We think you have liked this presentation. If you wish to download it, please recommend it to your friends in any social system. Share buttons are a little bit lower. Thank you!
Presentation is loading. Please wait.
Published byKeagan Watlington
Modified over 2 years ago
Citicus Limited www.citicus.com Citicus ONE: Background information
Copyright © Citicus Limited, 2011. All rights reserved.Page 1 Introduction Citicus™ ONE is a customisable, web-based application system which enables you to: reliably measure the risk posed by your enterprise’s mission-critical information systems in meaningful, business-oriented terms manage information risk across your enterprise efficiently. These slides provide useful supporting information. Specifically, they: Explain what ‘information risk’ means and how it relates to other areas of risk Reveal key statistics that underpin Citicus ONE Present the theory of control embodied by Citicus ONE Explain key terms (information incidents, controls, information resources) Show how information risk relates to other areas of risk Provide background information about the FIRM methodology which is applied by Citicus ONE and explain the relationship between Citicus and the Information Security Forum Other presentations in the same series explain: what Citicus ONE can do for your organisation Citicus ONE’s technology, deployment options, pricing, capabilities and supporting services ‘Information risk’ is the chance or possibility of harm being caused to a organization as a result of a loss of the confidentiality, integrity or availability of information Years of research and practical experience has made Citicus ONE the world’s most advanced tool for measuring and managing information risk successfully.
Copyright © Citicus Limited, 2011. All rights reserved.Page 2 What is ‘information risk’ exactly? Information risk is the chance or possibility of harm being caused to a business as a result of a loss of the confidentiality, integrity or availability of information Probability of suffering harm Nature and level of harm The 3 key properties of information to be protected Exists in varying forms: held in people’s heads communicated face-to-face recorded in deeds and other securities entered into, stored, processed, transmitted and presented via IT The method of protection depends on the form taken by information Citicus ONE focuses on managing the risk posed by IT-based information since that is the largest and fastest growing segment of the problem in most organizations.
Copyright © Citicus Limited, 2011. All rights reserved.Page 3 How information risk influences other business risks Borrowings and investment positions Projected rates of interest Projected cash flows External developments Sales forecasts Forecast expenditure Actual sales and expenditure Key variances Information risk status reports Identity of key assets (equipment, facilities and employees) Status of continuity arrangements Market risk Market risk (ie factors beyond the control of management such as interest and currency rates) Financial risk Financial risk (eg uncertainties about projected earnings or expenditure) Operational risk information risk Operational risk (eg information risk, theft, fraud, loss of facilities or key employees). Information risk Information risk is an increasingly important component of operational risk Information risk intensifies all other business risks Sound information is needed to manage each category of risk. Thus, managing information risk well is essential.
Copyright © Citicus Limited, 2011. All rights reserved.Page 4 Key statistics: The harm caused by information incidents can be substantial £200 million of sales lost $105 million could not be recovered 5,000 customer queries unanswered 20,000 emails permanently lost $400,000 stolen confidential data belonging to key business partners destroyed 40 fraudulent fund transfers from client accounts 3,100 wrong entries on customer accounts $5.25 million of IT equipment destroyed and business data unavailable for 4 weeks 4,000 staff disrupted A sample of 253 worst-case incidents reduced the value of the businesses concerned by $1.4 million, on average. Impact of identified incidents included: Details of major incidents extracted from It could happen to you: a profile of major incidents; Information Security Forum, 2000 and analysis of 253 worst-case incidents published in Driving information risk out of the business; Information Security Forum, 1999.
Copyright © Citicus Limited, 2011. All rights reserved.Page 5 Key statistics: Good controls drive down the volume of incidents 135 259 0 100 200 300 Average number of incidents suffered over a year Citicus analysis of some 210,000 incidents affecting 844 information resources covered by the Information Security Forum’s 2000-2002 Security Status Survey. Information resources with controls in good, all-round condition Information resources with controls NOT in good, all-round condition The average number of information incidents 1 suffered a year by an information resource 2 is halved when controls 3 are in ‘good, all-round condition’ 1, 2, 3 For definitions of these key terms, see the slide entitled Other key terms
Copyright © Citicus Limited, 2011. All rights reserved.Page 6 Key statistics: Why reducing the volume of information incidents is important Citicus analysis of incidents affecting 844 information resources covered by the Information Security Forum’s 2000-2002 Security Status Survey. Information resources categorized by number of incidents suffered over a year % that experienced a MAJOR incident over a year Eliminating minor information incidents is important, since the chance of suffering a MAJOR incident climbs as the number of minor incidents increases 0% 20% 40% 60% 80% 11-5051-100 1 2-10100+
Copyright © Citicus Limited, 2011. All rights reserved.Page 7 Controls that are in ‘good, all-round condition’ reduce the probability of experiencing MAJOR incidents by more than a factor of three Analysis of incidents affecting 663 information resources covered by the Information Security Forum’s 2000-2002 Security Status Survey. 63% 0% 25% 50% 75% % of information resources that suffered a major incident over a year Key statistics: Good controls slash the odds of suffering major incidents Information resources with controls in good, all-round condition Information resources with controls NOT in good, all-round condition 20%
Copyright © Citicus Limited, 2011. All rights reserved.Page 8 Key statistics: Good controls lead to big savings $0.74m $0.05m $0m $0.5m $1.0m Average financial impact of worst-case incidents suffered over a year Analysis of 244 worst-case incidents for which financial data was provided covered by the Information Security Forum’s 2000-2002 Security Status Survey Information resources with controls in good, all-round condition Information resources with controls NOT in good, all-round condition Controls that are in ‘good, all-round condition’ also dramatically reduce the financial impact of worst-case incidents Together, these statistics shown that information risk can be slashed by ensuring controls comply with generally-accepted good practice
Copyright © Citicus Limited, 2011. All rights reserved.Page 9 Citicus ONE implements a coherent theory of control for information risk Detect incidents that slip through Prevent threats materializing as incidents, as far as possible Facilitate recovery from incidents Loss of confidentiality, integrity or availability of information Threats to the confidentiality, integrity or availability of information: unintentional deliberate Impact on the business Business system Information PREVENTION CONTROLS RECOVERY CONTROLS Policies and standards Ownership Organization Risk identification Awareness Service agreements User capabilities IT capabilities System configuration Data back-up Contingency arrangements Physical security Arrangements for protecting information - grouped into control areas Access to information Change management Problem management Special controls Audit/review DETECTION CONTROLS Citicus ONE promotes achievement of a balanced system of controls. This is the key to success in keeping information risk at an acceptable level Business requirements (including requirement to protect information)
Copyright © Citicus Limited, 2011. All rights reserved.Page 10 Definitions of other key terms Controls: policies, methods, procedures, devices or programmed mechanisms designed to protect the confidentiality, integrity and availability of information (eg user capabilities, data back-up), or that otherwise influence the level of protection provided (eg training and supervision of IT staff). Information incidents: events (or chains of events) that compromise the confidentiality, integrity or availability of information eg: malfunction of software or hardware loss of services, equipment or facilities overload human error unforeseen effects of change other undesirable acts. 'Ownership' not easy to pin down as information is used for different purposes in individual systems 'Ownership' generally easy to identify Business impact easy to assess Computer installations Communications networks Systems development activity Business applications Business impact hard to assess if multiple applications are supported INFORMATION IT-based information resources:
Copyright © Citicus Limited, 2011. All rights reserved.Page 11 Citicus ONE implements FIRM – a ground-breaking risk methodology FIRM is a ground-breaking methodology for managing information risk across an enterprise published by the Information Security Forum (ISF): Problem definition (why information risk management processes often fail) The key challenges FIRM methodology Implementation process Terminology, concepts and role definitions Risk management diagnostic Operational tools Examples of successful practice FIRM IMPLEMENTATION GUIDE (86 pages) SUPPORTING MATERIAL ( 120 pages) the methodology is based on extensive statistical research into the effectiveness of controls applied to thousands of mission-critical systems and is supported by continuing analysis of the massive body of statistics collected by the ISF as part of its core activities it distils lessons learnt and examples of successful practice from some of the world’s most advanced users of IT its chief architect, Marco Kapp, is a co-founder of Citicus Limited and other Citicus directors also contributed to its development. Citicus has the exclusive right to develop and sell automation which enables organisations to implement the FIRM methodology. FIRM stands for Fundamental Information Risk Management:
Copyright © Citicus Limited, 2011. All rights reserved.Page 12 Unique, collaborative relationship since October 2001 Commitment to work together on on-going development of FIRM and related activities (eg ISF’s FIRM training workshops for Members, Citicus input into ISF IRAM project) Independent company, founded by world’s top experts on FIRM Develops and sells automated risk management tools and supporting services Citicus Limited Citicus has exclusive, world-wide right to develop and sell FIRM automation, including its extension to e-commerce Citicus pays a royalty to the ISF on each sale of Citicus ONE Citicus offers Citicus ONE to ISF Members at a 12% discount Information Security Forum An international association of over 250 leading organisations Funds a practical research programme in information security, including development of FIRM methodology ISF owns the published FIRM methodology and extension to e-commerce ISF receives a royalty on sales of Citicus ONE ISF Members obtain Citicus ONE at a 12% discount Citicus Limited’s relationship with the Information Security Forum (ISF)
Copyright © Citicus Limited, 2011. All rights reserved.Page 13 About Citicus Limited Formed in 2000 to provide world-class automated risk management tools and supporting services Offers Citicus ONE - the world's foremost tool for driving down information risk (ie the business risk posed by mission-critical, IT-based information systems) and other areas of risk Continuing relationship with the ISF (eg on IRAM and FIRM development) Exclusive, worldwide right to sell FIRM automation - reflecting Citicus directors’ lead role in the development of this ground-breaking ISF risk methodology Provides the training and support needed to deploy Citicus ONE, plus advice / assistance with implementations either directly or via our Implementation partners RecognitionSelected customersPartners
Copyright © Citicus Limited, 2011. All rights reserved.Page 14 For further information You can contact us at Citicus Limited either directly or via our head office: Direct contact Simon Oxley Emailsimon.firstname.lastname@example.org@citicus.com Tel +44 (0)1729 825 555 Marco Kapp Emailmarco.email@example.com@citicus.com Tel +44 (0)1306 742 072 Sian Alcock Emailsian.firstname.lastname@example.org@citicus.com Tel +44 (0)20 8870 9279. Head office Citicus Limited Holborn Gate 330 High Holborn London WC1V 7QT. Emailinfo@email@example.com Webwww.citicus.comwww.citicus.com Tel+44 (0)20 7203 8405 Fax+44 (0)20 7203 8409. Our Implementation Partners will also be pleased to help you. Their contact details can be found at www.citicus.com www.citicus.com
Simon Oxley Managing Director Citicus Limited, London Information risk and compliance management An approach based on real-world statistics.
©Ian Sommerville 2006Software Engineering, 8th edition. Chapter 30 Slide 1 Security Engineering 2.
Copyright © Pearson Education Limited Control and Accounting Information Systems Chapter
Copyright © 2015 Pearson Education, Inc. Control and Accounting Information Systems Chapter
©Ian Sommerville 2006Software Engineering, 8th edition. Chapter 30 Slide 1 Security Engineering.
Slide 1 Security Engineering. Slide 2 Objectives l To introduce issues that must be considered in the specification and design of secure software l To.
ASYCUDA Overview … a summary of the objectives of ASYCUDA implementation projects and features of the software for the Customs computer system.
1 Introduction Security is a major networking concern. 90% of the respondents to the 2004 Computer Security Institute/FBI Computer Crime and Security Survey.
Chapter 7 Control and AIS Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 7-1.
Tivoli Software from IBM Storage Resource Management Webcast
© 2010 Plexent – All rights reserved. 1 Change –The addition, modification or removal of approved, supported or baselined CIs Request for Change –Record.
Copyright © 2015 Pearson Education, Inc. Computer Fraud Chapter
Chapter 1 Business Driven Technology MANGT 366 Information Technology for Business Chapter 1: Management Information Systems: Business Driven MIS.
Security and Control Soetam Rizky. Why Systems Are Vulnerable ?
© 2004 Managing the Information Technology Resource, Jerry N. LuftmanChapter 5 - Slide 1 Chapter 5 IT Processes Managing the Information Technology Resource.
Copyright © Pearson Education Limited Computer Fraud Chapter
Chap 8: Administering Security. Security is a combination Technical – covered in chap 1 Administrative Physical controls SE571 Security in Computing.
The Public Sector and Xtremesofts AppMetrics Working Together to Maximize Application Availability for Government Servants and Citizens Web Site:
CHAPTER 2 TYPES OF BUSINESS INFORMATION SYSTEM. INTRODUCTION Information System support business operations by processing data related to business operation.
ICT6221 Chapter 5 IT Processes Paula Goulding. ICT6222 Chapter Outline Number of processes in IT Strategic, Tactical, and Operational layers of IT.
Phases of BCP The BCP process can be divided into the following life cycle phases: –Creation of a business continuity and disaster recovery policy. –Business.
Avancee Research TM What matters other than Quality? ©Avancee Research Outsourcing Private Limited Sample Content Project on Market Capitalization & Enterprise.
Understanding the IT environment of the entity. Session objectives Defining contours of financial accounting in an IT environment and its characteristics.
OECD World Forum Statistics, Knowledge and Policy, Palermo, November
Lecture 5 Control and AIS Copyright © 2012 Pearson Education 7-1.
CHAPTER 03 E-business Infrastructure. Learning objectives Outline the hardware and software technologies used to build an e-business infrastructure within.
Data Center Management Microsoft System Center. Objective: Drive Cost of Data Center Management 78% Maintenance 22% New Issue:Issue: 78% of IT budgets.
S4: Understanding the IT environment of the entity.
Copyright © 2015 Pearson Education, Inc.14-1 International Business Environments & Operations 15e Daniels ● Radebaugh ● Sullivan.
Welcome to the ICT Department Unit 3_5 Security Policies.
McGraw-Hill/Irwin Copyright © 2012 by The McGraw-Hill Companies, Inc. All rights reserved. Chapter 40 The Stock Market Crashes.
When you have completed your study of this chapter, you will be able to C H A P T E R C H E C K L I S T Explain how banks create money by making loans.
1 Strategic Meetings Management 101 Lynda Garvey. SMMC Strategic Meetings Consultant.
Overview Of Information Security Management By BM RAO Senior Technical Director National Informatics Centre Ministry of Communications and Information.
© 2003 The McGraw-Hill Companies, Inc. All rights reserved. Leasing Chapter Twenty-Six.
Slide 4.1 Chapter 4 Annual Report: Additional Financial Statements.
Protect critical information with a smart information-based-risk management strategy. Prepared by: Firas Mohamed Taher.
Security Professional Services. Security Assessments Vulnerability Assessment IT Security Assessment Firewall Migration Custom Professional Security Services.
FMS. 2 Fires Terrorism Internal Sabotage Natural Disasters System Failures Power Outages Pandemic Influenza COOP/ Disaster Recovery/ Emergency Preparedness.
ATTENTION This presentation breaks down the purchasing process into 6 steps, which are then detailed in the subsequent slides. While responding from either.
Copyright © 2013 Pearson Education 13-1 International Business Environments & Operations 14e Global Edition Daniels ● Radebaugh ● Sullivan.
Security Controls – What Works Southside Virginia Community College: Security Awareness.
Risk Management Dr. Clive Vlieland-Boddy. Managements Responsibilities Strategy – Hopefully sustainable! Control – Hopefully maximising profits! Risk.
Introduction to Internal Control Systems Introduction Internal Control Systems Definition Framework Preventive, Detective, and Corrective Controls.
Important acronyms AO = authorizing official ISO = information system owner CA = certification agent.
Copyright © 2013 Pearson Education, Inc. publishing as Prentice Hall 13-1 International Business Environments & Operations 14e Daniels ● Radebaugh ● Sullivan.
Vision: A strong and capable civil society, cooperating and responsive to Cambodias development challenges 1.
© 2017 SlidePlayer.com Inc. All rights reserved.