Citicus ONE vR3.2
Strengths: This is a strong business policy, compliance and regulatory risk management tool with great reporting.
Weaknesses: The interface was not difficult to use, but it was very busy. Not strong on remediation recommendations.
Verdict: The tool offers a very clear risk picture with a dependency map and strong built-in regulatory control frameworks.
Citicus ONE establishes an efficient and continuous process for measuring and managing information risk and compliance across the organization. It helps establish the criticality of business systems and IT infrastructure and tracks how the measured risk compares with the defined acceptable level.
Citicus ONE monitors compliance with standards, internal policies, regulatory requirements and legislation. It offers built-in control frameworks including ISO 27001, PCI DSS, the ISF SoGP, ITIL, COBIT, SOX and Basel II. Additionally, any local policies and regulations can be readily imported. We were impressed with the drill-down capability of the tool to map an identified risk right down to the individual requirement in the policy document.
The tool uses web-based data collection forms, including asset criticality assessments and risk scorecards, underpinned by detailed threat and vulnerability checklists. These ensure that objective and consistent data are recorded, identifying risks to business applications, IT infrastructure and outsourced services. The tool and the supplied content for developing the criticality assessments were very powerful.
Reporting is provided at multiple levels, from "owners" of individual assets on the ground to top management who require an overview of risk and compliance for a business unit or the entire enterprise. Reports include dashboards, risk and compliance league tables, heat maps, trend reports and risk dependency maps. The dependency spider maps were very useful in linking the various elements of the risk to the critical resources. The spider map graphically links the five risk factors: control weakness, special circumstances, business impact, level of threat and criticality.
Remediation planning is supported through recording risk and compliance issues and the specific action required to resolve these. Actions can be assigned to individuals and costed and tracked to completion.
Offered as a hosted SaaS subscription or as a deployed software solution, the offering has a SQL Server back end with an IIS/.NET front end. An automated installer installs and configures the initial product. Eight-hours-a-day, five-days-a-week support is provided for the first year and includes phone and email access.
This solution provides a lot of content and capability for the price in the business risk space.