Citicus material copyright © Citicus Limited, 2015. All rights reserved.
Citicus Limited
Introducing Citicus ONE
Managing information risk ... and beyond
Citicus Limited, 71-75 Shelton Street, Covent Garden, London WC2H 9JQ, United Kingdom
E-mail [email protected]   www.citicus.com   Tel +44 (0)20 3126 4999
Copyright © Citicus Limited, 2015. All rights reserved.
What our award-winning Citicus ONE software can do for you
Citicus ONE equips you to:
• Measure the criticality and security, risk and compliance of sites, business systems, IT infrastructure, business processes, suppliers, industrial control systems and other assets objectively and in business terms
• Report to management on risk in succinct, business-oriented terms, with aggregation across different areas of risk
• Record and track remediation activity, including oversight of all issues until they are resolved and the costs and benefits of remedial action
• Assess and record incidents, including their business impact and root causes
• Measure security, risk and compliance against relevant standards of practice including internal policies, external codes of practice (eg ISO27001, COBIT, PCI, ITIL, ISF) and any legislation or regulations that apply (eg privacy regulations, Sarbanes-Oxley, Basel II, health and safety rules)
• Orchestrate an enterprise-wide - or smaller scale - security, risk and compliance management programme, using the system’s role-based access model and outstanding workflow capabilities
• Exchange data with other systems – including with external directories, asset registers and Citicus MOCA – our mobile app for iPad / iPhone
• Customize your system to suit the needs of your organization (eg ‘branding’, target types, bases of evaluation, user-defined attributes)
Citicus ONE enables you to measure and manage information risk - and other key areas of risk - enterprise-wide
(Diagram: Citicus ONE at the centre, linking Top management, the Programme manager and core team, Local co-ordinators and the Owners of each target of evaluation.)
You decide what you want to evaluate. ‘Targets of evaluation’ (ToEs) shown include:
• Sites (physical security of sites)
• Business applications
• IT infrastructure
• Suppliers and other external parties
• Industrial control systems
• Personally identifiable information
• Payment card systems
Types of ‘Target of evaluation’ supported out-of-the-box
Several target types are supported ‘out of the box’. Additional ones can be set up at any time using Citicus ONE and Citicus Workbench.
Target type and its categories:
• Information resource: Business application, Computer installation, Communication network, Development activity, Set of information, End-user computing
• Supplier relationship: Alliance, Collaborative, Transactional, Other
• Site: Main office, Branch office, Manufacturing facility, R&D facility, IT facility, Other
• Supplied service: Application development, Help desk, Hosting, Telecoms, Business processing, Other
• Industrial control system: SCADA, DCS, Other
• Any other area of risk: Project, Business process, Business unit ...
Citicus ONE supports a proportionate risk management process
• Phase 1: Discovery. Identify and ‘unpack’ targets of evaluation, and identify their ‘owners’.
• Phase 2: Criticality assessments. Assess each target of evaluation’s criticality (completed by the ‘owner’).
• Phase 3: Deeper dives. Evaluate the risk posed by critical targets of evaluation by completing risk scorecards at 3-hour risk workshops. Participants: the ‘owner’, a business user or help desk representative, development / support, operations, and a facilitator (eg local co-ordinator).
• Phase 4: Update. Owners / completers update scorecards and remediation plans, again with the ‘owner’, a user, development, operations and a facilitator (eg local co-ordinator).
• Embed as a continuing process into the business.
The criticality of hundreds of targets of evaluation can be evaluated in a few weeks. Once completed, evaluations can be updated in minutes. You can also use Citicus MOCA for iPhone and iPad to complete criticality assessments.
Citicus ONE risk model and metrics
To get a good handle on risk, Citicus ONE measures the status of 5 determinants / indicators of risk for each target of evaluation:
• Criticality
• Business impact
• Control weaknesses
• Special circumstances
• Level of threat
(Individual risk chart: each determinant is shown on a Low / Medium / High scale, giving the level of risk posed by this target of evaluation against the level of risk acceptable to top management; the example reads Risk: 75%.)
These can be aggregated into a single risk metric, the overall risk rating.
Example ‘Basis of evaluation’ for information risk scorecard (ISO27001:2013)
Criticality
• Confidentiality
• Integrity
• Availability: <1 hour, Half a day, A day, 2-3 days, A week, A month+
Control arrangements
• Information security policies (management direction for information security)
• Organization of information security ...
• Human resources security
• Asset management
• Access control
• Cryptography
• Physical and environmental security
• Operations security
• Communications security
• Systems acquisition, development and maintenance
• Supplier relationships
• Information security incident management
• Business continuity management
• Compliance
Special circumstances
• Large in scale ...
• Complex
• Accessible by external parties
• Based on technology that uses the Internet
• Widely extended geographically
Level of threat
• External attacks ...
• Internal misuse or abuse
• Theft
• Malfunctions
• Service interruption
• Human error
• Unforeseen effects of change
These 3 sections can be supported by a detailed checklist.
Business impact
• Financial impact: loss of revenue, increased costs, depressed share price
• Degraded performance ...
• Loss of management control
• Damaged reputation
• Impaired growth
• Any other impact
Assessing criticality in a business-oriented manner
The results of different Criticality assessments can be consolidated into a Criticality league table, providing a risk-oriented inventory of the organization’s information resources.
An ‘owner’ of an information resource can complete a criticality assessment on-line in 20 minutes.
Criticality is based on the maximum harm that could be suffered by the enterprise if confidentiality, integrity or availability of information were lost.
(Criticality chart: loss of confidentiality, loss of integrity and loss of availability are each rated on a scale of Extremely serious harm, Very serious harm, Serious harm, Minor harm and No significant harm. For loss of availability the rating is made against a critical timescale of an hour or less, half a day, a day, 2-3 days, a week and a month. The chart marks the boundary between unacceptable harm and a lower level of harm.)
Assessing impact objectively with a Harm reference table
Excerpt of a sample Harm reference table (nature of harm, with an appropriate measure for each, rated against the level of harm):
Level of harm: A Extremely serious | B Very serious | C Serious | D Minor | E None
Financial loss (lost revenue, unforeseen costs, penalties, fraud)
• Financial impact: £10+ million | £1 - 10 million | £100 thousand - 1 million | £10 - 100 thousand | £0 - 10 thousand
Degraded performance (failure to achieve targets, loss of productivity)
• Targets under-achieved by: 10%+ | 5% to 10% | 1% to 5% | Less than 1% | No impact
• Wasted staff-hours: 10,000+ hours | 5,000 to 10,000 hours | 1,000 to 5,000 hours | 100 to 1,000 hours | 0 to 100 hours
Damaged reputation (negative publicity, regulatory action, litigation)
• Extent of negative publicity: Prolonged widespread negative publicity | Brief widespread negative publicity | Prolonged local negative publicity | Brief local negative publicity | No impact
Minor adaptation is required to cover types of harm that matter to a specific organisation.
Evaluating risk and compliance, in as much detail as you wish
Risk factors can be fully evaluated at 3-hour facilitated risk workshops: Criticality, Status of controls, Special circumstances, Experience of incidents, Business impact of incidents.
Workshop participants: business ‘owner’; business user or help desk specialist; application support; IT operations; facilitator (eg local co-ordinator).
Inputs for each target of evaluation: a 2-page Risk scorecard; supporting checklists for identifying control weaknesses, special circumstances that heighten risk and experience of incidents; a supporting harm reference table. From these Citicus ONE produces Risk status reports, Compliance status reports and a Remediation plan.
Assessing the strength of controls in detail
The checklist allows a detailed assessment of control status in a way that lets compliance with key standards be measured and reported.
Recording additional details while completing a checklist
(Annotated checklist example:)
• Control area on scorecard: Data back-up (regular cycle, secure storage)
• Standard of practice for this control area: ISO27001
• Status of this particular statement of required practice (control item D1.10.02)
Managing remediation activity
Evaluators have two ways of identifying the remedial actions needed to fix weaknesses identified by evaluations. Both routes shown start from the results of an evaluation: one leads to an Action plan; the other records individual weaknesses as issues in a Schedule of issues, each with a unique reference, and links each issue to the action item(s) needed to resolve it.
Linking identified issues and action items to control improvements
Control requirement
• SA.9.4 Ensure all network connections to the system are documented. Current rating: 4 – Our arrangements do not comply with the standard. Target rating on completion: 2 – Our arrangements comply with the standard.
Issue (Issue description; Priority; Issue status; Issue owner; Date raised; Related action(s))
• SI.1 Not all network connections are documented; Medium; Open; Ray Beale; 14th Sep 2014; AP.1, AP.2
Action items (Description; Cost; Benefit; Priority; Lead role; Target completion; Actual completion; Current status)
• AP.1 Conduct audit of network connections; 5 man days; Reduce risk of loss / misuse; Medium; J Smith, Network Operations; Nov 14th 2014; Oct 8th 2014; Completed
• AP.2 Record details of all undocumented connections; 5 man days; Reduce risk of loss / misuse; Medium; T Atkins, ICS Engineering; March 14th 2015; (blank); Not yet started
Reporting on security / risk / compliance to management
Citicus ONE provides a wealth of pre-defined reports for you to select from when reporting risk. Most of those shown here are for decision-makers. Other, more detailed ones are for analysts / remediators. You can also export your risk data for analysis outside the system.
Reports shown:
• Risk status
• Compliance status
• Compliance trend
• Criticality status
• Risk heat map
• Risk dashboard
• Dependency risk map
• Criticality, Risk and Compliance league tables
• Compliance schedule and Compliance checklist
Risk status reports and heat maps
Summarizing the status of the measured risk factors
Dependency risk maps help ‘owners’ look at risk in context
Citicus ONE allows you to plot dependency risk maps for any or all targets of evaluation. Legend for an individual dependency risk map:
• This target of evaluation sits at the centre of the map.
• What this one relies on: the risk status of supporting targets of evaluation can be identified by the inward-pointing arrowheads on the connecting lines.
• What relies on this one: the risk status of targets of evaluation that rely on this one can be identified by the outward-pointing arrowhead on the connecting line.
• Unknown risk: the risk status of this target of evaluation is unknown because no evaluation has been performed.
Compliance status reports provide more detail on controls
Citicus ONE provides an overview of compliance with a customizable set of control areas. Status values:
• Our arrangements have been tested and comply with the stated standard
• Our arrangements comply with the stated standard
• We believe that the stated standard does not apply in our case
• Current status is not known
• Our arrangements do not comply with the stated standard
• Our arrangements partially comply with the stated standard
Compliance trend reports provide a timeline of compliance status
Compliance with a specified standard can be tracked as a trend line. You can plot the overall status of all controls in the employed checklist or focus on an individual control area of interest.
(Trend chart: compliance status plotted at 19 Jan ‘12, 13 Oct ‘13, 25 May ‘14 and 10 Jan ‘15.)
Consolidated reporting – your personal risk metrics dashboard
The dashboard answers questions such as:
• What is the status of my risk management programme?
• What is the risk distribution of our assets?
• What’s the likelihood of these systems suffering major incidents?
Consolidated reporting – key risk drivers
The ‘clickable’ scatter diagram shows the contribution of individual evaluations and enables you to see what’s driving risk in particular regions of the chart.
(Citicus ONE risk dashboard scatter diagram: Criticality (0% to 100%) on the vertical axis against Average of other risk factors (0% to 100%) on the horizontal axis, with evaluations plotted as labelled points, eg SR42.1, SS42.4, IR42.2, IR42.7, IR42.5, SS42.6, SS42.3.)
Consolidated league tables show where the key risks lie
Citicus ONE ranks targets of evaluation in descending order of risk. Colour codes (Low / Med / High) indicate the danger posed by each component of risk: Criticality, Level of threat, Business impact, Control weaknesses and Special circumstances. You can control colour and sorting.
Top 10 entries (target of evaluation, rank):
• SecurNet (RS151) 1
• Global email (RS49) 2=
• Credit card processing (RS156) 2=
• Boston data center (RS191) 4
• London data centre (RS155) 5
• Global intranet (RS150) 6
• Supplier data (RS124) 7
• HQ LAN (RS67) 8
• Pacific data centre (RS131) 9
• Group EIS (RS148) 10
Bottom 10 entries (target of evaluation, rank):
• Relationship mgt (RS156) 136
• Group payroll (RS167) 137
• ePurchasing site (RS160) 138
• Prices database (RS142) 139
• UK sales information (RS12) 140
• UK standby net (RS136) 141
• Boston Order Proc. (RS190) 142
• European data centre (RS46) 143
• LaForce site LAN (RS101) 144
• Erland site LAN (RS42) 145
Note: Names have been changed to preserve confidentiality but ratings are genuine.
Drilling down to see the status of an individual risk factor (eg BCP/DR)
The pie chart shows the status of a risk factor across multiple targets and the table shows what is driving each region of the chart.
Risk factor analysis report (Target of evaluation; ‘Owner’; Evaluated):
• CDC Global email (RS8); David Tilbury; 10 Jan '08
• CDC Group accounts consolidated (RS39); Honor Black; 14 Apr '08
• EMA Dublin call centre (RS34); Sam Jackson; 11 Sep '05
• EMA E-banking application (RS84); Richard Cliff; 30 Jun '08
Status of control item values shown: 1 - Compliance confirmed; 2 - Compliance achieved.
Our customers and geographic focus
Citicus ONE is currently helping customers to measure and manage the risk posed by many thousands of systems in over 150 countries.
We support deployments all over the world via training and services delivered from the UK.
Representative customers (main activity: where based):
• Banking: USA, UK, Saudi Arabia, South Africa
• Consumer products: Netherlands, Switzerland, UK, USA, Japan
• Energy/Transport: Australia, Belgium, Saudi Arabia, UK, US
• Government: Canada, Ireland, UK, Netherlands
• Healthcare: Canada, New Zealand, Netherlands
• Insurance: France, USA
• IT and professional services: Germany, Scandinavia, Switzerland, UK, US
• Manufacturing: France, Netherlands, Scandinavia
• Retail: UK, Canada
• Telecommunications: Kenya, Caribbean, Asia Pacific
Awards
Citicus ONE offers a best-of-breed, award-winning solution for measuring and managing information risk, supplier risk and other key areas of operational risk across an enterprise.
A selection of awards that we have been honoured to receive for our flagship software (including independent ratings and awards won by customers' implementations) are highlighted opposite. More details can be found on our web site under Awards.
Details can also be found of the Citicus outstanding achievement awards we give to individuals who stand out in the risk and compliance arena.
Awards shown:
• Solution provider for Barclays Global Retail & Commercial Banking's process for managing information risk, shortlisted for Best information security project of the year Award
• Kraft Foods wins US EIIA Silver award, 2009 for its Citicus ONE implementation
• Citicus ONE shortlisted for Risk Management Product of the year, 2009
• IDG Network Awards 2004: Network Application Product of the Year
• Butler Group Technology audit
• Citicus ONE nominated for Best security management and Innovation Awards
• SC Magazine five-star value for money 2010
• SC Magazine 'outstanding' rating in SC Magazine Risk and Policy Management review, 2014
• Internet and IT Products and Services Award 2011
Award-winning initiatives
Large scale information risk implementations of Citicus ONE (Organization; Geographical scope; Completed evaluations; Bases of evaluation / key features; Program management):
• Insurance / financial services; 70+ countries; >20,000; Criticality assessments, Scorecards (19 control areas), Control checklists (~60 control items); 3 at centre, local co-ordinator(s) in every business unit (~200)
• Insurance / financial services; North America; 1,200; Criticality assessments, Scorecard (17 control areas) + ISF SoGP; 3 at centre, no local co-ordinators
• Branded foods; Global implementation; 4,600; Criticality assessments, Scorecard (17 control areas), Control checklist (~100 control items); 2 at centre, 50 trained local co-ordinators
• Global consumables; Global implementation; 5,500; Criticality assessments, Scorecard + home-grown ‘smart’ checklist (~100 control items); 2 at centre, 5 regional co-ordinators, 15-20 local co-ordinators
• Consumer goods; 150+ countries; 2,200; Criticality assessments, Scorecard (17 control areas), Control checklist (~150 control items); 2 at centre, 3 regional co-ordinators
• Global bank; Europe, Middle East, Africa and Asia; 900; Criticality assessments, Compliance assessments (~50 control items); 2-3 at centre, 1 local co-ordinator in each business unit