What makes Citicus ONE so special?

Citicus ONE is the world’s most-advanced tool for measuring and managing information risk down to a level that is acceptable to top management, for the reasons set out below.

Citicus ONE measures information risk reliably, using techniques informed by years of rigorous, quantitative research into:

  • the level of risk posed by thousands of mission-critical systems in use or under development in a wide cross-section of leading enterprises, active in most sectors of economic activity around the globe
  • the effectiveness of the arrangements made by the ‘owners’ of those systems to control risk, quantified in terms of their measurable effect in reducing the experience of information incidents and the magnitude of their business impact.

This research was led or conducted by the founders of Citicus Limited for and on behalf of the Information Security Forum (ISF), and Citicus ONE’s statistical base is refreshed every two years, by arrangement with the ISF.


Citicus ONE implements a constructive risk management process called FIRM, which is based on extensive research into:

  • what makes risk analysis and risk monitoring processes effective
  • key pitfalls to avoid (e.g. overly detailed, sporadic processes that take too much time to implement and produce results that business people don’t understand or believe in).


Citicus ONE actively supports and promotes compliance with established standards of practice for developing, running or using IT-based information systems.

The system is neutral about which standards you employ (providing that they cover all control areas known to be critical). Thus it can support whatever standards are employed by your organization. To facilitate deployment, Citicus ONE comes pre-loaded with a series of widely-recognized standards of practice including:

  • BS7799 / ISO 17999 (1999 and 2002 versions)
  • ISF Standard of practice (2000 and 2003 versions)
  • ISF Standard of practice for e-commerce (2000)

Other standards such as the IT Governance Institute’s COBIT standard for good IT security and control practices can also be incorporated.

These pre-loaded standards are ready for use ‘out of the box’ if you wish.


Citicus ONE offers the most efficient way by far of reliably evaluating information risk on an enterprise scale that is available on the market today. This is because our software is designed to yield meaningful and reliable business-oriented results by involving business, IT and information risk / security people in ways that make optimum use of their time.

The effort involved to carry out evaluations and produce results has been minimized by careful design. This focus on efficiency means that 1000s of systems can be evaluated and evaluations can be routinely kept up-to-date with modest effort. As a guide:

  • the criticality of a system can be assessed on-line in minutes
  • a full evaluation of information risk can be completed in three hours initially
  • once completed, full evaluations can be updated in minutes thereafter.

Although a programme manager needs to be assigned to drive the risk management process, Citicus ONE enables his or her workload to be shared across a network of local co-ordinators, so no one becomes overburdened.


Citicus ONE produces great-looking meaningful results for decision-makers from Board-level down.

All results produced by the system are designed to command the attention of decision-makers who deal with things other than information risk as their ‘day job’. Thus, they are expressed in clear business terms, make good use of text and graphics, and are attractively presented.

As a result, they communicate effectively what needs to be done about information risk and help build the credibility of risk management.


As a result, our customers gain first-rate, reliable information with which to make decisions about this large and growing component of information risk, with a process that builds a climate of support for risk management.

Background information on FIRM

FIRM is a ground-breaking methodology for managing information risk published by the Information Security Forum (ISF). It was developed by the founders of Citicus for and in conjunction with the ISF, and Citicus Limited has an exclusive licensing arrangement with the ISF for automating FIRM, manifested by our Citicus ONE product.

This agreement makes Citicus ONE available to all organisations – including those who are not ISF Members.

Note: Citicus ONE fully supports the published FIRM methodology. The latest version of Citicus ONE also offers significant advances in risk management techniques - such as individual results, dependency risk maps, action plans and support for workshop-based risk assessment – which elevate FIRM to a higher plane.

For more information on FIRM and Citicus ONE, download a Citicus topic paper on Driving information risk down using FIRM and Citicus ONE (PDF, 640Kb).

Bibliography

The extensive research that underpins Citicus ONE has been conducted over a 16-year period and documented in a series of reports, including:

  • Business Risk Analysis - covered in Major issues and assessment of solutions - Security of Network systems, Coopers & Lybrand, 1998
  • Business Risk Analysis: Establishing a risk analysis method which is easy to understand and simple to apply, ISF, 1992
  • Business Risk Analysis: How to establish a satisfactory IT risk analysis process, ISF, 1990
  • Business Risk Analysis: FIRM Implementation guide, ISF, 2000
  • Business Risk Analysis: FIRM Supporting material, ISF, 2000
  • Citicus analysis of data from ISF 200-02 Information Security Status Survey, Citicus, 2003
  • Information Security Status Survey - Consolidated Results - Communications networks, ISF, 1997
  • Information Security Status Survey - Consolidated Results - Corporate / group, ISF, 1997
  • Information Security Status Survey - Consolidated Results - Critical business applications, ISF, 1997
  • Information Security Status Survey - Consolidated Results - Executive guide, ISF, 1997
  • Information Security Status Survey - Consolidated Results - Information processing, ISF, 1997
  • Information Security Status Survey - Consolidated Results - Overall results, ISF, 1997
  • Information Security Status Survey - Consolidated Results - Systems development, ISF, 1997
  • Information Security Status Survey - Consolidated Results - Driving information risk out of the business, ISF, 1999
  • Information Security Status Survey - Consolidated Results - Identifying benchmarks and key factors, ISF, 1998
  • Information Security Status Survey - Consolidated Results - Impact of security management, ISF, 1999
  • Information Security Status Survey - Consolidated Results - Information risk reference guide, ISF, 1999
  • Information Security Status Survey - Consolidated Results - Initial overview of key statistics, ISF, 1998
  • Information Security Status Survey - Consolidated Results - Overall results, ISF, 1990
  • Information Security Status Survey - Consolidated Results - Overall results, ISF, 1996
  • ISF Standard of Good Practice - Comparison of the Forum’s Standard of Good Practice for Information Security and BS 7799, ISF, 1999
  • ISF Standard of Good Practice - The standard for information security, ISF, 1996
  • ISF Standard of Good Practice - The standard for information security, ISF, 1998
  • It could happen to you: Profile of major incidents, ISF, 2000
  • Securing e-commerce - Briefing paper, ISF, 1999
  • Securing e-commerce - working paper 1 Identifying key issues, ISF, 2000
  • Securing e-commerce - working paper 2 Measuring e-risk, ISF, 2000
  • Securing e-commerce - working paper 3 Dealing with threats and incidents, ISF, 2000
  • Securing e-commerce - working paper 4 Establishing controls, ISF, 2000
  • SPRINT (Risk Analysis For Information Systems) - Directory of controls, ISF, 1997
  • SPRINT (Risk Analysis For Information Systems) - User guide, ISF, 1997.

© 2008 Citicus Ltd