Citicus ONE is the world’s most advanced tool for measuring information risk, supplier risk and other areas of operational risk, and for managing them down to a level that is acceptable to top management, because it:
- measures information risk reliably, and applies the same principles to other key areas of risk
- implements a constructive risk management process
- actively supports and promotes compliance with established standards of practice
- offers a highly efficient way of reliably evaluating risk on an enterprise scale
- produces great-looking, meaningful results for decision-makers from Board-level down.
Information about these features can be found below.
Citicus ONE measures risk reliably, using techniques informed by years of rigorous, quantitative research into:
- the level of risk posed by thousands of mission-critical systems in use or under development in a wide cross-section of leading enterprises, active in most sectors of economic activity around the globe
- the effectiveness of the arrangements made by the ‘owners’ of those systems to control risk, quantified in terms of their measurable effect in reducing the experience of information incidents and the magnitude of their business impact
This research was led or conducted by the founders of Citicus Limited for and on behalf of the Information Security Forum (ISF), and Citicus ONE’s statistical base is refreshed every two years, by arrangement with the ISF.
A topic paper summarizing these research findings, Key facts about risk (PDF, 146KB), is available for download.
Further details of the research that underpins our approach can be found under Our research foundation.
Citicus ONE implements a constructive risk management process called FIRM, which is based on extensive research into:
- what makes risk analysis and risk monitoring processes effective
- key pitfalls to avoid (e.g. overly detailed, sporadic processes that take too long to carry out and produce results that business people neither understand nor believe in)
- secrets of success identified from studies of successful practice and many years of statistical investigation.
Key success factors and pitfalls to avoid are identified under How Citicus ONE works.
Citicus ONE actively supports and promotes compliance with established standards of practice.
The system is neutral about which standards you employ, provided that they cover all control areas known to be critical, so it can support whatever standards your organization has adopted. To facilitate deployment, Citicus ONE comes pre-loaded with a series of widely recognized standards of practice, including:
- ISO/IEC 27001 and 27002
- ISF Standard of Good Practice
- OWASP Top 10 and Application Security Verification Standard (ASVS)
- Cloud Security Alliance Consensus Assessments Initiative Questionnaire (CAIQ)
- EU General Data Protection Regulation (GDPR)
- Payment Card Industry Data Security Standard (PCI DSS)
- Cyber Essentials
In addition, we provide Citicus-devised standards of practice for areas where we feel existing standards are weak, non-existent or not in a form that can readily be applied. These include:
- Citicus supplier relationship framework
- Citicus supplied service framework
- Citicus industrial control system standards (incorporating CPNI and NIST guidance)
- Citicus site security, health and safety framework
- Citicus privacy framework
These pre-loaded standards are ready for use ‘out of the box’. You can also upload your own policies and standards if you wish.
Citicus ONE offers by far the most efficient way available on the market today of reliably evaluating information risk, supplier risk and other areas of operational risk on an enterprise scale. This is because the software is designed to yield meaningful, reliable, business-oriented results by involving business management and subject-matter practitioners in ways that make optimum use of their time.
The effort needed to carry out evaluations and produce results has been minimized by careful design. This focus on efficiency means that thousands of assets, activities, processes and/or external parties can be evaluated, and evaluations can routinely be kept up to date with modest effort. As a guide:
- an asset's criticality can be assessed online in minutes
- a full evaluation of risk can be completed in three hours initially
- once completed, full evaluations can be updated in minutes
Although a programme manager needs to be assigned to drive the risk management process, Citicus ONE enables his or her workload to be shared across a network of local co-ordinators, so no one becomes overburdened.
Citicus ONE produces great-looking, meaningful results for decision-makers from Board-level down.
All results produced by the system are designed to command the attention of decision-makers who deal with things other than risk as their ‘day job’.
They are expressed in clear business terms, make good use of text and graphics, and are attractively presented. This helps practitioners communicate effectively what needs to be done about risk and build the credibility of risk management.
Together, these features enable our customers to build a climate of support for risk management, and to make decisions about information risk, supplier risk and other key areas of operational risk based on first-rate, reliable information.
Background information on FIRM
FIRM is a ground-breaking methodology for managing information risk, published by the Information Security Forum (ISF). It was developed by the founders of Citicus for and in conjunction with the ISF. Citicus Limited has an exclusive licensing arrangement with the ISF for automating FIRM, manifested in our Citicus ONE risk and compliance management software.
This agreement makes Citicus ONE available to all organisations, including those that are not ISF Members.
Note: Citicus ONE fully supports the published FIRM methodology. The latest versions of Citicus ONE offer significant advances in risk management techniques, such as individual results, dependency risk maps, action plans and support for workshop-based risk assessments, which elevate FIRM to a higher plane and widen its applicability.
For more information on FIRM and Citicus ONE, you can download the Citicus topic paper entitled Driving risk down using FIRM and Citicus ONE (PDF, 640KB).