Intro to citicus_one_r3

Risk management approach for IT risk, vendor risk

Published in: Business, Technology

  1. Introducing Citicus ONE Release 3.3: Managing information risk ... and beyond
     Citicus material copyright © Citicus Limited, 2011. All rights reserved.
  2. What our award-winning Citicus ONE software can do for you
     Citicus ONE Release 3.3 equips you to:
     • Establish a highly efficient, continuous process for measuring and managing risk and compliance across your organization
     • Measure the criticality and risk of business systems, IT infrastructure, business processes, sites, suppliers and other assets objectively and in business terms
     • Measure compliance with relevant standards of practice, including internal policies, external codes of practice (eg SoGP, ISO 2700x, COBIT, PCI, ITIL) and any legislation or regulations that apply (eg privacy regulations, Sarbanes-Oxley, Basel II, health and safety rules)
     • Assess and record incidents, including their business impact and root causes
     • Record and track remediation activity, including oversight of all issues until they are resolved, and both the costs and benefits of remedial action
     • Report to management on risk in succinct, business-oriented terms, with aggregation across different areas of risk
     • Exchange data with other systems
  3. Determining what you want Citicus ONE to evaluate
     Diagram: Citicus ONE Release 3 sits between the people who run the programme and the things the programme evaluates.
     • Roles: top management; programme manager and core team; local co-ordinators; owners
     • Types of 'target of evaluation': business applications; IT infrastructure; industrial control systems; business processes; sites; projects; suppliers and other parties
  4. Types of 'target of evaluation' supported out-of-the-box
     Several target types are supported 'out of the box'. Additional ones can be set up at any time using Citicus ONE and Citicus Workbench.
     • Information resource: business application; computer installation; communication network; business processing activity; set of information; project; business process; business unit
     • Supplied service: application development; help desk; hosting; telecoms; development; other
     • Industrial control system: SCADA; DCS; other
     • Supplier relationship: alliance; collaborative; transactional; other
     • Site: main office; branch office; manufacturing facility; R&D facility; IT facility; other
     • Any other area of risk ...
  5. Citicus ONE supports a proportionate risk management process
     • 'Phase 0: Discovery': identify and 'unpack' targets of evaluation, and identify their 'owners'
     • Phase 1: Criticality assessments: assess each target of evaluation's criticality (completed by the 'owner')
     • Phase 2: Deeper dives: evaluate the risk posed by critical targets of evaluation by completing risk scorecards at 3-hour risk workshops (participants: 'owner', operations, development, 'user', facilitator eg local co-ordinator)
     • Phase 3: Update: owners / completers update scorecards and remediation plans (participants: 'owner', development / support, operations, business user, help desk representative, facilitator eg local co-ordinator); embed as a continuing process into the business
     The criticality of hundreds of targets of evaluation can be evaluated in a few weeks; thousands might take 6 months to complete. Once completed, evaluations can be updated in minutes. You can also use Citicus MoCA for iPhone, iPad and iPod touch to complete criticality assessments.
  6. Risk metrics
     To get a good handle on risk, Citicus ONE measures the status of 5 determinants / indicators of risk. These are aggregated into a single risk metric.
     • Determinants: criticality; control weaknesses; special circumstances; level of threat; business impact
     • Aggregate: level of risk posed by this target of evaluation (eg 75%), compared against the level of risk acceptable to top management
     • Individual risk chart: overall risk rating shown as Low / Medium / High
  7. Phase 1: Assessing criticality in a business-oriented manner
     Criticality is based on the maximum harm that could be suffered by the enterprise if confidentiality, integrity or availability of information were lost. An 'owner' can complete a criticality assessment on-line in 20 minutes.
     • Harm scale: extremely serious harm; very serious harm; serious harm; minor harm; no significant harm
     • Assessed for: loss of confidentiality; loss of integrity; loss of availability
     • Critical timescale for loss of availability: an hour or less; half a day; a day; 2-3 days; a week; a month
     • Criticality of an information resource: unacceptable harm vs a lower level of harm
     The results of different criticality assessments can be consolidated into a criticality league table, providing a risk-oriented inventory of the organization's information resources.
  8. Assessing impact objectively with a harm reference table
     Excerpt of a sample harm reference table (level of harm: A extremely serious, B very serious, C serious, D minor, E none):
     Nature of harm | Appropriate measure | A | B | C | D | E
     Financial loss (lost revenue, unforeseen costs, penalties, fraud) | Financial impact | $10+ million | $1-10 million | $100 thousand - 1 million | $10-100 thousand | $0-10 thousand
     Degraded performance (failure to achieve targets, loss of productivity) | Targets under-achieved by | 10%+ | 5% to 10% | 1% to 5% | Less than 1% | No impact
     Degraded performance | Wasted staff-hours | 10,000+ hours | 5,000 to 10,000 hours | 1,000 to 5,000 hours | 100 to 1,000 hours | 0 to 100 hours
     Damaged reputation (negative publicity, regulatory action, litigation) | Extent of negative publicity | Prolonged widespread negative publicity | Brief widespread negative publicity | Prolonged local negative publicity | Brief local negative publicity | No impact
     Minor adaptation is required to cover the types of harm that matter to a specific organisation.
  9. Phase 2: Evaluating risk and compliance, in as much detail as you wish
     Risk factors can be fully evaluated at 3-hour facilitated risk workshops:
     • Criticality
     • Status of controls
     • Special circumstances
     • Experience of incidents
     • Business impact of incidents
     Inputs: a 2-page risk scorecard for the target of evaluation, a supporting harm reference table, and a supporting standard of practice or compliance checklist. Outputs: an individual risk status report and a compliance status report. Participants: business 'owner', business user, application support, IT operations, help desk specialist, and a facilitator (eg local co-ordinator).
  10. Assessing the strength of controls in detail
      The checklist allows a detailed assessment of control status, in a form that lets compliance with key standards be measured and reported.
  11. Recording additional details while completing a checklist
      Screenshot annotations:
      • Control area on scorecard: Data back-up (regular cycle, secure storage)
      • Standard of practice for this control area: ISO27001
      • Status of this particular statement of required practice (control item D1.10.02)
  12. 'Owners' obtain good-looking management information on risk status
      • Page 1 enables an 'owner' to take in his or her risk status 'at a glance'; twin risk charts show improvement from one evaluation to the next
      • Page 2 highlights 'dependency risk', and highlights and prioritises opportunities for further action in control areas categorised as Not OK
  13. Dependency risk maps help 'owners' look at risk in context
      Citicus ONE allows you to plot dependency risk maps for any or all targets of evaluation. Map annotations:
      • The selected target of evaluation sits at the centre of an individual dependency risk map
      • What relies on this one: the risk status of targets of evaluation that rely on this one can be identified by the outward-pointing arrowhead on the connecting line
      • What this one relies on: the risk status of supporting targets of evaluation can be identified by the inward-pointing arrowheads on the connecting lines
      • Unknown risk: the risk status of a target of evaluation is unknown because no evaluation has been performed
  14. Compliance status reports provide more detail on controls
      Citicus ONE provides an overview of compliance with a customizable set of control areas. Status legend:
      • Our arrangements have been tested and comply with the stated standard
      • Our arrangements comply with the stated standard
      • Our arrangements partially comply with the stated standard
      • Our arrangements do not comply with the stated standard
      • We believe that the stated standard does not apply in our case
      • Current status is not known
  15. Compliance trend reports show reduction in risk over time
      • Individual compliance trend report
      • Consolidated compliance trend report
  16. Drilling down to see the status of an individual risk factor (eg BCP/DR)
      Risk factor analysis report: the pie chart shows the status of a risk factor across multiple targets, and the table shows what is driving each region of the chart.
      Target of evaluation | 'Owner' | Evaluated | Status of control item
      CDC Global email (RS8) | David Tilbury | 10 Jan 08 | 1 - Compliance confirmed
      CDC Group accounts consolidated (RS39) | Honor Black | 14 Apr 08 | 1 - Compliance confirmed
      EMA Dublin call centre (RS34) | Sam Jackson | 11 Sep 05 | 1 - Compliance confirmed
      EMA E-banking application (RS84) | Richard Cliff | 30 Jun 08 | 2 - Compliance achieved
  17. Helping all involved manage remediation activity
      Evaluators have two ways of identifying the remedial actions needed to fix weaknesses identified by evaluations:
      • Route 1: the results of an evaluation feed an action plan directly
      • Route 2: individual weaknesses are recorded as issues, each with a unique reference, in a schedule of issues; issues can then be linked to the action item(s) needed to resolve them
  18. Linking notes and comments to issues and action items
      Recorded notes and comments may be edited to express them as issues or action items. Issues can be linked to action items and their status updated automatically.
      Recorded comment: "Back-ups are stored on an open shelf" (IRS 163.CC.2)
      Issue SI.1: Description: Back-ups of sensitive data are held insecurely | Priority: Medium | Issue status: Open | Date raised: 14th Sep 2010 | Origin: IRS 163.CC.2 | Related action(s): AP.1, AP.2
      Action item AP.1: Description: Acquire fire-proof safe for storing back-up media | Cost: $1000 | Benefit: Reduce risk of loss / misuse | Priority: Medium | Lead role: J Smith, IT Procurement | Target completion: Nov 14th 2010 | Actual completion: Oct 8th 2010 | Current status: Completed
      Action item AP.2: Description: Transfer back-up media to fire-proof safe | Cost: 0.5 man days | Benefit: Reduce risk of loss / misuse | Priority: Medium | Lead role: T Atkins, Ops Supervisor | Target completion: Nov 14th 2010 | Actual completion: (none) | Current status: Not yet started
  19. Consolidated reporting: your personal risk metrics dashboard
      • What is the risk distribution of our assets?
      • What is the status of my risk management programme?
      • What's the likelihood of these systems suffering major incidents?
  20. Consolidated reporting: key risk drivers
      Citicus ONE risk dashboard: the 'clickable' scatter diagram shows the contribution of individual evaluations and enables you to see what's driving risk in particular regions of the chart.
      Chart: Criticality (0% to 100%, vertical) against Average of other risk factors (0% to 100%, horizontal); plotted evaluations include SR42.1, SS42.3, SS42.4, IR42.2, IR42.7, IR42.5 and SS42.6.
  21. Consolidated league tables show where the key risks lie
      Citicus ONE ranks targets of evaluation in descending order of risk. Colour codes (High / Med / Low) indicate the danger posed by each component of risk; you can control colour and sorting.
      Targets of evaluation | Rank | Criticality | Control weaknesses | Special circumstances | Level of threat | Business impact
      Top 10 entries
      SecurNet (RS151) | 1 | 100% | 76% | 86% | 50% | 25%
      Credit card processing (RS156) | 2= | 75% | 100% | 57% | 100% | 50%
      Global email (RS49) | 2= | 75% | 100% | 57% | 100% | 50%
      Boston data center (RS191) | 4 | 75% | 100% | 29% | 100% | 75%
      London data centre (RS155) | 5 | 75% | 94% | 71% | 100% | 50%
      Global intranet (RS150) | 6 | 75% | 94% | 86% | 75% | 50%
      Supplier data (RS124) | 7 | 75% | 94% | 71% | 100% | 25%
      HQ LAN (RS67) | 8 | 75% | 88% | 57% | 100% | 100%
      Pacific data centre (RS131) | 9 | 75% | 88% | 71% | 75% | 25%
      Group EIS (RS148) | 10 | 75% | 82% | 100% | 100% | 75%
      Bottom 10 entries
      Relationship mgt (RS156) | 136 | 25% | 6% | 43% | 50% | 25%
      Group payroll (RS167) | 137 | 25% | 0% | 29% | 50% | 0%
      ePurchasing site (RS160) | 138 | 25% | 0% | 0% | 50% | 25%
      Prices database (RS142) | 139 | 0% | 100% | 29% | 75% | 25%
      UK sales information (RS12) | 140 | 0% | 82% | 43% | 100% | 25%
      UK standby net (RS136) | 141 | 0% | 65% | 14% | 50% | 0%
      Boston Order Proc. (RS190) | 142 | 0% | 59% | 29% | 100% | 50%
      European data centre (RS46) | 143 | 0% | 47% | 57% | 50% | 0%
      LaForce site LAN (RS101) | 144 | 0% | 41% | 14% | 100% | 25%
      Erland site LAN (RS42) | 145 | 0% | 24% | 14% | 100% | 25%
      Note: Names have been changed to preserve confidentiality but ratings are genuine.
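The following is an added worked example, not Citicus code and not a statement of how Citicus ONE actually computes its metrics. It shows how the pieces on slides 6 to 8 and 21 fit together: a measured loss is banded into a harm level A to E using the sample harm reference table, an owner's criticality assessment is the worst harm across loss of confidentiality, integrity and availability, and the five risk determinants are sorted into a league table. Two things are assumptions rather than anything the slides state: the mapping of harm levels A to E onto the 100%/75%/50%/25%/0% criticality values seen in the league table, and the league-table ordering rule (criticality first, then control weaknesses, then the sum of the remaining three factors), which was inferred from the top-10 ordering on slide 21 and is checked against those rows.

```python
"""FIRM-style harm banding, criticality assessment and league table.

Added illustration only: band thresholds are the sample harm reference table
(slide 8); the A..E -> 100..0% mapping and the league-table tie-break rule are
assumptions inferred from slides 7 and 21, not Citicus ONE's own arithmetic.
"""
from dataclasses import dataclass

# Harm levels from the harm reference table, most serious first.
LEVELS = ("A", "B", "C", "D", "E")

# Inclusive lower bound of bands A..D per quantitative measure (slide 8 figures).
# Values below the D bound fall in E ("none").  ASSUMPTION: a value sitting
# exactly on a boundary is placed in the more serious band.
FINANCIAL_LOSS_USD = (10_000_000, 1_000_000, 100_000, 10_000)
TARGET_SHORTFALL_PCT = (10, 5, 1, 0)          # D is "less than 1%" but non-zero
WASTED_STAFF_HOURS = (10_000, 5_000, 1_000, 100)

# Reputational harm is categorical on the slide, so it maps directly.
NEGATIVE_PUBLICITY = {
    "prolonged widespread": "A",
    "brief widespread": "B",
    "prolonged local": "C",
    "brief local": "D",
    "none": "E",
}


def harm_band(value: float, bounds: tuple) -> str:
    """Band a measured quantity into harm level A..E using one row of the table."""
    if value <= 0:
        return "E"                         # no loss / no impact
    for level, lower in zip(LEVELS, bounds):
        if value >= lower:
            return level
    return "E"


def worst(*levels: str) -> str:
    """Most serious of several harm levels (A is worst)."""
    return min(levels, key=LEVELS.index)


@dataclass
class CriticalityAssessment:
    """Phase 1 record: worst harm if confidentiality, integrity or availability
    were lost; availability is judged at the critical timescale (slide 7)."""
    confidentiality: str
    integrity: str
    availability: str
    critical_timescale: str = "a day"

    def criticality(self) -> str:
        return worst(self.confidentiality, self.integrity, self.availability)

    def criticality_pct(self) -> int:
        # ASSUMPTION: 0/25/50/75/100% on slide 21 correspond to levels E..A.
        return (4 - LEVELS.index(self.criticality())) * 25


@dataclass
class RiskRow:
    """The five determinants of risk from slide 6, as percentages."""
    name: str
    criticality: int
    control_weaknesses: int
    special_circumstances: int
    threat: int
    business_impact: int


def _sort_key(r: RiskRow) -> tuple:
    # ASSUMPTION (inferred from slide 21): criticality dominates, then control
    # weaknesses, then the remaining three factors taken together.
    rest = r.special_circumstances + r.threat + r.business_impact
    return (-r.criticality, -r.control_weaknesses, -rest)


def league_table(rows: list) -> list:
    """Rank targets in descending order of risk; ties share a rank ('2=')."""
    ordered = sorted(rows, key=_sort_key)
    ranks, prev_key, prev_rank = [], None, 0
    for pos, row in enumerate(ordered, start=1):
        key = _sort_key(row)
        rank = prev_rank if key == prev_key else pos
        ranks.append(rank)
        prev_key, prev_rank = key, rank
    counts = {r: ranks.count(r) for r in ranks}
    return [(f"{r}=" if counts[r] > 1 else str(r), row.name)
            for r, row in zip(ranks, ordered)]


# Sample input: the top-10 rows of the league table on slide 21 (names are the
# anonymised ones printed on the slide).
SLIDE_21_TOP10 = [
    RiskRow("SecurNet (RS151)", 100, 76, 86, 50, 25),
    RiskRow("Credit card processing (RS156)", 75, 100, 57, 100, 50),
    RiskRow("Global email (RS49)", 75, 100, 57, 100, 50),
    RiskRow("Boston data center (RS191)", 75, 100, 29, 100, 75),
    RiskRow("London data centre (RS155)", 75, 94, 71, 100, 50),
    RiskRow("Global intranet (RS150)", 75, 94, 86, 75, 50),
    RiskRow("Supplier data (RS124)", 75, 94, 71, 100, 25),
    RiskRow("HQ LAN (RS67)", 75, 88, 57, 100, 100),
    RiskRow("Pacific data centre (RS131)", 75, 88, 71, 75, 25),
    RiskRow("Group EIS (RS148)", 75, 82, 100, 100, 75),
]

if __name__ == "__main__":
    # A constructed owner's view: $2.5M loss -> B; a day's outage judged A.
    owner = CriticalityAssessment(harm_band(2_500_000, FINANCIAL_LOSS_USD), "C", "A")
    print("criticality:", owner.criticality(), owner.criticality_pct(), "%")
    for label, name in league_table(SLIDE_21_TOP10):
        print(f"{label:>3}  {name}")
```

Feeding the slide's own rows back through `league_table` reproduces the published ranks, including the `2=` tie, which is the sanity check a practitioner would run before trusting an inferred ordering rule; if a vendor's real aggregation differs (for example a weighted sum with a management-set risk appetite), only `_sort_key` needs to change.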
  22. Compliance trend reports provide a timeline of compliance status
      Compliance with a specified standard can be tracked as a trend line. You can plot the overall status of all controls in the employed checklist or focus on an individual control area of interest.
  23. Examples of successful practice
  24. Global branded food manufacturer
      • Global program driven by a strong, personable programme manager (2 people at centre, 3 in regions) based in Group Compliance & Controls
      • IT assessments use FIRM+: criticality assessments + risk scorecards supported by an ISO 27000 standard of practice (17 control areas, 150 controls)
      • ~1,200 evaluations since 2005: 1,000 criticality assessments and 200 'deep dive' risk assessments
      • IT assessments embedded in system development and IT procurement processes
      • Areas of risk: business applications; IT infrastructure; business processes; business units; sites; projects; suppliers and other parties
      • Program entered for Information Integrity award, 2009
      • Software currently being configured with checklists that enable evaluation of: food defence practices; compliance with bribery / child labour laws (for Dow Jones Sustainability Index); suppliers; particular business processes
      • Collaborative developments: supplier risk capability; data exchange
      "By implementing a business oriented and systematic risk assessment process, real benefits can be achieved as compliance and excellence in security requirements can be quickly satisfied without unnecessary burden, and resources properly allocated throughout the organization"
  25. Global tobacco company
      • Global program driven by a strong, personable programme manager (2 people at centre, based in IT; 50 trained local co-ordinators)
      • IT assessments initially used FIRM+: criticality assessments + scorecards supported by a home-grown standard of practice (17 control areas, 100 controls)
      • ~2,500 evaluations since 2004
      • Program being extended to cover factory automation
      • Standard of practice turned into a 'smart checklist' in 2009, driven by user-controllable attributes
      • Citicus ONE employed as a 'system of systems'; characteristics of systems recorded as attributes
      • Areas of risk: business applications; IT infrastructure; business processes; business units; sites; projects; suppliers and other parties
      • Collaborative developments: attribute sophistication; risk management metrics
      "With a portfolio of more than 500 computer systems supporting diverse business functions and application/data owners across the world, ad hoc assessment for policy compliance and IT governance needed to be replaced with systematic and transparent information risk management processes."
  26. Other large-scale Citicus ONE implementations
      Customer | Completed evaluations | Geographical scope | Bases of evaluation | Program management
      Insurance / financial services | >18,000 | 70+ countries | Criticality assessments, scorecards + 2 home-grown checklists (~60 control items) | 3 at centre, 1+ local co-ordinator in every business unit
      Global brands | 2,300 | 150 countries | Criticality assessments, scorecard + home-grown 'smart' checklist (~100 control items) | 2 at centre, 5 regional co-ordinators, 15-20 local co-ordinators
      Insurance / financial services | 1,200 | North America | Criticality assessments, scorecard + ISF SoGP. Harm reference table being used for other areas of risk; some tweaks needed | 3-4 at centre, no local co-ordinators
      Central Government in a Canadian province | 600 | 30+ Ministries | ISF Health check used for major Ministry-level evaluations; 'smart' checklists based on ISF SoGP used for information systems | 2-3 at centre, 1-2 local co-ordinators in each Ministry
  27. About Citicus Limited
  28. Who we are
      Citicus Limited was formed in 2000 to provide world-class risk management software products and supporting services. Wholly owned by its directors and staff. Based in the UK (London, Cheltenham). Holds the exclusive, worldwide right to sell FIRM automation, reflecting the Citicus directors' long-standing involvement with the Information Security Forum (ISF) and their lead role in the development of this ground-breaking risk measurement and management methodology. Relations with customers are based on a collaborative way of working. Our relationship with the ISF is continuing (eg access to Survey data, involvement in FIRM and IRAM development).
      • Simon Oxley, Managing director: headed information security departments at National Power and Reuters; took both companies into the ISF and served on ISF Council 1992-94; heads the Citicus management team and leads our commercial activities; oversees our relations with standards-makers (eg ISF, BSI-ISO, ISACA)
      • Marco Kapp, Director: established the ISF while a director of C&L's UK consulting practice; author of the ISF's first standard and numerous reports on risk; chief architect of the ISF's FIRM methodology; chief architect of the collaborative Supplier Risk Assessment (SRA) project, which culminates in delivery of Citicus ONE Release 3
      • Sian Alcock, Director: extensive experience in analysing ISF survey results; developed new, quantitative insights into what drives risk up / down; lead author of the ISF report on The impact of security management; oversees design, development and delivery of Citicus ONE
  29. Our customers and geographic focus
      Citicus ONE is currently helping customers to measure and manage the risk posed by many thousands of systems in over 150 countries. We support deployments all over the world via training and services delivered from the UK, and can orchestrate global support if needed.
      Representative customers (main activity | where based):
      Banking | US, Saudi Arabia, UAE
      Consumer products | Netherlands, Switzerland, UK, USA
      Energy | UK, Germany
      Government | Canada, Ireland, UK, Netherlands
      Insurance | France, USA
      IT and professional services | Germany, Scandinavia, Switzerland, UK, USA
      Manufacturing | France, Netherlands, Scandinavia
      Telecommunications | Kenya
  30. Citicus ONE is based on solid, factual evidence
      Citicus ONE Release 3 is the end-product of an unrivalled volume of research, conducted by the founders of Citicus Limited for and / or in conjunction with leading organizations around the world. Results of this research over the last 20 years are illustrated below.
      Example: the ISF 1998 survey involved over 1,000 people:
      • in-depth analysis of 800,000 facts about 969 surveyed systems, including the controls applied to them, incidents they suffered and other key characteristics
      • intensive review by practitioners
      • provided major insights into what drives information risk
      969 survey questionnaires: 61,000 pages (would make a pile 8 metres high). ISF: Information Security Forum.
      We developed the FIRM risk management methodology for and in conjunction with the Information Security Forum (ISF). It reflects all the above research and is automated by our Citicus ONE software. Release 3 extends FIRM to cover all areas of operational risk.
  31. FIRM risk management methodology
      Developed by the founders of Citicus Limited for and in conjunction with the Information Security Forum (ISF) in 2000.
      • FIRM Implementation Guide (2000): the problem; key challenges; the methodology; 6-step implementation process
      • FIRM Supporting material (2000): terminology, concepts and role definitions; operational tools; examples of successful practice; advice on making selective improvements
      • Revised FIRM Scorecard (2005): rearranged presentation; updated content to align with other ISF tools (eg SoGP, Healthcheck, IRAM)