security. This facilitates development of a credible internal
practice for information risk management. We're working with
Citicus to extend the system's capabilities and looking to
leverage these into other fields in 2010 and beyond"