Intro to citicus_one_r3
citicus
Risk management approach for IT risk, vendor risk
1. Introducing Citicus ONE
Release 3.3. Managing information risk ... and beyond.
Citicus Limited, www.citicus.com
Citicus material copyright © Citicus Limited, 2011. All rights reserved.
2. What our award-winning Citicus ONE software can do for you
Citicus ONE Release 3.3 equips you to:
- Establish a highly efficient, continuous process for measuring and managing risk and compliance across your organization
- Measure the criticality and risk of business systems, IT infrastructure, business processes, sites, suppliers and other assets objectively and in business terms
- Measure compliance with relevant standards of practice, including internal policies, external codes of practice (eg SOGP, ISO2700x, COBIT, PCI, ITIL) and any legislation or regulations that apply (eg privacy regulations, Sarbanes-Oxley, Basel II, health and safety rules)
- Assess and record incidents, including their business impact and root causes
- Record and track remediation activity, including oversight of all issues until they are resolved and of both the costs and benefits of remedial action
- Report to management on risk in succinct, business-oriented terms, with aggregation across different areas of risk
- Exchange data with other systems
3. Determining what you want Citicus ONE to evaluate
[Diagram: the roles involved, from top management through the programme manager and core team and the local co-ordinators to the 'owners' of each target of evaluation, all working through Citicus ONE Release 3.]
Types of 'target of evaluation': business applications, IT infrastructure, business processes, industrial control systems, sites, projects, suppliers and other parties.
4. Types of 'target of evaluation' supported out-of-the-box
Several target types are supported 'out of the box'. Additional ones can be set up at any time using Citicus ONE and Citicus Workbench. Categories supported for each target type:
- Information resource: business application; computer installation; communication network; development activity; set of information; project; business process; business unit; any other area of risk ...
- Supplied service: application development; help desk; hosting; telecoms; business processing; other
- Industrial control system: SCADA; DCS; other
- Supplier relationship: alliance; collaborative; transactional; other
- Site: main office; branch office; manufacturing facility; R&D facility; IT facility; other
5. Citicus ONE supports a proportionate risk management process
- 'Phase 0: Discovery': identify and 'unpack' targets of evaluation, and identify their 'owners'.
- Phase 1: Criticality assessments: assess each target of evaluation's criticality (completed by the 'owner'). The criticality of hundreds of targets of evaluation can be evaluated in a few weeks; thousands might take 6 months to complete.
- Phase 2: Deeper dives: evaluate the risk posed by critical targets of evaluation by completing risk scorecards at 3-hour risk workshops. Roles shown on the diagram: the 'owner', a business user or representative, operations, development / support, help desk, and a facilitator (eg the local co-ordinator).
- Phase 3: Update: owners / completers update scorecards and remediation plans. Once completed, evaluations can be updated in minutes. Embed as a continuing process into the business.
You can also use Citicus MoCA for iPhone, iPad and iPod touch to complete criticality assessments.
6. Risk metrics
To get a good handle on risk, Citicus ONE measures the status of 5 determinants / indicators of risk: criticality, control weaknesses, special circumstances, level of threat and business impact. These are aggregated into a single risk metric.
[Individual risk chart: the level of risk posed by this target of evaluation (eg 75%) is shown against the level of risk acceptable to top management, with an overall risk rating of Low, Medium or High.]
7. Phase 1: Assessing criticality in a business-oriented manner
An 'owner' can complete a criticality assessment on-line in 20 minutes. Criticality is based on the maximum harm that could be suffered by the enterprise if confidentiality, integrity or availability of information were lost, together with the critical timescale of the information resource.
- Level of harm, assessed separately for loss of confidentiality, loss of integrity and loss of availability: extremely serious harm; very serious harm; serious harm; minor harm; no significant harm.
- Critical timescale of an information resource: an hour or less; half a day; a day; 2-3 days; a week; a month.
- Criticality: unacceptable harm, or a lower level of harm.
The results of different criticality assessments can be consolidated into a Criticality league table, providing a risk-oriented inventory of the organization's information resources.
8. Assessing impact objectively with a Harm reference table
Excerpt of a sample Harm reference table (levels of harm: A = extremely serious, B = very serious, C = serious, D = minor, E = none):

Nature of harm | Appropriate measure | A | B | C | D | E
Financial loss (lost revenue, unforeseen costs, penalties, fraud) | Financial impact | $10+ million | $1 - 10 million | $100 thousand - 1 million | $10 - 100 thousand | $0 - 10 thousand
Degraded performance (failure to achieve targets, loss of productivity) | Targets under-achieved by | 10%+ | 5% to 10% | 1% to 5% | Less than 1% | No impact
Degraded performance (continued) | Wasted staff-hours | 10,000+ hours | 5,000 to 10,000 hours | 1,000 to 5,000 hours | 100 to 1,000 hours | 0 to 100 hours
Damaged reputation (negative publicity, regulatory action, litigation) | Extent of negative publicity | Prolonged widespread | Brief widespread | Prolonged local | Brief local | No impact

Minor adaptation is required to cover the types of harm that matter to a specific organisation.
9. Phase 2: Evaluating risk and compliance, in as much detail as you wish
Risk factors can be fully evaluated at 3-hour facilitated risk workshops. Inputs: the 2-page risk scorecard for the target of evaluation (criticality, status of controls, special circumstances, experience of incidents, business impact of incidents), the supporting harm reference table, and the supporting standard of practice or compliance checklist. Outputs: an individual risk status report and a compliance status report.
[Diagram: workshop participants shown are the business 'owner', a business user, application support, IT operations, a help desk specialist and a facilitator (eg the local co-ordinator).]
10. Assessing the strength of controls in detail
The checklist allows a detailed assessment of control status in a way that lets compliance with key standards be measured and reported.
11. Recording additional details while completing a checklist
[Screenshot labels: control area on scorecard: Data back-up (regular cycle, secure storage); standard of practice for this control area: ISO27001; status of this particular statement of required practice (control item D1.10.02).]
12. 'Owners' obtain good-looking management information on risk status
- Page 1 enables an 'owner' to take in his or her risk status 'at a glance'.
- Page 2 highlights 'dependency risk'.
- Twin risk charts show improvement from one evaluation to the next.
- The report highlights and prioritises opportunities for further action in control areas categorised as Not OK.
13. Dependency risk maps help 'owners' look at risk in context
Citicus ONE allows you to plot dependency risk maps for any or all targets of evaluation. The target of evaluation under consideration sits at the centre of an individual dependency risk map.
- What relies on this one: the risk status of targets of evaluation that rely on this one can be identified by the outward-pointing arrowhead on the connecting line.
- What this one relies on: the risk status of supporting targets of evaluation can be identified by the inward-pointing arrowheads on the connecting lines.
- Unknown risk: the risk status of a target of evaluation is shown as unknown when no evaluation has been performed.
14. Compliance status reports provide more detail on controls
Citicus ONE provides an overview of compliance with a customizable set of control areas. Status values shown:
- Our arrangements have been tested and comply with the stated standard
- Our arrangements comply with the stated standard
- Our arrangements partially comply with the stated standard
- Our arrangements do not comply with the stated standard
- We believe that the stated standard does not apply in our case
- Current status is not known
15. Compliance trend reports show reduction in risk over time
[Charts: individual compliance trend report; consolidated compliance trend report.]
16. Drilling down to see the status of an individual risk factor (eg BCP/DR)
Risk factor analysis report: the pie chart shows the status of a risk factor across multiple targets, and the table shows what is driving each region of the chart. Excerpt:

Target of evaluation | 'Owner' | Evaluated | Status of control item
CDC Global email (RS8) | David Tilbury | 10 Jan '08 | 1 - Compliance confirmed
CDC Group accounts consolidated (RS39) | Honor Black | 14 Apr '08 | 1 - Compliance confirmed
EMA Dublin call centre (RS34) | Sam Jackson | 11 Sep '05 | 1 - Compliance confirmed
EMA E-banking application (RS84) | Richard Cliff | 30 Jun '08 | 2 - Compliance achieved
17. Helping all involved manage remediation activity
Evaluators have two ways of identifying the remedial actions needed to fix weaknesses identified by evaluations:
- Route 1: from the results of an evaluation, go directly to an action plan in Citicus ONE.
- Route 2: individual weaknesses can be recorded as issues, each with a unique reference, in a schedule of issues; issues can then be linked to the action item(s) needed to resolve them.
18. Linking notes and comments to issues and action items
Recorded notes and comments may be edited to express them as issues or action items. Issues can be linked to action items and their status updated automatically.

Recorded comment: "Back-ups are stored on an open shelf" (IRS 163.CC.2)

Issue SI.1
  Description: Back-ups of sensitive data are held insecurely
  Priority: Medium
  Issue status: Open
  Date raised: 14th Sep 2010
  Origin: IRS 163.CC.2
  Related action(s): AP.1, AP.2

Action item AP.1
  Description: Acquire fire-proof safe for storing back-up media
  Cost: $1000
  Benefit: Reduce risk of loss / misuse
  Priority: Medium
  Lead role: J Smith, IT Procurement
  Target completion: Nov 14th 2010
  Actual completion: Oct 8th 2010
  Current status: Completed

Action item AP.2
  Description: Transfer back-up media to fire-proof safe
  Cost: 0.5 man days
  Benefit: Reduce risk of loss / misuse
  Priority: Medium
  Lead role: T Atkins, Ops Supervisor
  Target completion: Nov 14th 2010
  Actual completion:
  Current status: Not yet started
19. Consolidated reporting – your personal risk metrics dashboard
The dashboard answers: What is the risk distribution of our assets? What is the status of my risk management programme? What's the likelihood of these systems suffering major incidents?
20. Consolidated reporting – key risk drivers
Citicus ONE risk dashboard: the 'clickable' scatter diagram shows the contribution of individual evaluations and enables you to see what's driving risk in particular regions of the chart.
[Scatter diagram: Criticality (0% to 100%) on the vertical axis against Average of other risk factors (0% to 100%) on the horizontal axis, with points labelled SR42.1, SS42.3, SS42.4, IR42.2, IR42.7, IR42.5 and SS42.6.]
21. Consolidated league tables show where the key risks lie
Citicus ONE ranks targets of evaluation in descending order of risk. Colour codes (High / Med / Low) indicate the danger posed by each component of risk; you can control colour and sorting.

Top 10 entries
Target of evaluation | Rank | Criticality | Control weaknesses | Special circumstances | Level of threat | Business impact
SecurNet (RS151) | 1 | 100% | 76% | 86% | 50% | 25%
Credit card processing (RS156) | 2= | 75% | 100% | 57% | 100% | 50%
Global email (RS49) | 2= | 75% | 100% | 57% | 100% | 50%
Boston data center (RS191) | 4 | 75% | 100% | 29% | 100% | 75%
London data centre (RS155) | 5 | 75% | 94% | 71% | 100% | 50%
Global intranet (RS150) | 6 | 75% | 94% | 86% | 75% | 50%
Supplier data (RS124) | 7 | 75% | 94% | 71% | 100% | 25%
HQ LAN (RS67) | 8 | 75% | 88% | 57% | 100% | 100%
Pacific data centre (RS131) | 9 | 75% | 88% | 71% | 75% | 25%
Group EIS (RS148) | 10 | 75% | 82% | 100% | 100% | 75%

Bottom 10 entries
Target of evaluation | Rank | Criticality | Control weaknesses | Special circumstances | Level of threat | Business impact
Relationship mgt (RS156) | 136 | 25% | 6% | 43% | 50% | 25%
Group payroll (RS167) | 137 | 25% | 0% | 29% | 50% | 0%
ePurchasing site (RS160) | 138 | 25% | 0% | 0% | 50% | 25%
Prices database (RS142) | 139 | 0% | 100% | 29% | 75% | 25%
UK sales information (RS12) | 140 | 0% | 82% | 43% | 100% | 25%
UK standby net (RS136) | 141 | 0% | 65% | 14% | 50% | 0%
Boston Order Proc. (RS190) | 142 | 0% | 59% | 29% | 100% | 50%
European data centre (RS46) | 143 | 0% | 47% | 57% | 50% | 0%
LaForce site LAN (RS101) | 144 | 0% | 41% | 14% | 100% | 25%
Erland site LAN (RS42) | 145 | 0% | 24% | 14% | 100% | 25%

Note: Names have been changed to preserve confidentiality but ratings are genuine.
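As an added example (not Citicus code), the following Python applies the sample Harm reference table from slide 8 to classify harm by its worst level, and builds a league table in the style of slide 21, including the tied-rank notation ("2=") the slide shows. The page does not give Citicus ONE's aggregation formula or its High / Med / Low thresholds, so the risk_score formula (criticality weighted by the average of the other four factors, mirroring the axes of slide 20's scatter diagram), the colour bands, the reading of boundary values such as exactly $10 million, and the sample evaluations are all assumptions made here.

```python
"""Harm classification and risk league table (added example, not Citicus code)."""
from dataclasses import dataclass
from statistics import mean

# Harm levels from the page's sample Harm reference table; "A" is worst, "E" is none.
LEVELS = ["A", "B", "C", "D", "E"]

# Quantitative rows of the table as (inclusive lower bound, level), worst first.
# ASSUMPTION: a value on a boundary is read as the worse level ("$10+ million" is A).
FINANCIAL_LOSS_USD = [(10_000_000, "A"), (1_000_000, "B"), (100_000, "C"), (10_000, "D"), (0, "E")]
WASTED_STAFF_HOURS = [(10_000, "A"), (5_000, "B"), (1_000, "C"), (100, "D"), (0, "E")]
TARGET_SHORTFALL_PCT = [(10, "A"), (5, "B"), (1, "C")]  # below 1% is D, no shortfall is E
# Qualitative row: extent of negative publicity.
REPUTATION = {"prolonged widespread": "A", "brief widespread": "B",
              "prolonged local": "C", "brief local": "D", "none": "E"}


def _by_threshold(value, table):
    """Return the first level whose lower bound the value reaches."""
    for lower, level in table:
        if value >= lower:
            return level
    return "E"


def financial_level(loss_usd):
    return _by_threshold(loss_usd, FINANCIAL_LOSS_USD)


def staff_hours_level(hours):
    return _by_threshold(hours, WASTED_STAFF_HOURS)


def performance_level(shortfall_pct):
    if shortfall_pct <= 0:
        return "E"
    return _by_threshold(shortfall_pct, TARGET_SHORTFALL_PCT) if shortfall_pct >= 1 else "D"


def reputation_level(extent):
    return REPUTATION[extent.lower()]


def overall_harm(levels):
    """Criticality is based on the maximum harm, so the worst level wins."""
    return min(levels, key=LEVELS.index)


@dataclass
class Evaluation:
    """One target of evaluation with the five risk determinants as percentages."""
    name: str
    criticality: int
    control_weaknesses: int
    special_circumstances: int
    threat: int
    business_impact: int

    def other_factors(self):
        return [self.control_weaknesses, self.special_circumstances,
                self.threat, self.business_impact]


def risk_score(e):
    """ASSUMED aggregation: criticality weighted by the average of the other four
    factors (the two axes of the scatter diagram). Citicus ONE's real formula is
    not on the page."""
    return round(e.criticality * mean(e.other_factors()) / 100, 1)


def colour_code(pct):
    """ASSUMED High / Med / Low bands for each component of risk."""
    return "High" if pct >= 75 else "Med" if pct >= 50 else "Low"


def league_table(evals):
    """Rank in descending order of risk; tied entries share a rank marked '='."""
    ranked = sorted(evals, key=risk_score, reverse=True)
    scores = [risk_score(e) for e in ranked]
    rows = []
    for i, e in enumerate(ranked):
        first = scores.index(scores[i])  # position of the first entry with this score
        rank = f"{first + 1}{'=' if scores.count(scores[i]) > 1 else ''}"
        rows.append({"rank": rank, "name": e.name, "score": scores[i],
                     "codes": [colour_code(p) for p in [e.criticality] + e.other_factors()]})
    return rows


# Constructed sample data: names and ratings are invented for this example.
SAMPLE = [
    Evaluation("Payments gateway (RS-001)", 100, 80, 60, 50, 40),
    Evaluation("HR portal (RS-002)", 75, 100, 60, 100, 60),
    Evaluation("Intranet (RS-003)", 75, 60, 100, 100, 60),
    Evaluation("Test lab LAN (RS-004)", 25, 20, 40, 50, 10),
]

if __name__ == "__main__":
    print("Harm level for a $2.5M loss:", financial_level(2_500_000))
    print("Worst of C, D, B, E:", overall_harm(["C", "D", "B", "E"]))
    for row in league_table(SAMPLE):
        print(row["rank"], row["name"], row["score"], " ".join(row["codes"]))
```

Two points worth noting from the run: the HR portal and intranet entries produce identical scores and so both print as rank "1=", the notation slide 21 uses for its tied second place, and the payments gateway, despite 100% criticality, ranks below them under the assumed formula, which is exactly why a per-component colour code alongside the overall rank is useful.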
22. Compliance trend reports provide a timeline of compliance status
Compliance with a specified standard can be tracked as a trend line. You can plot the overall status of all controls in the employed checklist or focus on an individual control area of interest.
23. Examples of successful practice
24. Global branded food manufacturer
- Global program driven by a strong, personable programme manager (2 people at centre, 3 in regions), based in Group Compliance & Controls
- IT assessments use FIRM+ criticality assessments + risk scorecards supported by ISO 27000 standard of practice: 17 control areas, 150 controls
- ~1,200 evaluations since 2005: 1,000 criticality assessments and 200 'deep dive' risk assessments
- IT assessments embedded in system development and IT procurement processes
- Areas of risk: business applications, IT infrastructure, business processes, business units, sites, projects, suppliers and other parties
- Software currently being configured with checklists that enable evaluation of: food defence practices; compliance with bribery / child labour laws (for Dow Jones Sustainability Index); supplier risk capability; particular business processes
- Collaborative developments: suppliers; data exchange
- Program entered for Excellence in Information Integrity award, 2009
"By implementing a business oriented and systematic risk assessment process, real benefits can be achieved as compliance and security requirements can be quickly satisfied without unnecessary burden, and resources properly allocated throughout the organization"
25. Global tobacco company
- Global program driven by a strong, personable programme manager (2 people at centre, based in IT; 50 trained local co-ordinators)
- IT assessments initially used FIRM+ criticality assessments + scorecards supported by home-grown standard of practice: 17 control areas, 100 controls
- ~2,500 evaluations since 2004
- Program being extended to cover factory automation
- Standard of practice turned into a 'smart checklist' in 2009, driven by user-controllable attributes
- Areas of risk: business applications, IT infrastructure, business processes, business units, sites, projects, suppliers and other parties
- Citicus ONE employed as 'system of systems'; characteristics of systems recorded as attributes
- Collaborative developments: attribute sophistication; risk management metrics
"With a portfolio of more than 500 computer systems supporting diverse business functions and application/data owners across the world, ad hoc assessment for policy compliance and IT governance needed to be replaced with systematic and transparent information risk management processes."
26. Other large-scale Citicus ONE implementations

Customer | Completed evaluations | Geographical scope | Bases of evaluation | Program management
Insurance / financial services | >18,000 | 70+ countries | Criticality assessments, scorecards + 2 home-grown checklists (~60 control items) | 3 at centre, 1+ local co-ordinator in every business unit
Global brands | 2,300 | 150 countries | Criticality assessments, scorecard + home-grown 'smart' checklist (~100 control items) | 2 at centre, 5 regional co-ordinators, 15-20 local co-ordinators
Insurance / financial services | 1,200 | North America | Criticality assessments, scorecard + ISF SoGP. Harm reference table being used for other areas of risk. Some tweaks needed. | 3-4 at centre. No local co-ordinators
Central Government in Canadian province | 600 | 30+ Ministries | ISF Health check used for Ministry-level evaluations. 'Smart' checklists based on ISF SoGP used for major information systems | 2-3 at centre, 1-2 local co-ordinators in each Ministry
27. About Citicus Limited
28. Who we are

Citicus Limited was formed in 2000 to provide world-class risk management software products and supporting services
Wholly-owned by its directors and staff
Based in UK (London, Cheltenham)
Exclusive, worldwide right to sell FIRM automation, reflecting Citicus directors' long-standing involvement with the Information Security Forum (ISF) and their lead role in the development of this ground-breaking risk measurement and management methodology
Relations with customers based on a collaborative way of working
Our relationship with the ISF is continuing (e.g. access to Survey data, involvement in FIRM and IRAM development)

Simon Oxley, Managing director
Headed information security departments at National Power and Reuters
Took both companies into ISF and served on ISF Council 1992-94
Heads Citicus management team and leads our commercial activities
Oversees our relations with standards-makers (e.g. ISF, BSI-ISO, ISACA)

Marco Kapp, Director
Established ISF while a director of C&L's UK consulting practice
Author of ISF's first standard and numerous reports on risk
Chief architect of ISF's FIRM methodology
Chief architect of the collaborative Supplier Risk Assessment (SRA) project, which culminates in the delivery of Citicus ONE Release 3

Sian Alcock, Director
Extensive experience in analysing ISF survey results
Developed new, quantitative insights into what drives risk up / down
Lead author of ISF report on The impact of security management
Oversees design, development and delivery of Citicus ONE
29. Our customers and geographic focus

Citicus ONE is currently helping customers to measure and manage the risk posed by many thousands of systems in over 150 countries

Representative customers (main activity: where based)
Banking: US, Saudi Arabia, UAE
Consumer products: Netherlands, Switzerland, UK, USA
Energy: UK, Germany
Government: Canada, Ireland, UK, Netherlands
Insurance: France, USA
IT and professional services: Germany, Scandinavia, Switzerland, UK, USA
Manufacturing: France, Netherlands, Scandinavia
Telecommunications: Kenya

We support deployments all over the world via training and services delivered from the UK. We can orchestrate global support if needed.
30. Citicus ONE is based on solid, factual evidence

Citicus ONE Release 3 is the end-product of an unrivalled volume of research, conducted by the founders of Citicus Limited for and/or in conjunction with leading organizations around the world. Results of this research over the last 20 years are illustrated below.

Example: the ISF 1998 survey involved over 1,000 people:
in-depth analysis of 800,000 facts about 969 surveyed systems, including the controls applied to them, incidents they suffered and other key characteristics
intensive review by practitioners provided major insights into what drives information risk
969 survey questionnaires: 61,000 pages (would make a pile 8 metres high)

ISF: Information Security Forum

We developed the FIRM risk management methodology for and in conjunction with the Information Security Forum (ISF). It reflects all the above research and is automated by our Citicus ONE software. Release 3 extends FIRM to cover all areas of operational risk.
31. FIRM risk management methodology

Developed by founders of Citicus Limited for and in conjunction with the Information Security Forum (ISF) in 2000

FIRM Implementation Guide (2000)
The problem
Key challenges
The methodology
6-step implementation process

FIRM Supporting material (2000)
Terminology, concepts and role definitions
Operational tools
Examples of successful practice
Advice on making selective improvements

Revised FIRM Scorecard (2005)
Rearranged presentation
Updated content to align with other ISF tools (e.g. SoGP, Healthcheck, IRAM)