Software capabilities

Our award-winning Citicus ONE software provides all the functionality you need to measure information risk and manage it down to an acceptable level across your organization. As part of this process you can evaluate compliance with any standards governing the development and operation of information systems.

Citicus ONE automates all the core features of the ISF's FIRM methodology and provides added functionality which will help you measure and manage information risk and compliance efficiently across your organization. These extended capabilities were conceived, designed and developed by the team who originated the FIRM methodology. Thus, they reflect a detailed and coherent understanding of the challenges that need to be overcome to measure and manage information risk in business terms across an enterprise.

Summary of Citicus ONE's functionality

Citicus ONE's functionality is outlined below.

For a printer-friendly version, download our Summary of Citicus ONE's capabilities (PDF, 184 KB).

Core capabilities

Citicus ONE is a web-based application, available in six languages, designed to help you:

  • Measure risk posed by any number of 'information resources', efficiently and accurately in meaningful business terms, in line with a formal, published methodology
  • Present 'owners' of such information resources with business-like results that encourage them to drive information risk down to an acceptable level, and help them do so over time
  • Present an overall picture of risk to decision-makers from top management down
  • Monitor compliance of information resources with internal policies, regulatory requirements and established standards
  • Manage both the evaluation process and remediation activity in an efficient and constructive manner
  • Customize key details of the process to reflect the nature of your organization's business activities, top management's attitude to risk and risk appetite, chosen standard(s) of practice, your corporate structure, and method of integration with your identity management and user authentication procedures.

Note: 'Information resources' is a collective term covering sets of information, business applications, e-commerce initiatives, computer installations, wide-area networks / LANs, and system development activities.

Fact-gathering

Citicus ONE collects risk and compliance data using carefully-designed forms:

  • Criticality assessment (half page)
  • Information risk scorecard (2 pages)
  • E-risk scorecard (17 pages)
  • Compliance checklists (variable length)
  • Brief incident assessment (2 pages).

Results produced for 'owners' of information resources

Citicus ONE presents 'owners' with succinct results they can readily understand:

  • Information risk (or e-risk) status report (1 page)
  • Compliance status report (1 page)
  • Schedule of dependency risk (usually 1 page)
  • Owner-centric dependency risk map (usually on 1 page)
  • Guidance on driving down risk (usually 3 pages)
  • Issue schedule and Action plan (variable length)
  • Schedule of control weaknesses and other key points made in discussion (usually 1-3 pages).

Results produced for decision-makers at business unit/corporate level


Citicus ONE produces results for decision-makers at higher levels:

  • High-level risk status report, showing key risks and the 'cost of insecurity'
  • Criticality league table, ranking information resources according to their measured criticality
  • Information risk league table, ranking information resources according to their measured risk
  • Compliance league table, ranking information resources according to their compliance with a specified set of regulations/standards
  • Dependency risk map for systems supporting particular business processes or whole enterprise
  • Incident list, ranked by harm caused
  • Incident statistics, including breakdowns by type and their business impact.

Workflow management

Citicus ONE helps you implement a constructive risk management process efficiently:

  • Define information resources
  • Administer users either directly or through an external user directory accessed via LDAP
  • Assign 'owners' to information resources and a 'completer' for each evaluation form
  • Issue risk scorecards and assessments at frequencies that reflect the criticality of each information resource
  • Bring forward previous evaluation results for updating, with minimal effort
  • Track completion of issued scorecards/assessments/checklists and chase up as required
  • Review completed forms and mark them as 'accepted' or 'returned for correction'
  • Keep track of unresolved issues and actions needed at corporate level
  • Identify risk 'pinch points' (e.g. weaknesses in IT infrastructure which affect many information resources)
  • Generate and 'publish' high-level results (these can be refreshed automatically as evaluations are updated)
  • Keep track of risk management activities via an informative audit log.

Remediation activity planning

Citicus ONE records key issues raised by evaluations and maintains action plans to help manage these issues through to resolution. Issue schedules and Action plans are maintained at three levels:

  • For individual information resources, enabling system 'owners' to identify and manage the control improvements called for by risk and compliance evaluations
  • For specific parts of the enterprise, enabling local co-ordinators to identify and manage actions they need to take within their business units
  • For the enterprise as a whole, enabling the custodian of the entire risk management process to identify and manage actions needed at corporate level (e.g. new policies, standards or procedures).

Customization

Citicus ONE's customization capabilities enable you to tailor the process to fulfil your own requirements. For example, you can:

  • Generate Harm reference tables which help users evaluate risk consistently, in terms that reflect your organization's activities
  • Generate Standards of practice and compliance checklists to help users consistently evaluate the status of the controls applied to their information resources (if desired, these can be based on built-in standards such as ISO 27001, ISO 17799 and the ISF Standard of Good Practice)
  • Generate one or more Determinations of acceptable risk, against which owners can assess their risk status
  • Define the level of risk that is unacceptable to top management.

Recent enhancements

The enhancements introduced in recent Citicus ONE releases (most recently R2.3 in December 2006) deliver some major new features that reinforce Citicus ONE's status as the most complete information risk management tool in the world. The new features include:

  • Import/export of standards and checklists using an XML format that can be manipulated with Microsoft Excel®, allowing any set of control statements to be incorporated easily into a Citicus ONE checklist
  • System-generated notes highlighting risk and compliance issues that need to be addressed following an evaluation
  • Automatic population of Issue schedules and Action plans with notes and comments recorded during a risk or compliance evaluation
  • An Interactive Harm Reference Table providing business users with an objective and quantitative approach to identifying and recording the potential or actual harm caused by incidents affecting critical information systems
  • New industry standards shipped with Citicus ONE, including the Information Security Forum's Standard of Good Practice 2005, BS 7799-2:2005/ISO 27001 and the Payment Card Industry Data Security Standard v1.1, allowing the level of compliance with these standards to be assessed and monitored
  • The ability to extract risk data from Citicus ONE in an XML format for external analysis or incorporation into operational risk management reports
  • Multi-language support allowing users to select their preferred language from English (UK or US), French, German, Dutch or Japanese.

© 2008 Citicus Ltd