Organization: Stora Enso
Industry sector: Paper manufacturer
Head Office: Sweden
Guaranteeing a safe and secure supply chain through AEO certification
Stora Enso is one of the first companies in Europe to achieve AEO certification, and is using Citicus ONE to assess AEO readiness across the corporation.
Stora Enso’s Director of IT Security, Christian Thunberg, was attracted by the simplicity, realism and scalability of the FIRM methodology. These are vital considerations for a successful implementation in a large manufacturing company.
Stora Enso piloted Citicus’ FIRM automation software, Citicus ONE, for a year across five business divisions and completed risk assessments for over 100 critical information systems.
For some systems the results from Citicus ONE were compared with those from a parallel assessment using very detailed and time-consuming checklists. The comparison showed that Citicus ONE had identified all the major weaknesses and 70-80% of the minor issues picked up by the detailed analysis. Further, Citicus ONE had identified weaknesses not exposed by the checklist approach. This is testament to the efficiency of the Citicus ONE approach – allowing risk assessment to be applied across a much wider range of systems than more time-consuming methods.
Citicus ONE is a keystone of Stora Enso’s information risk management process (IRMP). Since its introduction in 2002, Stora Enso's Director of IT Security Christian Thunberg has configured his system with 'bases of evaluation' (BoEs) for sites, business applications, networks, computer rooms, production control systems, SOX and now AEO readiness. Three of these employ Citicus ONE's 'smart' BoE capabilities, with particular provisions being selected automatically to reflect an asset's characteristics.
Stora Enso's Director of IT Security Christian Thunberg comments:
“We've completed about 300 criticality assessments and expect to carry out risk assessments regularly for all our critical IT systems. We use Citicus ONE’s consolidation capabilities to report on risk status to our main board.
We have got the necessary backing, the right tools and a solid process in place – now we just need to get on with it”.