How Citicus ONE works
Citicus ONE automates a rigorous methodology for evaluating information risk, known as FIRM (fundamental approach to information risk management). This was developed by Citicus Limited’s founders for and in conjunction with the Information Security Forum. Citicus retains the exclusive, worldwide right to develop and sell FIRM automation, through our Citicus ONE software.
Citicus ONE evaluates the risk posed by individual ‘information resources’ (i.e. business application systems, computer installations, networks and development initiatives), and consolidates this risk data to provide an enterprise-wide perspective of information risk, in line with the FIRM methodology.
Sound fact-gathering tools
Citicus ONE enables information risk data to be collected efficiently, using attractively-designed scorecards and assessment forms, backed up by key completion aids:
- criticality assessments can be completed in minutes, providing an initial estimate of an information resource’s criticality and need for protection
- easy-to-complete 2-page information risk scorecards can be used to evaluate the risk posed by any information resource
- 16-page e-risk scorecards can be used to conduct risk assessments for e-commerce initiatives in greater detail
- 2-page incident assessments can be employed to record consistent information about significant security incidents, including their cause and effect
- risk remediation action plans can be maintained and signed off by ‘owners’ of information resources, and also by those responsible for managing information risk at business unit, department or enterprise level
- customizable harm reference tables and standards of practice are presented to help users evaluate information risk consistently, objectively and in meaningful business terms
- users have access to a rich set of other completion aids, which explain why managing information risk is important, how to do so efficiently, and the benefits of participating in the risk management process
Citicus ONE’s comprehensive fact-gathering tool-set means you can use the system not just to measure and record compliance with a designated standard of practice (e.g. BS 7799), but also to promote awareness of the standard.

Note: Applying a good standard of practice is important. To help you, Citicus ONE comes pre-loaded with interpretations of five widely-used standards of practice including:
- British Standard BS 7799-2:2002, Specification for Information Security Management Systems (this summarises the ISO/IEC standard known as ISO/IEC 17799)
- the Information Security Forum's (ISF's) Standard of good practice, 2003 and 2000.
You can easily customize Citicus ONE to incorporate other standards (e.g. if you have adopted BS 7799 but with local variations). Whichever standard you choose is presented to business owners and IT staff completing risk assessments in chunks they can easily assimilate.
Citicus ONE’s constructive risk management process
Risk management processes fail when they are used to ‘beat people up’ who don’t get things right. To avoid this, Citicus ONE supports a constructive, 2-phase risk management process, designed to help you establish a ‘virtuous circle’ for driving down information risk:

Risk managers can apply the cycle uniformly so all targeted information resources are evaluated at the same time.
Alternatively, you can time the cycle differently for each information resource, so that particularly critical systems are evaluated more frequently than less critical ones. This makes good sense when staff time is in short supply.
Nowadays, no evaluation of information risk can be complete unless the risk status of dependent systems is taken into account. This is easy to accomplish using Citicus ONE’s graphical ‘dependency risk maps™’.

As shown above, these keep track of relationships and visually highlight the risk status of dependent systems.
Together, Citicus ONE’s powerful, innovative capabilities will equip you to implement a flexible, efficient, business-oriented and proportionate information risk management process across your enterprise, at modest cost.