UK company Citicus Limited today gave the go-ahead for its first collaborative development programme (CDP1). The aim of the programme is to develop a robust, Web-based version of the automation needed to implement FIRM (Fundamental Information Risk Management) - the ground-breaking methodology for managing information risk across an enterprise developed in conjunction with the Information Security Forum (ISF). The programme is supported by 15 leading enterprises from around the world.
Explaining the decision, Simon Oxley, Managing Director of Citicus said:
"We believe that FIRM is the world's best method of managing information risk. The ISF deserves full credit for its development. We're now taking the next step which is to develop the software needed to implement FIRM effectively. We're delighted at the support forthcoming from our launch partners, who'll help us pin down requirements. In return, they'll gain early access to the automation, on terms that reflect their special contribution - which we really appreciate."
What is FIRM?
FIRM is a fully worked methodology for managing information risk systematically across enterprises of all sizes. It provides an informed, graphical view of information risk that both business and IT people can relate to; incorporates a constructive process for driving risk down to a level defined as acceptable by top management; and is rigorous, measurement-based, and totally business-oriented.
What makes FIRM so special?
Citicus Director, Marco Kapp - the chief architect of FIRM - highlights key features of the methodology:
"FIRM is special because it's based on 10 years of statistical research into what makes business-critical information systems 'go wrong', and a deep understanding of how to motivate and equip 'owners' to drive risk down. Simplicity and impact are key. Although there's sophisticated number crunching going on behind the scenes, we made the fact-gathering easy; and devised great-looking risk charts and league tables that decision-makers can relate to. They're designed to encourage action - that's what FIRM is about."
Sian Alcock is the Citicus Director who oversees the technical aspects of the programme. She comments:
"We've already distributed prototype automation - it's out there working - but it's fiddly to distribute and not really suitable for large-scale use. By redeveloping for the Web, we can hide the complexity and focus on giving users high-value information about their level of risk and how to drive it down. They'll get their results immediately through their browsers; thus there's no client-side software to install. This makes it much easier to implement an enterprise-wide risk management programme".
The software will be optimised for ease of installation (there will be no client-side software to install); ease of use (in order to minimise the need for education/training of busy 'owners'); and adaptability (e.g. it will be easy to customise and will support enterprises of all sizes/shapes).
Launch partner involvement
Launch partners will identify their special needs, help determine development priorities, provide feedback on designs, help in testing and contribute more widely through informed discussion in working sessions. A schedule of the 15 launch partners is set out below.
CDP-1 Launch partners
- Allen & Overy
- Barclays Bank
- British Airways
- Computer Sciences Corporation
- Old Mutual
- Pharmacia Corporation
- ST Microelectronics
- Standard Bank of South Africa
- Stora Enso
- Syngenta International
- A leading manufacturer
- A leading bank
- A leading electronics company
Hans Carlbring from Pharmacia Corporation explains his involvement:
"Pharmacia is a first-tier global pharmaceutical company. Our IT security support must provide a high degree of automation, available to the global businesses. From joining the CDP-1 programme, we expect a robust version of the automation needed to roll-out FIRM across the enterprise, so this key risk is managed via our intranet".
Christian Thunberg from Stora Enso adds his perspective:
"We employ 45,000 people. Our IT environment consists of a global WAN with some 400 LANs, six main computer centres and 15,000 users. I believe that FIRM will make it possible for managers at all levels - for the first time with good quality - to measure the criticality of their information systems, and their vulnerabilities; to put a figure on the costs of the problem; and evaluate the result of the security work we do within the IT environment. FIRM has a positive approach which is necessary for the success of any security undertaking of this magnitude. Automating it will make it possible for me to really live up to my responsibility as Group IT Security Manager".
Bernard Orians, representing global law firm Allen & Overy, comments:
"I was part of the ISF work group for FIRM, so it's a logical next step to join CDP-1. The … automated tools which will make the process of implementing and running FIRM so much easier!".
For more information, contact:
Simon Oxley, Marco Kapp or Sian Alcock, Citicus Ltd
Tel: +44 (0)20 7203 8405