Standard Chartered Bank is implementing Citicus One, a Web-based technology from UK-based vendor Citicus, to detect, monitor and manage risk affecting its global IT systems.
The vendor says Citicus One will help the bank to measure and analyse information risk and focus investment and resources where they are most needed.
The product is based on the Fundamental Information Risk Management (Firm) methodology for managing information risk, published by the Information Security Forum.
The system collects structured data on IT resources - such as business applications, computer installations, networks and system development activities - and consolidates it to provide an enterprise-wide perspective of IT risk.
Citicus One automatically quantifies and analyses the data to provide high-level risk charts, status reports and risk league tables based on five key factors - criticality, level of threat, business impact, special circumstances and control weaknesses.
Standard Chartered will initially use Citicus One across five different core systems spread geographically, ranging from a major mainframe-based branch banking system in Hong Kong to a mid-range front-office system for high-value trading and foreign exchange. If these initial trials are successful, the bank plans to roll the product out to its 50 top-tier line-of-business applications globally.
John Meakin, group head of information security at Standard Chartered, says the product allows the bank to take a more dynamic and flexible view when determining the level of security controls required, based on vulnerability, threat and impact: "Citicus One allows us to capture risk data and take an aggregate view of information security risk across the enterprise as well as to measure the impact of risk in one system on other related systems - so-called dependency risk."
Meakin adds that the Web-based tool is easy to deploy and use by both business and IT staff and its graphical reporting functionality allows users to deliver clear presentations of risk and impact analysis.
Citicus says that although banks have experience in the areas of market and credit risk, IT or information risk is a relatively new discipline; initiatives such as Sarbanes-Oxley and Basel II are driving the demand to identify areas where information risk is unacceptably high.
Simon Oxley, MD, Citicus, says: "With Citicus One, IT and security managers can go to the board and present strong and well-supported cases to target and optimise expenditure on security controls to reduce risk and achieve IT governance objectives."