Results produced
Citicus ONE produces high-quality results for three categories of staff:
High-level view for top management
Citicus ONE produces an excellent overview for top management that tells them what they need to know about the information risk status of their enterprise. The first page of the High-level risk status report produced for top management summarises how many information resources are in good shape, how many require remedial action, the number of information incidents suffered and their impact on the bottom line. It also highlights the risk status of those information resources that pose greatest risk to the enterprise.
Supporting tables and charts are illustrated below and provide further details about the:
- risk status of evaluated information resources, ranked in descending order of risk
- business impact of information incidents
- financial impact of incidents.
Information risk league tables
Information risk league tables present an organisation’s information resources sorted according to their measured risk. They provide an excellent overview for top management and allow attention to be focused on the information resources posing greatest risk.

Business impact of information incidents
Information incidents are a feature of day-to-day business life in most organisations. Most have a small impact on the enterprise concerned, though their cumulative effect degrades business performance and erodes profit. Others have a major impact.
By keeping track of their impact, in terms decision-makers can relate to, Citicus ONE helps you get across that information risk is real.
The effect that information incidents have on the enterprise is shown graphically by the business impact charts that Citicus ONE provides for decision-makers.

Financial impact of incidents
The financial impact of information incidents is also identified, to help you make the business case for improvements.


Results for information risk / security managers
Information risk / security managers need to win the support of the business and make best use of the resources available.
Citicus ONE helps them do so, firstly by establishing the level of protection information resources need, in business terms. Using the 1-page criticality assessment forms provided by Citicus ONE, large numbers of information resources can be evaluated with very little effort.
Getting business ‘owners’ to fill these in as part of a managed process helps in building support ‘from the business’ for information risk management. Effort can then be focused on evaluating the risk posed by systems that are truly critical, using the 2-page i-risk scorecard or the more-detailed e-risk scorecard provided by Citicus ONE.
Following evaluation, information risk / security managers at corporate and local level can use Citicus ONE to draw the results together to highlight control areas that are most in need of improvement across the enterprise, as shown below.

They can also identify the types of information incident that occur most often as a result of such control weaknesses, as illustrated below.

Information risk ‘pinch points’ requiring improvement can also be identified systematically, using the graphical ‘dependency risk maps’ produced by Citicus ONE.

These factual insights will help you come up with well-informed, well-focused action programmes at local and corporate level, aimed at bringing information risk down to an acceptable level across your enterprise.

Results for ‘owners’ of individual information resources
Information risk is heavily influenced by the behaviour of ‘owners’ of individual information resources.
Citicus ONE helps ‘owners’ to understand information risk and drive it down to an acceptable level by providing succinct, easily-understood results. These include:
- a 1-page risk status report showing the current status of the key factors that determine or indicate risk for their particular information resource and changes in their risk profile since last evaluated
- a dependency risk schedule, highlighting the risk status of dependent systems
- guidance on driving down risk, tailored to suit their risk status
- issues recorded while completing the evaluation, which explain why a rating was made or highlight the need for action
- an action plan, recording the remedial actions needed to drive risk down, and their status (planned, in progress, completed).
The first page of a sample i-risk status report and a dependency risk schedule are provided below.
First page of the i-risk status report produced for each 'owner'

'Owners' dependency risk schedule

