Citicus ONE vR.4.0
Strengths: Visualization tools, enhanced workflow tools.
Weaknesses: Custom reporting needs to be done outside of the tool.
Verdict: Very good solution for enterprise risk and compliance management.
Citicus ONE is an integrated system for organizations to automate their IT governance, risk and compliance management processes. It is an assessment driven tool that uses web-based data collection forms to collect asset, risk and compliance data. The tool gives asset owners on the ground insights into the risk and compliance status of their areas of responsibility and practical guidance on driving risk down. It also provides top management with an overview of the risk and compliance status of their critical operational assets and processes.
Users can easily configure the control assessment framework based on their local security policies and regulations or can use the extensive built-in control libraries covering areas such as ISO27001, PCI-DSS, ISF SoGP, NIST, vendor assessment/third-party, physical security and SCADA requirements. This version has full support for industrial control and real-time processing systems, including the updated content for DHS and NIST.
Citicus ONE uses a common, research-based approach for evaluating risks of different types enabling all enterprise risk data to be brought together into a single, consistent picture. With the workflow tools users can select which targets of valuation to assess; identify owners and set them up as users of the system and quickly control the role-based access they will have; issue criticality assessments, risk scorecards and checklists that owners and others can complete online; automate the risk management process and the email-integrated workflow capabilities that includes alerting to manage the response process; and consolidate collected risk and compliance data into informative results for all stakeholders. The process is completely UI driven, and simple pull-down menu controls drive the entire process.
Remediation planning is supported through recording risk and compliance issues and the specific action required to resolve these. Actions can be assigned to individuals, and then costed and tracked to completion. Completion of remediation activity automatically updates compliance and risk ratings. Incident reporting templates are available and can be customized to one's needs. Using remediation and incident management tools users can quickly automate the linkage of actions to specific controls.
Reporting has been updated in this version. Reports are largely graphical and interactive and include dashboards, risk and compliance league tables, heat maps, trend reports and risk dependency maps. Too, there is great detail in the dashboard format, which is nicely laid out with drill-down access to detailed data. The entire workflow functionality was redone and new in this version. The changes have made the product easier to use and help you quickly leverage the power of the tool
Citicus ONE is available as both an installable software product and as an in-the-cloud hosted service. It runs on Microsoft Windows Server 2008 and requires Microsoft SQL Server 2005/2008. It also is fully Active Directory integrated to allow for easy user import into the tool.
The documentation is integrated with the software and is nicely laid out. Ten-hours-a-day/five-days-a-week software support and maintenance (including software upgrades) for the first 12 months is included in the initial license fee. Thereafter, software support and maintenance is charged at 18 percent of the license fee. For hosted (SaaS) implementations, software support and maintenance is included in the annual service charge.