Citicus ONE R3.2
Strengths: Strong business policy, compliance and regulatory risk management tool. Great reporting.
Weaknesses: Interface was very busy. Not strong on remediation recommendations.
Verdict: Good risk picture with dependency map. Strong built-in control/regulatory framework.
Citicus ONE establishes an efficient and continuous process for measuring and managing information risk and compliance across the organisation. It helps establish the criticality of business systems and IT infrastructure and tracks how the measured risk compares with the defined acceptable level.
It also monitors compliance with internal policies, regulatory standards and legislation. Built-in control frameworks include ISO 27001, PCI DSS, ISF, ITIL SoGP, CobiT, SOX and Basel II. Additionally, any local policies and regulations can be readily imported. We were impressed with the capability of the tool to map an identified risk right down to the individual requirement in the policy document.
Citicus ONE uses web-based data collection forms, including asset criticality assessments and risk scorecards underpinned by detailed threat and vulnerability checklists. These ensure that objective and consistent data is recorded, identifying risks to business applications, IT infrastructure and outsourced services. The tool and the supplied content for developing the criticality assessments were very powerful.
Reporting is provided at multiple levels from owners of individual assets on the ground to top management who require an overview of risk and compliance for a business unit or the entire enterprise.
Reports include dashboards, risk and compliance league tables, heat maps, trend reports and risk dependency spider maps. These were very useful in linking the various elements of the risk to the critical resources. The spider map links the five risk factors of control weakness, special circumstances, business impact, level of threat and criticality in graphical fashion.
Remediation planning is supported through recording risk and compliance issues and the specific action required to resolve these. Actions can be assigned to individuals, costed and tracked to completion.
Citicus ONE is offered as a hosted SaaS subscription or as a deployed software solution. The deployed solution has a SQL Server backend with an IIS/.NET front end. An automated installer installs and configures the initial product. Support on an 8/5 basis is provided for the first year and includes phone and email access.
This solution provides a lot of content and capability for the price in the business risk space.