Citicus ONE v3.5
June 03, 2013
From $15,000 annually for SaaS, or $25,000 perpetual license for initial deployment.
- Ease of Use:
- Value for Money:
- Overall Rating:
- Strengths: Reporting, visualization of risk data for all levels of users. Scales to handle large environments.
- Weaknesses: None to note.
- Verdict: Strong assessment-driven risk tool.
Citicus ONE is an integrated system that lets organizations automate their IT governance, risk and compliance (GRC) management processes. The tool takes an asset-based approach to risk assessment. Citicus ONE can be used as an efficient, constructive and continuous method of measuring and managing information risk, and other areas of operational risk, across an enterprise. It can be used to conduct tens, hundreds or thousands of risk evaluations and to keep them up to date efficiently.
The tool is available as both installable software and as an in-the-cloud, hosted service. The on-premise solution is supported on MS Windows Server 2003 or above, MS SQL Server 2005 or 2008, and requires .NET 3.5. For user management, the on-premise solution is fully integrated with Active Directory.
Assessments deliver evaluation results that create individual "issues" or "action plans" for follow-up or remediation activities. Assets can be imported via a simple object access protocol (SOAP)-based web service from configuration management database (CMDB) tools or other data sources. Citicus ONE will help link issues with action items to establish the required control improvements to remediate or manage risk. Interdependencies between assets can be recorded so that risk dependencies can be tracked. There is a workflow/remediation capability under its "issues" section to assist with this effort.
The user interface (UI) makes it easy to configure the control assessment framework using one's own local security policies and regulations, or one can use the built-in control libraries covering areas such as ISO 27001, PCI-DSS, Information Security Forum's Standard of Good Practice (ISF SoGP), NIST, vendor assessment/third-party, physical security and SCADA requirements. The process is completely UI driven with no coding necessary. A simple pull-down menu drives the entire process. Remediation planning is supported through recording risk and compliance "issues" and the specific action required to resolve these. Actions can then be assigned to individuals, budgeted and tracked to completion. The completion of remediation activity automatically updates compliance and risk ratings. As well, incident-reporting templates are available and can be customized to one's needs. Using remediation and incident management tools, one can quickly automate the linking of actions to specific controls. Users can generate a risk scorecard by asset.
Reporting is a strength of this product. It is role-based, so it's easy to deliver an executive dashboard or a more detail-based homescreen for an analyst. Reports are largely graphical and interactive. The visualization capabilities of the product are well done.
New features in v3.5 include an automated workflow capability for assessment and remediation functions. Also new are analytics to provide a prediction of likelihood of incidents. The prediction capability does not deliver a risk number, but rather a ranking based on the status of various controls.
The documentation is integrated with the software and is cleanly laid out. Standard 10-hours-a-day/five-days-a-week phone, email and web support is included in the first-year price and is charged at 18 percent thereafter. No levels of support beyond standard are offered. - ML