Screenshots
The screenshots below illustrate what Citicus ONE can do and show what is involved in deploying it in your organisation.
They are grouped under the headings that follow.
Accessing the system's capabilities
Users gain access to Citicus ONE via their browser.
Adobe Acrobat Reader® (available free from Adobe Systems, Inc) is required to see results at their best.
No other client-side software is needed, which greatly simplifies large-scale deployment.
Once logged on, users gain access to the system's capabilities according to their assigned role.
For example, 'owners' of information resources can use Citicus ONE to:
- evaluate the criticality or risk status of their information resource
- report information incidents
- compile action plans for keeping risk under control
- view individual or high-level results produced by the system.
'Custodians' of the Citicus ONE application - who oversee use of the system and control the risk management process that it supports - gain access to the full capabilities of the system, enabling them to:
- set up information resources for evaluation
- issue scorecards and assessments
- track progress in completing them
- review individual results
- compile high-level results
- customize and administer the system.
Local co-ordinators have access to similar capabilities.
Determining the relative criticality of information resources
The criticality of large numbers of information resources can be established with very little effort using Citicus ONE's 1-page criticality assessment forms. A form is issued to the 'owner' of each information resource that you wish to evaluate, which 'owners' can complete on-line in minutes.
As 'owners' complete their 1-page criticality assessment, they receive immediate feedback on-screen about their information resource's need for protection and measured criticality.
They can then use the system to view, print or store their results in attractive PDF form.
Completing an assessment is easy. 'Owners' are simply asked to identify the maximum level of harm your enterprise could suffer if information handled by the system were wrongly disclosed, corrupted or rendered unavailable for varying periods of time.
'Owners' have 'one-click' access to a Harm reference table, which enables them to evaluate harm in a consistent, business-oriented fashion.
Note: The Harm reference tables provided by Citicus ONE are simple yet very effective.
If required, variants can be presented for different parts of your enterprise.
Once the criticality of your enterprise's information resources has been established, custodians and local co-ordinators of the risk management process can view the Criticality league table produced by the system to determine which information resources require full evaluation of information risk.
Measuring the level of risk posed by your most critical systems
Citicus ONE employs a rigorous, research-based method of evaluation to measure information risk. Known as FIRM, this was developed by the founders of Citicus Limited for and in conjunction with the Information Security Forum – an association of leading organisations that come together to fund research into problems affecting information security.
The method is based on more than 15 years of analysis into the effectiveness of controls applied to thousands of business-critical information systems, which shows that the probability of an enterprise suffering a major information incident and the number of minor information incidents it suffers is determined or otherwise indicated by five factors. Each of these factors is evaluated by Citicus ONE.
The easy-to-understand risk charts produced by Citicus ONE display the status of five key determinants or indicators of information risk. The red portion of the chart shows the measured risk posed by a particular information resource. The green area shows what level of risk is acceptable to top management. This level is set by the custodian of the risk management process supported by Citicus ONE, in conjunction with the enterprise's risk steering committee. More than one level may be established.
The chance of an information resource suffering an information incident is mainly determined by the extent of weaknesses in the arrangements made to protect the confidentiality, integrity or availability of information. These arrangements serve to control risk, hence are generally termed 'controls'.
Using Citicus ONE, 'owners' identify control weaknesses by getting key business and IT staff together to evaluate the status of control in 17 areas - each identified as key using statistical means.
To ensure consistency, behind each control area there is an explicit standard of practice. This enables all involved to:
- see what standard should be met
- highlight any gaps where improvement is needed.
Citicus ONE comes pre-loaded with several recognised standards of practice, including BS 7799-2 (ISO/IEC 17799) and the Information Security Forum's Standard of Good Practice, 2003.
Other (eg in-house) standards can also be applied.
By rating control areas through discussion with key business users and IT staff, 'owners' obtain a realistic understanding of their degree of compliance with the adopted standard of practice, with significant vulnerabilities highlighted.
This is summarised in the graphical results produced on screen as controls are assessed.
Similar processes are employed to establish how many information incidents have been experienced over the last year, their business impact and the status of improvement activity in each control area.
Together, these user-friendly processes enable Citicus ONE to produce an attractive report for each 'owner', setting out the risk status of their particular information system.
Keeping track of remedial action
Citicus ONE's constructive approach and graphical results are purposely designed to motivate 'owners' to reduce information risk to an acceptable level, and the system helps them to keep track of risk remediation activity.
Action items can be quickly and easily recorded for each information resource.
These can be assembled into an action plan for each information resource.
Action plans can also be maintained at enterprise level, and for particular parts of the enterprise.
Owners, custodians, local co-ordinators and others (eg auditors) can inspect these plans and verify that action is being taken where necessary.
Compiling high-level results for decision-makers
Citicus ONE's business-oriented reporting capabilities are designed to keep top decision-makers informed about the risk status of their enterprise and to provide custodians and local co-ordinators with the facts needed to manage the overall information risk management programme.
These reporting capabilities enable you to compile a range of attractively-presented reports, which you can keep up-to-date with one click.
Each report employs a mix of graphical techniques and plain language in order to provide decision-makers with insights about information risk that they can readily understand and relate to.
[Screenshot: High-level reporting capabilities provided by Citicus ONE]
For example, using the High-level risk status report produced by the system, decision-makers can immediately see which information resources pose the greatest risk to their enterprise, and identify whether their risk status is above or below acceptable limits.
This graphical section of the report is accompanied by a digest showing key facts about your enterprise's risk status in plain language.
This identifies how many information resources have been evaluated, the percentage that are in good shape and how your enterprise has been affected by weaknesses in controls over the remainder.
Key incidents are also highlighted, along with their costs.
[Screenshot: The High-level risk status report incorporates a digest of your risk status in plain language]
Decision-makers can also obtain an information risk league table showing the risk status of each information resource that has been evaluated, ranked in descending order of risk.
External data can be included in such information risk league tables, to give decision-makers an idea of how their risk status compares to the outside world.
Together, the reporting capabilities of Citicus ONE will enable you to keep decision-makers informed, and give you the facts you need to direct risk reduction programmes at enterprise and local level.
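The criticality assessment, criticality league table and risk league table described above can be modelled as a small data pipeline. The following Python script is an added example, not Citicus code and not the FIRM method: the harm reference table, the outage periods, the rule that criticality is the highest harm rating across disclosure, corruption and unavailability, the 0-10 risk scale and the threshold for full evaluation are all assumptions made for illustration, and the measured risk figures are simply supplied rather than derived from the five FIRM factors.

```python
"""Criticality and risk league tables modelled on the workflow described on the page.

Added example, not Citicus code. Scoring rules below are assumptions:
  * criticality = highest harm rating across disclosure, corruption and
    unavailability (unavailability is rated per outage period; the worst counts);
  * measured risk is a supplied score out of 10 (in the product it is derived
    from the five FIRM factors, which are not modelled here).
"""
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed harm reference table: level -> business-oriented description.
HARM_TABLE = {
    0: "Negligible: no noticeable effect",
    1: "Minor: absorbed within normal operations",
    2: "Moderate: disruption to one business unit",
    3: "Major: enterprise-wide disruption or regulatory action",
    4: "Critical: threatens the survival of the enterprise",
}


@dataclass
class Assessment:
    resource: str
    disclosure: int                      # harm level if wrongly disclosed
    corruption: int                      # harm level if corrupted
    unavailability: Dict[str, int]       # outage period -> harm level
    measured_risk: Optional[float] = None  # set only after a full evaluation

    def criticality(self) -> int:
        """Highest harm level across all three impact types (assumption)."""
        levels = [self.disclosure, self.corruption, *self.unavailability.values()]
        for lvl in levels:
            if lvl not in HARM_TABLE:  # reject ratings outside the reference table
                raise ValueError(f"{self.resource}: harm level {lvl} not in reference table")
        return max(levels)


def criticality_league_table(assessments, full_evaluation_threshold=3):
    """Rank resources by criticality (descending); flag those needing full risk evaluation."""
    rows = sorted(assessments, key=lambda a: (-a.criticality(), a.resource))
    return [(a.resource, a.criticality(), a.criticality() >= full_evaluation_threshold)
            for a in rows]


def risk_league_table(assessments, acceptable_level, overrides=None):
    """Rank fully evaluated resources by measured risk, descending.

    acceptable_level is the default level top management accepts; overrides
    maps resource names to a different level (more than one level may exist).
    The flag says whether measured risk is above the applicable level.
    """
    overrides = overrides or {}
    evaluated = [a for a in assessments if a.measured_risk is not None]
    rows = sorted(evaluated, key=lambda a: (-a.measured_risk, a.resource))
    return [(a.resource, a.measured_risk,
             a.measured_risk > overrides.get(a.resource, acceptable_level))
            for a in rows]


def risk_digest(risk_rows):
    """Plain-language facts for a high-level digest: count evaluated, share in good shape."""
    evaluated = len(risk_rows)
    in_good_shape = sum(1 for _, _, above in risk_rows if not above)
    pct = round(100 * in_good_shape / evaluated) if evaluated else 0
    return {"evaluated": evaluated, "in_good_shape_pct": pct}


# Constructed sample assessments (not real data).
SAMPLE = [
    Assessment("Payroll", 3, 3, {"1 hour": 1, "1 day": 2, "1 week": 3}, measured_risk=6.5),
    Assessment("Intranet news", 0, 1, {"1 hour": 0, "1 day": 1, "1 week": 1}),
    Assessment("Trading platform", 3, 4, {"1 hour": 3, "1 day": 4, "1 week": 4}, measured_risk=7.2),
    Assessment("Customer CRM", 4, 2, {"1 hour": 1, "1 day": 2, "1 week": 3}, measured_risk=4.0),
]

if __name__ == "__main__":
    for name, crit, full in criticality_league_table(SAMPLE):
        print(f"{name:18} criticality {crit}  {HARM_TABLE[crit]}  full evaluation: {full}")
    rows = risk_league_table(SAMPLE, acceptable_level=5.0, overrides={"Trading platform": 6.0})
    for name, risk, above in rows:
        print(f"{name:18} risk {risk:.1f}  above acceptable level: {above}")
    print(risk_digest(rows))
```

The league tables sort on a tuple so that ties in criticality or risk are broken by name and the ordering is stable across runs; the per-resource override dictionary is how the page's "more than one level may be established" is represented here.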
Helping users get the most out of the system
Help systems are often just a bolt-on afterthought. Not so in the case of Citicus ONE. Its comprehensive Help system is an integrated part of the risk management process, since to reduce risk you need to change behaviour. Providing informative educational material to users - in interesting, thought-provoking ways - is therefore one of Citicus ONE's key goals.
To achieve this, the system provides over 350 pages of clear, colourful Help material, accessible through indexes that depend on the user's role in the system.
The 'owner's Help index covers completion of scorecards, generating results, and acting on them. Topics covered include:
- How and when to evaluate
- Gaining access to your results
- Acting on your results
- Seeing how you compare
- Calling for advice and assistance
- Benefits of driving risk down enterprise-wide.
To encourage constructive deployment and use, each major topic explains 'what's in it for me?' from the 'owner's point of view.
In contrast, the custodian's Help index focuses on deployment and governance issues (ie on driving information risk down to an acceptable level enterprise-wide). Topics covered include:
- Getting started
- Customising the system
- Setting up information resources
- Issuing scorecards and criticality assessments
- Collecting data on incidents
- Reporting to top management
- Helping 'owners' to drive risk down.
Both classes of user have access to other key aids, including:
- Glossary of risk terms
- Glossary of system terms
- Sample results
- Blank forms
- Citicus-supplied standards of practice
- Tutorials and completion aids
Customising the system to suit your needs
Citicus ONE is designed to run 'out of the box' with minimal local configuration. However, many features of the application are customisable. These include:
- Standard of practice to be applied
- Harm reference table (you can have different tables for different parts of your enterprise, or a single one for your enterprise as a whole)
- Level of acceptable risk (you can vary these for particular types of information resources)
- Level of unacceptable harm
- Regional settings (eg currency employed, thousands separator)
- Structure of your organisation
- Methods of administering and authenticating users
- Colours employed in graphical results
- Branding (eg name displayed top left on browser pages and results).
These features can be customised using the capabilities of the system (ie no coding is required).
For example, a level of acceptable risk can be readily set up using simple pull-down controls.
This enables Citicus ONE to give voice to the precise risk appetite of your top management.
Similarly, you can set up your enterprise's corporate structure with just a few simple operations, thereby enabling Citicus ONE to tie in with the organisation for risk management and reporting purposes.
To facilitate deployment enterprise-wide, Citicus ONE can be integrated with your organisation's 'identity management' processes via LDAP (Lightweight Directory Access Protocol).
This minimises the time spent on user administration, and enables you to tie into established processes.
Administering the system in day-to-day use
Comprehensive facilities are provided to help you run the system day-to-day.
For example, you can:
- Set up information resources to evaluate
- Issue scorecards and assessments
- Keep track of progress in filling them in
- Review completed evaluations
- Return evaluations for correction.
These capabilities are employed using the Monitoring status page provided by the system.