Intro to citicus_one_r3

Introducing Citicus ONE Release 3.3
Managing information risk ... and beyond

Citicus Limited
www.citicus.com

Citicus material copyright © Citicus Limited, 2011. All rights reserved.

What our award-winning Citicus ONE software can do for you

Citicus ONE Release 3.3 equips you to:
Establish a highly-efficient, continuous process for measuring and managing risk and
compliance across your organization

Measure the criticality and risk of business systems, IT infrastructure, business
processes, sites, suppliers and other assets objectively and in business terms

Measure compliance with relevant standards of practice including internal policies, external
codes of practice (eg SOGP, ISO2700x, COBIT, PCI, ITIL) and any legislation or regulations that
applies (eg privacy regulations, Sarbanes-Oxley, Basel II, health and safety rules)

Assess and record incidents, including their business impact and root causes

Record and track remediation activity, including oversight of all issues until they are
resolved and both the costs and benefits of remedial action

Report to management on risk in succinct, business-oriented terms, with aggregation
across different areas of risk

Exchange data with other systems

Copyright © Citicus Limited, 2011. All rights reserved.

Determining what you want Citicus ONE to evaluate

Business applications IT infrastructure Top management

Business Industrial
processes / Citicus ONE control
units Release 3 systems
Programme
manager and
Sites Projects core team

Suppliers

Citicus ONE
and other parties Local
co-ordinators

'Owners'

Types of ‘target of
evaluation’ IT Industrial
Business infra- Supplier Site control
application structure system


Types of ‘Target of evaluation’ supported out-of-the-box

Several target types are supported ‘out of the box’. Additional ones can be
set up at any time using Citicus ON E and Citicus W orkbench.

Information Supplied Industrial
Supplier
Site control
resource relationship service
system

Category Category Category Category Category
Business Alliance Application Main office SCADA
application development
Collaborative Branch office DCS
Computer Help desk
Transactional Manufacturing Other
installation
Hosting facility
Other
Communication
Telecoms R&D facility
network
Business IT facility
Development
processing
activity Other
Other
Set of
information

Any Project
other Business process
area of Business unit
risk ...


Citicus ONE supports a proportionate risk management process

‘P hase 0:
Discovery’ P hase 1: Criticality assessm ents: Assess each
target of evaluation’s criticality

Identify and ‘Owner’
‘unpack’ targets P hase 2: Deeper dives: Evaluate risk posed
of evaluation, and by critical targets of evaluation by completing risk
identify their ‘owners’ scorecards at 3-hr risk workshops
Operations Development

Facilitator
The criticality of ‘User’ (eg local
hundreds of targets of co-ordinator)
evaluation can be
evaluated in a few weeks ‘Owner’ Phase 3: Update: Owners’ /
– thousands might take completers update scorecards /
6 months to complete. remediation plans
Once completed, Development
evaluations can be / support Operations
updated in minutes. Business user Facilitator
or Help desk (eg local
You can also use Citicus representative co-ordinator)
MoCA for iPhone, iPad Embed as a
and iPod touch to continuing process
complete criticality into the business
assessments.

‘Owner’

Risk metrics

To get a good handle on risk Citicus ONE measures the status of 5 determinants /
indicators of risk. These are aggregated into a single risk metric.

Control
weaknesses

Special
Criticality circumstances

Level of Business
threat impact
Level of risk acceptable Level of risk posed by this
to top management target of evaluation 75%

Individual risk chart Risk: Low Medium High

Overall risk rating


Phase 1: Assessing criticality in a business-oriented manner
Based on the maximum harm that could be suffered by the enterprise if
An ‘owner’ can complete a
criticality assessment on-line in Extremely confidentiality, integrity or availability of information were lost
20 minutes serious harm
Critical timescale
Very serious
harm

Serious harm

‘Owner’ Minor harm
of an information resource
No significant
harm Loss of Loss of An hour Half a A 2-3 A A
confidentiality integrity or less day day days week month
The results of
Loss of availability
different Criticality Unacceptable Lower level
assessments can be harm of harm
consolidated into a
Criticality league
table, providing a
risk-oriented
inventory of the
organization’s
information
resources


Assessing impact objectively with a Harm reference table

Excerpt of a sample Harm LEVEL OF HARM
reference table
A Extremely B C D E
Appropriate serious Very
NATURE OF HARM measure serious Serious Minor None

Financial loss (lost Financial $10+ million $1 - 10 $100 $10 - 100 $0 - 10
revenue, unforeseen costs, impact: million thousand - 1 thousand thousand
penalties, fraud) million

Degraded performance Targets under- 10%+ 5% to 10% 1% to 5% Less than No
(failure to achieve targets, achieved by: 1% impact
loss of productivity)

Wasted staff- 10,000+ 5,000 to 1,000 to 100 to 1,000 0 to 100
hours: hours 10,000 hours 5,000 hours hours hours

Damaged reputation Extent of Prolonged Brief Prolonged Brief local No impact
(negative publicity, negative widespread widespread local negative
regulatory action, litigation) publicity negative negative negative publicity
publicity publicity publicity

Minor adaptation required to cover types of harm that matter to a specific organisation


Phase 2: Evaluating risk and compliance, in as much detail as you wish

Risk factors can be fully
2-page evaluated at 3-hour
R isk facilitated risk workshops:
scorecard  Criticality Target of
 Status of controls evaluation
 Special circumstances
 Experience of incidents
 Business impact of
incidents

Application
Supporting
support IT Operations
harm
reference Business Individual
Facilitator
table user or risk status report
(eg local
Help desk
co-ordinator)
specialist

Business ‘owner’

Supporting
standard of
practice or
com pliance
checklist

Com pliance status
report


Assessing the strength of controls in detail

The checklist allows a detailed assessment of control status in a way which allows the
compliance with key standards to be measured and reported.


Recording additional details while completing a checklist
Control area on scorecard Data back-up (regular cycle, secure storage)

ISO27001 Standard of
practice for this control
area

Status of this
particular
statement of
required practice
(control item
D1.10.02)


‘Owners’ obtain good-looking management information on risk status

Page 1 enables an ‘owner’ to take in
his or her risk status ‘at a glance’ Page 2 highlights ‘dependency risk’
Twin risk
charts show
improvement
from one
evaluation to
the next

Highlights and
prioritises
opportunities for
further action in
control areas
categorised as
Not OK


Dependency risk maps help ‘owners’ look at risk in context
Citicus ON E allows you to plot dependency risk m aps for any or all targets of
evaluation.
This target of evaluation sits at the centre of
an individual dependency risk map.

W hat relies on this one: the risk status
of targets of evaluation that rely on this
one can be identified by the outward-
pointing arrowhead on the connecting line.

Unknow n risk: the risk status of this target of
W hat this one relies on: the risk status evaluation is unknown because no evaluation
of supporting targets of evaluation can be has been performed.
identified by the inward-pointing
arrowheads on the connecting lines.

Compliance status reports provide more detail on controls

Citicus ON E provides an overview of compliance with a customizable set of
control areas

Our arrangements have We believe that the Our arrangements do not
been tested and comply stated standard does not comply with the stated
with the stated standard apply in our case standard

Our arrangements Current status is not Our arrangements
comply with the stated known partially comply with the
standard stated standard


Compliance trend reports show reduction in risk over time

Individual Consolidated
com pliance trend report com pliance trend report

Drilling down to see the status of an individual risk factor (eg BCP/DR)

Risk factor analysis report The pie chart shows the status of a risk factor
across multiple targets and the table shows
what is driving each region of the chart

Target of evaluation ‘Owner’ Evaluated Status of control item

CDC Global email (RS8) David Tilbury 10 Jan '08 1 - Compliance confirmed

CDC Group accounts consolidated (RS39) Honor Black 14 Apr '08 1 - Compliance confirmed

EMA Dublin call centre (RS34) Sam Jackson 11 Sep '05 1 - Compliance confirmed

EMA E-banking application (RS84) Richard Cliff 30 Jun '08 2 - Compliance achieved

2 - Compliance achieved


Helping all involved manage remediation activity

Evaluators have two
R esults of an evaluation ways of identifying the Action plan
Citicus ONE
remedial actions Citicus ONE

needed to fix
weaknesses identified
by evaluations
Route 1

Citicus ONE

Route 2

Individual Issues can be
weaknesses can linked to the
be recorded as action item (s)
issues, each needed to
with a unique resolve them
reference
Schedule of issues

Linking notes and comments to issues and action items

R ecorded com m ent “Back-ups are stored on an
open shelf “
(IRS 163.CC.2)
Recorded notes and
comments may be edited
I ssue Description SI.1 Back-ups of sensitive data to express them as Issues
are held insecurely or action items
Issues can be linked to
Priority Medium
action items and their
Issue status Open status updated
Date raised 14th Sep 2010 automatically
Origin IRS 163.CC.2
Related action(s) AP.1, AP.2
Action item s

Description AP.1 Acquire fire-proof safe Description AP.2 Transfer back-up media
for storing back-up media to fire-proof safe
Cost $1000 Cost 0.5 man days
Benefit Reduce risk of loss / misuse Benefit Reduce risk of loss / misuse
Priority Medium Priority Medium
Lead role J Smith, IT Procurement Lead role T Atkins, Ops Supervisor
Target completion Nov 14th 2010 Target completion Nov 14th 2010
Actual completion Oct 8th 2010 Actual completion
Current status Completed Current status Not yet started


Consolidated reporting – your personal risk metrics dashboard

W hat is the risk distribution of our assets? W hat is the status of m y risk m anagem ent program m e?

W hat’s the likelihood of
these system s suffering
m ajor incidents?


Consolidated reporting – key risk drivers

Citicus ONE risk dashboard The ‘clickable’ scatter diagram shows the
contribution of individual evaluations and
enables you to see what’s driving risk in
particular regions of the chart

100% SR42.1

75% SS42.3

Criticality
50% SS42.4 IR42.2

25% IR42.7 IR42.5

0% SS42.6

0% 25% 50% 75% 100%
Average of other risk factors


Consolidated league tables show where the key risks lie

Citicus ON E ranks targets of evaluation in descending order of risk
Top 10 entries Control Special Level of Business Colour codes
Targets of evaluation Rank Criticality weaknesses circumstances threat impact indicate
the danger
SecurNet (RS151) 1 100% 76% 86% 50% 25% posed by each
Credit card processing (RS156) 2= 75% 100% 57% 100% 50% component of
risk:
Global email (RS49) 2= 75% 100% 57% 100% 50%
Boston data center (RS191) 4 75% 100% 29% 100% 75% High
London data centre (RS155) 5 75% 94% 71% 100% 50% Med
Global intranet (RS150) 6 75% 94% 86% 75% 50% Low
Supplier data (RS124) 7 75% 94% 71% 100% 25%
HQ LAN (RS67) 8 75% 88% 57% 100% 100%
You can
Pacific data centre (RS131) 9 75% 88% 71% 75% 25% control
Group EIS (RS148) 10 75% 82% 100% 100% 75% colour and
Bottom 10 entries sorting
Relationship mgt (RS156) 136 25% 6% 43% 50% 25%
Group payroll (RS167) 137 25% 0% 29% 50% 0%
ePurchasing site (RS160) 138 25% 0% 0% 50% 25%
Prices database (RS142) 139 0% 100% 29% 75% 25%
UK sales information (RS12) 140 0% 82% 43% 100% 25%
UK standby net (RS136) 141 0% 65% 14% 50% 0%
Boston Order Proc. (RS190) 142 0% 59% 29% 100% 50%
European data centre (RS46) 143 0% 47% 57% 50% 0%
LaForce site LAN (RS101) 144 0% 41% 14% 100% 25%
Erland site LAN (RS42) 145 0% 24% 14% 100% 25%
Note: Names have been changed to preserve confidentiality but ratings are genuine

Compliance trend reports provide a timeline of compliance status

Compliance with a specified standard can be tracked as a trend line. You can
plot the overall status of all controls in the employed checklist or focus on an
individual control area of interest.


Examples of successful practice


Global branded food manufacturer
Global program driven IT assessments use
by strong, personable FIRM+ Criticality
programme manager assessments + Risk
(2 people at centre, 3
~ 1,200 evaluations since 2005 scorecards supported
in regions) based in  1,000 criticality assessments by ISO 27000
Group Compliance & standard of practice
 200 ‘deep dive’ risk assessments
Controls  17 control areas
 150 controls

Business applications IT infrastructure
IT assessments
embedded in system
development and IT
Business Areas Business procurement processes
“By implementing a
business oriented and processes of risk units
systematic risk
assessment process, real Program
benefits can be achieved Sites Projects entered for
as compliance and excellence in
security requirements Information
can be quickly satisfied Suppliers Integrity
without unnecessary and other parties
award, 2009
burden ,and resources
properly allocated Software currently being configured with
throughout the checklists that enable evaluation of:
organization”
 Food defence practices
 Compliance with bribery/child labour COLLABORATIVE DEVELOPMENTS
laws (for Dow Jones Sustainability index) Supplier risk capability
 Suppliers Data exchange
 Particular business processes

Global tobacco company
Global program driven IT assessments initially
by strong, personable used FIRM+
programme manager Criticality
(2 people at centre) ~ 2,500 evaluations since 2004 assessments +
based in IT; 50 trained Program being extended to cover Scorecards supported
local co-ordinators) by home-grown
factory automation standard of practice
 17 control areas
 100 controls
Business applications IT infrastructure
“With a portfolio of more
Standard of practice
than 500 computer turned into a ‘smart
systems supporting checklist’ in 2009
diverse business
Business Areas Business
driven by user-
processes of risk units
functions and controllable attributes
application/data owners
across the world, ad hoc
assessment for policy Sites Projects
compliance and IT
governance needed to Citicus ONE
be replaced with Suppliers employed as ‘system
and other parties
systematic and of systems’
transparent information
risk management
processes. “
Characteristics of
COLLABORATIVE DEVELOPMENTS systems recorded as
Attribute sophistication attributes
Risk management metrics


Other large-scale Citicus ONE implementations

Completed Geographical Program
Customer evaluations scope Bases of evaluation management

Insurance/ >18,000 70+ countries Criticality assessments, 3 at centre, 1+ local
financial Scorecards + 2 home-grown co-ordinator in every
services checklists (~60 control items) business unit

Global 2,300 150 countries Criticality assessments, 2 at centre, 5 regional
brands Scorecard + home-grown ‘smart’ co-ordinators, 15-20
checklist (~100 control items) local co-ordinators

Insurance/ 1,200 North America Criticality assessments, 3-4 at centre. No
financial Scorecard + ISF SoGP. Harm local co-ordinators
services reference table being used
for other areas of risk. Some
tweaks needed.

Central 600 30+ Ministries ISF Health check used for 2-3 at centre, 1-2
Government in major Ministry-level evaluations. local co-ordinators in
Canadian ‘Smart’ checklists based on each Ministry
province ISF SoGP used for
information systems


About Citicus Limited


Who we are
 Citicus Limited was formed in 2000 to provide Simon Oxley
world-class risk management software products Managing director  Headed information security
departments at National
and supporting services Power and Reuters
 Took both companies into ISF
 Wholly-owned by its directors and staff and served on ISF Council
1992-94
 Heads Citicus management
 Based in UK (London, Cheltenham) team and leads our
commercial activities
 Oversees our relations with
 Exclusive, worldwide right to sell FIRM automation standards-makers (eg ISF,
– reflecting Citicus directors’: BSI-ISO, ISACA)

 long-standing involvement with the Marco Kapp Sian Alcock
Director Director
Information Security Forum (ISF)
 lead role in the development of this ground-
breaking risk measurement and management
methodology

 Relations with customers based on a collaborative
way of working
 Established ISF while a  Extensive experience in
 Our relationship with the ISF is continuing (eg director of C&L’s UK consulting analysing ISF survey
access to Survey data, involvement in FIRM and practice results
 Author of ISF’s first standard  Developed new,
IRAM development) and numerous reports on risk quantitative insights into
 Chief architect of ISF's FIRM what drives risk up / down
methodology  Lead author of ISF report
 Chief architect of collaborative on The impact of security
Supplier Risk Assessment management
(SRA) project – which  Oversees design,
culminates on delivery of development and delivery
Citicus ONE Release 3 of Citicus ONE


Our customers and geographic focus
Citicus ONE is currently helping customers to measure and manage the risk posed by
many thousands of systems in over 150 countries
Representative customers

Main activity Where based
Banking US, Saudi Arabia, UAE
Consumer products Netherlands, Switzerland, UK, USA
Energy UK, Germany
Government Canada, Ireland, UK, Netherlands
Insurance France, USA
We support deployments all
IT and professional services Germany, Scandinavia, Switzerland, UK, USA
over the world via training and
services delivered from the UK. Manufacturing France, Netherlands, Scandinavia

We can orchestrate global Telecommunications Kenya
support if needed.


Citicus ONE is based on solid, factual evidence
Citicus ONE Release 3 is the end-product of an unrivalled volume of research - conducted by the
founders of Citicus Limited for and / or in conjunction with leading organizations around the world.
Results of this research over the last 20 years are illustrated below.
Example: The ISF 1998 survey involved over 1,000 people:
 in-depth analysis of 800,000 facts about by 969 surveyed
systems, including the controls applied to them, incidents
they suffered and other key characteristics
 intensive review by practitioners
 provided major insights into what drives information risk
969 survey questionnaires:

61,000 pages
(would make a
pile 8 metres
high)

ISF: Information security Forum
We developed the FIRM risk management methodology for and in conjunction with the
Information Security Form (ISF). It reflects all the above research and is automated by our
Citicus ONE software. Release 3 extends FIRM to cover all areas of operational risk.

FIRM risk management methodology
Developed by founders of Citicus Limited for and in conjunction with the Information
Security Forum (ISF) in 2000
FIRM Implementation Guide FIRM Supporting material Revised FIRM Scorecard
(2000) (2000) (2005)

 The problem  Terminology, concepts and  Rearranged presentation
 Key challenges role definitions  Updated content to align
 The methodology  Operational tools with other ISF tools (eg
 6-step implementation  Examples of successful SoGP, Healthcheck, IRAM)
process practice
 Advice on making selective
improvements

Intro to citicus_one_r3

Recomendados

Recomendados

Mais conteúdo relacionado

Mais procurados

Mais procurados (16)

Semelhante a Intro to citicus_one_r3

Semelhante a Intro to citicus_one_r3 (20)

Último

Último (20)

Intro to citicus_one_r3