Customers with active Citicus ONE maintenance agreements gain access to new and updated bases of evaluation as we develop them or provide them under licence from third parties (eg the ISF Standard of Good Practice (ISF SoGP), PCI DSS, ISACA COBIT, ISO/IEC 27001).
Customers also gain access to tools such as Citicus Workbench that help them prepare bases of evaluation of their own, or customise ones we supply.
If requested, we can also provide practical advice on developing a basis of evaluation that meets special needs, or hands-on assistance with developing one. This entails:
- defining the most appropriate methods of evaluating criticality, controls, special circumstances, threats and the business impact of incidents
- creating a series of determinations of acceptable risk
- devising a harm reference table for use by evaluators
- agreeing these with key stakeholders (including the customer's designated representative)
- finalising the basis of evaluation and documenting it
- handing it over so customer staff can set it up in their system
Our experienced staff can generally create a new basis of evaluation from existing material pretty quickly (eg within a few hours or days). Devising a new one from scratch takes longer (eg a month).
Both new and experienced practitioners rate Citicus ONE's customization capabilities highly:
"It made the hairs on my arms stand on end when I saw what Citicus ONE generated from the basis of evaluation I prepared." - Controls/compliance practitioner, Global foods company
"It took Citicus just three days to configure Citicus ONE to conduct Privacy Impact Assessments that reflect UK privacy legislation. That's impressive and has given us a solid foundation to start from." - Specialist privacy consultancy
We can provide qualified staff to plan, support or run your risk management process. Examples of the services we can provide include:
- programme planning - we can advise on the best way of establishing a risk management process within your organization based on Citicus ONE
- programme management - if you wish, we can provide a full project office to run your programme on your behalf
- risk evaluations - we can provide external resources to conduct criticality assessments or facilitate risk evaluations (eg of your critical information systems, sites or suppliers). These can be used to supplement your own staff or to assist in the transfer of skills to company personnel.
Citicus ONE can be installed and put to work easily, with no outside assistance. Its automated installation routines and outstanding documentation minimize the opportunity for error, and our expert help desk helps customers resolve problems that occur.
Additional technical support is available to help customers needing, for example, to:
- migrate data from an earlier risk management system or process (which may require development of a one-time conversion routine)
- integrate Citicus ONE with an external directory (eg Microsoft® Active Directory) for user administration and / or authentication
- exchange data with an external system (eg an asset database, with Citicus ONE being the definitive source of risk ratings and the asset database being the definitive source of, say, asset names, ages and other characteristics).