Citicus material copyright © Citicus Limited, 2015. All rights reserved.

Citicus Limited

Introducing Citicus ONE
Managing information risk ... and beyond

Citicus Limited
71-75 Shelton Street
Covent Garden
London WC2H 9JQ
United Kingdom

E-mail [email protected]
Web www.citicus.com
Tel +44 (0)20 3126 4999


What our award-winning Citicus ONE software can do for you

Citicus ONE equips you to:

• Measure the criticality and security, risk and compliance of sites, business systems, IT infrastructure, business processes, suppliers, industrial control systems and other assets objectively and in business terms
• Report to management on risk in succinct, business-oriented terms, with aggregation across different areas of risk
• Record and track remediation activity, including oversight of all issues until they are resolved and the costs and benefits of remedial action
• Assess and record incidents, including their business impact and root causes
• Measure security, risk and compliance against relevant standards of practice, including internal policies, external codes of practice (eg ISO27001, COBIT, PCI, ITIL, ISF) and any legislation or regulations that apply (eg privacy regulations, Sarbanes-Oxley, Basel II, health and safety rules)
• Orchestrate an enterprise-wide - or smaller scale - security, risk and compliance management programme, using the system’s role-based access model and outstanding workflow capabilities
• Exchange data with other systems – including external directories, asset registers and Citicus MOCA, our mobile app for iPad / iPhone
• Customize your system to suit the needs of your organization (eg ‘branding’, target types, bases of evaluation, user-defined attributes)


Citicus ONE enables you to measure and manage information risk - and other key areas of risk - enterprise-wide

[Diagram: roles around Citicus ONE - Top management; Programme manager and core team; Local co-ordinators; Owners of each target of evaluation (site, business application, supplier, industrial control system, IT infrastructure).]

You decide what you want to evaluate. ‘Targets of evaluation’ (ToEs) can include:

• Business applications
• IT infrastructure
• Suppliers and other external parties
• Industrial control systems
• Personally identifiable information
• Physical security of sites
• Payment card systems


Types of ‘Target of evaluation’ supported out-of-the-box

Several target types are supported ‘out of the box’. Additional ones can be set up at any time using Citicus ONE and Citicus Workbench.

Information resource - categories: Business application, Computer installation, Communication network, Development activity, Set of information, End-user computing

Supplier relationship - categories: Alliance, Collaborative, Transactional, Other

Site - categories: Main office, Branch office, Manufacturing facility, R&D facility, IT facility, Other

Supplied service - categories: Application development, Help desk, Hosting, Telecoms, Business processing, Other

Industrial control system - categories: SCADA, DCS, Other

Any other area of risk - eg Project, Business process, Business unit ...


Citicus ONE supports a proportionate risk management process

Phase 1: Discovery: Identify and ‘unpack’ targets of evaluation, and identify their ‘owners’

Phase 2: Criticality assessments: Assess each target of evaluation’s criticality (completed by the ‘Owner’)

Phase 3: Deeper dives: Evaluate risk posed by critical targets of evaluation by completing risk scorecards at 3-hr risk workshops (participants: ‘Owner’, Business user or Help desk representative, Development / support, Operations, Facilitator (eg local co-ordinator))

Phase 4: Update: Owners / Completers update scorecards and remediation plans (participants: ‘Owner’, User, Development, Operations, Facilitator (eg local co-ordinator))

Embed as a continuing process into the business.

The criticality of hundreds of targets of evaluation can be evaluated in a few weeks. Once completed, evaluations can be updated in minutes. You can also use Citicus MOCA for iPhone and iPad to complete criticality assessments.


Citicus ONE risk model and metrics

To get a good handle on risk, Citicus ONE measures the status of 5 determinants / indicators of risk for each target of evaluation:

• Criticality
• Level of threat
• Business impact
• Control weaknesses
• Special circumstances

[Individual risk chart: each factor is rated Low / Medium / High; the level of risk posed by this target of evaluation (75% in the example chart) is shown against the level of risk acceptable to top management, giving an overall risk rating.]

These can be aggregated into a single risk metric.


Example ‘Basis of evaluation’ for information risk scorecard (ISO27001:2013)

Criticality
• Confidentiality
• Integrity
• Availability: <1 hour, half a day, a day, 2-3 days, a week, a month+

Control arrangements
• Information security policies (eg management direction for information security)
• Organization of information security …
• Human resources security
• Asset management
• Access control
• Cryptography
• Physical and environmental security
• Operations security
• Communications security
• Systems acquisition, development and maintenance
• Supplier relationships
• Information security incident management
• Business continuity management
• Compliance

Special circumstances
• Large in scale …
• Complex
• Accessible by external parties
• Based on technology that uses the Internet
• Widely extended geographically

Level of threat
• External attacks …
• Internal misuse or abuse
• Theft
• Malfunctions
• Service interruption
• Human error
• Unforeseen effects of change

These 3 sections can be supported by a detailed checklist.

Business impact
• Financial impact: loss of revenue, increased costs, depressed share price
• Degraded performance …
• Loss of management control
• Damaged reputation
• Impaired growth
• Any other impact


Assessing criticality in a business-oriented manner

The results of different Criticality assessments can be consolidated into a Criticality league table, providing a risk-oriented inventory of the organization’s information resources.

An ‘owner’ of an information resource can complete a criticality assessment on-line in 20 minutes.

Based on the maximum harm that could be suffered by the enterprise if confidentiality, integrity or availability of information were lost.

[Criticality chart: rows for Loss of confidentiality, Loss of integrity and Loss of availability (the latter broken down by critical timescale: an hour or less, half a day, a day, 2-3 days, a week, a month); each rated as Extremely serious harm, Very serious harm, Serious harm, Minor harm or No significant harm, with the upper levels marked as unacceptable harm and the rest as a lower level of harm.]


Assessing impact objectively with a Harm reference table

Excerpt of a sample Harm reference table

Levels of harm: A Extremely serious | B Very serious | C Serious | D Minor | E None

Nature of harm: Financial loss (lost revenue, unforeseen costs, penalties, fraud)
  Appropriate measure - Financial impact: A £10+ million | B £1 - 10 million | C £100 thousand - 1 million | D £10 - 100 thousand | E £0 - 10 thousand

Nature of harm: Degraded performance (failure to achieve targets, loss of productivity)
  Targets under-achieved by: A 10%+ | B 5% to 10% | C 1% to 5% | D Less than 1% | E No impact
  Wasted staff-hours: A 10,000+ hours | B 5,000 to 10,000 hours | C 1,000 to 5,000 hours | D 100 to 1,000 hours | E 0 to 100 hours

Nature of harm: Damaged reputation (negative publicity, regulatory action, litigation)
  Extent of negative publicity: A Prolonged widespread negative publicity | B Brief widespread negative publicity | C Prolonged local negative publicity | D Brief local negative publicity | E No impact

Minor adaptation required to cover types of harm that matter to a specific organisation.
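As an added worked example (not Citicus code), the harm reference table above and the deck’s ‘maximum harm’ criticality rule in Python: the bands are the table’s values, while the ‘unacceptable’ cut-off (level C or worse), the check that availability harm cannot fall as an outage lengthens, and the sample inputs are assumptions.

```python
"""Harm reference table lookup and criticality rating (added example,
not Citicus code). Thresholds are those of the table excerpt above and
the 'take the maximum harm' rule follows the deck; the 'unacceptable'
cut-off, the monotonic check and the sample inputs are assumptions."""

LEVELS = "ABCDE"  # A = most severe ... E = no impact, as in the table
LABELS = {"A": "Extremely serious", "B": "Very serious", "C": "Serious",
          "D": "Minor", "E": "None"}
# Availability timescales in the order the criticality chart lists them
TIMESCALES = ["An hour or less", "Half a day", "A day", "2-3 days",
              "A week", "A month"]

def _band(value, bounds, floor="E"):
    """Level of the first descending lower bound that `value` meets."""
    if value < 0:
        raise ValueError("harm measures are non-negative")
    for lower, level in bounds:
        if value >= lower:
            return level
    return floor

def financial_level(gbp):
    """Financial loss: £10m+ A, £1-10m B, £100k-1m C, £10-100k D, else E."""
    return _band(gbp, [(10_000_000, "A"), (1_000_000, "B"),
                       (100_000, "C"), (10_000, "D")])

def shortfall_level(pct):
    """Targets under-achieved by: 10%+ A, 5-10 B, 1-5 C, under 1% D, 0 E."""
    return "E" if pct == 0 else _band(pct, [(10, "A"), (5, "B"), (1, "C")], "D")

def staff_hours_level(hours):
    """Wasted staff-hours: 10k+ A, 5-10k B, 1-5k C, 100-1k D, 0-100 E."""
    return _band(hours, [(10_000, "A"), (5_000, "B"), (1_000, "C"), (100, "D")])

PUBLICITY = {"prolonged widespread": "A", "brief widespread": "B",
             "prolonged local": "C", "brief local": "D", "none": "E"}

def worst(levels):
    """Most severe of several levels (A outranks B, and so on)."""
    return min(levels, key=LEVELS.index)

def harm_level(gbp=0, shortfall_pct=0, staff_hours=0, publicity="none"):
    """Harm level of one loss scenario: the worst of its measured impacts."""
    return worst([financial_level(gbp), shortfall_level(shortfall_pct),
                  staff_hours_level(staff_hours), PUBLICITY[publicity.lower()]])

def criticality(confidentiality, integrity, availability, unacceptable="C"):
    """Criticality = maximum harm across C, I and A (deck's rule).
    `availability` maps each timescale to the harm of an outage that long;
    the first timescale at or beyond the assumed `unacceptable` level is
    reported as the chart's critical timescale (None if never reached)."""
    avail = [availability[t] for t in TIMESCALES]
    # Assumed sanity check: harm cannot fall as the outage gets longer
    if any(LEVELS.index(a) < LEVELS.index(b) for a, b in zip(avail, avail[1:])):
        raise ValueError("availability harm must not decrease with outage length")
    overall = worst([confidentiality, integrity] + avail)
    critical = next((t for t, lv in zip(TIMESCALES, avail)
                     if LEVELS.index(lv) <= LEVELS.index(unacceptable)), None)
    return {"level": overall, "label": LABELS[overall], "critical_timescale": critical}
```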


Evaluating risk and compliance, in as much detail as you wish

Risk factors can be fully evaluated at 3-hour facilitated risk workshops:
• Criticality
• Status of controls
• Special circumstances
• Experience of incidents
• Business impact of incidents

Workshop participants: Business ‘owner’; Business user or Help desk specialist; Application support; IT Operations; Facilitator (eg local co-ordinator)

Workshop materials for each target of evaluation: 2-page Risk scorecard; supporting checklists for identifying controls weaknesses, special circumstances that heighten risk and experience of incidents; supporting harm reference table

Results produced by Citicus ONE: Risk status reports; Compliance status reports; Remediation plan


Assessing the strength of controls in detail

The checklist allows a detailed assessment of control status, in a way that lets compliance with key standards be measured and reported.


Recording additional details while completing a checklist

[Annotated checklist screen:]
• Control area on scorecard: Data back-up (regular cycle, secure storage)
• Standard of practice for this control area: ISO27001
• Status of this particular statement of required practice (control item D1.10.02)


Managing remediation activity

Evaluators have two ways of identifying the remedial actions needed to fix weaknesses identified by evaluations:

Route 1: Results of an evaluation → Action plan

Route 2: Individual weaknesses can be recorded as issues, each with a unique reference, in a schedule of issues; issues can be linked to the action item(s) needed to resolve them.


Linking identified issues and action items to control improvements

Action items:

AP.1 Conduct audit of network connections
  Cost: 5 man days
  Benefit: Reduce risk of loss / misuse
  Priority: Medium
  Lead role: J Smith, Network Operations
  Target completion: Nov 14th 2014
  Actual completion: Oct 8th 2014
  Current status: Completed

AP.2 Record details of all undocumented connections
  Cost: 5 man days
  Benefit: Reduce risk of loss / misuse
  Priority: Medium
  Lead role: T Atkins, ICS Engineering
  Target completion: March 14th 2015
  Actual completion: -
  Current status: Not yet started

Issue (Issue description | Priority | Issue status | Issue owner | Date raised | Related action(s)):
SI.1 Not all network connections are documented | Medium | Open | Ray Beale | 14th Sep 2014 | AP.1, AP.2

Control requirement:
SA.9.4 Ensure all network connections to the system are documented
  Current rating: 4 – Our arrangements do not comply with the standard
  Target rating (on completion): 2 – Our arrangements comply with the standard


Reporting on security / risk / compliance to management

Citicus ONE provides a wealth of pre-defined reports for you to select from when reporting risk. Most of those shown here are for decision-makers. Other more-detailed ones are for analysts/remediators. You can also export your risk data for analysis outside the system.

Reports shown:
• Risk status
• Compliance status
• Compliance trend
• Criticality status
• Risk heat map
• Risk dashboard
• Dependency risk map
• Criticality, Risk and Compliance league tables
• Compliance schedule and Compliance checklist


Risk status reports and heat maps

Summarizing the status of the measured risk factors


Dependency risk maps help ‘owners’ look at risk in context

Map legend:
• This target of evaluation sits at the centre of an individual dependency risk map.
• What this one relies on: the risk status of supporting targets of evaluation can be identified by the inward-pointing arrowheads on the connecting lines.
• What relies on this one: the risk status of targets of evaluation that rely on this one can be identified by the outward-pointing arrowhead on the connecting line.
• Unknown risk: the risk status of this target of evaluation is unknown because no evaluation has been performed.

Citicus ONE allows you to plot dependency risk maps for any or all targets of evaluation.


Compliance status reports provide more detail on controls

Citicus ONE provides an overview of compliance with a customizable set of control areas. Each control area is shown with one of the following statuses:
• Our arrangements have been tested and comply with the stated standard
• Our arrangements comply with the stated standard
• Our arrangements partially comply with the stated standard
• Our arrangements do not comply with the stated standard
• We believe that the stated standard does not apply in our case
• Current status is not known


Compliance trend reports provide a timeline of compliance status

Compliance with a specified standard can be tracked as a trend line. You can plot the overall status of all controls in the employed checklist or focus on an individual control area of interest.

[Compliance trend chart: date axis running from 19 Jan ‘12 to 10 Jan ‘15, with markers at 13 Oct ‘13 and 25 May ‘14.]


Consolidated reporting – your personal risk metrics dashboard

The dashboard answers questions such as:
• What is the status of my risk management programme?
• What is the risk distribution of our assets?
• What’s the likelihood of these systems suffering major incidents?


Consolidated reporting – key risk drivers

The ‘clickable’ scatter diagram shows the contribution of individual evaluations and enables you to see what’s driving risk in particular regions of the chart.

[Citicus ONE risk dashboard scatter diagram: Criticality (0% to 100%) on the vertical axis against Average of other risk factors (0% to 100%) on the horizontal axis, each point labelled with its evaluation reference.]



Consolidated league tables show where the key risks lie

Citicus ONE ranks targets of evaluation in descending order of risk. Colour codes (Low / Med / High) indicate the danger posed by each component of risk: Criticality, Level of threat, Business impact, Control weaknesses, Special circumstances. You can control colour and sorting.

Top 10 entries (rank - target of evaluation):
1 SecurNet (RS151)
2= Global email (RS49)
2= Credit card processing (RS156)
4 Boston data center (RS191)
5 London data centre (RS155)
6 Global intranet (RS150)
7 Supplier data (RS124)
8 HQ LAN (RS67)
9 Pacific data centre (RS131)
10 Group EIS (RS148)

Bottom 10 entries:
136 Relationship mgt (RS156)
137 Group payroll (RS167)
138 ePurchasing site (RS160)
139 Prices database (RS142)
140 UK sales information (RS12)
141 UK standby net (RS136)
142 Boston Order Proc. (RS190)
143 European data centre (RS46)
144 LaForce site LAN (RS101)
145 Erland site LAN (RS42)

[Per-component percentage ratings appear in the table image.]

Note: Names have been changed to preserve confidentiality but ratings are genuine


Drilling down to see the status of an individual risk factor (eg BCP/DR)

The pie chart shows the status of a risk factor across multiple targets and the table shows what is driving each region of the chart.

Risk factor analysis report (excerpt) - Target of evaluation | ‘Owner’ | Evaluated:
• CDC Global email (RS8) | David Tilbury | 10 Jan '08
• CDC Group accounts consolidated (RS39) | Honor Black | 14 Apr '08
• EMA Dublin call centre (RS34) | Sam Jackson | 11 Sep '05
• EMA E-banking application (RS84) | Richard Cliff | 30 Jun '08

Status of control item values shown in the report: 1 - Compliance confirmed; 2 - Compliance achieved


About Citicus Limited


Our customers and geographic focus

Citicus ONE is currently helping customers to measure and manage the risk posed by many thousands of systems in over 150 countries.

We support deployments all over the world via training and services delivered from the UK.

Representative customers (Main activity - Where based)

• Banking - USA, UK, Saudi Arabia, South Africa
• Consumer products - Netherlands, Switzerland, UK, USA, Japan
• Energy/Transport - Australia, Belgium, Saudi Arabia, UK, US
• Government - Canada, Ireland, UK, Netherlands
• Healthcare - Canada, New Zealand, Netherlands
• Insurance - France, USA
• IT and professional services - Germany, Scandinavia, Switzerland, UK, US
• Manufacturing - France, Netherlands, Scandinavia
• Retail - UK, Canada
• Telecommunications - Kenya, Caribbean, Asia Pacific


Awards

Citicus ONE offers a best-of-breed, award-winning solution for measuring and managing information risk, supplier risk and other key areas of operational risk across an enterprise.

A selection of the awards we have been honoured to receive for our flagship software (including independent ratings and awards won by customers' implementations) is highlighted opposite. More details can be found on our web site under Awards.

Details can also be found of the Citicus outstanding achievement awards we give to individuals who stand out in the risk and compliance arena.

• Solution provider for Barclays Global Retail & Commercial Banking's process for managing information risk, shortlisted for Best information security project of the year Award
• Kraft Foods wins US EIIA Silver award, 2009 for its Citicus ONE implementation
• Citicus ONE shortlisted for Risk Management Product of the year, 2009
• IDG Network Awards 2004: Network Application Product of the Year
• Butler Group Technology audit
• Citicus ONE nominated for Best security management and Innovation Awards
• SC Magazine five-star value for money 2010
• SC Magazine 'outstanding' rating in SC Magazine Risk and Policy Management review, 2014
• Internet and IT Products and Services Award 2011


Award-winning initiatives

Large scale information risk implementations of Citicus ONE (Organization | Geographical scope | Completed evaluations | Bases of evaluation / key features | Program management):

• Insurance/financial services | 70+ countries | >20,000 | Criticality assessments, Scorecards (19 control areas), Control checklists (~60 control items) | 3 at centre, local co-ordinator(s) in every business unit (~200)
• Insurance/financial services | North America | 1,200 | Criticality assessments, Scorecard (17 control areas) + ISF SoGP | 3 at centre. No local co-ordinators
• Branded foods | Global implementation | 4,600 | Criticality assessments, Scorecard (17 control areas), Control checklist (~100 control items) | 2 at centre, 50 trained local co-ordinators
• Global consumables | Global implementation | 5,500 | Criticality assessments, Scorecard + home-grown ‘smart’ checklist (~100 control items) | 2 at centre, 5 regional co-ordinators, 15-20 local co-ordinators
• Consumer goods | 150+ countries | 2,200 | Criticality assessments, Scorecard (17 control areas), Control checklist (~150 control items) | 2 at centre, 3 regional co-ordinators
• Global bank | Europe, Middle East, Africa and Asia | 900 | Criticality assessments, Compliance assessments (~50 control items) | 2-3 at centre, 1 local co-ordinator in each business unit