Citicus ONE uses web-based data collection forms - including asset criticality assessments and risk scorecards underpinned by detailed threat and vulnerability checklists - to ensure that objective and consistent data is recording identifying risks to business applications, IT infrastructure and outsourced services.

Citicus ONE is available as both an installable software product and as an in-the-cloud-hosted service. The on-premise solution is supported on MS Windows Server 2003 or above, MS SQL Server 2005 or 2008, and requires IIS and XML Core Services.

Citicus ONE supports a proportionate risk management process using a phased approach to risk management. Phase 1 is the criticality assessment, where one will assess the criticality of each of the evaluation targets. Phase 2 evaluates the risk posed by critical targets of evaluation by completing risk scorecards using a risk workshop. Phase 3 focuses on the owners of the tasks completing scorecards and remediation plans.

This is an assessment-based risk tool that uses a balanced risk score card methodology. The tool is used to create evaluations for targets, such as business applications, IT infrastructure, suppliers and site-type targets. Assessments are delivered automatically or in scheduled fashions. The risk metrics used are based on five determinants: control weakness, criticality, level of threat, business impact and special circumstances. Risk levels are tunable for one's specific environment. Citicus One comes with some built-in control frameworks supporting ISO27001, PCI-DSS, Information Security Forum (ISF) Standard of Good Practice (SoGP) and COBIT.

Assessments deliver evaluation results that create individual "issues" or "action plans" for follow-up or remediation activities. Citicus ONE will help users link the issues with action items to establish the required control improvements to remediate or manage risk. Interdependencies among assets can be recorded so that risk dependencies can be tracked. There is a workflow/remediation capability under the issues section to assist with this effort.

The dashboard that consolidates the output from the evaluation effort provides a clean, graphically driven summary of one's risk status. Users of this tool have a visual into their overall risk score, a graphic displaying a summary of the five determinate risk factors, and a helpful scatter diagram summarizing risk drivers by criticality. Dashboard and reporting is role-based and integrated with Active Directory or CA SiteMinder for user management. Inter-reporting is provided at multiple levels from "owners" of individual assets on the ground to top management who require an overview of risk and compliance for a business unit or the entire enterprise. Reports include dashboards, risk and compliance league tables, heat maps, trend reports and risk dependency maps.

The documentation is integrated with the software and is efficiently laid out. Standard eight-hours-a-day/five-days-a-week support is included in the first year price and costs 18 percent thereafter. There are no optional levels of support available beyond standard.