
Cyber Security: ESORMA Quick Start Guide

Published by Aldwych Factors Ltd

Copyright © 2020 David White, Mustafa Ahmed

All rights reserved. No portion of this book may be reproduced in any form without permission from the publisher, except as permitted by U.K. copyright law.

For permissions contact: enquiries@esorma.com

Disclaimer: CISM® is a registered trademark of ISACA®. Our materials have been developed independently and are not endorsed, sponsored, delivered by or connected with ISACA®.

Disclaimer: CISSP® is a registered trademark of the International Information Systems Security Certifications Consortium (ISC)2® Inc. Our materials have been developed independently and are not endorsed, sponsored, delivered by or connected with (ISC)2®, Inc.

Disclaimer: TOGAF® is a registered trademark of The Open Group. Our materials have been developed independently and are not endorsed, sponsored, delivered by or connected with The Open Group.

Accompanying book resources available here:
https://esorma.com/freegifts.html

This publication is designed to provide accurate and informative information on the subject matter for entertainment purposes.

The author makes no representation, warranty or claims as to the actual accuracy or completeness of the information contained.

This book is sold on the understanding that the authors are not
rendering services or offering advice through this book. The concepts
and ideas may not be suitable for your circumstances. You should
consult with a qualified professional advisor where appropriate.

You agree to assume all the risk of your business endeavour and the
authors shall not be liable for any loss of income, profit or any other
commercial damages or any emotional or psychological distress.
ESORMA Contents

Contents

Welcome 1
Cyber Professionals 1
Business First 2
Effective Control for Cybersecurity Practitioners Is A Must 3
Very Serious Outcomes Occur Often, Easily, By Mistake 4
Circumstances May Differ 5
How The 8 Practical Domains of ESORMA Can Help You: 6
Summary 11

Foundation 13
What ESORMA Is And Is Not 14
Every Business Has A CISO 18
Where To Start? 22
Learn While ‘Doing’ 24
This Quick Start Guide Is Here For You 25
Continuing Professional Education 25
Practical And Pragmatic 25
The Common Problem 26
Loose Frameworks Are More Adaptable 27
Is Security A Cost? Or An Enabler? 27
The ESORMA Membership 28
Wait There’s More! 28
What Alternatives Are There? 29
The Well-Architected GRC Framework 31
The Key Domains 32
ESORMA Summary 33

ESORMA Domain #1: Scope 35
How scoping is done 38
Categorisation: 39
Classification 39
Tools 40
The Information Asset Register 40
Geo-Mapping Tool 41
Information Flow Map 42
Fishbone Diagram 44
Case Study 44
Summary 45
Domain #1: Scope Questionnaire 46

ESORMA Domain #2: Priority 51
Two Ways To Measure Risk 52
Human Risk Factors 53
Key Tools 54
Job Rotation 56
Job Segregation 57
Key Risk Stages 58
Threats and Vulnerabilities 59
Risk Assessment & Prioritisation 61
The Five Major Components of Quantitative Risk Analysis 61
How To Calculate Risk 62
How To Invest In Safeguards Efficiently 65
Associated Safeguard Costs 66
Risk Registers 67
FREE Bonus Chapter Resource 70
Summary 71
Domain #2: Priority Questionnaire 72

ESORMA Domain #3: Evaluate 75
Business Impact Analysis 77
The objective of the BIA is to help you in several areas: 78
Timing 78
Priority 78
The Benefits of Using A Form Driven Approach 79
Understanding Through Interviews 80
Business Procedures 81
Information Systems 82
Real Assets 83
RISK Appetite 84
Genuine Business Benefits 85
Impact Statements 86
Timing 87
Risk Treatment 88
Risk Acceptance Framework 90
FREE Bonus Chapter Resource 91
Summary 92
Domain #3: Evaluate Questionnaire 93

ESORMA Domain #4: Enable 97
Risk Communication 100
Tools 100
Risk Awareness Checklist 101
Documentation 101
Compliance 102
The PDCA: PLAN - DO - CHECK - ACT Walk through. 102
Resource Management 103
Controls 105
Common Challenges To Security Programme Implementation 105
Summary 106
Domain #4: Enable Questionnaire 107

ESORMA Domain #5: Harden 111
Pre-Planning 112
Clarity 113
Capability 114
Disasters Happen 116
Business Continuity and Disaster Recovery (BC/DRP) 116
Business Continuity Management Lifecycle 117
Disaster Recovery 118
Disaster Recovery Plan Lifecycle 119
BCM/DRP Objectives 119
Summary 120
Domain #5: Harden Questionnaire 121

ESORMA Domain #6: Monitor 125
How monitoring is conducted 127
Strategy 127
Programme 128
Analysis 128
Response 129
Tools & Walk-through 130
SIEM 130
Continuous audit module 131
Manual audit logs 132
Heartbeat monitoring 132
Penetration Testing 133
Control objective evaluation 134
Summary 134
Domain #6: Monitor Questionnaire 135

ESORMA Domain #7: Operations 139
What is the alternative to a SOC? 140
Good security is invisible. 143
The Who? 144
The How? 145
The What? 145
Tools 147
Case Studies 149
Summary 150
Domain #7: Operations Questionnaire 151

ESORMA Domain #8: Comply 155
Geographic locations 156
Contractual obligations 157
Organisational principles 158
Optional standards 159
How compliance is done 160
Compliance tools 161
UCF (Unified controls framework) 161
CCM from the CSA 161
ESORMA GRC 162
Case studies 162
Summary 163
Domain #8: Comply Questionnaire 164

Change Is Needed 169

EPILOGUE 173
The Book Plan 176
The ESORMA Platform 176
Introducing The Authors 177
Mustafa Ahmed 177
David White 181
Special Thanks 184
Courses and certification 184
ESORMA Welcome

Welcome
Cyber Professionals
Today being any type of cyber professional is tough.

This is surprising since in many enterprises the cyber professional is the only person protecting the business from genuine threats and attacks.

Life is made more difficult when political games are played to suit other business agendas and, as a result, security is increasingly an area seeing cuts. Yet security is one of those areas where real value can be delivered to a business, given half a chance.

Indeed, the cyber professional is often underrated by management due to the focus on cost and not reward. Yet cyber professionals are the modern heroes of most businesses, saving enterprises from attacks on a daily basis, keeping the business from stuttering and from the brink of failure, and ensuring maximum uptime and minimum downtime by making sure both defence and recovery options are in place and operational.

Whether you are in this position or not, you will value many of the practical suggestions in this book, as they are available to you for little to no cost. Talking of no cost, there is also a set of online resources available for readers of this book that you can access for free at https://ESORMA.com/freegifts.html. The site was originally a resource created just for this book, but now offers much more.

If achievable within your environment, you are likely to want to increase your enterprise’s overall security, strength, posture and capability. These are three major additions you can add to ensure enterprise risks are covered.

Another worrying area for many cyber professionals is personal as well as enterprise risk.

While company directors are ultimately liable, it does not stop them from holding their cyber professionals accountable if caught out.

A partial, if not complete, solution is to engage with the management team using their own language, providing information about security in terms they can understand: specifically risk / return propositions rather than threat analysis and other technical details which, while they clearly demonstrate success, often fall on ‘deaf’ ears.

If the management team can’t immediately understand the information presented, they will not take it into account, and so a big part of the ESORMA process is to consider carefully how success, effectiveness and results are communicated.

There are key details which can make a big difference to your
protection, perceived success or failure.

Business First
As a business-first, enterprise-class risk management architecture, ESORMA was designed for cyber security practitioners focused on implementation.

There are many good works and certifications available for cybersecurity that cover a lot of theory, such as CISSP and CISM, much of which, we are not ashamed to say, underpins the practical processes outlined here. So knowledge of these or any other security certification will be helpful to a security practitioner, in addition to experience in the field.

The authors have delivered certification programmes to hundreds of cyber security professionals over the years, and have run their own IT departments and implemented their own security measures.

However, most professional certifications, usually as a result of their sheer breadth of topics, contain limited suggestions to help the cyber practitioner with implementation.

Effective Control For Cybersecurity Practitioners Is A Must
Today’s cyber practitioner is largely left alone to interpret cybersecurity practices according to their own experience, and this leads to a range of approaches to cybersecurity implementation, with a tendency towards strong technology solutions.

There is nothing wrong with employing strong technology solutions to control technological problems, especially when it comes to networks and network traffic, as indeed these should be closely controlled and managed where possible.

However, there are many other areas beyond technology which may be less controlled by automation, such as footfall, perimeter security, access and employee controls.

Many may see these areas beyond technology as being outside of their remit. An advantage of the certifications is that they provide insights into the wider breadth of understanding required of security, which is outside of the normal confines of IT.

In effect, IT controls, while essential, still leave many areas open for intruders and attacks, which must be controlled for security to be effective and for the overall security posture of an enterprise.

Very Serious Outcomes Occur Often, Easily, By Mistake
It has been noted with increasing frequency over many years that human issues have contributed greatly to the volume and scale of breaches.

Breaches continue to occur, despite systems being in place, as a result of checks not being carried out competently, or when the controls themselves become obsolete and ineffective.

The point is that the blame is often attributed to human error, when in many cases it is the humans doing what is right by them and the processes being wrong for the business. This can easily occur when security processes and procedures are changed.

Employees have been fired and fined, only for charges to be reversed and compensation to be paid, leading to unnecessary costs, nightmare employee relations and further, ongoing public embarrassment.

It is for these reasons that some companies never fully recover from a breach.

For instance, the transfer of data from one system to another may be required as a result of commercial requirements. Yet security constraints may be found to be so strong as to cause operators to find a workaround, without understanding the security implications of the act until it’s too late.

It turns out that ignorance can be a defence, when it is the company’s duty to protect and make information safe.

Circumstances May Differ
Certification students often ask how safety and protection may be deployed; the answer may be known, if not by the trainer, then by another student. The point is that deployment of protection is hardly covered and, to a large extent, CISOs are left to their own devices, literally.

Businesses need to know they are covered, and may believe their CISO is delivering very well across the enterprise without realising all the areas that may be missed. Clearly, breaches are not just continuing but, amazingly, despite billions worth of investment by enterprises in ongoing protection and operations centres, breaches continue to occur.

It transpires there is a uniform system of implementation missing from the operational arsenal of the vast majority of enterprises. A uniform system of implementation is found at the core of ESORMA.

We have designed our methodology to be flexible and to be operated to suit each person who puts it into operation. This is to avoid the business being reshaped or constrained to suit the architecture of the framework. The framework is deliberately loose to accommodate a wide range of business needs.

However, we are open to change and feedback as the ESORMA architectural framework grows and evolves.

Indeed, the chapter you might have seen first in a previous version of this book was called ‘Change Is Needed’. That chapter remains the same; however, it is now situated after the domains section, as feedback told us readers were interested in knowing what the domains could do for them first.

So without further ado:

How The 8 Practical Domains of ESORMA Can Help You:

Domain 1: Scope
The process of scoping is necessary to save time and money, to continuously identify the task ahead and to break down the mountain of work that is, frankly, necessary. Not only necessary, but continuous, as an enterprise is always changing, so priorities are always in flux, and threats also change.

You might also consider increasing staff awareness and helping them to become more conversant with the idea of scope, so they can act as your eyes and ears too. You can’t be everywhere all the time. This one act can dramatically increase the amount of enterprise protection and increase your organisation’s overall protection capability.

Enhanced capability should lead to less downtime. This could become a sales asset used to ensure enhanced customer and client satisfaction.

For ongoing protection please review domain 6: Monitoring.

The objective is to review the value of an issue in order to eliminate risk, costs and unnecessary processes and, in turn, to simplify, speed up and create a solution with enhancements. We start by eliminating unnecessary elements that may have been accepted in the past, by reviewing and discarding what is irrelevant. In turn, we should be able to reduce complexity and eliminate actions or steps and, as a result, define solutions to address or, better still, eliminate risks and find efficiencies.

Domain 2: Priority
You may already be comfortable with the concepts of
quantifiable and qualitative risk assessment. Yet are you clear
on what needs to be communicated to whom to help you
to drive the enterprise forward and give you the means to
adequately protect it?

Risk appetite is an impossibility for most to understand and accept, until it is too late. Then, when risk most certainly lands in your lap, you will probably wish you had been able to find a way to calculate and demonstrate an acceptable level of risk. Doing so can help provide you with a level of protection if a game of blame follows.

In this domain, we lay out how you can calculate the risk
appetite of your enterprise and its clients.

Prioritisation and triage are primarily conducted to focus on the essentials, to help prevent unnecessary wastage on less critical areas and provide further opportunity for refinement, again to reduce or eliminate risk and costs further, to find elegant and simple solutions with speed enhancements as well as cost reduction.

Domain 3: Evaluate
When you are aware of the risks and it is time to add
protection, what process do you use to adequately compare
and select appropriate controls for a given risk scenario?

This domain will help you answer this key question. You may
also consider how you might integrate the controls into a
business continuity and disaster recovery plan.


Such a plan is designed to minimise disruption for operations, customers and clients to ensure the quickest return to business operations. You will find a plan outline waiting and ready for you to build on and adapt.

Quantitative and qualitative analysis can highlight the most valuable assets of your organisation to help put controls in place. We can avoid wasting time in less effective areas and spend more time in areas of most concern, in turn more quickly and efficiently raising the overall protection of the business.

Domain 4: Enable
Well thought out business cases are made based on an evaluation before programmes and projects are started, saving wasted resources and ill-thought-out initiatives.

Many enterprises would benefit if more security professionals were able to put together a risk/reward business case in the language signatories can understand, digest and act upon. Such a business case normally requires a shift in language away from business security issues to focus more on operations, customer and client outcomes, even to the point of demonstrating the impact on bottom line profits.

There are four key factors that a good risk/reward case could include:

1) What can be eliminated from a process.
2) How processes can be reduced and simplified.
3) How to create or adjust a process in order to afford the protection required.
4) What key factors would be improved? For instance, by what factor would security be raised and what value would this bring? Or what speeds could be improved, and how would this have a bearing on time to market, service quality or assurances offered to clients as a result? How would these enhancements raise the profile of the company, enhance sales or improve customer or client satisfaction?

Domain 5: Harden
Hardening is about implementation and is a process that
must deliver on core objectives. It is important to show how
implementation will bring about cost savings, improvements,
and avoid or reduce downtime.

Business managers may agree with all the benefits of the change programme, yet they often defend operations and will not allow implementation for fear of delay and potential damage, and the subsequent effect on customers and clients. Reassurance is required and should be part of the risk/reward proposal.

Without communication of results, in their terms, it becomes increasingly difficult to persuade or even educate the management team on the effectiveness and results of the security investments achieved to date.

In turn, this can result in further progress being denied, to the potential detriment of the business.

It helps management greatly to see the benefit of security to operations, customers, clients and profits, as their goal is to smooth operations, satisfy clients and improve the bottom line. The more you can deliver to their agenda, the stronger the security an enterprise may employ.

Domain 6: Monitor
In an ideal world, automation should be part of each control, and most often this is the case. However, someone, or several people, who work at the sharp end where controls are employed could also manually observe behaviour and help to keep track of the control, to ensure operations are effectively maintained.

Often a fundamental change can occur to render a control inadequate, and yet the automation will still show it as a fully functioning control. On the ground, though, the implementation of new processes may mean the control has been superseded, rendering it and its monitoring a waste of time and money.

In addition, many controls create new weaknesses that also need to be understood and monitored carefully. The objective must be to ensure a breach does not affect operations and, in turn, is seen as a calculable, demonstrable benefit to clients, delivering additional levels of assurance to them.

Management is interested in learning and understanding the value of monitoring in four ways: a costed record of what has been eliminated; how much risk has been reduced; the benefits created as a result of monitoring; and how standards or effectiveness have been raised and shared with the wider organisation, again, as far as is practical, delivered with financial information.

Risk reports or threat numbers are not generally interesting to management teams, as they simply expect the monitoring team to manage all of that. A single line item may be useful in a report, perhaps with a summary paragraph in order to demonstrate comparative effectiveness.

Domain 7: Operations
Changes, incidents and audits can all bring about tangible
differences to operating procedures.

There are activities you can implement to help to keep the business requirements in sight at all times, while ensuring high levels of cybersecurity are maintained and adjusted accordingly.

Eliminating waste is an area of keen focus in operations. We can be creative where it is possible to specifically raise speed and quality by employing better security controls.

A key aspect of operations is always financial profitability. It is imperative we deliver the most results for the least cost. This information provides insights into what to look for, what to measure and what to report back.

Often the best option is to harness existing assets. This is an option that is readily available, quick and easily possible for most businesses.

Domain 8: Compliance
The key to compliance is to stay on top of change. Systems
and processes can change or become non-compliant. The
objective is to eliminate time lag, reduce complexity and make
compliance easy to manage and understand.

These updated systems need to continually comply.

Part of the compliance objective is that a business should continue to improve and enhance its capability. Awareness campaigns can be very helpful to maintain a close watch on compliance needs by harnessing the eyes and ears of employees, customers and clients.

This can be seen as a business differentiator, as customers and clients can see more while competitors care less. These additional-value effects create awareness and raise the security and profile of the organisation. Board and business managers would benefit from understanding how such a campaign would affect the rest of the business, especially if your presentation could demonstrate risk and rewards.

Summary
The game-changing ESORMA approach is straightforward, comprehensive and can be applied to all areas of an enterprise, whether technology focused or not, to ensure comprehensive protection, simplification, potentially increased speed to market, modernisation and real customer and client benefits.

This Quick Start Guide is designed to get you going quickly, so you can discover short term, low cost and rapid cybersecurity wins for your enterprise.

If you are in a hurry and want to make progress quickly, jump to Domain 1 and work through the short exercises at the end (each domain has similar exercises ready for you). This way you should find areas where you can make immediate improvement quickly.

If you have the time, take a few moments to read through the next chapter, Foundation, to uncover more about why ESORMA is truly a commercial and industrial game changer.

Thank you for investing your money, time and energy into this Quick Start Guide; we hope to hear of your success. Don’t forget to visit the book’s accompanying resource website: https://ESORMA.com/freegifts.html
ESORMA Foundation

Foundation
“There’s Always A Bridge To Success”

Your first question is probably: “is this for me?”

The answer is probably yes if you are interested in operations management, or are a security officer, director or owner of a business of any size, large or small, local or international, consumer or business focussed.

If you are interested in finding ways to reduce enterprise and personal risk and costs, increase effectiveness and make cybersecurity easy for others to grasp, this is for you.

ESORMA bridges the gap between Governance, Risk and Compliance and demonstrates how security can benefit business operations by reducing costs, increasing speed and strengthening security all round.

It also helps to solve communications issues across the board and helps you to focus on the needed results. Plus, there is a free to access online portal full of supporting tools.

So is this for you?

If you are in any way connected with the operational success of a business, its Governance, Risk or Compliance, then yes.

The biggest complaint most have in these areas is a lack of, or poor, communication resulting from poor transparency and the apparently wildly differing needs of the business, where few of us have the budgets or even the authority we need to do the job properly and effectively. However, there is a way forward.


It’s tough, and we hope to smooth out some of the wrinkles to help you find the essential harmonies in your enterprise.

What ESORMA Is And Is Not
We want to be very clear: ESORMA is an Enterprise Security Architecture framework that supports business processes to administer security implementation. It does not replace any other framework. It is also vital for you to have a sound body of knowledge to support you. ESORMA is designed to make your life easier in practice and security implementation more effective and comprehensive.

ESORMA is also not a replacement for CISSP, CISM or any other security training course. They are all great, often highly regarded, and contain a lot of very useful content that provides essential underpinning knowledge.

Neither is ESORMA a new NIST or ISO accreditation, and it does not replace them either.

ESORMA is a straightforward process that wraps around Governance, Compliance, Operations and, of course, the business itself, whether you plan to apply NIST, ISO 27001, Cyber Essentials or any other security standard.

There are a couple of game-changers. The big issue is that once you have adopted a standard, or taken a course, studied it and become certified, you are on your own to implement it. As a result, practitioners can go in any direction and tend to go in directions they are already familiar and comfortable with.

Some security practitioners are experts in network topology and can install extensive network protection, a useful skill. Others may come from a compliance background and may be better at managing organisational issues, also useful. The truth is that both skills are necessary, and this combination is rare to find.

The game-changer is the simple eight step process that can be considered in all areas of business, whether it has a technology bias or not. There are two great positive outcomes: first, that a uniform process can be applied that considers both technology and human requirements, and second, that anyone in the business can generally understand a process.

When the business is focussed on the process, technology is considered an enabler that must be applied for success. Process itself has a clarity that others, particularly management who have to sign off on security, can understand.

However, the clarity of understanding extends further, so that security has an output for operations: to deliver speed and/or simplification in addition to the desired protection, delivered in a compliant manner while also succeeding on the goals of enterprise governance needs and interests.

There is also an output for business management that should extend to sales, customers and clients too: with added uptime, increased speed and simplification, risks should be reduced and assurances and savings achieved that can lead to increased profits, price reductions or enhanced warranties. A business will find it has increased options as well as protection.

In older and multigenerational enterprises this is very important, as often skills are lost over the years due to retirement or personnel changes that can leave a business with little or less knowledge about earlier processes.

For example, due to the craftsmanship and skills required, it is impossible to build the extremely efficient rocket engines that powered the US mission to the moon, as this was before automation became a part of modern manufacturing. So today, despite the blueprints, the knowledge and skills are lost forever.

In short, many businesses operate not knowing exactly why or even how they do what they do, as they often live by the maxim: “if it ain’t broke, don’t fix it”. To an extent this makes sense, and yet legacy systems often suffer from not being ‘green’, or for reasons of governance or compliance need to be changed or reinvented.

Legacy systems also tend to be open from a security standpoint. They exist in many of the most modern and advanced organisations and continually pop up as companies grow through acquisition. There is no easy fix. IT is an element that must be considered in mergers and acquisitions to achieve satisfactory conclusions.

Legacy systems can include mundane areas like access control, crucial to security and data protection; perimeter defences that may be beyond network edge protection; and lighting, temperature control and other infrastructural items, especially those located across multiple sites of wide-ranging ages.

The authors are aware of a fabled telecoms room situated in a frontal formal building with a protected facade, where for reasons of legacy all telecoms come into the organisation.

It is the site of a very well known, centralised government institution with a massive finance department that manages billions in payments and receipts. The telecoms site is unmanned; only telecoms engineers visit. There is some very old copper equipment down there. Added to this, there is a rumour the vault is haunted.

It is not difficult to see the risks and the reason why staff don’t
like to go there. A perfect scenario that every hacker on the
planet would wish for. It cries out for modernisation. Yet it
would appear no one would like to take the disruptive risk and
so as it “ain’t broke”...


It might not surprise you if it came out the site had been hacked
years ago. Especially if the rumours were circulated in order to
protect this cosy environment.

This exists in an otherwise modern, forward thinking, well funded government enterprise. It was staff in the security department who told the author, with much hilarity and incredulity. This type of scenario is common.

Clearly, in this case, they did not feel they had the authority
or, it would seem, the ability to make the changes necessary
to protect the organisation, the key task they are assigned to
deliver on.

Something has to change here.

No doubt we will have to wait until a serious breach is uncovered and another year or two passes, potentially for the risk to develop into a breach! If it is a risk. The circumstances certainly appear high risk.

The first thing we would do is to follow Domain 1: Scope. Go and visit the location in question, take stock, record the event and, whether risks are identified or not, make an entry into the risk register to record our findings, and potentially take photographs.

The risk register should be reviewed with the business in accordance with governance requirements, in a comprehensive and compliant manner.

The main role that ESORMA helps is the Chief Information Security Officer (CISO). It would be normal for a CISO to focus on their area of expertise, to show quick results. This can be to the detriment of other parts of a business and the overall business as a result.

Every Business Has A CISO

Nowadays, every organisation has assets to secure and, one way or another, has a Chief Information Security Officer: a CISO, whether they know it or not. Even if no one has the title, the role exists. So what is going wrong?

Most often a CISO sits under IT, which is not necessarily ideal
as IT is not the whole picture. In smaller companies, it may well
be yet another role for the owner or CEO. Ideally, a CISO should
report directly to the board, as ultimately the board will carry
the can and the board needs to understand the importance and
value security can deliver first hand.

Either way, many see cybersecurity as someone else’s responsibility, when in fact we have a shared responsibility. Everyone needs to be vigilant and more of us need to be aware of vulnerabilities and how they exist in every area of business, in terms of physical and operational environments, internally and externally, from clients and suppliers too.

Plus, as the textbooks tell us and as we know in practice, there are gaps between governance, risk management, compliance and other areas of the business such as sales and operations.

Management seems to want to hand it over, almost as a necessary evil. They have either suffered an attack or feel it is only a matter of time before they get one, and tasking IT seems to be an appropriate way to hand off the activity.

A board director’s idea of ‘Hardening’ might simply be to hire a good CISO to work with IT. This is probably not the case from every other person’s perspective.

A methodology to link Governance, Risk and Compliance, to help people involved in all 3 areas communicate and cooperate, has got to be a great idea. Especially if the objective is to create a comprehensive and efficient security architecture.

If strategic plans exist that stretch across an enterprise to suit the objectives of the business, its management and governance, then it must be possible to deliver on them in an operational, compliant and cyber-secure manner. Strategy drives tactics and tactics drive operations. All the elements are expected to work together in harmony, and so who could ESORMA be for?

Everyone involved...

It is the missing link: it bridges across the most crucial areas of the business to make it all work, and at its heart is Plain English, built in to encourage vital, straightforward communication.

We all want to simplify the work involved, and this framework is based on just eight steps to encourage ‘muscle memory’ to be applied to every aspect of the business. Quick wins will invariably be found, and many will cost nothing to implement.

CISOs commonly tell us they are the budget. In other words, there is no budget apart from their salary.

Nil budgets may make some sense in the short term, as a lot can
usually be done at little or no cost by harnessing existing assets.
The first step is to scope, the second is to prioritise and this may
help you identify the budget you need for the future after quick
wins are identified and potentially delivered.

If you can map quick wins to clear business objectives, chances are budgets may be won to continue your success.

The first thing to do is always to scope out what you have. You
may find conflicting information. It is common to find what a
ledger says is different from what is in the field. Often, only a
manual process will bring this information up to date.

Invariably it is useful to consult with operational staff and colleagues; for many this is where the biggest bang per buck lies. Most of our colleagues are keen to help, they just need to understand more about what they need to do. It is inexpensive and, done well, can deliver huge additional returns.

Increasing returns on existing investment and providing accurate and up to date information are two ways to impress business owners, satisfy governance and ensure better compliance.

These two examples can be built upon, and we will quickly show how cybersecurity is an enabler, a driver of efficiency that produces economies, creates a more resilient business and provides greater assurance to clients, which in turn can lead to competitively enhanced propositions.

A CISO needs to talk the language of the business and show that governance and compliance goals are being met while improving the underlying business. A CISO becomes the active bridge between business, governance, compliance and risk.

No matter what we might think of the behaviour of our management, it is they who have responsibility. If a breach occurs, it occurs under their watch. The buck stops with them.

In addition, a breach may cause damage to operations and this, in turn, could affect clients. A breach could concern client data, and this could break a bond of trust that has existed for years and seriously affect relationships as well as reputation. Big risks.

In a recent interview, an experienced CISO explained:

‘Risk flows both ways’ Mike Osman MSc

Clients or suppliers may be the route an attacker takes to infiltrate our business, and this expands our purview dramatically. Through this we start to see how sensitive risk can be for an organisation: we have to check not only what we do, but also what our suppliers and clients do, deliver to us and forward onward.

Luckily, in terms of IT, many of us are comfortable with terms like ingress and egress. Yet these terms might not resonate with business directors, governance and compliance officers and many other colleagues who may not have heard them before and so do not understand the meaning of these words.

What I hope to have described is that the scope of cybersecurity is not just about problematical emails, or even internal technical issues. There is much about our environment, internally and externally, that we need to be concerned about, including how we communicate with each other.

Where To Start?

There is so much to consider. The next question many ask is “where to start?” In the case of an actual breach, or the heightened likelihood of a breach, the answer may be moot. Start plugging the dam!

Otherwise, as the picture serves to demonstrate, start with data. The CISO may discover what is really happening once in. Quite a risk: you may wonder if the real risk is that you might be in the process of being set up as the fall guy.

This is the process that should be followed to reduce risk as fast as possible. This is where the ESORMA framework takes shape. ESORMA stands for Enterprise Security Operations Risk Management Architecture.

The framework is designed to enable communication, trust and understanding by communicating the need for risk management across the business in ways that bridge operations, governance, compliance and security requirements.

A professional cybersecurity officer needs to be able to stand back, even in the heat of the fire, take stock and make the right decisions. There are tools to help the process and there are solutions to deliver results in more than one way. Without these, some of the best intentioned initiatives are delivered under pressure, which can make situations worse.

Processes associated with cybersecurity need to be embedded and become ‘muscle memory’, an automatic reflex.

First, take stock, scope the lay of the land, understand what is
really going on and then prioritise in order to ensure the most
important issues are resolved to reduce the amount of loss as
soon as is practical.

We cannot go back in time and fix a breach when it has happened. We can, however, identify the effect, minimise the loss and protect assets. Sometimes a simple solution is to turn equipment off; at other times this is simply not possible. Nevertheless, effective decisions have to be made.

During the time before a breach takes place, measures must be put in place to minimise the effects of a possible breach.

Thus we must scope out the need, prioritise, evaluate potential solutions and then enable the chosen solutions. There is often a requirement for discussion with key personnel and an actual fix or remedial action to harden the area of concern.

Thereafter we need to monitor the implementation to ensure it remains operational and does not suffer from new risks. We also need to operate our security, usually from a central point, and we need to make sure we continue to comply with all the needs of the business.

All in all, tall orders. However, this is the practical process of what needs to be done, over and over, and it needs to be communicated across to operational teams, to governance, compliance and to management.

In the communication, the mistake is for those who are focussed on implementation to communicate technical details and potential or actual breach events or threat numbers. Unfortunately, this kind of information means nothing to most recipients.

Business managers expect attacks to be repelled. They often appear to not want to know how. Business managers are more likely to be interested in how processes can be streamlined or modernised, or how much more resilient the business is than it was. What guarantees or warranties can now be offered to clients as a result?

As an aspiring security professional, you will know your job is never done. Yet the application of security concepts deployed in management terms will make your life easier.

ESORMA is not a replacement for knowledge, certifications, skills or systems like CISSP, CISM, NIST, ISO 27k or Cyber Essentials, and it does not replace years of experience either. It is complementary and should help you to smooth the way.

Learn While ‘Doing’

Most of what you will find here you should know or discover in the real world, hopefully, eventually, anyway. The point is that few certifications share enough of the approaches or show you how to bridge the gap to the practical and pragmatic.

If you are not certified, you will find the domains covered appear in most of the good certification programmes and so offer the chance to learn more about them while doing.

Most certifications refer to what you should do; few provide insights into getting things done. This framework’s methodology will help you to develop muscle memory for how all the parts fit together.

This Quick Start Guide Is Here For You

The great news is this guide is developed to help you to crack on. No hotel, travel costs or annual fees: the quick start and the tools are free to access, download and use.

Continuing Professional Education

If you are, or do get, certified to a professional security programme, you will probably need to maintain your continuing professional education (CPE) and acquire CPE credits to demonstrate your commitment to ongoing subject matter learning.

We recommend tracking all the time you spend on your ongoing education, as it not only helps you calculate CPE, it can form the basis of a good reference point of what you did and when.

The objective will be to track your access and use of information to provide a monthly record to certify the time you spend on your CPE relevant activities.

Practical And Pragmatic

There are many practical and quickly actionable processes to be found within this quick start guide. Not everything you can and should do is included; just some of the most essential activities you ought to review are listed. There is more available in the associated common body of knowledge (CBK). This guide has been produced to let you see a little behind the curtain, enough for you to get going, to get results in the short term, quickly.

Pragmatic, as we try not to be too clever. The people behind ESORMA, Mustafa Ahmed and David White, are both fans of Plain English. We have, as far as we can, eliminated jargon.

It is this focus on Plain English, and on overview rather than technical detail, that really helps to bridge the gap across the business in terms of implementation, governance and compliance, as it is best to communicate understandably in the language of the recipient.

For instance, the technicalities of all three specialist areas, governance, risk and compliance, coupled with the speciality of the business, can easily conspire to thwart simple communications between each of us, even though we are all on the same side.

The Common Problem

Simple everyday communication is a genuine and common problem in small business as well as in departments of large enterprises.

In most companies and departments, you have both the added burden of trying to do a lot with very few resources and the issue of marking your own homework, which can also be problematic.

It is not possible to completely eliminate these problems. It is our objective to encourage and inspire you to create custom solutions to suit your real-world commercial needs in such a way as to eliminate the ‘typical’ problems.

This means that as implementation experts we spend less time explaining the technology and instead talk in a language to satisfy the business, the interests of compliance and governance, and in turn release more time for implementation, which should provide you with more opportunity to overcome communication issues.

Loose Frameworks Are More Adaptable

Where possible it is always better to follow the business and not a given framework. You should always start from the centre with scope and then take any direction according to your real-world needs. You can step through in any order to suit you.

On the other hand, if you see an area needing your attention, you should start with scope and jump to the attention area to help you succeed in your objective. For this and other reasons, there is no other well-architected GRC framework like ESORMA.

Is Security A Cost? Or, An Enabler?

Many businesses approach security reluctantly and see it as an expense, although increasingly enlightened organisations see security as an enabler. A few see enhanced security as an opportunity for more and higher profit-making.

Most businesses avoid costs, as they are in business to make profits. Spending money on cybersecurity surely reduces profits, as it is a cost. Or is it?

Some companies, either because they have suffered from an attack, or because everyone else has suffered an attack, enter into cybersecurity as a reluctantly defensive fact of life. They hardly see the topic enthusiastically, as it can be expensive and often, from their perspective, is ongoing.

However, a more resilient business is likely to offer reliability and make better warranty offers than others, as they are more certain of their ability to continue to deliver to clients. This can be a major selling point in some industries, especially where trust and reliability are a big factor.

The ESORMA Membership

The membership portal is free to access and you will get a set
of accompanying resources for this quick start guide including
a checklist for each domain area of this guide and access to the
‘Actions Manager’, where actions can be assigned and more.

Our membership network allows for peer to peer focus and discussion of best practice, and an ability to share methods, processes and ideas to overcome classic communications dilemmas.

You can get access to all this and more by visiting https://ESORMA.com and clicking on the ‘free gifts’ navigation link.

Wait There’s More!

However, let’s not get too excited; what you see here is the ESORMA quick start guide. There is so much more to be found in the Common Body of Knowledge (CBK). We thought it best to start with this quick start version, to show a working system in order to demonstrate easily and quickly how the ESORMA framework can work for you.

Additional information and training are available to support implementation, which is likely to be a requirement for some business managers and cyber professionals.

We look forward to your feedback and welcome your questions via the ESORMA portal.

What Alternatives Are There?

There are not any real alternatives.

There are a number of common heavyweight and well-regarded governance frameworks. They tend to fall into one of two camps. Some are underwhelming when it comes to cybersecurity implementation, as they were developed years ago and are often found lacking in this area; cybersecurity has been tagged on as an afterthought and is simply not core, requiring a lot of invention, interpretation, understanding and creation (often from scratch). Others are the opposite, far too deep and complex.

Most frameworks are ideally suited to groups of people or teams who share a common understanding of the business operation, in the same language, and who recognise the need for best practices. These tend to leave the cybersecurity practitioner cold.

Unfortunately, when it comes to cybersecurity, while most will share a common understanding of business operations, few understand technical implementation requirements, and this is where it gets sticky for most. Often the left and right hands are simply blind to each other, and this can make life tough to monitor, manage, audit and verify.

No wonder so many breaches continue to occur, as more often than not it is the basics that seem to get missed.

ESORMA does not advocate specific technology solutions to common ailments; those decisions are still yours to make.

It is preferable for a specific solution, strategy or process to be created that is custom made by you, for you. Comprehensive objectives, coupled with your professional implementation capability, should leave few areas unconsidered.

You will find you will design, build and expand your
organisation’s level of competence over time in any case.

There is a need, therefore, for a straightforward, well architected, plain and simple security architecture and framework that does away with unnecessary terminology, verbosity and complexity. It must bridge the gap between Governance, Risk Management and Compliance, enable an organisation to communicate its mission and follow an effective framework or process plan, and ensure uniform and consistent protection across a business, in both its high and low tech areas, to protect data assets from all angles.

Game-changing, Cost Saving, Innovation

Most technical security is expensive. Yet cybersecurity, or more clearly stated, information security, is not technical and so does not always require technical investment.

Technical security can often be achieved by paying attention to system settings such as firewalls, which in smaller businesses or departments are often more secure than other, more complicated solutions. It is possible to take the risk out of systems through a redesign that conclusively eliminates the risk.

Thus we can innovate and find the cost savings business managers have always hoped to find, rather than continue to increase costs. On occasions when expenditure is required, we are better placed to position investment in terms of risk and reward.

The Well-Architected GRC Framework

ESORMA stands for Enterprise Security Operations Risk Management Architecture.

An agile architecture, methodology and framework designed to help you manage Governance, Risk Management and Compliance with just eight domains.

Management teams need to communicate effectively with cybersecurity practitioners and vice versa. An agile process is expected to deal with a constantly changing threat landscape. It is clear, as Scope is always applied to all domains first.

Tuned for fast, actionable solutions to real-world problems, without the clutter, to ensure modern enterprises are as protected as they can be.

In essence, the practitioner can quickly develop an action plan, and business managers will be assured of underlying value, as activity is undertaken in a compliant and auditable manner to both manage risk and deliver real-world business benefits to customers.

The whole point of this GRC framework is to make life easier for the practitioner, to enable understanding across the board, to make savings for the enterprise and to find and increase efficiency, while enhancing sales and providing customer and client assurance of quality and sustainable reliability.

The Key Domains

Security is complex enough in itself without needing to be further shrouded in a cloak of mystery; we hope you recognise the simplicity of this visual star approach. It always starts from the middle, through understanding Scope.

Priority - from all the information you have, the first thing to work out is your priority.

Evaluate - evaluate potential solutions, as often one may well satisfy a range of priorities.

Enable - whether it is a device needing activation or colleagues needing information.

Harden - attacks are frequent, the key is to protect against them.

Monitor - primarily an operations and compliance function, yet business management is generally very interested in the assurance offered, and many like to present the service and facility to assure clients in turn, too.

Operate - someone, and in small businesses that may be you, needs to ensure all systems are operating and responded to.

Comply - a subject so important, compliance deserves its own domain area.

ESORMA Summary

We did not want to put forward another 3 by 3, 9 by 9 or 3D grid to work through, as many frameworks provide those and, when you get to know them, they tend to fill you with fear and dread rather than the hoped-for clarity.

In any case, a grid does not suit ESORMA, as in the main, no matter what you do, even though there are eight domains, you always start in the middle with a constant need to Scope, whether the issue is small or large. If you are not Scoping, chances are you are not coping.

The ESORMA star is undeniably simple to understand, does not go unnecessarily deep and is certainly not too complex either.

The ESORMA domain star is designed to show simply that everything starts from a scoping exercise and could go in any of seven directions, in which all parts of this well-architected GRC framework reside. The objective is to suit the project you have in mind, not the ESORMA GRC framework.

Equally, there is no insider language or unique and new conventions. There is nothing new to learn or to confuse others with. If any language is to be followed, it should be the language of the organisation. As a convenient framework, ESORMA provides the basis to include all parts of your business within it while taking care of security.

These are some of the many ways ESORMA is a game changing cyber strategy; here are four more: exclude, decrease, design and enhance.

We applied this first to the entirety of ESORMA and then we decided to expand it to encompass every domain. This way we found at least 8 (domains) times 4 areas of difference. You will see as you read through that, in many cases, there are even more.

Added to these initial game changes, we started to look to see if we could add more value in a way that most enterprises would be able to easily assess, so that they would be likely to get a lot more output for a lot less investment. This again we feel we have been successful in, as the emphasis is on communication and understanding at a business rather than at a technical level.

A value focus allows for highly technical solutions, encourages results to be communicated on a risk / reward basis and encourages cyber security to be seen as a cost saver and business builder rather than an activity that gets in the way, erodes profits and slows things down.

If in practice we succeed in helping an enterprise achieve in any one of the areas we have applied focus to, then we will have something game changing.

Don’t forget to pick up your tools at https://ESORMA.com/ and select the ‘free gifts’ navigation item for all the free gifts that come with this free guide.

We look forward to your feedback, suggestions and applications of ESORMA, and we envisage regular updates. It is a work in progress; it can be moulded to your needs if you tell us what you want from it.

David White and Mustafa Ahmed, London and Manchester, 2020

In the next chapter, we will try to answer the biggest set of questions most cyber practitioners have most often: where to start...

34
ESORMA Scope

ESORMA Domain #1: Scope

“If you are not scoping, you’re not coping!”

Wherever you are in the world of governance, risk management or compliance, there is one thing for sure: you will be looking around, you will be reviewing either the work you have done, work completed recently, looking for improvement, or looking for circumstantial change.

There is a constant need to review. Some of us review annually, some quarterly, others monthly, and then there are those who review minute by minute. It may be something you do that is measured, instinctive, checklist driven or based on intuition and experience; everyone performs reviews in different ways.

To reduce ambiguity and for the sake of simplicity, we like to call it one thing: scoping. Its rate of constancy will vary according to your priority. The need to be continually alert, to scope, is a given; it should be part of everyone’s role. Generally, the more eyes alert and awake the better.

As you can see from the ESORMA star diagram, Scope, the focus of this domain chapter, sits firmly in the centre. This is because no matter what you do, whatever problem you face, no matter how much of a hurry you are in, you always start with Scope, as it can ensure your accuracy and efficiency.

Scope is not only the domain of the security practitioner; a lot of the responsibility also falls upon the governance function. In an emergency you have to understand where you stand and weigh up the merits of what you face before taking action. The same goes for all other stages and applies to every asset, from people to systems and equipment.

Please note: This quick start guide is not designed to be comprehensive; the guide is here to get you going quickly. At the end of this chapter you will find a simple questionnaire for you to complete in order to help to build a custom action plan to suit your needs.

“I already have my Info-sec certs, and I’m conversant with creating solutions but I’ve just been given the role of a security architect, where do I start?”

It’s not the first time a delegate on a bootcamp has asked this question, and it’s certainly not something unique to the information security industry, but it does highlight the need for clearer and simpler hands-on guidance. Many who are normally used to providing solutions for different architecture domains will sometimes be promoted to a lead or chief architect role and have to take on the vast responsibility of designing, modelling and documenting security architecture, as well as managing it and overseeing its implementation.

The TOGAF (The Open Group Architecture Framework) standard is quite versatile and is often adapted for Information Security Architecture, even though it isn’t primarily an ESA (Enterprise Security Architecture) framework. It is designed to be much more than that.

Of course we try to point professional students in the right direction, but there is only so much security guidance and consulting you can do when you have a room full of delegates waiting for you to teach a general Enterprise Architecture like TOGAF. So I have always wanted to work on a more practical framework to point them to: a way to try and make it easier to break down the huge and daunting info-sec task, to limit its scope to the essentials and then grow outwards from there. This is why we start here with Scope, as a clear scope will save you time. Scoping will help you to cope, by breaking larger architectural tasks into practical, manageable chunks.

It is always good practice to find out what is within scope or out of scope for the immediate task at hand. The practice of scoping should become an automatic ‘muscle memory’ key skill, ready for use and application on every occasion. It is embedded into the heart as domain #1 for this very reason. It is possible to quickly apply scope to every aspect of enterprise security, whether the issue is simple or complex, especially as we all look for quick wins.

However, it needs to be understood that senior management have determined to understand, define the scope of and document the assets the organisation has, what needs to be protected, and how much effort and money they are willing to expend in protecting it.

Determination is one thing; doing it may well be your job, and if you are new in the post, the chances are the ideas, concept and objectives are sound, yet in practice everything may have fallen behind the objective curve.

Scope is usually formalised by commissioning the production of an asset register. Most organisations will have some sort of listing of their assets together with the location and value of each asset. Such lists are often found in IT departments and may also exist in the purchasing department too. Usually, if there are more lists, they will be different. Plus, you will also want to seek out a staff list with their responsibilities. Usually missing is data.

Data is a mobile asset of an organisation, and this requires enterprise owners and managers to understand that their data has value. Its value needs to be documented together with its location and details of where it may be moved.

How scoping is done

Scoping data first and foremost entails understanding the types of data received or created and stored by an enterprise and categorising it. After data has been categorised it will need to be classified based on its value (to the organisation), its criticality and its sensitivity.

Categorisation
Some examples of types are:
• Personal data
• Proprietary sensitive data (trade secrets, patents, IP and copyrights)
• Proprietary non-sensitive data (publicly available)

Classification
Corporate classification of data usually looks something like the following (though the labels may differ):
• Strictly Confidential (for some individuals only)
• Confidential (for a particular corporate group only)
• Internal (for everyone inside the organisation only)
• Restricted (can be shared with selected third parties outside of the organisation)
• Public (for public consumption)

A combination of categorisation and classification is used to determine how much effort (and money) needs to be spent to protect data.

Tools
Many different tools and methods can be used to do scoping
of data. The examples shown are usually found to be the most
useful for the task:

The Information Asset Register

Information Asset Register (listing data and contractually responsible owners and custodians)

You may already have asset registers in place for computer hardware and physical equipment, so extending them to include information assets is not going to be too difficult.

Just like physical assets, information needs to be located, evaluated and have its owner, value, location and classification all listed next to it. If it includes personal information then more elements have to be recorded, such as whether the enterprise is a controller, processor or both for the data asset. This can be done in a spreadsheet or in an online tool.

Geo-Mapping Tool
Geo-Map (Shows where in the world the data is stored)

Greg Mahlknecht CC BY-SA 2.0

With information being a non-physical and ‘mobile’ intangible asset, knowing where each data set is stored is important for compliance reasons as well as logistical and performance reasons. Are local data centres being used, or remote? How does that impact the risk? Cloud computing makes it even more complex, with replication and fragmentation of data across multiple data centres.

A tool for looking at where data is on a geographical map can help establish control over it, at least at the documentation level.

Information Flow Map

Information Flow Map (tracks where the data flows within and outside of the organisation)

Aadils96 CC BY-SA 4.0

It is important to know where information travels inside or outside of an organisation. An Information Flow Map tracks this movement and lets you see which mobile assets move around, so that the risk to them can be analysed and assessed.

Corporate Role Calculator
Corporate Role Calculator (to determine if you are a controller or processor or both)

The Corporate Role Calculator is a list of questions or a checklist that can be used to determine if you are a controller of data or a processor or both according to the local or international data privacy laws.

The ICO in the UK have made this easy by providing the checklists, as can be seen here: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/controllers-and-processors/how-do-you-determine-whether-you-are-a-controller-or-processor/

Fishbone Diagram
Fishbone Diagram (showing all different reasons for a
classification)

KellyLawless - CC BY-SA 3.0

A fishbone diagram (sometimes called an Ishikawa diagram or cause and effect diagram) is used to analyse the causes of risk. Usually a threat to information can come from multiple sources. This tool can help document all the causes of an effect (risk) and aids an information security practitioner in determining what mitigation to apply if needed.

Case Study
Download the original case study pdf from the ESORMA
Portal at https://ESORMA.com select the ‘free gifts’
navigation item for all the free gifts that come with this free
guide.

“This study describes a tested model that key constructs to consider when assessing the value of organisation information security assets. The research focuses on practitioners and researchers in the IT security field and tries to contribute significant knowledge on information security value chains in an organisation. The authors have proposed an evidence-based model. It combines theoretical work with real-world scenarios for assessing information security values in an organisation.”

Summary
In this chapter we looked at what scoping is, who is
responsible and why it is necessary.

We looked at the methods and tools used for the scoping process and gave a walkthrough of how to use these tools to scope the data of the enterprise. We mentioned a real-world case study to understand how data value is calculated and we mentioned how all of this can be made simpler using the framework tools available within the book section of the ESORMA portal.

Once the scoping is done the risks that apply to the scoped data can be calculated and evaluated using tried and tested techniques. This is all covered in the next ESORMA domain #2: Priority.

Domain #1: Scope Questionnaire

Our first question that is desperate for an answer is: where are we now? What has happened to cause us to review scope?
__________________________
__________________________
__________________________
__________________________
__________________________
__________________________
__________________________
__________________________

What preceded this situation?
______________________________________________________
______________________________________________________

What activity do we expect to follow up with?
______________________________________________________
______________________________________________________

Why are these our conclusions, what evidence do we have?
______________________________________________________
______________________________________________________
______________________________________________________
______________________________________________________
______________________________________________________
______________________________________________________
______________________________________________________
______________________________________________________
______________________________________________________
______________________________________________________

How would we categorise the data, if any involved?

• Personal data
• Proprietary sensitive data (trade secrets, patents, IP and
copyrights)
• Proprietary non-sensitive data (publicly available)

Notes:
______________________________________________________
______________________________________________________
______________________________________________________
______________________________________________________

Authorised Personnel:
______________________________________________________
______________________________________________________
______________________________________________________
______________________________________________________

How would you classify the security level?

• Strictly Confidential (For some individuals only)
• Confidential (for a particular corporate group only)
• Internal (for everyone inside the organisation only)
• Restricted (can be shared with selected third parties outside of the organisation)
• Public (for public consumption)

Notes:
______________________________________________________
______________________________________________________
______________________________________________________
______________________________________________________
______________________________________________________

Authorised Personnel:
______________________________________________________
______________________________________________________
______________________________________________________
______________________________________________________

Which tools will we use or refer to?

• Information Asset Register
• GEO map
• Information Flow Map
• Corporate Role Calculator
• Fishbone Diagram
• RACI

Other:
______________________________________________________
______________________________________________________
______________________________________________________
______________________________________________________

Please note you can buy additional printed copies of the Workbook Only version of the ESORMA Quick Start Guide online, should you want to run a workshop or measure progress over time. Here: https://www.amazon.co.uk/dp/B08C94SLSP

Please register online for all the online goodies that come with this quick start guide:

You will find: Case Studies, Checklists, Graphics, Templates, Calculators, the latest PDF of this guide and a separate questionnaire designed to help you design and record your personal, custom plan of action.

Register here: https://ESORMA.com select the ‘free gifts’ navigation item for all the free gifts that come with this free guide.

You will also learn how to get your own custom branded
questionnaires and how to organise one to one training,
support or consultancy and custom on site, or open, hotel
based training events.

You will also get access to a suite of tools that should help you
in your ongoing ESORMA journey.

Take Scope Training & Earn 10 CPEs
Our one day ESORMA ‘Scoping Master Class’ combines cybersecurity, management, architecture, operations, communications and project management skills and rewards delegates with ten CPEs: one for each hour spent in class and three for taking the Scope Assessment. Find out more at ESORMA.com/training.html

Next Up...
The next chapter is about setting priorities. There are several
scenarios you will face, for instance what to do in the face of
an actual attack, plus, how to define a solid defence strategy
during quieter times.

For good measure we touch on safeguarding assets of the mechanical and the human kind.

There are a couple of methods you are probably already familiar with designed to help you assess risk levels. You will also find employee suggestions you may want to implement to ensure segregation and avoid collusion.

50
ESORMA Priority

ESORMA Domain #2: Priority

“The difference between urgency and importancy*”

Just about everywhere is frantic, some of us are actually under fire, there are operations rooms managing tens of thousands of threat attacks per day. Cyber theft is big business, especially when there is a lot at stake.

The reason for all the pressure and tension is simple: just one successful attack can be devastating.

So much is going on that clear heads are needed, and these are usually provided by those who take a perspective view, who can see the whole and from it are able to see order and therefore assess priority.

Prioritisation is essential. Whether you are looking from a governance, risk management or compliance perspective, each needs to be delivered on for consistency to be achieved and, most importantly, to make sure that as we close down one threat vector we don’t even momentarily open up another, new one.

However, sometimes, when we are actually under attack, we need to prioritise in triage mode. Triage mode means we need to work fast, maintain a cool head and have strong, in-depth scenario knowledge, where preparation can be a life saver.

Understanding and managing risk is key to the stability of an enterprise. The objective is to sidestep or overcome risks before they occur. Risk is a way of measuring the uncertainty of an endeavour. An endeavour can include health, well-being, wealth, property, production and service delivery. Risk measurement can help us to prioritise; usually the simple equation is that the greater the likelihood of loss, the greater the opportunity we have identified to lock down.

Two Ways To Measure Risk
Risk is so diverse it can be difficult to measure, and so measurement is typically done using either quantifiable or qualitative methods. Quantifiable methods are obvious as they are numeric.

A quantifiable method may be a weight or a value, for instance. Whereas a qualitative method may be a view such as small, medium or large, or cold, warm or hot, where you do not actually know specific temperatures, sizes or weights, yet we can estimate a spectrum of them using a rough comparison based on human knowledge, experience and intuition.

In practice qualitative measurement is fast to do and as a result inexpensive too. Whereas quantitative methods may require items to be carefully weighed or counted, for prices and weights to be looked up, or to be assured by a third party; all these activities will add time to the process and invariably, time is money.

As risk is measurable it can be apportioned and different assets can be compared to each other. However, the risk practitioner should also consider human factors that affect risk, and these are vital to assess.

Human Risk Factors
Incorrectly, humans are seen as the weakest link in security scenarios. This has to change. If a colleague can see the sense of a security precaution and yet is in a hurry, that person may circumvent, avoid, subvert or disable security controls in order to get the job done, perhaps for a perfectly innocent reason, perhaps not. A person with a grievance who feels unreasonably treated may develop a deliberate intention to cause damage, delay or exposure.

Human error, deliberate or accidental, can occur in all areas of security. We must be very concerned about the access given to staff, the scope of their operation and their ability to control their environment and the data within it.

Mundane as they may seem, Job Descriptions are an important step in the design of a security solution as they help security practitioners to be clear about the controls that each role has access to. The objective is to distribute control over a range of employees so that no one person has complete control, and subsequent changes to controls will require the scrutiny and acceptance of more than one person.

In defining Job Descriptions we define Job Responsibilities, and this determines what access each role would have to resources, devices, systems and services. The role must be granted access privileges related to the tasks that need to be undertaken. We focus on the principle of least privilege, where we provide only the amount of access necessary for the job to be done, nothing more.

A potential problem exists in most businesses where managers have significant access permissions they don’t need or use. Business owners, Directors and Managers are often sought out and targeted for this reason.

Key Tools
There are a range of key tools available to security managers
that largely involve no cost and no technology. They include
Least Privilege Access, Job Rotation, Job Segregation, Candidate
Screening, Employment Agreements and Policies, Non-
disclosure agreements, non-compete agreements, on-boarding
and most importantly: employment termination. These can
greatly help you to form priority based formal processes that
delineate and assist in the enforcement of exactly what your
staff and colleagues can and cannot do.

You may think that highlighting employment termination as an important tool for a security manager is a bit harsh. It is; I wanted to get your attention for a very good reason. Most businesses ignore this step and allow staff to leave with assets, on full pay (sometimes for months and in some cases years) and full access.

Even with these benefits remaining, former staff are likely to be highly disgruntled, further annoyed by their personal experience of waste and loss. If they were not prepared to take out their grievances before their employment was terminated, they may now be. They have even been left with all the means they need: money, equipment and access.

Think about this a little, these are people who know your
secrets, they know how your systems work, they may know
where your most valuable data is and if they know all this, they
may even know who will benefit the most from it (here’s a clue -
it’s not you) and who your biggest competitor is...

Many of the tools you need probably exist within your firm’s
standard terms of employment, yet they should be understood
and implemented correctly, particularly employment
termination.

Disconnection from controls should occur before the person is due to be terminated, which in areas of sensitivity means as soon as a decision to terminate is made, as it is vital to disallow system changes, outages or exposure after notification has been given.

There are many employees whose employment is terminated who continue to get paid and continue to have the use of enterprise equipment and systems because termination procedures were not followed.

In recent months and years senior executives continue to leave enterprises of all sizes and types, including local government and utility companies, often as a result of a row with a senior executive. These people often raise the prospect of a PR disaster, so all is done to keep the problem from the press and often, as a result, from the enterprise itself.

Imagine senior executives, on full pay, the highest pay, with authority and the highest level of access, freewheeling in an open market, angry. It happens regularly, causing millions in losses every year. You can imagine the difficulty, as this is a very real problem that the majority of senior execs will not want to admit to, yet it happens all the time. Someone has to let them know it can happen and they need to know you are there to reduce the exposure, hopefully before it becomes a problem.

Not only is it appropriate to ensure all items are returned and access denied, it is also an opportune time to remind the exiting employee of the agreements they made on joining the enterprise, and they should clearly understand what information is considered sensitive.

Some of the more cavalier types may not realise or appreciate that they must not use or share this information in the future. In fact they may make a point of selling this information to future employers, and those who pursue this path as their modus operandi can pose a large future risk to any organisation. It is so important that these areas are locked down, internally at the very least, as soon as possible. This also applies to middle management, who are used to holding the keys and to flexing their power muscles.

Job Rotation
Job Rotation is a technique that builds in both redundancy and
security. Job Rotation is often referred to as Cross Training in
the UK. Having more than one person able to undertake a role
ensures a business will experience less downtime as they have
a range of colleagues who are able to undertake the required
roles in case of illness or incident. In addition, moving people
from one role to another ensures best practices are maintained
and reduces the occurrence of fraud, theft, sabotage and
information misuse. Cross Training enables peer auditing and
protects against collusion.

In smaller companies this may not be possible and the only person to rotate with is the owner or CEO. Even so, the principle still applies, and if staff are informed that this could be a possibility, then it may be all you can do to put a stop to events before they happen.

Job Segregation
Similarly Job Segregation is about separating key activities,
especially those that depend upon another to operate effectively.

For example, the person who enters invoices should not also be the person who pays them. An obvious example, yet in small accounts departments still common, and similarly for stock management. In the case of software development, developers should not be the only people to test their software, as the chances are that ‘difficult’ areas may be overlooked.
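As an added example, not taken from the ESORMA guide or its portal tools, the Python below models the two controls described above, least privilege and job segregation, over a constructed role model. It derives each person's effective permissions from their roles, flags anyone who holds both sides of a conflicting duty pair (entering and paying invoices, committing code and signing off its testing), and lists granted permissions that a constructed 90-day access log never shows being used, which are the candidates a least-privilege review would remove. Every role, permission, user and log entry is constructed for illustration.

```python
"""Least-privilege and segregation-of-duties review over a role model.

Added example: the roles, permissions, users and access log below are
constructed for illustration and are not taken from any real system.
"""

# Permissions each role needs for its job description (constructed).
ROLE_PERMISSIONS = {
    "accounts_clerk": {"invoice:enter", "invoice:view"},
    "accounts_manager": {"invoice:view", "invoice:approve", "payment:release"},
    "developer": {"code:view", "code:commit"},
    "qa_engineer": {"code:view", "test:sign_off"},
}

# Duty pairs that should never rest with one person (job segregation):
# whoever enters an invoice must not also release its payment, and
# whoever writes code must not be the one who signs off its testing.
CONFLICTING_DUTIES = [
    ("invoice:enter", "payment:release"),
    ("code:commit", "test:sign_off"),
]

# Role assignments (constructed). Bob and Carol each hold two roles.
USER_ROLES = {
    "alice": {"accounts_clerk"},
    "bob": {"accounts_clerk", "accounts_manager"},
    "carol": {"developer", "qa_engineer"},
    "dave": {"developer"},
}

# Constructed 90-day access log of (user, permission actually exercised).
ACCESS_LOG = [
    ("alice", "invoice:enter"), ("alice", "invoice:view"),
    ("bob", "invoice:view"), ("bob", "payment:release"),
    ("carol", "code:view"), ("carol", "code:commit"), ("carol", "test:sign_off"),
    ("dave", "code:commit"),
]


def effective_permissions(user, user_roles=USER_ROLES, role_permissions=ROLE_PERMISSIONS):
    """Union of the permissions of every role the user holds."""
    perms = set()
    for role in user_roles.get(user, ()):
        perms |= role_permissions[role]
    return perms


def is_allowed(user, permission, user_roles=USER_ROLES, role_permissions=ROLE_PERMISSIONS):
    """Access decision: deny by default, allow only via an assigned role."""
    return permission in effective_permissions(user, user_roles, role_permissions)


def segregation_violations(user_roles=USER_ROLES, role_permissions=ROLE_PERMISSIONS,
                           conflicts=CONFLICTING_DUTIES):
    """Map each user to the conflicting duty pairs they hold in full.

    A violation can arise from one over-broad role or, as here, from
    combining two individually reasonable roles in one person.
    """
    violations = {}
    for user in user_roles:
        perms = effective_permissions(user, user_roles, role_permissions)
        held = [pair for pair in conflicts if pair[0] in perms and pair[1] in perms]
        if held:
            violations[user] = held
    return violations


def unused_permissions(user, access_log=ACCESS_LOG, user_roles=USER_ROLES,
                       role_permissions=ROLE_PERMISSIONS):
    """Permissions granted to the user that the log never shows them using.

    These are the permissions a least-privilege review proposes removing.
    """
    used = {perm for who, perm in access_log if who == user}
    return effective_permissions(user, user_roles, role_permissions) - used


if __name__ == "__main__":
    for user, pairs in segregation_violations().items():
        print(f"{user}: holds both sides of {pairs}")
    for user in USER_ROLES:
        print(f"{user}: granted but never used {sorted(unused_permissions(user))}")
```

Running the module reports Bob (enters and pays invoices) and Carol (commits and signs off code) as segregation violations, and shows that Bob has never used two of the four permissions he holds. In a real review the access log would come from the systems' own audit trails rather than an inline list.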

Not everyone is a criminal or has criminal tendencies; however, people change, people are influenced, people become aggrieved, circumstances change, and staff are not the only culprits.

Contractors, partners, suppliers and customers have varying attitudes and abilities too. While the vast majority are stable, honest and earnest, they can all change, both in consumer and corporate scenarios.

For example, electricity meters are often bypassed and false meter readings supplied. This is so common, even today, that we have meter readers visit homes and commercial properties who not only read meters but also visually review measuring systems for tampering.

Key Risk Stages
Risk is made up of a series of elements. Understanding each element can help us employ protection where needed, which invariably leads to efficiencies due to increased up-time.

Businesses are under threat all the time. The volumes of threat vary widely; in the case of most enterprises threats occur at the rate of tens of thousands a day. A threat in and of itself is not necessarily a problem.

A threat is in effect a side effect of a weakness. Attackers may be the cause of thousands of threats, or they may occur naturally at any time of day, using any medium; they may be random, or they may be patterned. Threats exploit Vulnerabilities which, if successful, result in Exposure. The risk is the likelihood of a threat exploiting a vulnerability (known as impact). So the type of vulnerability and how often it can occur will determine the exposure, in that it depends upon what is being attacked and what the vulnerability is as to whether, when and how much sensitive data is exposed or not.

By looking at our systems and by looking at the threats we receive we can assess the types of vulnerabilities we might have to deal with and determine the potential exposure. When we identify risk we can mitigate it by employing safeguards that are designed to protect from risk the assets that continue to be endangered by ongoing threats. We are only concerned with threats to determine what assets are being threatened, so as to harden the protection and increase the power of the safeguards we employ to protect them.

Threats and Vulnerabilities
Part of risk management is to identify and examine threats. Not all threats are IT related and not all threats target IT vulnerabilities. For instance user errors are not intentional and may occur. It is important that we learn of them, not only to ensure they don’t happen again, but also to make sure that if they do the resulting damage is as minor or uneventful as possible.

The majority of threats tend to come from remote sources, yet these are not necessarily the most dangerous. Many are IT driven: criminal activities by authorised users, social engineering, former disgruntled employees, intentional attacks, illness, epidemics, pandemics (see Human Risk Factors above), viruses, cascade errors, buffer overflows, privilege abuse, processing errors, programming errors, equipment failure, temperature.

Then there is the misuse of data, changes to data classification, data handling errors, manipulation, intrusions, inspections and restrictions, loss of data and business interruption.

Many business interruptions can be planned for in advance; for instance, natural disasters may result in supply or access being denied or in operational units being shut down due to outages. So, in situations determined as critical, alternative power solutions may be investigated and invested in.

These may be rare, yet existential events are best planned for as
they tend to be catastrophic. For instance in any 24 hour period
there are thousands of deaths, road traffic accidents, hundreds
of fires, floods, power failures, plus the odd earthquake and
eruption too.

Chances are hopefully, they will miss you, yet they happen
daily and just one of them can hurt not only your business, but
many other businesses that you work with and you may suffer
from the knock on effect of someone else’s difficulty especially if
your enterprise operates within a vast but tight interconnected
supply chain, as most businesses do nowadays.

Following a risk analysis you would follow with a Business Impact Analysis to identify the most important parts of the business. Like the body, which focuses on the blood supply to the heart and brain in the case of trauma, an enterprise should focus similarly on its most important organs and, in the case of disaster as a result of the threat and the vulnerability, prepare alternative supply lines and be prepared to switch to a new location and continue in the face of a dire emergency.

As well as measuring risk quantitatively and qualitatively, you will also want to calculate how much time you have: how much time it takes to restore data from backups in an emergency, how much data is backed up, and in turn to be certain that you have a backup of the backup, to know how long it takes to undertake a complete restore and to know if that is an important consideration. For instance, to restore a production line you may only need to know what is being processed at the time of failure in order to restore the process elsewhere.

Risk Assessment & Prioritisation
Ideally the rule of thumb in assessing risk is to try to employ a measurement process that is standardised so Risk Assessments can be compared and prioritised. Quantitative processes lend themselves to this, especially if the quantification is determined in a currency management can understand. Provided all risk assessments are completed to a standard method then comparison and scale can be readily understood and prioritisation can take place.

Most enterprises want to ensure they identify the biggest risk and solve it first. This is because we do not want to waste time and money protecting assets that do not present much risk, and want to focus on asset areas that present the highest risk to an enterprise.

The Five Major Components of Quantitative Risk Analysis
1. Asset Value (AV)
2. Exposure Factor (EF)
3. Single Loss Expectancy (SLE)
4. Annual Rate of Occurrence (ARO)
5. Annualised Loss Expectancy (ALE)

These components enable you to prioritise and then derive comparable cost/benefit results. When you have a true and comparable value of the risks you can compare the values in order to prioritise, and you can also compare the value to the cost of mitigation.

How To Calculate Risk
To calculate the Asset Value (AV) each asset will need to be valued. Assets can be valued in terms of cost of replacement or in terms of criticality of the asset to service delivery; maybe that is a qualitative assessment.

One way or another you must devise a standard method for calculating AV that suits your enterprise. The more you are able to standardise your calculation processes, the more reliable or accurate will be the basis for future comparison. It is important to look to do this, as there will inevitably be elements to your calculations that circumstantially may have to be realistic estimates, and so you cannot have one rule for one thing and a different rule elsewhere; you need to find a way to achieve a balanced outcome. You may invent your own formula or denote a given amount accordingly.

Here is one suggestion: it is possible to convert a qualitative assessment into a mathematical value. For instance you could add a multiplier of 0 if the asset has nothing to do with production and a multiplier of 10 if it is critical to core production.

To calculate the Exposure Factor (EF) you would need to research the possible threats to each asset and calculate an Exposure Factor. From this you should be able to calculate the chances of a Single Loss Expectancy (SLE), the likelihood of an asset being lost to a threat, and then do the calculation on an annual basis to calculate the Annual Rate of Occurrence (ARO).

With these numbers we can calculate the Annualised Loss Expectancy (ALE). Luckily there are accepted formulas we can use; here they are:

SLE is calculated by multiplying the Asset Value (AV) by the Exposure Factor (EF): SLE = AV * EF. Note: EF is always a %.

The Annual Rate of Occurrence (ARO) may be well known; for instance it may be that a component simply wears out according to usage, so this would be easy to calculate, or someone may know the asset is likely to fail every two or three years. Or perhaps the manufacturer publishes a guarantee or provides information about the life expectancy of the component. When you have the ARO, you can calculate the ALE and happily there is a formula for that too:

ALE is calculated by taking the Single Loss Expectancy (SLE) and multiplying by the Annual Rate of Occurrence (ARO): ALE = SLE * ARO

For a lot of assets this can be a lot of calculations; software and spreadsheets can help. You will find a Risk Assessment calculator accessible from the ESORMA portal.

Download the Risk Assessment calculator from the ESORMA Portal at https://ESORMA.com select the ‘free gifts’ navigation item for all the free gifts that come with this free guide.

Please note: after you have prioritised your risks and researched the mitigations and costed them for comparison, when the mitigation is installed you will need to run the Risk Assessment calculation again to take account of the safeguard, in order to see how the new, albeit hopefully reduced, risk stacks up.

The new safeguard should change the ARO for the better. The
EF usually remains the same. Rarely would a safeguard reduce
the ARO to zero. In addition a safeguard normally introduces
additional threats as safeguards are likely to be open to attack
too. You will need to add the cost of the safeguard to the cost of
the asset when recalculating.

Safeguard costs recalculation is included within the Risk Assessment calculator accessible from the ESORMA portal.

Don’t forget to download the Risk Assessment calculator from the ESORMA Portal at https://ESORMA.com select the ‘free gifts’ navigation item for all the free gifts that come with this free guide.

How To Invest In Safeguards Efficiently
When you determine a safeguard will cost significantly less than the risk you can determine where you can most efficiently invest in risk mitigation.

Each component must be assessed and calculated in a standard, uniform manner, as described before, and then the costs of the safeguards are added and the calculation run again. You can then compare the resulting figure and determine the true value of applying the safeguard, comparing the costs of your Assets to Assets with Safeguards.

In practice this is an important assessment process, as an asset may be subject to multiple threats, each threat may require different safeguards and each safeguard may have a different set of costs.

In effect we have a set of calculations we can use as a base number for the ALE with no safeguard in place, and then we calculate an ALE with the cost of each safeguard. This will then tell us which is the most cost effective safeguard. Not that cost would be the only basis for making a selection, yet you should certainly be aware of how the different costs for the different safeguards stack up, as efficiency could end up as a deciding factor when trying to decide between one safeguard and another, especially if budgets are limited, as they usually are.

Associated Safeguard Costs
Safeguards, also known as countermeasures, have numerous costs associated with them, including the cost of purchase, development, licensing, installation, implementation and customisation, and parts and labour.

In many cases there will be associated wear and tear costs that can be calculated annually; also costs such as maintenance, administration, operation, testing and evaluation need to be catered for. There may also be productivity improvements or losses.

Costs should be calculated for each safeguard so a comparison can be made. A template for this can be found under a separate tab within the Risk Calculator spreadsheet accessible from the ESORMA portal.

The annual cost of the safeguard should not exceed the annual cost of the asset.

The Annual Cost of a Safeguard (ACS) is calculated by deducting the ALE after implementing the safeguard, plus the cost of the safeguard and its annual running cost, from the original ALE:

ACS = ALE (before safeguard) - (ALE (after safeguard) + cost of safeguard + annual cost of safeguard)
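The formulas from this chapter (SLE = AV * EF, ALE = SLE * ARO and the ACS comparison above) carried through in code, as an added example that is not the ESORMA Risk Assessment calculator. The asset value, exposure factor, baseline ARO and the two candidate safeguards are constructed figures; the safeguard is assumed to lower the ARO while leaving the EF unchanged, as the text says is usual, and its one-off and annual costs are entered separately so both terms of the ACS formula are present.

```python
"""Quantitative risk: SLE, ALE and safeguard comparison.

Added example following the chapter's formulas: SLE = AV * EF,
ALE = SLE * ARO and ACS = original ALE - (ALE after safeguard + its costs).
All asset and safeguard figures below are constructed for illustration.
"""
from dataclasses import dataclass


def single_loss_expectancy(asset_value, exposure_factor):
    """SLE = AV * EF. EF is the fraction of the asset lost in one incident."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a percentage between 0 and 1")
    return asset_value * exposure_factor


def annualised_loss_expectancy(sle, aro):
    """ALE = SLE * ARO. ARO is the expected number of incidents per year."""
    if aro < 0:
        raise ValueError("annual rate of occurrence cannot be negative")
    return sle * aro


@dataclass(frozen=True)
class Safeguard:
    name: str
    purchase_cost: float   # one-off: purchase, installation, customisation
    annual_cost: float     # recurring: maintenance, licensing, operation
    aro_after: float       # ARO expected once the safeguard is in place


def safeguard_value(asset_value, exposure_factor, aro, safeguard):
    """The chapter's ACS: original ALE minus (ALE after safeguard + its costs).

    The safeguard is assumed to lower the ARO and leave the EF unchanged.
    A positive result means the safeguard removes more expected annual loss
    than it costs; a negative result means it does not pay for itself.
    """
    sle = single_loss_expectancy(asset_value, exposure_factor)
    ale_before = annualised_loss_expectancy(sle, aro)
    ale_after = annualised_loss_expectancy(sle, safeguard.aro_after)
    return ale_before - (ale_after + safeguard.purchase_cost + safeguard.annual_cost)


def rank_safeguards(asset_value, exposure_factor, aro, safeguards):
    """Order candidate safeguards for one asset by ACS, best value first."""
    scored = [(s.name, safeguard_value(asset_value, exposure_factor, aro, s))
              for s in safeguards]
    return sorted(scored, key=lambda item: item[1], reverse=True)


# Constructed asset: an order database valued at 200,000, of which a loss
# incident is judged to destroy 25%, expected once every four years
# (ARO 0.25) with no safeguard in place.
ASSET_VALUE = 200_000
EXPOSURE_FACTOR = 0.25
ARO_BASELINE = 0.25

# Constructed candidate safeguards for that asset.
SAFEGUARDS = [
    Safeguard("Offsite backups", purchase_cost=4_000, annual_cost=1_500, aro_after=0.0625),
    Safeguard("Hot standby site", purchase_cost=30_000, annual_cost=12_000, aro_after=0.015625),
]


if __name__ == "__main__":
    sle = single_loss_expectancy(ASSET_VALUE, EXPOSURE_FACTOR)
    print(f"SLE {sle:,.0f}  ALE {annualised_loss_expectancy(sle, ARO_BASELINE):,.0f}")
    for name, value in rank_safeguards(ASSET_VALUE, EXPOSURE_FACTOR, ARO_BASELINE, SAFEGUARDS):
        print(f"{name}: ACS {value:,.2f}")
```

With these figures the baseline ALE is 12,500 a year; offsite backups return a positive ACS of 3,875, while the hot standby site reduces the ARO further but costs far more than the loss it prevents, so its ACS is negative. As the chapter says, cost is not the only basis for choosing, but the ranking makes the trade-off explicit before budget is committed.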

Risk Registers
Yes plural. A risk register may be divided into parts. A risk
register is not something you want to run alone. The point of the
risk register is for you and the officers of your company to be
aware of the risks to manage. At the very least you should have
an Asset register. You should have a Staff register, a Partner
register, a Supplier register, a Contractor register, Skills register,
Business Process register and so on, these may be compiled and
considered as the Risk Register collectively.

Each register should have different access requirements to help you maintain the security of individual risk registers, as not everyone has a need to view the entire risk register or even the whole of one. For instance IT Directors may have access to the detail behind their own departments, but not those of all other unrelated departments. Yet an IT operations manager responsible for supporting that department would.

Risk registers contain important and sensitive information.

Ideally you want a register designed to protect your data and control who can review and edit, while keeping a record of updates so a history is maintained. There are a lot of values and opportunities such a register can introduce, including tracking the progress of risk reduction; it also provides a top level benefit: the detail behind the big picture. An up to date risk register can ensure the accuracy of assumptions made about the enterprise ‘big’ picture, and management can delegate certain aspects of the business more easily.

An ESORMA book of Risk Assessment templates is available from Amazon. These can be completed remotely by those on the ground and in parallel. The completed information can be forwarded to be entered into a centralised risk register.


You would store risk assessment information and asset details
and data concerning countermeasures too, along with recurring
dated activities or details about minimum service or resource
levels considered safe to work to in terms of margins of error,
stock levels etc.

For instance, in the first section of this chapter we talk about
staff controls and cross training; the details and plans for these
would exist within the staff register.

Staff are assets.

You would record within an asset register the type of work
an employee is employed to perform and you would include
the training programmes that person has completed and
details about other job functions that person could take on, for
example:

                    Accounts              Sales                        Purchasing
Skills Required     Order Entry           Sales Presentation Writing   Weights & Measures
                    Contract Awareness    Customer Communications      Supplier Communications
                                          Order Entry                  Contract Awareness

Ms Example Skills   Order Entry

In the above example Ms Example is skilled in Order Entry, and
the table tells us it is a skill required in both the Accounts and
Sales departments.


An interview process could commence without further time
required for training. Potentially, if Ms Example worked within
Accounts, training in Contract Awareness could provide more
opportunities for her in Accounts and potentially help her to
take on work in Purchasing too.

Ms Example would increase her asset value to the company.

Potentially this part of the Asset register would be undertaken
by the HR department. There is no need to share other parts
of the register with the HR department and so access control
techniques would be applied to the HR role that would limit
access by an HR role to only the sections of the register that
were required to undertake the work. This would be an example
of the principles of Least Privilege and Job Segregation in
practice.
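
The access control described here and in the Risk Registers section above (roles that may see or edit only their own sections of the register, with a history of every update) as an added example in Python. This is illustrative code, not an ESORMA tool; the role names, section names and register entries are hypothetical:

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone


class AccessDenied(PermissionError):
    """Raised when a role touches a register section it has no right to."""


@dataclass(frozen=True)
class Role:
    name: str
    can_read: frozenset   # register sections this role may view
    can_edit: frozenset   # register sections this role may change


@dataclass
class RiskRegister:
    # section name -> entry id -> recorded value
    sections: dict = field(default_factory=dict)
    # append-only history of every change: who, when, which entry, old and new value
    history: list = field(default_factory=list)

    def _check(self, role: Role, section: str, editing: bool) -> None:
        # Least privilege: a role gets exactly the sections its work needs, nothing else.
        allowed = role.can_edit if editing else role.can_read
        if section not in allowed:
            action = "edit" if editing else "read"
            raise AccessDenied(f"role {role.name!r} may not {action} section {section!r}")

    def read(self, role: Role, section: str) -> dict:
        self._check(role, section, editing=False)
        return dict(self.sections.get(section, {}))

    def update(self, role: Role, section: str, entry_id: str, value: str) -> None:
        self._check(role, section, editing=True)
        entries = self.sections.setdefault(section, {})
        # Record the change before applying it so the history is never missing an edit.
        self.history.append({
            "when": datetime.now(timezone.utc).isoformat(),
            "role": role.name,
            "section": section,
            "entry": entry_id,
            "old": entries.get(entry_id),
            "new": value,
        })
        entries[entry_id] = value

    def changes_to(self, section: str) -> list:
        """The audit trail for one section, oldest change first."""
        return [h for h in self.history if h["section"] == section]


# Hypothetical roles mirroring the chapter: HR works the staff register only,
# the IT director has full access to IT assets, and the IT ops manager who
# supports that department can read those assets but not change them.
HR = Role("HR", can_read=frozenset({"staff"}), can_edit=frozenset({"staff"}))
IT_DIRECTOR = Role("IT director", can_read=frozenset({"it-assets"}),
                   can_edit=frozenset({"it-assets"}))
IT_OPS = Role("IT ops manager", can_read=frozenset({"it-assets"}), can_edit=frozenset())


def demo() -> RiskRegister:
    """Constructed walk-through: edits by the right role succeed and are logged."""
    reg = RiskRegister()
    reg.update(HR, "staff", "ms-example", "skills: Order Entry")
    reg.update(HR, "staff", "ms-example", "skills: Order Entry, Contract Awareness")
    reg.update(IT_DIRECTOR, "it-assets", "file-server-01",
               "ALE 25000; safeguard: offline backups")
    return reg


if __name__ == "__main__":
    register = demo()
    print(register.read(IT_OPS, "it-assets"))
    for change in register.changes_to("staff"):
        print(change["when"], change["role"], change["entry"], change["old"], "->", change["new"])
    try:
        register.read(HR, "it-assets")
    except AccessDenied as err:
        print("refused:", err)
```

The separation of read and edit rights per section is what lets the HR role maintain the staff part of the register without ever seeing supplier or IT detail, and the history list is what gives management the audit trail the text asks for.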


Case Study
Download the case study from the ESORMA Portal by
registering at https://ESORMA.com and selecting the ‘free gifts’
navigation item for all the free gifts that come with this free
guide.

FREE Bonus Chapter Resource

Download a Risk Assessment calculator from the ESORMA
Portal. Another reason to register at https://ESORMA.com and
select the ‘free gifts’ navigation item for all the free gifts that
come with this free guide.

* Sometimes words fail us, especially when we are under
pressure. I once was so upset when surrounded by mosquitoes
in Sri Lanka, totally under pressure, in an exasperated,
stuttering tone I explained I was surrounded by flies with...

Spikes!

My colleagues understood my exasperation at the time and
we all laughed and miraculously the flies with spikes all flew
away. So sometimes the wrong words can work very well and
I was looking for a word to rhyme with urgency. So I invented
importancy. What do I know? Turns out it is a word according
to the Collins online dictionary...


Summary
Prioritisation is key to ensuring the objectives of governance, risk
management and compliance are achieved, as it puts order to
the required undertakings so that the biggest value to the
enterprise is achieved first.

Staff is an area of significant risk and there are a range of
techniques to employ and incorporate within working practices
and employment contracts so they may be enforced and risks
minimised.

Taking care of staff and colleagues will probably give you the
biggest bang per buck invested in security as they can employ
safer practices and they can report events from the front line.

Assets are employed in an enterprise to ensure business
operations continue and these may present individual risks. It
is especially important to protect the highest risks, to ensure a
level of resilience against disaster.

Fortunately it is possible to calculate value and the two tools at
our disposal are quantitative and qualitative measurement. We
can minimise risks with safeguards and these can be calculated
in. We can theoretically assess the cost of risk mitigation before
we commit and this helps in setting budgets and priorities too.

It is important to bring all the resulting information together
into a Risk Register that may be indexed in many ways as this
has the additional benefit of allowing management a bigger
picture operational view few appreciate.


Domain #2: Priority Questionnaire

Our first question that must be asked is how and why did we
get here?

What has happened to cause us to review our priorities?
________________________
________________________
________________________
________________________
________________________
________________________
________________________

What preceded this situation?
______________________________________________________
______________________________________________________
______________________________________________________
______________________________________________________

What do you think at this stage will follow, what is your true
purpose, the one you have in mind?
______________________________________________________
_________________________________________________________
___________________________________________________
______________________________________________________

Generically, which will you evaluate quantitatively?
______________________________________________________
______________________________________________________
______________________________________________________
______________________________________________________


Generically, which will you evaluate qualitatively?
_________________________________________________________
_________________________________________________________
_________________________________________________________
_________________________________________________________
___________________________________________

How will you ensure consistency in your assessment process?
_________________________________________________________
_________________________________________________________
_________________________________________________________
_________________________________________________________
__________________________________________

Your main formulas will be:
• SLE = AV * EF - note EF is always a %
• ALE = SLE * ARO

What is your preferred selection of safeguards (most do):
_________________________________________________________
_________________________________________________________
_________________________________________________________
_________________________________________________________
__________________________________________

Name the Risk Registers you will review or intend to create:
_________________________________________________________
_________________________________________________________
_________________________________________________________
_________________________________________________________
__________________________________________

Please note you can buy additional printed copies of the
Workbook Only version of the ESORMA Quick Start Guide
online, should you want to run a workshop or measure progress
over time. Here: https://www.amazon.co.uk/dp/B08C94SLSP


Please register online for all the online goodies that come
with this quick start guide:

You will find: Case Studies, Checklists, Graphics, Templates,
Calculators, the latest PDF of this guide and a separate
questionnaire designed to help you design and record your
personal, custom plan of action.

Register here: https://ESORMA.com and select the ‘free gifts’
navigation item for all the free gifts that come with this free
guide.

You will also learn how to get your own custom branded
questionnaires and how to organise one to one training, support
or consultancy and custom on site, or open, hotel based training
events.

You will also get access to a suite of tools that should help you
in your ongoing ESORMA journey.

Take Priority Training & Earn 10 CPEs

Our one day ESORMA ‘Prioritisation Essentials’ combines
cybersecurity, management, architecture, operations,
communications and project management skills and rewards
delegates with ten CPEs. One for each hour spent in class and
three for taking the Priority Assessment. Find out more at
ESORMA.com/training.html

Next Up...
Now that we have prioritised, the next chapter helps us to
further add order to our prioritisation through understanding
the context of each part in terms of the evaluation of potential
protection systems.

You will also find an outline of how to tailor a business
continuity and disaster recovery plan to your enterprise.
ESORMA Evaluate

ESORMA Domain #3: Evaluate

“It takes genius to truly evaluate uncertain,
hazardous, and conflicting information”

When we see a problem, do we step forward and fix the first
thing we see?

Or should we step back, calculate the risk and evaluate it
against the risk appetite? What if there are existing controls in
place that mean ‘doing nothing’ is a viable option?

For example, it is often said people are the weakest link, and
many mount phishing attack tests. Do we really expect staff and
colleagues not to make mistakes when they themselves are under
pressure, perhaps working in critical conditions or saving lives?
This could be seen as a systems issue, easily solved and
potentially at a lower cost, if the controls put in place made it
impossible for a phishing attack to be effective in the first place.

Evaluation applies to governance, risk management and
compliance equally, as all three need to be in balance. We
might think we have a fix, yet if implemented incorrectly it can
unbalance a finely tuned enterprise and in one stroke cause
the business to take three steps backward instead of the one
intended footstep forward. It is vital to be crystal clear on
risk: how we might treat it, what it costs and what the return
on risk prevention is.


In the last chapter prioritisation was about triage and risk
assessment, and this is fine if you have the time to evaluate all
risks.

However even the smallest business can have hundreds of risks
associated with it. It is easy to become overwhelmed. We need a
better place to start than simply ‘all risks’ to assess and compare.

The place to start is not necessarily with the most expensive
risks either, although that is very important information to
know and must be taken into consideration. The next level of
review, or as this domain calls it, evaluation, is done in the
context of the business of the enterprise itself. Our objective is
to start by identifying the parts of the business that are most
important to the business owners and its customers.

Ultimately the purpose of the business of most enterprises is
to make a profit serving clients. What happens with the profit
depends on the type of enterprise you run. However, from a
security perspective it is a pretty good idea to start with where
we generate income, as generally this is what will either
keep the business functioning or stop it dead.

Security from a client’s perspective serves three purposes.
First we want to ensure the work the enterprise undertakes is
preserved and can continue come what may, secondly we want
to protect data about our clients and third, we want to ensure
our business is protected from our clients. Risk does not travel
one way. Risk travels in every direction and risk can stop our
ability to serve clients even if the risk comes from the client, so
we need to ensure our systems are isolated and fail-safe.


Happily, getting focused is relatively easy. The first place we
can look is at the sales ledger and from that get a view of what is
being delivered to clients and to get an understanding of what,
when and how.

The Sales Ledger alone should provide us with enough
information to prioritise where we should look for risks.

Business Impact Analysis

When we understand the business of the enterprise we can
prepare a Business Impact Analysis (BIA). A BIA is a list. A
list of assets, people, processes, stock/inventory and suppliers.
Everything that is required to make production happen
including work space, machinery and tools (they would be
included in your asset list). It matters who owns them, how
much they cost and how they are financed as all these things
have some kind of bearing on the potential risk.

Eventually your lists will start to resemble an interconnected
web and you will be able to see what could happen if one part
failed, how it would affect the operation of the business. The
risk is not the cost of the component that has gone wrong, but
the cost of the total operation that fails and the failures that
result by not being able to deliver to clients which may generate
reputational as well as financial loss.
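
The interconnected web described above, as an added example in Python (not an ESORMA tool): the BIA lists are held as a dependency graph, a failure is traced forwards to every delivery that relies on the failed part, and the impact is measured as the income of the deliveries that stop rather than the price of the part. The components, the dependencies between them, the daily income figures and the component costs are all constructed; the node named after Ms Example from the skills matrix is a hypothetical single skilled employee.

```python
from collections import deque


def build_reverse_index(dependencies: dict) -> dict:
    """dependencies: {component: {components it depends on}}.
    Returns {component: {components that depend on it}} so a failure can be
    traced forwards to everything it knocks out."""
    dependents = {name: set() for name in dependencies}
    for name, needs in dependencies.items():
        for need in needs:
            dependents.setdefault(need, set()).add(name)
    return dependents


def affected_by_failure(failed: str, dependencies: dict) -> set:
    """Breadth-first walk from the failed component through everything that
    directly or transitively relies on it."""
    dependents = build_reverse_index(dependencies)
    seen = {failed}
    queue = deque([failed])
    while queue:
        current = queue.popleft()
        for downstream in dependents.get(current, ()):
            if downstream not in seen:
                seen.add(downstream)
                queue.append(downstream)
    return seen - {failed}


def impact_of_failure(failed: str, dependencies: dict,
                      daily_income: dict, component_cost: dict) -> tuple:
    """Returns (affected components, income lost per day, replacement cost of the part).
    The first two numbers are the risk; the third is merely the price of the part."""
    affected = affected_by_failure(failed, dependencies)
    lost = sum(daily_income.get(name, 0.0) for name in affected | {failed})
    return affected, lost, component_cost.get(failed, 0.0)


def single_points_of_failure(dependencies: dict, daily_income: dict) -> list:
    """Components whose loss stops every income-generating delivery."""
    deliveries = set(daily_income)
    return sorted(name for name in dependencies
                  if deliveries <= affected_by_failure(name, dependencies))


# Constructed web for a small firm: two client deliveries that rest on shared
# infrastructure, a supplier and one skilled employee.  Every value is made up.
DEPENDENCIES = {
    "delivery: client A orders": {"order entry", "warehouse"},
    "delivery: client B support": {"ticket system", "ms-example"},
    "order entry": {"file server", "ms-example"},
    "ticket system": {"file server"},
    "warehouse": {"forklift", "supplier: packaging"},
    "file server": {"server room power"},
    "forklift": set(),
    "supplier: packaging": set(),
    "ms-example": set(),
    "server room power": set(),
}
DAILY_INCOME = {"delivery: client A orders": 4_000.0,
                "delivery: client B support": 1_500.0}
COMPONENT_COST = {"file server": 6_000.0, "forklift": 20_000.0,
                  "server room power": 900.0}

if __name__ == "__main__":
    for part in ("server room power", "forklift"):
        affected, lost, cost = impact_of_failure(part, DEPENDENCIES, DAILY_INCOME, COMPONENT_COST)
        print(f"{part}: part costs {cost:,.0f}, stops {len(affected)} things, "
              f"loses {lost:,.0f} per day")
    print("single points of failure:", single_points_of_failure(DEPENDENCIES, DAILY_INCOME))
```

In the constructed web the cheapest item on the list, the server room power, is the one that halts both client deliveries, while the most expensive item, the forklift, only stops one. That inversion is exactly why the BIA prices the failed operation and not the failed component.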


The Objective Of The BIA Is To Help You In Several Areas:

Timing
How long have you got to repair and recover from failure before
production or service delivery is affected and clients find out.

How long will clients wait, if at all?

Resources - knowing what you need to have on hand as backup
can make a lot of difference to recovery from disaster, but has
cost, storage and implementation issues associated (remember
how your list becomes a web).

Priority
Not based simply on risk and cost, but based on client needs
which can affect income, client retention and market reputation.

In essence your BIA provides mission critical information and
with it you can determine plans, budget and team requirements
to recover quickly from risks that may occur. There is a lot of
added value to a business in running a BIA as you not only
review operations from a cyber perspective, inevitably you also
review from a business continuity perspective too.

A comprehensive BIA can take a long time; it is not unheard of
for a BIA to take a year to fully plan, calculate and then to put
everything in place and to test the plan, then change it and test
again.

We can’t wait a year! We need something today! Or, perhaps
more realistically, as soon as possible....


The ESORMA way is to put together a basic plan very quickly,
preferably in days.

Clearly a BIA produced in a day or two will not be
comprehensive, yet having a plan is always better than having
no plan. In most cases a simple plan is to answer the question
that if service delivery failed today, what would we have done
by tomorrow to have service delivery resume?

An answer would usually involve finding a different method or
site for production. Ultimately we would find a way to redeploy
assets. Mistakes can occur when under pressure and ‘all hands
are to the pump’.

The Benefits of Using A Form Driven Approach
Following a form driven approach will help you to pass on
the task to others. Information can be collected, collated and
compared electronically in either a database or spreadsheet.

A form driven approach can speed things up, as many tasks
can be completed by many people simultaneously, plus can be
distributed electronically and in some cases it may be possible
to conduct interviews by phone.

Generally those that you choose to interview will value having
a copy of the questionnaire in advance of the actual interview.
Our objective is to capture information, we are not interested in
trying to catch anyone out.

Download the BIA Questionnaire from the ESORMA Portal at
https://ESORMA.com and select the ‘free gifts’ navigation item for
all the free gifts that come with this free guide.


Often questionnaires completed independently, remotely,
prior to an interview may well drive further questions. It
is a good idea to follow up a completed questionnaire, as
information obvious to the interviewee but not obvious to you
will often transpire, and this is often the kind of supplementary
information you need to know.

You may quickly realise at least a few days’ worth of
consumables need to be stored near to the replacement location
so that service delivery can continue.

This may lead to short term investment in stock, or it may
simply require re-allocation of stock. The associated costs
in making this short term adjustment would in effect be
the insurance premium you would pay to afford the added
protection.

Over time (potentially as long as a year) you could re-evaluate
your needs and provide locally available solutions for other key
areas that may fail or cause concern enough for delay. In turn
you will not only become more resilient to error and failure,
chances are you will develop performance enhancements too.

Understanding Through Interviews

Due to the nature of service delivery, there is usually a lot of
expertise built into the process, the amount and type of which
may only be assessed through interviews with key members of
staff. You don’t want to surprise anyone with this, as otherwise
it can be very damaging, instead you want to let colleagues
know in advance, talk to managers and teams about your
purpose and then agree specific times and supply questions in
advance of interviews.


ESORMA has created a simple interview form you can use.
It can be found in the resources section of the members area.
You may want to take the form and to modify it to suit your
business. It is important to use a consistent approach to your
interviews and to ensure you demonstrate your focus is clearly
aimed at impact analysis and disaster recovery, as some
members of staff may find the process invasive. You also need
to be very sensitive to feedback from colleagues to ensure they
do not feel like they are simply being mined, so they may be
replaced.

Business Procedures
When people let you know what the staff do they often describe
business procedures, and these are worth noting separately.
You would primarily be interested in processes that enable the
production and delivery of goods and services to clients. You
may discover these are not recorded anywhere, and often teams
are relieved that at last records are being made, as clearly the
processes are undertaken to the benefit of the business. There
are at least two reasons for recording them:

1. A written how-to is an essential asset if your team is
somehow disabled or unable to continue in-situ and the
work has to be undertaken elsewhere.
2. In committing a process to paper, questions often arise about
the efficacy of the process.

These can often lead to process improvements that may increase
speed and reduce costs, or alert you of other important parts of
the process otherwise hidden from view.


The key things to note are:

• What processes are undertaken by whom?
• What assets are used in the process?
• What information systems are employed?
• How much time does it take?
• How many consumable items are consumed?
• How much data is involved and where did it come from?
• How much data was altered or edited?
• Do we have only what we need?
• What happens next?

Is there any waste product? What happens to that and what
happens to the data that was employed in the process? How
is that deleted and or communicated onward? We are looking
at the life-cycle of all things used in a process, tracing source,
application and destiny, especially sensitive information - data.
Usually there is a lot of potential for loss in the last stage.

Information Systems
People and business processes tend to deploy Information
Systems, although sometimes all an Information System has
to do is to print a label. Information is usually the output
and the point of output is often an area of risk, more so if
the information is identifiable. Cyber criminals look out for
snippets of information in order to collect and then to put back
together to build a bigger picture. Transactional data may
well be separate from Contact Information but may share the
same ID. Some data may be collected electronically, other data
may be recovered from printed waste. When you look, you
will often see lots of ways that data may be leaking from your
organisation and this, for most, can be a very serious issue.

Imagine this happened where you worked and your clients
discovered this came from you, this could be very expensive
in terms of fines and public reputation, even if it is a business
client. Data is an asset that needs to be cared for.

Real Assets
Your impact analysis must be end to end, so if your service is
delivered by an installation team, a consultant or put on a truck,
the assets employed from the beginning, through development,
manufacture to delivery must all be accounted for, as without
them, if a disaster struck the business would be stuck.

You may discover, in order to ensure production continues to
flow, you not only require replacement equipment, you may
need additional raw materials, storage, handling and processing
too. All this may be required to keep the line flowing in the
event of a critical, central failure.

Your BIA will then provide a detailed analysis of the kind of
things that can go wrong, the relative costs, related timing
issues and so on. With this information you will have a picture
of the kind and cost of risk management strategies required. It
will then be up to the management of the enterprise to choose
to make an investment or not. Ultimately investment is always a
business decision.


Risk Appetite
There are certain things where you cannot arrive at an easy
figure in terms of costs, a quantitative figure, and as referred to
in Domain 3 you may have to use qualitative methods (Low,
Medium, High or Critical Impact) instead.

Once you have assessed a level of impact you will need to
determine how to deal with the resulting risks. Addressing
risk is often an expensive proposition, although in some cases
you may well have a no cost solution. Common sense normally
dictates a quick implementation of those. Those that cost add
up and the total figure may be more than your enterprise is
prepared to pay and this becomes a matter of risk appetite.

In effect the enterprise will accept some risk, as it cannot afford
to deal with all risk. How to assess Risk Appetite is often a
puzzle. I cannot offer a definitive answer, however, like waiting
for a bus I can offer you three suggestions and you can choose
which one to take. Assets should include everything almost:
mobile phones, computers, printers, cranes, trucks, weighing,
stamping and other machinery. You need a list of staff by role
and by name, similarly suppliers.


Genuine Business Benefits

Most businesses have grown organically and the chances are
the kind of review undertaken for your BIA has never been
undertaken before and as a result no one person has a single
view of the operation of the business to such a detailed degree.

As a result the BIA may assume more importance to the
organisation, not only allowing for disaster recovery, but also a
streamlining of activities and possible cost and time reductions
too, these are usually hidden benefits not always apparent from
the outset.

The lists of all the things you need to include can easily be very
long with complex interconnections. In the short term you need
a plan, and so your BIA will be an abridged, necessarily shortened
version, as it is better to have a plan than none at all, even if it is
slightly wrong and incomplete. That is the point of the BIA: it
can be scrutinised, so all the people involved can review it and
provide more detailed, updated and accurate information. This is
one reason for a BIA to take a year to be produced.


Impact Statements
For every item on every list, you need to write down what
would happen if it was lost, damaged, destroyed or somehow
disabled. Calculate the knock on cost too. This will then enable
you to add a further comment about a potential remedy. In
most cases a remedy is very likely to cause changes to your
production or service cycles as it becomes obvious that certain
things can be fixed or resolved even before they go wrong.

1. Financial Limit. You may simply determine or be given a
budget to work to. You will need to prioritise and fit within
that.
2. Present your case and let the board decide. After all it is their
decision, your role is to advise, and make recommendations.
3. Look around and see what has been done in the past, to get a
feel of what is considered acceptable and what is not.

The first option is not always as black and white as it seems,
there is also grey. A fixed budget is simply not appropriate to
every situation as if the management, having allocated a budget,
had not appreciated the level of risk they face, they may well
agree that a higher budget is needed.

The first option is perhaps heavy handed too, it could be a
massive budget compared to the cost of the needed solution and
therefore could be inefficient. Also a small problem of a loss to
a Phishing scam of £3000 may be easily affordable, yet not if the
person caught was the CEO of a security firm, this could have
reputational repercussions.


In all cases the ESORMA recommendation would be to put
costly solutions to the board. After all security and related risk
appetite will always be a business decision and it is important
that the business backs and supports security implementations.

Timing
We can’t leave this domain without talking about timing and
in particular, down time, for instance: Maximum Tolerable
Downtime (MTD) is an important time consideration, one of
an important handful. For each business process, you need
to assess the MTD, the time after which a process becomes
unrecoverable, irreversible (and often fatal). This is not easy
to know, yet it must be attempted as it is a piece of crucial
information and may simply be a best guess, or could be arrived
at by talking to clients, in terms of how long they could wait.

If you were a commodities service provider your MTD may well
be zero. This requires a permanent backup site that is capable
of delivering a full level of service immediately. This is called a
hot site. If on the other hand you have some time, albeit limited
time available, you may then have what is known as a warm
site available: everything is current, in place and just needs to be
switched on within the time available, time enough to get
up to the power or speed required to satisfy clients.

Finally there is the cold site. Nothing is switched on, yet the
minimum necessary to provide a backup site is on hand that
could provide cover in an emergency.

Depending on your business you may also decide to have
backups to the backups too. As when the main site goes down
the same problem that triggered the failure may occur again.


As well as the MTD, we also have the Recovery Time Objective
(RTO). The RTO is a time period that should be shorter than the
MTD and is the amount of time you have to get back up services
working for you.

The cost difference between running hot, warm and cold sites
is usually a lot, the reason is down to the RTO. You may decide
on compromises in order to reduce costs although it still enables
you to recover within the RTO you define. Different solutions
will take different amounts of time and this can vary the costs
incurred a lot.

Another important timing feature is the Recovery Point Objective
(RPO). The RPO usually refers to the maximum amount of data
the business can afford to lose and can recover if there is a
system data failure. Again, this will depend on the criticality
of the business process in question. Sales may have an RPO
of thirty days as you keep paper copies, patient data may be
a matter of 15 minutes as you provide service to clients in
15 minute intervals. It is a critical amount of time that your
business has in order to recover its data and this will vary
according to each individual business process.
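
The timing rules in this section, as an added example in Python (not an ESORMA tool): each business process carries its own MTD, RTO and RPO, the RTO is checked against the MTD, and the cheapest of the hot, warm and cold sites that can be serving again within the RTO is chosen. The chapter names the three site types but gives no figures for them, so the site recovery times and annual costs here are constructed assumptions, as are the four example processes:

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessTiming:
    name: str
    mtd_hours: float   # Maximum Tolerable Downtime: beyond this the process is unrecoverable
    rto_hours: float   # Recovery Time Objective: target time to have the service back
    rpo_hours: float   # Recovery Point Objective: how much data, measured in time, may be lost


@dataclass(frozen=True)
class RecoverySite:
    kind: str
    time_to_service_hours: float   # constructed: how long until the site can deliver service
    annual_cost: float             # constructed: what keeping the site ready costs per year


# Constructed assumptions only: the chapter gives no numbers for hot, warm or cold sites.
SITES = [
    RecoverySite("hot", time_to_service_hours=0.0, annual_cost=120_000.0),
    RecoverySite("warm", time_to_service_hours=8.0, annual_cost=40_000.0),
    RecoverySite("cold", time_to_service_hours=72.0, annual_cost=10_000.0),
]


def cheapest_site_meeting(p: ProcessTiming, sites=SITES):
    """Cheapest site that can be serving again within the process's RTO, or None."""
    fitting = [s for s in sites if s.time_to_service_hours <= p.rto_hours]
    return min(fitting, key=lambda s: s.annual_cost) if fitting else None


def plan(processes, sites=SITES) -> dict:
    """Per-process report: validation problems, the site to fund, and how often
    data must be captured so that no more than the RPO is ever lost."""
    report = {}
    for p in processes:
        issues = []
        # The text's rule: the RTO must be shorter than the MTD, or recovery arrives too late.
        if p.rto_hours >= p.mtd_hours:
            issues.append("RTO must be shorter than MTD")
        site = cheapest_site_meeting(p, sites)
        if site is None:
            issues.append("no recovery site meets the RTO")
        report[p.name] = {
            "issues": issues,
            "site": site.kind if site else None,
            "backup_every_hours": p.rpo_hours,
        }
    return report


# Constructed processes: an MTD of zero-ish forces a hot site, a sales ledger
# backed by paper copies tolerates days, and one entry is deliberately inconsistent.
PROCESSES = [
    ProcessTiming("commodity price feed", mtd_hours=1.0, rto_hours=0.0, rpo_hours=0.25),
    ProcessTiming("patient appointments", mtd_hours=4.0, rto_hours=2.0, rpo_hours=0.25),
    ProcessTiming("sales ledger", mtd_hours=240.0, rto_hours=48.0, rpo_hours=720.0),
    ProcessTiming("marketing web site", mtd_hours=24.0, rto_hours=36.0, rpo_hours=24.0),
]

if __name__ == "__main__":
    for name, row in plan(PROCESSES).items():
        print(f"{name:22s} site={row['site']!s:5s} backup every {row['backup_every_hours']}h "
              f"{'; '.join(row['issues']) or 'ok'}")
```

Running the report over every process in the BIA turns the three timing numbers into two concrete decisions per process, which site tier to pay for and how often to capture data, and flags the entries where the numbers cannot be met before anyone commits budget to them.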

Risk Treatment
When reviewing risk there are just four methods to treat risk
with, they are:

1. Risk Acceptance
2. Risk Avoidance
3. Risk Mitigation
4. Risk Transfer

The first, Risk Acceptance is the easiest, as quite simply you see
the risk and do nothing, by default the business is said to accept
the risk.


However, if the risk remains inherent in prior service deliveries,
the future risk is not necessarily avoided and for those you must
decide on one of the other three risk treatments to deal with
risk, this may include accepting the risk #1 (Risk Acceptance).

The second, Risk Avoidance is to see the risk that you face and
to reorganise the business process in order to avoid taking the
risk altogether, this means the identified risk element is deleted
from the business process, so it does not exist anymore and
therefore cannot be a risk and is avoided, permanently.

The third response is Risk Mitigation. A risk may be mitigated
with a countermeasure, modifying the process or eliminating
risky processes. A mitigation may be controlled in order to
prevent or reduce risk exposure. Some controls will regulate
flow and may help to minimise risk, some controls are built
to compensate for events as they happen and they may be
contractual, procedural or technical corrective controls.

Finally you can respond with Risk Transfer. This is where a risk
is transferred to a third party. Insurance is an example. Note
the whole risk is rarely transferred. The risk continues to exist,
in the case of insurance should the risk take place you may be
paid a financial consideration which may help to compensate
for the occurrence of risk but would not solve the risk and the
risk could occur again. Equally a business process such as the
chopping of wood may be outsourced. This would eliminate the
danger of an employee being harmed by a wayward Axe, yet
this type of accident could still occur at the outsourced location
while someone went to work on chopping your wood.


Risk Acceptance Framework

Unlike Risk Appetite, Risk Treatment may be easier to manage
with a straightforward Risk Acceptance Framework:

Level of Risk    Decision Made
Low              Locally
Medium           CIO
High             CIO, CISO
Severe           Board

The ability to evaluate events and determine actions while
under fire requires a genius level of skill especially when so
much is uncertain, hazardous and conflicting, yet governance,
risk management and compliance principles all help guide
toward achieving sustainable end results and avoid critical
mistakes.

There are systems to employ ahead of time, including a business
impact analysis and staff interviews, all of which will reveal
valuable operational information, that not only helps to ensure
tighter security, a more resilient business, but is also likely to
reveal streamlining, speed and cost reduction opportunities too.

An enterprise’s risk appetite will be more clearly understood
and may be applied sparingly, depending on the underlying
business and timing requirements. This in turn will lead to a
better understanding of risk itself, which will have an impact on
risk management and allow the creation of a custom risk
acceptance framework to communicate risk and increase the
awareness of risk orientated issues, again to the betterment of
the business.


FREE Bonus Chapter Resource

Download a BIA Employee Questionnaire, an easy to use Excel
spreadsheet you can get from the ESORMA Portal. Another reason
to register at https://ESORMA.com and select the ‘free gifts’
navigation item for all the free gifts that come with this free
guide.


Summary
Evaluation is key to ensure the objectives of governance, risk
management and compliance are achieved, as it puts order to
the required undertakings to ensure the biggest value to the
enterprise is achieved first.

Staff is an area of significant risk and there are a range of
techniques to employ and incorporate within working practices
and employment contracts so they may be enforced and risks
minimised.

Taking care of staff and colleagues will probably give you the
biggest bang per buck invested in security. They can employ
safer practices and they can report events from the front line.

Assets are employed in an enterprise to ensure business operations
continue, and each may present individual risks. It is especially
important to protect the assets carrying the highest risks, to ensure
a level of resilience against disaster.

Fortunately it is possible to calculate value, and the two tools at our
disposal are quantitative and qualitative measurement. We can minimise
risks with safeguards, and the cost of those safeguards can be factored
in. We can assess the cost of risk mitigation before we commit, which
helps in setting budgets and priorities too.

It is important to bring all the resulting information together into a
Risk Register that may be indexed in many ways, as this has the
additional benefit of giving management a bigger-picture operational
view that few appreciate.


Domain #3: Evaluate Questionnaire

Our first question that must be asked is: what do we need to evaluate
and why?
______________________________________________________________
______________________________________________________________
______________________________________________________________
______________________________________________________________
______________________________________________________________
______________________________________________________________
______________________________________________________________
______________________________________________________________
______________________________________________________________

What led us here?
______________________________________________________________
______________________________________________________________
______________________________________________________________
______________________________________________________________

Where do you think we are going? What will follow?
______________________________________________________________
______________________________________________________________
______________________________________________________________

What assets are used in the process?
______________________________________________________________
______________________________________________________________
______________________________________________________________

What information systems are employed?
______________________________________________________________
______________________________________________________________
______________________________________________________________


How much time does it take?
______________________________________________________________
______________________________________________________________
______________________________________________________________

How many consumable items are consumed?
______________________________________________________________
______________________________________________________________
______________________________________________________________

How much data is involved and where did it come from?
______________________________________________________________
______________________________________________________________
______________________________________________________________

How much data was altered or edited?
______________________________________________________________
______________________________________________________________
______________________________________________________________

Do we have only what we need?
______________________________________________________________
______________________________________________________________
______________________________________________________________

What happens next: will you accept, mitigate, avoid or transfer the
risk? Why and how?
______________________________________________________________
______________________________________________________________
______________________________________________________________
______________________________________________________________
______________________________________________________________
______________________________________________________________
______________________________________________________________
______________________________________________________________


Please note you can buy additional printed copies of the Workbook Only
version of the ESORMA Quick Start Guide online, should you want to run
a workshop or measure progress over time. Here:
https://www.amazon.co.uk/dp/B08C94SLSP

Please register online for all the online goodies that come with this
quick start guide:

You will find: Case Studies, Checklists, Graphics, Templates,
Calculators, the latest PDF of this guide and a separate questionnaire
designed to help you design and record your personal, custom plan of
action.

Register here: https://ESORMA.com, then select the 'free gifts'
navigation item for all the free gifts that come with this free guide.

You will also learn how to get your own custom branded
questionnaires and how to organise one to one training, support
or consultancy and custom on site, or open, hotel based training
events.

You will also get access to a suite of tools that should help you
in your ongoing ESORMA journey.

Take Evaluate Training & Earn 10 CPEs

Our one day ESORMA 'Evaluation Methodologies' course combines
cybersecurity, management, architecture, operations, communications
and project management skills and rewards delegates with ten CPEs: one
for each hour spent in class and three for taking the Evaluate
Assessment. Find out more at ESORMA.com/training.html


Next Up...
Now that we have evaluated, the next chapter is about enabling.
The question is do you know who, how and what to enable?

The surprising answer is often money!

Next up we start to look at the language you might use and the aspects
of deployment the paymasters are most interested in. Invariably the
answer is different to what you may be most interested in.


ESORMA Domain #4: Enable

"A business and its team only deliver when they are enabled"

Do you have the authority? Do you supply the process of authority?

Most situations in Governance, Risk Management and Compliance are
about giving someone the authority to do something.

As you can see, Enable is preceded by Evaluate and followed by Harden;
you will have to authorise activity to get here and to move forward.
This means it is decision time.

Typically we will supply guidance or information to support
colleagues. At this time we may find there is a need to activate
operations, a device or a system. These actions are almost the exact
dictionary definitions of the word Enable, which is why it really is
the perfect name for this domain.

This domain is about deciding upon, implementing, testing and
re-evaluating security controls. While security controls are thought
of as mostly technical, in practice there are many situations where
systems and processes are by their nature procedurally based and
require a lot of manual input, not always continuously, sometimes only
at key points in time.


In previous chapters we developed a good understanding of the
business, reviewed and prioritised risk and undertook risk and impact
assessments, and now we know whether we are to transfer, avoid, accept
or mitigate those risks. In the case of mitigation we control the risk
by installing safeguards or countermeasures. One of our key tasks after
a control is installed is to test whether it is effective or not, and
then to re-run our risk assessment, as we may discover the control
does not perform as expected.

Invariably a mitigation will introduce new risks, and the process of
re-evaluation will identify them. It is best practice for the new
evaluation to be undertaken by someone who did not select, install or
customise the initial mitigation, to help eliminate bias and
oversight.

At some point during the scoping and subsequent risk prioritisation
process the enormity of the task will present itself. The focus in the
short term should be to close down and minimise as many of the big
risks as we can, quickly. Once we are assured they are dealt with,
then we need to look toward a wider strategy of implementation. It is
not straightforward.


There are a lot of risk categories, ranging from the technical to the
structural. However there are common principles; for instance, risk
management follows a life-cycle process, as shown, and for each of the
risks you need to determine the periods for assessment and continuous
improvement. Invariably these essential, vital activities need to be
undertaken by the front line team that uses the equipment and systems.

For implementation to be effective, a keen understanding of the way
the business operates, staff process responsibilities and client needs
is required. There is a lot to take on; it needs to start with an
understanding of management support and range across the mission,
culture, practices, structure, finances and risk appetite of the
business, in order to make recommendations that fit with these
sometimes conflicting interests. Where conflicts arise, they need to
be resolved.

In practice you will need to perform a gap analysis and consult with
staff, management and potentially clients to manage their wants and
needs, to make sure they are on board with the process and support the
need to enhance security, especially as they can be constructive in
fulfilling the objective to minimise risk. This will require external
factors to be taken into account, and as often as not external
suppliers in the supply chain too.

A risk management strategy would identify all credible risks and map
them to the following three factors:

1. The risk appetite of the business
2. The enterprise's ability to build defences and absorb losses
3. Regulatory and legal requirements


The key to success for practitioners is to identify potential data
issues rather than IT issues. This will help to position solutions as
key to enabling positive protection and improving up-time, as a result
of minimising the risk of data exposure and financial loss.

Tools
A lot of the tools required for implementation reside in the
form of a risk register, stakeholder register, supplier register
and process register. These are essential to map out how the
operating parts of a business are interconnected, as it is likely
that each person in a chain will have a different view of what
and how it needs to be done.

From a practical perspective you will need to seek a lot of
understanding of, and agreement to, the plan. Some will exert little
pressure, whereas others will, understandably, be passionate about
protecting their part of the business process. Effectively the risk
manager becomes a relationship manager in this context, as you will be
reliant on your relationships to agree quickly to a plan that needs to
be implemented.

Risk Communication
General proposals for change and detailed proposals for
implementation invariably require communication. Sometimes,
the numbers of people involved require a road-show approach
to take account of all the views and / or to communicate what
needs to be done pre or post implementation simultaneously.

Staff and colleagues will be strongly interested to know how changes
will impact their role, how they will improve the enterprise's ability
to deliver to its clients, their relationships with each other and
their relative autonomy.


Risk Awareness Checklist

The main goal of risk awareness is to ensure enterprise business
decision makers are aware that all enterprise decisions carry risk,
that risk should always be considered and managed, and that controls
should be put into place from the beginning. A common industry term
for this is to 'bake in security'. Security managers (CISOs) have a
consulting role with other business managers who want to ensure
security is baked in, with the security manager offering advice on how
control may be achieved in a specific situation.

As the security manager providing consulting services in this matter
you need to listen clearly to the business needs and understand
sensitively how this may affect other areas of the business and how
the objectives fit into the overall pattern of the enterprise, so the
solutions suit others and are easy to implement, support and maintain.

Your Risk Awareness checklist:

• Who is your audience (managers, IT staff or end-users)?
• What is your message (activity, policy, procedure)?
• What is the expected result (compliance, change, reduced costs,
increased speeds)?
• How will you communicate (meeting, Intranet, email, letter,
workshop, etc.)?

Documentation
In all cases documentation is required: documentation that records the
current state and the future state, enough to perform a gap analysis;
before and after a risk assessment; before and after the
implementation of countermeasures. Risk registers constitute and
contain documented notes, as do proposals and acceptances, business
case development, business impact analysis and cost estimates.


Compliance
All risk related implementation must be completed in a compliant
manner.

The level of compliance should be predetermined by the management of
the enterprise, and time-lines and milestones should always be
pre-established.

Information security compliance requirements should also be clearly
defined.

Compliance should be integrated into new policies, procedures and
operations and into the success metrics of any and all new
initiatives, baked in from the beginning. See the final ESORMA domain
for more on Compliance.

The PDCA: PLAN - DO - CHECK - ACT Walk Through
In the PLAN stage you design, plan and initiate your information
security programme: you determine a strategy and set the policies,
goals, objectives and practices needed to manage risk. In the DO stage
you execute the information security strategy and integrate it into
organisational practices. In the CHECK stage you undertake an audit to
determine whether the plan is operating correctly against your
statement of applicability and identify opportunities for improvement.
In the final ACT stage you record and track anomalies so that defects
are corrected, incidents are prevented and continuous improvement
steps are fed back into the PLAN. You make decisions on risk
accordingly, to transfer, mitigate, accept or avoid it, and commit
resources.


PDCA is part of a Total Quality Management (TQM) system. Aligned with
enterprise goals, you should deploy Key Goal Indicators (KGIs) with
Critical Success Factors (CSFs) and Key Performance Indicators (KPIs)
to make sure your implementations go to plan and continue to work as
expected.

Setting KGIs, CSFs and KPIs in advance can show whether an
implementation is working correctly and continues to provide assurance
over time, enabling testing and guided maintenance.

Every KPI can be bounded by KGI thresholds above and below it, so that
the control is kept within close parameters and an alert is triggered
before danger levels are reached.
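As an added illustration of bounding a KPI with KGI thresholds and a warning band inside them (this is example code, not part of the ESORMA guide): the KPI name, bounds, margin and sample values below are constructed, and the early-warning rule based on a run of samples drifting towards a bound is an assumption of the example rather than something the guide prescribes.

```python
"""Added example: classify a KPI reading against KGI bounds.

Example code, not part of the ESORMA guide. The KPI, its bounds, the
warning margin and the sample histories are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class KpiBand:
    """KGI bounds for one KPI plus the width of the warning band.

    lower  - KGI floor: the KPI must stay at or above this value
    upper  - KGI ceiling: the KPI must stay at or below this value
    margin - how far inside each bound the WARNING state begins, so the
             alert fires before the KGI itself is missed
    """
    name: str
    lower: Optional[float] = None
    upper: Optional[float] = None
    margin: float = 0.0

    def __post_init__(self) -> None:
        if self.lower is None and self.upper is None:
            raise ValueError("at least one KGI bound is required")
        if self.margin < 0:
            raise ValueError("margin must be non-negative")


def _monotonic(samples: List[float], window: int, rising: bool) -> bool:
    """True when the last `window` samples move strictly in one direction."""
    if len(samples) < window:
        return False
    recent = samples[-window:]
    pairs = zip(recent, recent[1:])
    return all((b > a) if rising else (b < a) for a, b in pairs)


def evaluate_kpi(band: KpiBand, samples: List[float], window: int = 3) -> str:
    """Return CRITICAL, WARNING, EARLY_WARNING or OK for the latest sample.

    CRITICAL      - a KGI bound has been crossed
    WARNING       - inside the margin next to a bound
    EARLY_WARNING - still comfortably inside the band, but the last
                    `window` samples are drifting towards a bound
    """
    if not samples:
        raise ValueError("no samples to evaluate")
    latest = samples[-1]
    if band.upper is not None and latest > band.upper:
        return "CRITICAL"
    if band.lower is not None and latest < band.lower:
        return "CRITICAL"
    if band.upper is not None and latest > band.upper - band.margin:
        return "WARNING"
    if band.lower is not None and latest < band.lower + band.margin:
        return "WARNING"
    if band.lower is not None and _monotonic(samples, window, rising=False):
        return "EARLY_WARNING"
    if band.upper is not None and _monotonic(samples, window, rising=True):
        return "EARLY_WARNING"
    return "OK"


# Constructed KPI: share of critical patches deployed within the SLA.
# The KGI is 95%; the warning band starts 2 points above it, at 97%.
PATCH_SLA = KpiBand("Critical patches applied within SLA (%)",
                    lower=95.0, margin=2.0)

if __name__ == "__main__":
    for history in ([99.0, 98.5, 99.2], [99.1, 98.6, 98.0],
                    [99.0, 96.5], [99.0, 94.0]):
        print(f"{PATCH_SLA.name}: {history} -> {evaluate_kpi(PATCH_SLA, history)}")
```

The margin is what turns a KGI into an early alert: a reading of 96.5% still meets the 95% goal but already raises WARNING, and three consecutive declining readings raise EARLY_WARNING even while every one of them sits above the warning line.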

Resource Management
A significant proportion of the implementation of an
information security programme will focus on Information
Technology. For most companies this means legacy systems.

Going forward we see more and more companies move to the cloud, and so
there are these two aspects to deal with, which are quite different,
although the security objectives, controls and compliance requirements
largely remain the same.

As a result, information security officers need to know a lot about IT
in terms of legacy systems and increasingly require cloud deployment
experience too.

However there are legacy systems and then more legacy systems, all of
different types, and as the internet has been with us for more than
two decades many legacy systems are linked to the cloud.

The point is that most system infrastructures are likely to be hybrid.
In many ways the way to view a system is as a black box: what data
goes in, and how and where does it come out?

The following diagram maps the risk quadrant associated with a range
of different types of cloud systems, whether the infrastructure is
private, hybrid, shared with a community or public.

Controls
Implementation of controls is largely determined by your strategy.
There are Preventative, Detective, Corrective, Compensating and
Deterrent controls and you have to decide in each case the type of
control to deploy. Your strategy will depend on your level of
acceptable risk and risk tolerance in the circumstances. The controls
can be applied to people, technology and processes, often in
combination; access control is a typical example.

Where possible controls should be automated, as this helps to ensure
users cannot bypass them. You also want to determine how they should
fail: open, as in a fire exit, or closed, as in access to a database
or network. There is a range of principles you could employ: Least
Privilege, Compartmentalisation, Segregation of Duties, Transparency,
Trust and Zero Trust. Controls fall into three principal categories:
Managerial (administrative), Technical and Physical.
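The fail-open versus fail-closed decision is easiest to see in code. The following is an added example, not code from the ESORMA guide; the policy table, the subjects and the simulated outage of a policy service are constructed for illustration. It also shows default deny in the spirit of least privilege (a subject or action missing from the policy is refused) and records every decision with its reason, so that the fail-mode behaviour is visible in the audit trail rather than silent.

```python
"""Added example: an authorisation gate with an explicit fail mode.

Example code, not part of the ESORMA guide. The policy table, subjects,
actions and the simulated policy-service outage are constructed.
"""
from enum import Enum
from typing import Dict, List, Set, Tuple


class FailMode(Enum):
    OPEN = "open"      # a fault lets the action through (a fire exit)
    CLOSED = "closed"  # a fault denies the action (a database, a network)


class PolicyUnavailable(Exception):
    """Raised when the policy backend cannot be consulted."""


# Constructed policy: each subject holds only the actions its job needs
# (least privilege). Anything not listed is denied (default deny).
POLICY: Dict[str, Set[str]] = {
    "analyst": {"report:read"},
    "dba": {"report:read", "db:write"},
}


class PolicyService:
    """Stand-in for a remote policy decision point that may be down."""

    def __init__(self, available: bool = True) -> None:
        self.available = available

    def permits(self, subject: str, action: str) -> bool:
        if not self.available:
            raise PolicyUnavailable("policy service unreachable")
        # Unknown subjects get an empty set, so the answer is False.
        return action in POLICY.get(subject, set())


class Gate:
    """Enforcement point: every request passes through authorise()."""

    def __init__(self, service: PolicyService, fail_mode: FailMode) -> None:
        self.service = service
        self.fail_mode = fail_mode
        # (subject, action, allowed, reason) for each decision taken
        self.audit: List[Tuple[str, str, bool, str]] = []

    def authorise(self, subject: str, action: str) -> bool:
        try:
            allowed = self.service.permits(subject, action)
            reason = "policy"
        except PolicyUnavailable:
            # The fail mode decides the outcome only when the control
            # itself has failed; it never overrides a real policy answer.
            allowed = self.fail_mode is FailMode.OPEN
            reason = f"fail-{self.fail_mode.value}"
        self.audit.append((subject, action, allowed, reason))
        return allowed


if __name__ == "__main__":
    healthy = Gate(PolicyService(), FailMode.CLOSED)
    print("dba db:write      ->", healthy.authorise("dba", "db:write"))
    print("analyst db:write  ->", healthy.authorise("analyst", "db:write"))
    outage = Gate(PolicyService(available=False), FailMode.CLOSED)
    print("dba db:write (outage, fail-closed) ->", outage.authorise("dba", "db:write"))
    for entry in outage.audit:
        print("audit:", entry)
```

For a data store the gate is constructed with FailMode.CLOSED, so a policy outage denies even the DBA and the audit entry says why; FailMode.OPEN is the fire-exit case, where a fault must not trap anyone and the denial would be the greater harm.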

Common Challenges To Security Programme Implementation
Most common issues come about as a result of the following:

• An organisational culture typically being resistant to change
• A perception that more security will make life harder for staff
• Limited value of subjective measurements
• Failure of strategy
• Key elements missing from the plan


Summary
Security is effective when it is enabled, and in turn, security
is effectively an enabler. Security needs to be an organised
practice for it to be effective and this domain describes the
many ways that a business can be enabled as a result of security
technologies and procedures.

There is a balance required between human and automatic controls, and
this domain describes many of the tools at the security practitioner's
disposal that can help maintain that balance from governance, through
risk management to compliance and on through to deployment.

The checklists, communication suggestions, documentation and the Plan
Do Check Act walk-through provide insights into how to practically
orchestrate a Total Quality Management System, with the suggestion
that KGIs, CSFs and KPIs can help you automate the management in real
time.

The domain ends with an overview of resource management concepts and
how to judge risk from a bird's-eye-view perspective, specific
suggestions about manual controls you can put in place, and the common
challenges that most enterprises have to face.


Domain #4: Enable Questionnaire

Our first question that must be asked is: what or who do we need to
enable and why?
______________________________________________________________
______________________________________________________________
______________________________________________________________
______________________________________________________________
______________________________________________________________
______________________________________________________________
______________________________________________________________
______________________________________________________________

What led us here?
______________________________________________________________
______________________________________________________________
______________________________________________________________
______________________________________________________________

Where do you think we are going? What will follow?
______________________________________________________________
______________________________________________________________
______________________________________________________________
______________________________________________________________

What can you find that might help you to judge the risk appetite of
the business?
______________________________________________________________
______________________________________________________________
______________________________________________________________
______________________________________________________________


Is the enterprise more interested in building defences or absorbing
losses?
______________________________________________________________
______________________________________________________________
______________________________________________________________
______________________________________________________________

What regulatory and legal requirements must the business comply with?
______________________________________________________________
______________________________________________________________
______________________________________________________________
______________________________________________________________

Name the Risk Registers you need to refer to:
______________________________________________________________
______________________________________________________________
______________________________________________________________
______________________________________________________________
______________________________________________________________
______________________________________________________________
______________________________________________________________

Who is your audience (managers, IT staff or end-users)?
______________________________________________________________
______________________________________________________________
______________________________________________________________

What is your message (activity, policy, procedure)?
______________________________________________________________
______________________________________________________________
______________________________________________________________


What is the expected result (compliance, change, reduced costs,
increased speeds)?
______________________________________________________________
______________________________________________________________
______________________________________________________________

How will you communicate (meeting, Intranet, email, letter, workshop,
etc.)?
______________________________________________________________
______________________________________________________________
______________________________________________________________

What Critical Success Factors do you consider worthy of achievement?
______________________________________________________________
______________________________________________________________
______________________________________________________________
______________________________________________________________
______________________________________________________________
______________________________________________________________


Take Enable Training & Earn 10 CPEs

Our one day ESORMA 'Enable Master Class' combines cybersecurity,
management, architecture, operations, communications and project
management skills and rewards delegates with ten CPEs: one for each
hour spent in class and three for taking the Enable Assessment. Find
out more at ESORMA.com/training.html

Next Up...
Now that we have enabled, the next chapter is about hardening.
The question is are you constantly, frantically hardening or are
you satisfied with your plan? Stan?

Success information passed back is best delivered in the language of
the business. This will maximise acceptance of the current project and
is vital to ensure future projects are agreed.

ESORMA Domain #5: Harden


“Only resilient organisations survive”

With thousands of attacks a day, it is highly likely that as a
security officer you will spend some time considering the types of
attacks you get.

For some, it may be the total focus; for others, you may be the only
person that has any handle on security at all.

Either way you want to know that nothing is going to get through.
Hardening is the process of reducing the opportunities for attack:
threats become successful attacks when they exploit vulnerabilities,
so hardening removes or mitigates the vulnerabilities they depend on.
Confidence in our systems comes through thorough hardening. It is
worth noting that when we review our vulnerabilities we can start to
see the lines of attack an attacker could take, and with that vision
we can pick out the route an attacker may take and block it.

The key to security, the reason why we need it, is so that the
business is more resilient to attack. It is vital that a business can
power on and serve its customers, acting responsibly, protecting its
employees and providing income or wealth to its owners.


The specific order is human life first and everything else afterwards,
as determined by the business managers of the enterprise.

Resilience is the result of good planning, and planning is always an
activity undertaken first, ahead of time; it is in this way we can
'bake security in'. The idea of governance and compliance is to
provide a plan to ensure that processes are followed that deliver on
expectation and that resilience planning, among other things, is
undertaken properly.

Pre-Planning
The Business Impact Analysis (BIA) as covered in Domain 3
of ESORMA is a pre-planning exercise, designed to help build
in resilience to the business by providing an alternative plan
should something go wrong with service or product delivery.

Spin-offs from the development of the BIA, caused by process reviews,
often lead to process improvements and simplification, which may speed
production, increase quality or conformity and lower costs. One or all
three of those benefits could be the result, as well as increased
resilience. Most businesses would be delighted to take just one of
those!

It is possible to do more than simply create a BIA; for instance, the
BIA will help you ensure Business Continuity (BC) and Disaster
Recovery (DR). Your technology teams should be building systems with
resilient architecture as standard.

This means that if a major component fails, the failure is detected,
an alert is raised and a replacement or failover process is triggered.
This is standard practice for servers behind a load balancer, for
instance; ordinarily expensive, it is a lot less so in the cloud.


Local storage should be backed up on fault-resistant backup systems.
The expectation is that your primary systems will in the main never
fail, yet of course, at the most difficult time, they do.

A hot backup should be on standby, ready to kick in and take over as
the new primary data source. This will then itself need a backup.

It becomes tricky and expensive, as costs are incurred for every
backup system. Yet those costs should be compared with the possibility
of total or partial system failure, and with this we should also
review the MTD, RPO and RTO calculations described in Domain 3:
Evaluate.
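An added example of checking a backup history against those objectives (example code, not from the guide): the snapshot timestamps, the failure time, the objectives and the restore-test duration below are all constructed. It reports the worst-case data loss at the moment of failure and the largest gap between snapshots against the RPO, and checks that the RTO sits within the MTD and that the last rehearsed restore actually finished within the RTO, which is the check most often skipped.

```python
"""Added example: test backup history against RPO, RTO and MTD.

Example code, not part of the ESORMA guide. The snapshot times, the
failure time, the objectives and the restore-test duration are
constructed for illustration.
"""
from datetime import datetime, timedelta
from typing import List


def worst_case_data_loss(snapshots: List[datetime],
                         failure_at: datetime) -> timedelta:
    """Everything written after the last good snapshot is lost when the
    primary fails; return that window. Raises if no snapshot predates
    the failure, because then nothing can be restored at all."""
    usable = [s for s in snapshots if s <= failure_at]
    if not usable:
        raise ValueError("no snapshot predates the failure")
    return failure_at - max(usable)


def largest_gap(snapshots: List[datetime]) -> timedelta:
    """Longest interval between consecutive snapshots: the exposure had
    the failure struck at the worst possible moment."""
    ordered = sorted(snapshots)
    if len(ordered) < 2:
        return timedelta(0)
    return max(b - a for a, b in zip(ordered, ordered[1:]))


def assess(snapshots: List[datetime], failure_at: datetime,
           rpo: timedelta, rto: timedelta, mtd: timedelta,
           restore_test: timedelta) -> List[str]:
    """Return findings; an empty list means every objective holds."""
    findings: List[str] = []
    if rto > mtd:
        findings.append("RTO exceeds MTD: the recovery plan cannot meet "
                        "the business deadline")
    if restore_test > rto:
        findings.append("last restore test took longer than the RTO")
    loss = worst_case_data_loss(snapshots, failure_at)
    if loss > rpo:
        findings.append(f"data loss at failure ({loss}) exceeds RPO ({rpo})")
    gap = largest_gap(snapshots)
    if gap > rpo:
        findings.append(f"largest snapshot gap ({gap}) exceeds RPO ({rpo})")
    return findings


# Constructed history: a 4-hourly schedule with one missed run (a 10 h
# gap between 08:00 and 18:00), and a failure at 01:30 the next day.
BASE = datetime(2020, 6, 1, 0, 0)
SNAPSHOTS = [BASE + timedelta(hours=h) for h in (0, 4, 8, 18, 22)]
FAILURE_AT = BASE + timedelta(hours=25, minutes=30)

if __name__ == "__main__":
    results = assess(SNAPSHOTS, FAILURE_AT,
                     rpo=timedelta(hours=4), rto=timedelta(hours=2),
                     mtd=timedelta(hours=8),
                     restore_test=timedelta(hours=1, minutes=30))
    print("findings:", results or "none")
```

With these inputs the failure itself is survivable (3.5 hours of loss against a 4 hour RPO) but the missed run earlier in the day is flagged, which is the point: the schedule, not just the last snapshot, has to satisfy the RPO.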

Clarity
To both avoid failure and recover from failure it is important to have
systems in place with adequate documentation. One thing to consider is
that when things do fail there will be extra pressure on the systems
and personnel, both of which may be subject to further failure.
Mechanical or electronic component failure can put more load on the
remaining components, which in turn may raise their temperature, and
other components can suffer if they exceed their normal operating
ranges too. Thus chain reactions can start, where one thing fails and
causes further related failures.

Similarly for people!

Human failure is more likely when people find themselves under
pressure too. We have every intention of doing the right thing, but
sometimes in a panic we do the exact opposite with the best of
intentions. It is vital we all have adequate documentation available,
and that remedies are proven, tested and come with clear instructions,
accessible and clear enough to be followed by a novice.


It is also vital to make life super easy for staff to operate when
under fire.

In essence we are looking for accurate and clear documentation.
Ideally we want to have common and established standards, with basic
configuration instructions provided in all instances.

It is imperative colleagues are trained and rehearsed; this will
ensure better performance and confidence under pressure.

We need to understand the required skills and we need to be certain
that staff can follow a process even in scenarios outside the normal
scope. We need clear change management processes, so that when a
change occurs the documentation is updated as well and kept in sync.

Staff need to be very familiar with the tools available to them and
know how they should be configured for each of the tasks they may have
to perform. Often it is the little details which are crucial to
maintaining operations. We do not want to leave the little things to
guesswork when we are under pressure, as small mistakes can create big
difficulties.

Capability
It is normal for an enterprise to expect to improve capability
over time as it moves from unpredictable processes to
predictable to increased staff expertise and systems are
enhanced, refined and ultimately optimised. Capability can be
reflected in a number of ways.

Originally developed at Carnegie Mellon University, the Capability
Maturity Model Integration (CMMI) is designed to reflect the stage an
enterprise has reached on an easy-to-measure scale of 1 to 5, as a
benchmark.


1. CMMI level 1, Initial: unpredictable processes, often poorly
controlled and reactive.
2. CMMI level 2, Managed: processes are managed, yet still reactive.
3. CMMI level 3, Defined: developed, custom processes, proactive.
4. CMMI level 4, Quantitatively Managed: measured and controlled.
5. CMMI level 5, Optimising: the focus is on improving business
processes further.

You should find the ESORMA framework will help you to move from CMMI
level 1 through to a higher level, and ultimately to level 5, provided
you continue to review the processes employed, your staff are
proactive in their application and collectively your organisation
continues to review and find improvements.


There are lots of business benefits to following the CMMI, including
reducing costs and increasing quality, consistency and resilience to
attack.

Disasters Happen
Fires, burst pipes, server crashes, area flooding, power outages,
winter storms, even local transport issues can all have an impact,
more recently pandemics too, and then there are deliberate attacks
from staff, disgruntled clients or competitors; all can produce
menacing dangers.

If a business is forced to close down, or even slow down, for a few
days, its reputation may be damaged to some extent, as clients do not
enjoy being advised of delay, whatever the reason. Costs can run to a
percentage of turnover: a GDPR breach, for instance, can attract a
fine of up to 4% of global annual turnover.

However it transpires that, according to Contingency Planning &
Management Magazine, 90% of businesses have no disaster recovery plan,
and 40% of businesses that shut down for three days are likely to go
bust within 36 months.

Business Continuity and Disaster Recovery (BC/DRP)
BC/DRP processes can help you to define a plan of action, a map of
what to do, when and by whom. Having a map in a time of emergency can
make all the difference. It can give confidence to colleagues and
avoid further damage committed by those who have the best intentions
and take things into their own hands. A plan means there is a step by
step guide designed to focus on the most important areas first; a lot
of this can be mapped out in a business impact analysis (BIA) as
outlined in Domain 3: Evaluate.


Just having a BC/DRP strategy will help you to develop your CMMI
level. Plus you should find your systems will be protected and
processes enhanced, providing higher quality systems and availability.
The main objective is to reduce disruptive events by considering what
they may be. This in turn will probably lead your business toward
enhanced standards compliance and improve leadership and executive
understanding. Knowing your uptime is likely to be increased, there
are commercial benefits in being able to offer guarantees and client
assurance to warrant you will be there for them when the need arises.

BC/DRP processes can give you a fighting chance of survival
when faced with disaster. The steps involved are usually
referred to as a Business Continuity Management Lifecycle
(BCML), as the process is continuous and subject to constant
revision, because a business, its customers and its customs
change often:

Business Continuity Management Lifecycle
• Phase 1: Scope and plan initiation. Making a decision and
actually starting
• Phase 2: Business Impact Analysis (BIA)
• Phase 3: Plan Development
• Phase 4: Validation and monitoring
• Phase 5: Embed

When you know what could go wrong and what to protect
and why, you are in a much better position to develop a
contingency plan. If you prepare your plan ahead of time, you
leave continuity less to a wing and a prayer, and instead rely on
a series of proactive steps you have determined in advance are
viable to take. These steps will provide you with the
resilience your business would need.


Business Continuity Management is a holistic management
process that identifies potential threats to an organisation and
the impact on the business if those threats are realised. In turn
you can build a custom framework to preserve the specific
operations necessary for operational resilience: the ability to
respond effectively because the materials required are on hand.

When you have identified the key areas of concern it becomes
an easier process to measure and monitor, due to the clarity
achieved.

Your BCML processes will ensure you have an early warning
system in place and compensate for decay before a critical event
occurs. Thus, your business will benefit from more uptime and
be more resilient, with client satisfaction, reputational and
cash-flow benefits.

The final phase is Embed, and this can help with developing a
CMMI level 5 capability, where you not only identify the process
but, through testing, ongoing revision and review, get the
opportunity to optimise your plan and in turn tune your
resilience, where you can expect to improve quality, increase
speed and potentially reduce costs too.

Disaster Recovery
There are times when disaster occurs beyond your control,
especially if the disaster is related to a third party or, as we have
seen a few times, a country-wide epidemic. However, it can be
a smaller local event, yet still have big implications. Every day
there are fires, car accidents, accidents at work and unintended
as well as intentional consequences, from mistakes, lateness, a
robbery or an aggravated attack, for instance.


Preparing for a disaster can be a hard sell, especially if the
business is led by optimists, or if the business has done well
for decades. It can be difficult for senior management to see a
disaster happening, as a disaster has never happened before,
or the business has always managed to come through. It is
potentially a complacent view. The objective is to minimise the
effects of disasters. Many events known as disasters result
in a terminal outcome for an otherwise perfect business.

The key is to be in a position to create procedures to be followed
during and after a loss. The goal is to do what we can to ensure
that damage is minimised ahead of an event so the business can
resume normal operations as soon as possible.

Disaster Recovery Plan Lifecycle
• Phase 1: Define DRP process
• Phase 2: Document and train
• Phase 3: Test the DRP processes
• Phase 4: Activate disaster recovery procedures
• Phase 5: Maintain / optimise procedures

BCM/DRP Objectives
Processes developed should provide for immediate, accurate
and measured responses to emergency situations. Policies,
procedures, and documentation need to be created and
provided, so they are available to staff during an event to aid the
recovery process in practice. You will need a database of
resources available to aid recovery, one that includes additional
lines of communication and the flexibility to create an ad-hoc
BCM/DRP team made up of the staff available at the time. You
will also need a list of approved vendors and probably access to
vendor SLAs too, in order to know who is responsible for
ensuring reduced outages.


Download the ESORMA Basic BCM/DRP step by step plan from
the ESORMA Portal at https://ESORMA.com: select the ‘free
gifts’ navigation item for all the free gifts that come with this
free guide.

Summary
The summary for the Harden domain is really about
preparation and planning. Most governance strategies insist on
a disaster and recovery plan as part of risk management, which
is about recovery as well as avoidance of risk, to minimise the
effects of risk; and then there are compliance requirements too.

In addition, by following a strong GRC plan as outlined here in
ESORMA, a lot of the information you need already exists, or
should be to hand; for instance, you will need risk registers and
a BIA to be accessible.

With clarity of purpose, documented assets and plans, a lot
of your resilience efforts could well be a matter of pulling
information together over time. As part of the process your
organisation’s resilience will improve and your CMMI should
rise as well.

However, as with all the best plans, disasters can happen, and
while we plan for you to be covered for every eventuality, there
is bound to be a freak event that does not fit neatly into your
contingency plans, so your business continuity processes will
need to exist in a range of areas across your business and your
disaster recovery plan should be adaptable.

Close attention needs to be paid to the Business Continuity
Lifecycle, particularly phase 4: validation and monitoring, and
this will be true as a result of regularly rehearsing, testing and
enhancing the plan.


The result will be less downtime and more resilience to
events. Chances are, you will increase speed and enhance
client delivery with warranties and time-based guarantees too;
you may increase throughput and make more money for the
business in the process.

Domain #5: Harden Questionnaire

Our first question that must be asked is what or who do we need
to Harden and why?
________________________
________________________
________________________
________________________
________________________
________________________
________________________
________________________

What led us here?
______________________________________________________
______________________________________________________
______________________________________________________
______________________________________________________

Where do you think we are going? What will follow?
______________________________________________________
______________________________________________________
______________________________________________________
______________________________________________________


Do you have a BIA in place, what and when was the last action
on it (is it complete, rehearsed, accessible and up to date)?
______________________________________________________
______________________________________________________
______________________________________________________
______________________________________________________

Are business processes adequately documented?
______________________________________________________
______________________________________________________
______________________________________________________
______________________________________________________

Where are you on the CMMI scale and what do you need to do
to move up at least one notch or maintain level 5?
______________________________________________________
______________________________________________________
______________________________________________________
______________________________________________________

Do you have a BCP/DRP plan? What do you need to do to start
putting one together?
______________________________________________________
______________________________________________________
______________________________________________________
______________________________________________________
______________________________________________________
______________________________________________________
______________________________________________________


What phase are you at for the Business Continuity Management
Lifecycle and what do you need to do next to move forward?
______________________________________________________
______________________________________________________
______________________________________________________
______________________________________________________
______________________________________________________
______________________________________________________

What phase are you at for your Disaster Recovery Plan
Management Lifecycle and what do you need to do next to
move forward?
______________________________________________________
______________________________________________________
______________________________________________________
______________________________________________________
______________________________________________________
______________________________________________________

Did you know you can download a copy of the ESORMA
Basic BCM/DRP step by step plan from the ESORMA Portal?

Please note you can buy additional printed copies of the
Workbook Only version of the ESORMA Quick Start Guide
online, should you want to run a workshop or measure progress
over time. Here: https://www.amazon.co.uk/dp/B08C94SLSP


Please register online for all the online goodies that come
with this quick start guide:

You will find: Case Studies, Checklists, Graphics, Templates,
Calculators, the latest PDF of this guide and a separate
questionnaire designed to help you design and record your
personal, custom plan of action.

Register here: https://ESORMA.com and select the ‘free gifts’
navigation item for all the free gifts that come with this free
guide.

You will also learn how to get your own custom branded
questionnaires and how to organise one to one training, support
or consultancy and custom on site, or open, hotel based training
events.

You will also get access to a suite of tools that should help you
in your ongoing ESORMA journey.

Take Harden Training & Earn 10 CPEs
Our one day ESORMA ‘Hardening The Enterprise’ course combines
cybersecurity, management, architecture, operations,
communications and project management skills and rewards
delegates with ten CPEs: one for each hour spent in class and
three for taking the Harden Assessment. Find out more at
ESORMA.com/training.html

Next Up...
Now that we have hardened, the next chapter is about
monitoring. Monitoring is full of risks and yet has also become
a mission critical area of the business. Read on to find out why
this should concern you.

Numbers are great, but things change. The next question is: are
the controls actually still as effective as originally envisaged?

ESORMA Domain #6: Monitor

“A non-functioning control becomes an unmitigated risk in itself.”

Nowadays we have to manage mission-critical information
technology, and assure confidentiality, integrity and availability
as a mission critical function.

Monitoring covers a lot of ground. Although monitoring is
primarily an operations and compliance function, there is an
element of regular reporting to senior management, so it also
intersects with the governance domain. This goes some way to
demonstrate the critical nature of the topic. Monitoring needs to
be carefully managed as it is also a potential area of weakness.

The threat landscape is ever changing, and sitting still and
resting on laurels can quickly become an ingredient for
disaster. Having established controls for risks (mentioned
in the risk register) and implemented and tested them, it
is imperative that those controls are closely watched and
managed to ensure that they meet their objectives.

If objectives are not met for any reason then action must
be taken to rapidly fix the problem so that data assets and our
colleagues are not left vulnerable.


“The administrative control was in place, on paper at least. It
was simply a segregation of duties control. The CEO, and
another director, in order to comply with Sarbanes Oxley
requirements, would have to approve each transaction or
change”.

This meant the finance director or accounts manager would
wait for the CEO and director to log in and review the
transaction or change.

It was a control put in place at a major multinational
organisation. It should have worked. But monitoring showed
it was a failed control.

It was failing due to laziness and a bad security culture.

The CEO and director were lazy and had given their
credentials to the person making the change and told him to
log in and approve it. I will let you count in your head the
number of breaches in this scenario.

In this case, though, the monitoring that exposed it as a failure
was auditing.

It shows the importance of monitoring controls that are
already in place. It may all sound good on paper but the
reality can be starkly different. Putting controls in place
should not be a tick-box exercise. They should be regularly
checked to see that they function as desired and meet their
objectives.
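The kind of check the audit in the story above performed, as an added example written for this edition rather than taken from the ESORMA guide or its portal tools: a Python script that reads a constructed approval log and flags the symptoms of a bypassed segregation of duties control (an approver acting from the requester's workstation, approvals seconds after submission, self-approval, too few independent approvers). The log format, account names, host names and the five-minute review threshold are assumptions.

```python
"""Added example (not from the ESORMA guide): auditing a segregation of duties control.

The control: two separate directors must approve each change. If they hand their
credentials to the requester, the 'approver' accounts will act from the requester's
workstation and approve almost immediately after submission. The log format, names
and thresholds below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed audit-log lines: timestamp, event, user, host, change id.
SAMPLE_LOG = """\
2020-03-02T09:14:05 SUBMIT user=fin.manager host=WS-FIN-07 change=CHG-1001
2020-03-02T09:14:41 APPROVE user=ceo host=WS-FIN-07 change=CHG-1001
2020-03-02T09:15:02 APPROVE user=director.ops host=WS-FIN-07 change=CHG-1001
2020-03-03T11:02:10 SUBMIT user=fin.manager host=WS-FIN-07 change=CHG-1002
2020-03-03T14:30:55 APPROVE user=ceo host=LAPTOP-CEO change=CHG-1002
2020-03-04T08:45:12 APPROVE user=director.ops host=LAPTOP-DIR change=CHG-1002
2020-03-05T10:00:00 SUBMIT user=fin.manager host=WS-FIN-07 change=CHG-1003
2020-03-05T10:00:20 APPROVE user=fin.manager host=WS-FIN-07 change=CHG-1003
"""

REQUIRED_APPROVALS = 2                   # the control: two independent directors
MIN_REVIEW_TIME = timedelta(minutes=5)   # assumed threshold: faster looks like rubber-stamping


@dataclass
class Event:
    ts: datetime
    kind: str      # SUBMIT or APPROVE
    user: str
    host: str
    change: str


def parse_log(text: str) -> List[Event]:
    """Parse the constructed 'key=value' audit format into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        events.append(Event(datetime.fromisoformat(ts), kind, kv["user"], kv["host"], kv["change"]))
    return events


def audit_sod(events: List[Event]) -> Dict[str, List[str]]:
    """Return, per change id, the list of findings. An empty list means the control held."""
    by_change: Dict[str, List[Event]] = {}
    for e in events:
        by_change.setdefault(e.change, []).append(e)

    findings: Dict[str, List[str]] = {}
    for change, evs in by_change.items():
        issues: List[str] = []
        submits = [e for e in evs if e.kind == "SUBMIT"]
        approvals = [e for e in evs if e.kind == "APPROVE"]
        if not submits:
            findings[change] = ["approval recorded without a submission"]
            continue
        submit = submits[0]
        for a in approvals:
            delay = int((a.ts - submit.ts).total_seconds())
            if a.user == submit.user:
                issues.append(f"self-approval by {a.user}")
            if a.host == submit.host:
                issues.append(f"approver {a.user} acted from the submitter's host {a.host}")
            if a.ts - submit.ts < MIN_REVIEW_TIME:
                issues.append(f"approver {a.user} approved only {delay}s after submission")
        # Independent approvers: distinct accounts other than the submitter.
        independent = {a.user for a in approvals} - {submit.user}
        if len(independent) < REQUIRED_APPROVALS:
            issues.append(f"only {len(independent)} independent approver(s), {REQUIRED_APPROVALS} required")
        findings[change] = issues
    return findings


if __name__ == "__main__":
    for change, issues in audit_sod(parse_log(SAMPLE_LOG)).items():
        print(f"{change}: {'CONTROL HELD' if not issues else 'CONTROL FAILED'}")
        for issue in issues:
            print(f"  - {issue}")
```

Run against the sample, CHG-1002 passes while CHG-1001 (both approvals from the requester's workstation within a minute) and CHG-1003 (self-approval) are reported as failed controls.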


How monitoring is conducted
Monitoring can be conducted in many ways; the ESORMA
methodology adopts a much simplified version of NIST
SP800-137, which comprises the following 4 steps
(SPAR):

1. Strategy: Defining a monitoring strategy
2. Programme: Establishing a monitoring programme
3. Analysis: Analyse and regularly report findings
4. Response: Respond to those findings

Strategy
As with all elements of information security you have to plan
things in advance of trying to make changes. When it comes
to the strategy for controls you can go back to the core of
ESORMA and scope your requirements for monitoring.

This very much depends on the objectives of the controls and
the chosen controls themselves.

In a large organisation this would involve planning how
best to monitor the hundreds if not thousands of technical
and non-technical controls in place. It can become a full time
job and it definitely needs planning.

For smaller organisations there may only be one or two
people in place who are expected to manage the monitoring.
It is about what metrics and monitoring need to be applied,
and where, for the greatest effect.


Programme
Only once you know how monitoring needs to be applied can
you start looking at the gaps between what needs to happen
to optimise monitoring and what you currently have in place.
Then you can decide who needs to do what and when. You
can probably start to appreciate why a programme of works
is needed. A roadmap would be required to plug the gaps
found.

Standard architectural and project management techniques
can be used here to develop the monitoring programme. It
does not require any new techniques or tools.

Analysis
Analysing controls might be seen as a Security Operations
Centre (SOC) function, as it is more than analysing logs. It is
about confirming that the right logs are being generated in the
first place and that the devices, processes or systems generating
the logs and information are actually functioning.

Many systems have a heartbeat function providing a fail-safe
check to confirm systems are operational. Yet sometimes a
manual check is required to ensure the control is meeting its
control objectives. Proving life (via the heartbeat) is always
the litmus test when it comes to verifying the control and the
veracity of the logs it generates.

Continuous audit modules in software are another way of
checking controls are acting as they should, but what about a
manual process?


Every security control with a manual process should be
scrutinised via audits to ensure that procedures are being
followed correctly and are not being bypassed or ignored. An
element of ‘Pen Testing’ and performance reviews, as well as
checking recorded notes, plays a large part here.

These metrics and tests should be built into the design of a
control rather than bolted on later, to be most effective.

Response
As soon as a control is discovered not to be meeting its
objectives it becomes imperative to take action to remedy the
situation otherwise a non-functioning control becomes an
unmitigated risk in itself.

Ideally there would have been an evaluation of multiple
controls that could meet the control objectives in the risk
treatment phase, and this is where the alternatives can be
looked at to see if they would perform better than the failed
control or if a completely new control needs to be found.

The security practitioner should return to the central scoping
feature of ESORMA and this time branch off again into risk
assessment and risk appetite evaluation to ascertain the need
for an improvement or replacement of a failed control.

After risk analysis and business impact analysis, either the
control has to be fixed (if possible) or a replacement control
needs to be chosen and implemented. Depending on what it
is, it could be a trivial affair to be implemented with agility
using established change procedures, or it could be more
involved and may require a project or special programme
to implement. The severity and risk being mitigated should
drive the time-lines for implementation.


Tools & Walk-through
Many different tools and methods can be used to monitor
controls. The tools listed below are usually found to be the
most useful for the task:

SIEM

Security Information and Event Management (SIEM) software
collates and analyses logs for anomaly detection and alerts a
security administrator or CISO. Heavily used in SOCs.


Continuous audit module

Also known as Computer Assisted Audit Techniques
(CAATs). CAATs are (usually software) tools for gathering
relevant evidence, which empower auditors by helping them
complete IT-related audit assignments.


Manual audit logs

A security analyst will manually go through logs to look
for anomalies. This can be very time consuming and tedious, but
might be needed for forensics etc.

Heartbeat monitoring

[Image: CC BY-SA 3.0, https://en.wikipedia.org/w/index.php?curid=6484509]

Systems that function normally will generate a signal
(heartbeat), and if something goes wrong, such as a failure of
any essential monitoring software or hardware, a security
administrator can be alerted to the fact by the absence of the
heartbeat signal. (This is commonly built into monitoring
systems.)
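A heartbeat watchdog for the log sources a control depends on, serving both the Analysis step above (confirming that the systems generating the logs are actually functioning) and the heartbeat tool described here; it is an added example, not code from the ESORMA guide or portal. The source names, heartbeat intervals, event feed and the grace factor of two missed beats are all assumptions constructed for illustration.

```python
"""Added example (not from the ESORMA guide): a heartbeat watchdog for log sources.

Every source a control relies on is listed with its expected heartbeat interval.
Any event from a source counts as proof of life; the alert is raised on the
ABSENCE of that signal, including sources that never report at all (a broken
pipeline looks exactly like a quiet system unless you check the inventory).
Names, intervals and the feed are constructed for illustration.
"""
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed inventory of sources and how often each is expected to be heard from.
EXPECTED_SOURCES: Dict[str, timedelta] = {
    "fw-edge-01": timedelta(minutes=1),
    "ad-dc-01": timedelta(minutes=5),
    "siem-collector": timedelta(minutes=1),
    "badge-reader-lobby": timedelta(minutes=15),
}

# Constructed event feed: timestamp, source, event type. Note that nothing ever
# arrives from badge-reader-lobby and fw-edge-01 falls silent after 09:03.
SAMPLE_FEED = """\
2020-03-02T09:00:05 fw-edge-01 heartbeat
2020-03-02T09:00:10 siem-collector heartbeat
2020-03-02T09:01:05 fw-edge-01 heartbeat
2020-03-02T09:01:10 siem-collector heartbeat
2020-03-02T09:02:30 ad-dc-01 logon-audit
2020-03-02T09:03:05 fw-edge-01 heartbeat
2020-03-02T09:03:10 siem-collector heartbeat
2020-03-02T09:09:10 siem-collector heartbeat
2020-03-02T09:10:10 siem-collector heartbeat
"""

GRACE = 2  # assumed: tolerate two missed beats before alerting, to avoid flapping


def last_seen(feed: str) -> Dict[str, datetime]:
    """Return the most recent timestamp observed per source."""
    seen: Dict[str, datetime] = {}
    for line in feed.splitlines():
        if not line.strip():
            continue
        ts, source, _event = line.split(maxsplit=2)
        stamp = datetime.fromisoformat(ts)
        if source not in seen or stamp > seen[source]:
            seen[source] = stamp
    return seen


def check_heartbeats(seen: Dict[str, datetime], now: datetime) -> List[Tuple[str, str]]:
    """Return (source, reason) for every expected source that is silent or missing."""
    alerts: List[Tuple[str, str]] = []
    for source, interval in EXPECTED_SOURCES.items():
        limit = GRACE * interval
        if source not in seen:
            alerts.append((source, "never reported: check the device and the log pipeline"))
            continue
        silence = now - seen[source]
        if silence > limit:
            alerts.append((source, f"silent for {int(silence.total_seconds())}s "
                                   f"(limit {int(limit.total_seconds())}s)"))
    return alerts


def run_check(feed: str, now_iso: str) -> List[Tuple[str, str]]:
    """Convenience entry point: evaluate a feed as of the given ISO-8601 time."""
    return check_heartbeats(last_seen(feed), datetime.fromisoformat(now_iso))


if __name__ == "__main__":
    for source, reason in run_check(SAMPLE_FEED, "2020-03-02T09:10:30"):
        print(f"ALERT {source}: {reason}")
```

As of 09:10:30 the watchdog reports fw-edge-01 (silent for over seven minutes against a two-minute limit) and badge-reader-lobby (never seen), while ad-dc-01, heard from eight minutes ago with a ten-minute limit, is still within tolerance.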


Penetration Testing

[Image: By Re4sonkernel - Own work, CC BY-SA 3.0, https://commons.wikimedia.org/w/index.php?curid=88874729]

Penetration testing is usually undertaken by an expert in
ethical hacking. The ethical hacker will try to penetrate a
system, software, process or facility to find its weak spots
and inform the client of them in a report so they can be
remedied.


Control objective evaluation

[Image: By U.S. Government Accountability Office from Washington, DC, United States - Figure 2: Achieving Objectives through Internal Control, Public Domain, https://commons.wikimedia.org/w/index.php?curid=52098015]

Control objective evaluation is a manual process of
determining what a control must achieve based on risk
appetite. It is an important step in risk analysis and informs
a security practitioner of whether or not a control is adequate
or if it is failing.

All of these can either be created manually (more difficult)
or the tools available on the ESORMA portal can be used to
automate and simplify the whole process.

Summary
In this chapter we looked at what Monitoring is and who is
responsible for it: senior management should commission it, so
it falls into the governance category of GRC. We also looked at
why it is necessary and the tools and methodologies available
for it.

We mentioned how all of this can be made simpler using tools
and techniques which can be collated and gathered into an
effective tool-kit for any security practitioner.


Domain #6: Monitor Questionnaire

Our first question that must be asked is what or who do we need
to monitor and why?
__________________________
__________________________
__________________________
__________________________
__________________________
__________________________
__________________________
__________________________
__________________________

What led us here?
______________________________________________________
______________________________________________________
______________________________________________________
______________________________________________________

Where do you think we are going? What will follow?
______________________________________________________
______________________________________________________
______________________________________________________
______________________________________________________

What metrics and monitoring need to be applied and where
(see Strategy)?
______________________________________________________
______________________________________________________
______________________________________________________
______________________________________________________
______________________________________________________


What exists and where is the monitoring shortfall (see
Programme)?
______________________________________________________
______________________________________________________
______________________________________________________
______________________________________________________
______________________________________________________
______________________________________________________
______________________________________________________

What logs are required for monitoring purposes (see
Analysis)?
______________________________________________________
______________________________________________________
______________________________________________________
______________________________________________________
______________________________________________________
______________________________________________________
______________________________________________________
______________________________________________________

What safeguards do you have in place to ensure that your
systems remain operational (see Response)?
______________________________________________________
______________________________________________________
______________________________________________________
______________________________________________________
______________________________________________________
______________________________________________________
______________________________________________________

Please note you can buy additional printed copies of the
Workbook Only version of the ESORMA Quick Start Guide
online, should you want to run a workshop or measure
progress over time. Here: https://www.amazon.co.uk/dp/B08C94SLSP


Please register online for all the online goodies that come
with this quick start guide:

You will find: Case Studies, Checklists, Graphics, Templates,
Calculators, the latest PDF of this guide and a separate
questionnaire designed to help you design and record your
personal, custom plan of action.

Register here: https://ESORMA.com and select the ‘free gifts’
navigation item for all the free gifts that come with this free
guide.

You will also learn how to get your own custom branded
questionnaires and how to organise one to one training,
support or consultancy and custom on site, or open, hotel
based training events.

You will also get access to a suite of tools that should help you
in your ongoing ESORMA journey.

Take Monitor Training & Earn 10 CPEs
Our one day ESORMA ‘SPAR Monitor Techniques’ course combines
cybersecurity, management, architecture, operations,
communications and project management skills and rewards
delegates with ten CPEs: one for each hour spent in class and
three for taking the Monitor Assessment. Find out more at
ESORMA.com/training.html


Next Up...
Now that our monitoring is motoring, the next chapter is
about your operations.

Operations is an essential process for businesses of all sizes,
yet only the bigger companies can afford a thing like a
security operations centre. The question is what does one
of those do and what alternatives could smaller enterprises
consider?

You will learn more about what to look out for, what to
measure and what to report back.


ESORMA Domain #7: Operations

“Good security is invisible. A good framework helps make it so.”

Security Operations mainly revolve around monitoring and
responding to information security events, usually a domain for
a security operations team.

Not every company needs a dedicated security operations
centre. That does not mean smaller businesses do not need
someone taking care of security. On the contrary. There still
needs to be someone taking care of the bare basics of security
and promoting resilience. The only difference is that this person
may have other (usually technical) roles in the company.

When studying for my CISM exam I remember reading a story
about a bank where operations broke down simply because the
person who was supposed to take action just didn’t have the
right authority to do so.

To get clearance to shut down and restart the whole network (to
remove a memory resident virus after it had been cleaned from
the infected files), the CIO of the company was supposed to
approve such an action.


The CIO was on holiday. The CEO eventually provided
clearance after he was finally able to respond.

This cost the bank millions in losses as they had people all
around their enterprise twiddling their thumbs and unable to
work for a whole day. All because of an ill thought out and
untested operational structure.

What is the alternative to a SOC?
A well thought out and enforced Information Security Policy
is a good start. Also, a good BCP and DRP (see the ESORMA free
resource section for available downloads) is something even a
smaller organisation can and should create and maintain.

There’s plenty more to consider; what follows is a list to help
you consider what your organisation’s security operation might
look like.

Larger organisations may have more than one team of security
operations to cater for the geographical span of their enterprise.

The design of an organisation’s security operations depends on
the scope, capacity and manpower available. So, you have to ask
yourself a few questions to determine the shape of it:

• What functions does the organisation already have?
• Is there any work duplicated by other departments such as
legal and compliance or enterprise risk management?
• Is security baked into your general organisational processes?
• Who will be managing operations: a dedicated team with
a manager, or is it being delegated to people in IT? (Still quite
common)
• What budget is available? (Usually your salary supported by
little to none!)
• Where in the organisation does this function sit? Is it a sub-
department?
• Is it better to outsource, in-source or combine the two?

If you look at the general layout of security operations in
different companies, you will find that it usually encompasses
an ongoing programme consisting of a few of the following:

• Management - Someone must have oversight to ensure
security is introduced and maintained.
• Network Security Monitoring - You can’t escape the
technical side, but you can simplify it by automation.
This could include the introduction of SIEM software to
consolidate logs and analyse them.
• Threat Intelligence - Knowing what you need to watch out
for is half the battle.
• Incident Response - When things go wrong (oh! And they
will) you need to be able to handle them.
• If a crime is committed, you may need experts in computer
forensics on the case, as well as law enforcement officers.
• Auditing - Whether something happens or not, you should
always check the basics are in place.

Regular auditing shines a light on the realities of an
organisation’s operations instead of what is just documented
about them.

Taking all these ingredients and creating a recipe for secure
operations can be challenging but does not have to be seen
as a burden. As long as data/information security is taken
seriously by senior management and someone is assigned the
duty of overseeing it all, objectives will get completed and
streamlined improvements achieved. This can be structured by
standardising and formalising actions. Using a framework helps
and this is what this chapter is about.


A CISO can get engrossed by the day to day responsibilities of
security, whether technical, administrative or otherwise, but at
the end of the day security operations need to align with the
corporate strategy. Security should be helping the organisation
do what it exists to do, whether adding value for stakeholders
or money for shareholders.

Most organisations do not exist to just protect data or to
perform information security operations. Security is not
usually regarded as a profit centre but as a cost centre, hence
management, usually reluctantly, budget for it as an expense
that has to be incurred.

Security personnel often lose sight of financial impact and tend
to engage with management on issues related to reporting of
incidents, performance, risk etc.

Understanding the organisation from the perspective of senior
management invariably leads to an enhanced security posture.

The ESORMA framework encompasses and encourages good
communication practices between senior management and
security operations by helping each side realise the efforts of
the other and align on a strategy to help both move forward
towards a resilient organisation. The areas for focus are the
functional areas of the business and its work products, which
should lead a security practitioner to ask the following, further
questions:

• What business processes are in place where data could be at
risk?
• Which processes are manual and which ones are fully or
semi-automated?
• It is especially important to check, where technology is used,
how best to handle security to manage risk to data (is
there a requirement for a physical operations centre or can
the work be shared across existing departments like IT or
legal?).
• What cultural factors affect the risk?
• What is the general attitude to risk?
• Is it thought of as a major concern, a necessary annoyance, or
are attitudes to it blasé?

This, once again, comes down to the scope as detailed in the
domain chapter one: to understand the requirements and
performance expectations and agree where technology can help
simplify things. As operations is about monitoring, we must
consider analytics and measurement.

What analytical methodology will be used, and what would
make the difference between an effective security operation
and a mediocre (or even dismal) operation? A framework for
managing operations is very useful, not least because it will
help structure and standardise operational activities, making
security integrated to an extent that it becomes almost invisible
and second nature.

Good security is invisible. A good framework helps make it so.
The structure a framework provides usually comes down to 3
basic elements: the ‘Who’, the ‘How’ and the ‘What’.

The Who?
The who is about establishing the number of staff required on a day to day basis, whether they need up-skilling or augmenting with internal or external help, or whether they can manage. When it comes to staffing, a good framework recommends the following:

• Roles - Is it something the CISO can do alone? Who else, internally or externally, can help the CISO? What authority does the role require?
• Hiring - What is the process? Is security a factor in selection?
• On-boarding - Are people taught how to fulfil their duties securely right from the beginning?
• Training - How much training and awareness activity needs to be in place, and how regularly?
• Meetings - Who makes decisions, and how are meetings conducted and by whom? Is senior management involved?
• Retention - There is a concept called Psychological Acceptability, where security controls that are well integrated and more invisible become more accepted. If the controls get in the way of the task an employee has to perform, they will get frustrated and job satisfaction will be reduced.

Sometimes there may be a need to bring in temporary staff or experts, for instance to carry out forensic investigations, or threat hunting experts who will help lock down security where it is needed.

At the end of the day there is a need for ‘use case’ development. Establishing who needs to do what, where, when and how is essential.

The How?
Written processes on how to achieve the goals of data security
are needed. These processes should form part of every
employee’s induction and should be contained within employee
handbooks and across the corporate Intranet.

There are many things classed as common sense or best practice from a security perspective, and yet they reside only in people’s minds. Lack of documentation does not end well. It gives rise to the dreaded “...but it’s always been done this way” type of scenario, and that is far from a structured or effective approach.

The how starts from a good information security policy and filters down to day to day processes and business continuity and disaster recovery plans.

The What?
What must be measured or responded to in operations?
There are tons of logs generated by both manual processes
and automated systems. Who signed into the building on
a given day? What did the firewall catch? Who logged into
an application or server or who has checked out a corporate
laptop? You get the picture.

Being able to home in on the useful information and separate the wheat from the chaff is what is needed here. Please refer to domain chapter 6: Monitoring, for more on this.

What needs monitoring? What would be considered a serious enough incident to be flagged up for remediation? Here are some areas to consider when calculating the organisation’s ongoing risk appetite, which in turn informs us about what areas need to be monitored closely to prevent or reduce the unwanted risk:

• General legal issues - Does an incident put you in breach of any laws and regulations? For instance, does it affect someone’s right to privacy?
• Contract law - Is there any breach of contract caused by an issue? It could be a matter of confidential information being breached or information being prevented from getting to those that need it.
• Standards - Has anything happened which is against the organisation’s own corporate standards? Has there been non-conformity to any industry standards? Maybe regional, national or even international standards have been breached. PCI-DSS, ISO27001 and NIST come to mind as quick examples.
• Financial loss - How much would the incident cost the organisation? Does the mitigation cost more than this loss? (As covered in the risk domain chapter 4: Evaluate.)
• Reputational loss - It isn’t always financial losses; embarrassment ensuing from a cyber security incident also needs to be avoided, though it could be argued that ultimately the loss of reputation results in loss of income.
• Disruption - If the incident occurred, how many lost hours of productivity would it cost? Would it prevent corporate operations for a limited or a protracted time? How would it affect customer satisfaction and income generation?

However, as mentioned earlier, not everything in this list is necessarily monitored by the CISO. There may be other roles that have it in their assigned responsibilities to prevent, monitor or manage these areas.

The CISO must ensure the effort is delegated and managed.

Having considered the value of a framework in organising and structuring information security operations, it is worth considering whether it makes sense for an organisation to invest heavily in a ‘heavy duty’ framework like NIST or ISO, or the more lightweight Cyber Essentials.

Invariably the best approach is to cherry pick the most applicable from these and create a custom framework that makes sense for the size and complexity of your organisation.

Tools
Many different tools and methods can be used as part of
operations. The ones listed below are usually found to be the
most useful for the task:

SOC - Not necessary for smaller organisations, but a SOC (Security Operations Centre) normally has dedicated staff for monitoring and responding to security incidents and issues.

SIEM (also mentioned in Domain 6: Monitoring)

Security Information and Event Management (SIEM) software collates and analyses logs for anomaly detection and alerts a security administrator or CISO. Heavily used in SOCs.

All can either be created manually (more difficult) or the tools available on the ESORMA portal can be used to automate and simplify the process.

Then there are the physical teams that play a part:

(CS)IRT (Computer Security Incident Response Team with a plan (IRP)) - Internal team responsible for dealing with incidents.

Outsourced (CS)IRT (Incident Response Team with a plan (IRP)) - External team responsible for dealing with incidents.

Case Studies
Case study 1: A security review of local government using NIST CSF - Download the case study from the ESORMA Portal at https://ESORMA.com; select the ‘free gifts’ navigation item for all the free gifts that come with this free guide.

“Evaluating cyber security risk is a challenging task regardless of an organisation’s nature of business or size, however, an essential activity. This paper uses the National Institute of Standards and Technology (NIST) cyber security framework (CSF) to assess the cyber security posture of a local government organisation in Western Australia”

Summary
In this chapter we looked at what security operations are, who is responsible and why they are necessary. Looking at operations through the lens of a well-architected GRC (Governance, Risk & Compliance) framework, it is important for operations to be supported at the highest level of the organisation.

A CISO needs to be in place to some extent and supported with adequate resources, both human and financial, to do the job. Only then can risk be monitored, and incidents managed, to remain compliant with laws, regulations and standards.

It is important that the CISO recognises and understands what the organisation wants to achieve, and that corporate and cyber strategies are aligned.

Questions for a CISO to ask are covered, as well as an overview of what a framework can do, how it can make information security management easier and what the common characteristics of frameworks usually are. This boils down to the Who, How and What of security operations.

In the ‘Who’ section, the roles needed for various organisations were looked at depending on their size and complexity. The actions that need to be taken were covered in the ‘How’ section. In the ‘What’ section, monitoring was reviewed to show what could be monitored in operations.

Suffice to say, operations are the most important part of security and have to be thought about, structured and managed as part of an ongoing security programme. Operations should be tailored to the needs of an organisation and not be too complex, yet they cover a vast area of the organisation and are essential to manage properly.

Domain #7: Operations Questionnaire

Our first question that must be asked is: what do we think the size of our operations needs to be?
__________________________
__________________________
__________________________
__________________________
__________________________
__________________________
__________________________
__________________________

What led us here?
______________________________________________________
______________________________________________________
______________________________________________________
______________________________________________________

Where do you think we are going? What will follow?
______________________________________________________
______________________________________________________
______________________________________________________
______________________________________________________

What alternatives have been considered?
______________________________________________________
______________________________________________________
______________________________________________________
______________________________________________________

What services will be included within your small or large SOC?
1. ___________________________________________________
2. ___________________________________________________
3. ___________________________________________________
4. ___________________________________________________
5. ___________________________________________________
6. ___________________________________________________
7. ___________________________________________________

What key issues do you consider to be most important for your SOC?
1. ______________________________________________________
________________________________________________
2. ___________________________________________________
3. ___________________________________________________
4. ___________________________________________________
5. ___________________________________________________
6. ___________________________________________________

Will you have enough staff with appropriate skills? If not, describe the shortfall.
______________________________________________________
______________________________________________________
______________________________________________________
______________________________________________________
______________________________________________________
______________________________________________________
______________________________________________________

Do written processes exist for staff to follow in your SOC? Write a summary list of what could still be outstanding.
______________________________________________________
______________________________________________________
______________________________________________________
______________________________________________________

Please note you can buy additional printed copies of the Workbook Only version of the ESORMA Quick Start Guide online, should you want to run a workshop or measure progress over time. Here: https://www.amazon.co.uk/dp/B08C94SLSP

Please register online for all the online goodies that come with this quick start guide:

You will find: Case Studies, Checklists, Graphics, Templates, Calculators, the latest PDF of this guide and a separate questionnaire designed to help you design and record your personal, custom plan of action.

Register here: https://ESORMA.com; select the ‘free gifts’ navigation item for all the free gifts that come with this free guide.

You will also learn how to get your own custom branded
questionnaires and how to organise one to one training, support
or consultancy and custom on site, or open, hotel based training
events.

You will also get access to a suite of tools that should help you
in your ongoing ESORMA journey.

Take Operations Training & Earn 10 CPEs

Our one day ESORMA ‘Security Operations Primer’ combines aspects of cybersecurity, management, architecture, operations, communications and project management skills and rewards delegates with ten CPEs: one for each hour spent in class and three for taking the Operations Assessment. Find out more at ESORMA.com/training.html

Next Up...
Now that our operations are all set, it is important that we finish
off with Compliance.

Compliance should be understood from the beginning, so can you think why compliance would be covered as the last domain of ESORMA?

Part of the objectives of governance and compliance also revolve around improvement, and in this case it leads to increased strength and overall capability. Keep it up!

Read on to find out how and why...

ESORMA Compliance

ESORMA Domain #8: Comply

“Automate more and toil less”

Compliance is all encompassing, and although you will have some idea about the laws and standards to comply with, you just won’t know how to apply compliance thoroughly until you have completed all the prior domains, and still, things could change.

Staying up to date is a continuous process and is so important that we gave it a domain of its own.

Compliance is the third element of GRC, but it is very closely linked to the first one: governance. This is because it is up to senior management to decide what they need or want to comply with. Laws and regulations are a given, but standards are optional, and somebody has to make the decision to select principles and standards to be adopted by an enterprise. This is simplified in this chapter into four distinct parts. This will help break it down into manageable areas in a way that is not found in other frameworks.

In order to understand the requirements of compliance, senior management need to define the following four:
1. Where the enterprise is located
2. Any contractual obligations they would like to fulfil
3. Their organisation’s principles
4. The optional standards they would like to adopt
The first two are usually dictated to us, but the latter two are more flexible. Each of these areas is briefly explained below.

Once these decisions are ascertained, you can get down to work on a suitable approach to ensuring compliance.

Geographic Locations
The first obligation is to comply with the laws and regulations
of the land in which you have established a base.

Generally there are laws against computer misuse and hacking; laws related to national security; privacy laws; those related to trade and commerce; and laws related to health and safety and employee rights. One example is GDPR which, like many privacy regulations, can carry hefty fines for non-compliance.

Not abiding by any of these can lead to serious repercussions for the organisation (and for those leading it), so they are usually taken very seriously. After all, nobody wants fines or, in the worst cases, imprisonment or restrictions on trade affecting their operations.

From a compliance point of view it can be a nightmare trying to keep up with all the various legislative requirements, especially if you are a multi-national entity.

This is why larger companies have legal and compliance departments that are in place to do just that. You would be best advised to liaise with these departments to avoid overlap of work and ensure compliance. Those working for smaller organisations would have to get their ‘hands dirty’ and sift through reams of legalese and regulatory documentation first, and then produce a summary of what needs to be done from the enterprise’s perspective to ensure the organisation stays out of the proverbial hot water.
Imagine the following scenario: a company you outsourced to as your data processor further outsourced the work to another sub-processor company without your knowledge.

Who would be liable for a breach at the sub-processor under GDPR?

You, as the controller, of course. You are responsible for the whole ‘data supply chain’. You can still be fined for not doing due diligence here and for not contractually insisting on being notified of such sub-outsourcing practices.

It is hopefully obvious at this point how easy it is to fall out of compliance even when the culprits are someone else.

Contractual Obligations
After the direct laws of the land have been complied with we
need to consider indirect laws. Usually civil and contract law
is important to observe here. You may have many agreements
and contracts with third parties that stipulate what you can or
cannot do with data, what you must do with data and when
you can be audited to check if you are observing any of the
above or not.

For example, national law might not require you to offer a discount to a customer, but if you had signed a contract with a customer to do so then contract law kicks in, and a breach of that would result in legal action being taken against the affected arm of the enterprise. This could pose a reputational and financial risk and needs to be avoided.

Organisational Principles
An enterprise has two types of principles, and both are chosen and developed at a governance level: organisational principles, which restrict how an enterprise will carry out its mission, and architecture principles, which define what type of rules will be in place to determine the type of architecture suitable to its strategic goals and values.

One of the corporate principles might be “we must be environmentally friendly”. This would restrict the company’s actions and is an area of compliance that needs to be managed.

For instance, a CISO might already have had to choose a data centre in the EU to make it easier to deal with GDPR compliance; now, with the above principle in place, there is an additional requirement to select a ‘green’ option where possible. Nobody is forcing the organisation to do that (if it isn’t in the environmental legislation), but the enterprise decides to impose the restriction on itself.

This neatly leads on to the fourth area of concern: optionally adopted standards.

Optional Standards
Adopting optional standards to comply with is usually done as a way of structuring compliance activities for the legal and contractual obligations discussed above, but often it can be a distinguishing factor or a matter of pride and prestige in order to build goodwill. After all, who wouldn’t want to do business with an organisation that prides itself on having achieved an international standard for information security such as ISO27001 or the NIST Cyber Security Framework over one that doesn’t? It’s all about having an impressive corporate resumé.

Now the flexibility of the latter two areas discussed above should be obvious. The fact that you can pick and choose standards to comply with means you can change these easily should they become over restrictive to the organisational mission. Though sometimes that is easier said than done because of the investments an enterprise might have made in adopting them in the first place.

How Compliance Is Done

Going to the centre of ESORMA and scoping to determine how much effort (and money) needs to be spent to protect data is the recommended approach to achieving compliance.

Once what needs to be done to comply with laws, regulations and adopted standards is clearly documented, it is time for the CISO to come up with a strategy to tackle compliance in a structured way.

For this a standardised approach should be used. The ESORMA framework does not stipulate any particular standards to adopt, but does encourage not ‘re-inventing the wheel’ and instead encourages using one or more of the well established ones available, such as:

• PCI DSS
• ISO 27001 series of standards (Not always the simplest to
interpret and require investment to be certified)
• NIST Standards (Usually quite clear in language and free
to boot)
• ENISA
• MCSS (Minimum Cyber Security Standard)[1]
• IASME
• Cyber Essentials

Implementing any of the above frameworks can be made simpler and can take less effort, time and money if toolkits such as those supplied by ESORMA are adopted. There are a number of free tools available as well as some paid options for those looking to automate more and toil less.

Compliance Tools
Many different tools and methods can be used to comply. The
ones listed below are usually found to be the most useful for
the task:

UCF (Unified Controls Framework)

Although the idea behind UCF is great, it is a hugely complex, very in-depth and costly undertaking. This would make it difficult for smaller organisations to adopt. The idea is to have a way to unify all the common security controls in a way that can be applied against all the major standards. Not for the faint hearted. Whilst a good initiative for larger organisations, it will most likely be overkill for many smaller ones.

CCM From The CSA

CCM stands for Cloud Controls Matrix and CSA stands for Cloud Security Alliance.

This helps map controls across many compliance frameworks, but is a more useful starting point for smaller organisations. All the common controls are cross referenced and mapped in an Excel spreadsheet and can be tailored to an enterprise’s needs.

It must be pointed out that the CCM is heavily focussed on Cloud security controls and may need a lot of adapting to be really useful.

ESORMA GRC
The ESORMA GRC practical and fast way is simply to reference the different clauses that apply and add them to the risk register. In this way you would be able to demonstrate to an auditor the risk, how it is mitigated and how you comply.

All of these can either be created manually (more difficult) or the tools available on the ESORMA portal can be used to automate and simplify the process.

Case Studies
Unfortunately there are so many news articles about security
breaches that there is no need to cite one as a case study. Just
search for ‘data breach’ and you will find many examples
of non-compliance which should be taken and presented to
senior management as examples of what the business does not
want to happen.

Summary
In this chapter we looked at what compliance is, who is
responsible and why it is necessary.

We also looked at the four main areas of focus for compliance.

1. Geographic locations
2. Contractual obligations
3. Organisational principles
4. Optional standards

Some examples of standards such as ISO 27001 and NIST were mentioned, as well as some tools that may help make life easier.

[1]. https://www.gov.uk/government/publications/the-minimum-cyber-security-standard

Domain #8: Comply Questionnaire

Our first question that is always desperate for an answer is: where are we now? What has happened to cause us to review compliance?
__________________________
__________________________
__________________________
__________________________
__________________________
__________________________
__________________________

What preceded this situation?
_______________________________________________________
_______________________________________________________

What activity do we expect to follow up with?
_______________________________________________________
_______________________________________________________

List below the geographic locations of your enterprise.
_______________________________________________________
_______________________________________________________
_______________________________________________________
_______________________________________________________
_______________________________________________________
_______________________________________________________
_______________________________________________________
_______________________________________________________
_______________________________________________________
_______________________________________________________

List the contractual obligations your enterprise will abide by.
_______________________________________________________
_______________________________________________________
_______________________________________________________
_______________________________________________________
_______________________________________________________
_______________________________________________________
_______________________________________________________
_______________________________________________________
_______________________________________________________
_______________________________________________________

List the organisational principles your enterprise will abide by.
______________________________________________________
_______________________________________________________
_______________________________________________________
_______________________________________________________
_______________________________________________________
_______________________________________________________
_______________________________________________________
_______________________________________________________
_______________________________________________________
_______________________________________________________

List the optional standards your enterprise will follow.
______________________________________________________
_______________________________________________________
_______________________________________________________
_______________________________________________________
_______________________________________________________
_______________________________________________________
_______________________________________________________
_______________________________________________________
_______________________________________________________
_______________________________________________________

List the compliance tools your enterprise will employ.
______________________________________________________
_______________________________________________________
_______________________________________________________
_______________________________________________________
_______________________________________________________
_______________________________________________________
_______________________________________________________
_______________________________________________________
_______________________________________________________
_______________________________________________________

Please note you can buy additional printed copies of the Workbook Only version of the ESORMA Quick Start Guide online, should you want to run a workshop or measure progress over time. Here: https://www.amazon.co.uk/dp/B08C94SLSP

Please register online for all the online goodies that come with this quick start guide:

You will find: Case Studies, Checklists, Graphics, Templates, Calculators, the latest PDF of this guide and a separate questionnaire designed to help you design and record your personal, custom plan of action.

Register here: https://ESORMA.com; select the ‘free gifts’ navigation item for all the free gifts that come with this free guide.

You will also learn how to get your own custom branded
questionnaires and how to organise one to one training,
support or consultancy and custom on site, or open, hotel
based training events.

You will also get access to a suite of tools that should help you
in your ongoing ESORMA journey.

Take Compliance Training & Earn 10 CPEs

Our one day ESORMA ‘Compliance Strategies Primer’ combines aspects of cybersecurity, management, architecture, operations, communications and project management skills and rewards delegates with ten CPEs: one for each hour spent in class and three for taking the Compliance Assessment. Find out more at ESORMA.com/training.html

Next Up...
Change Is Needed.

Please help us to spread the word. Thank you.

ESORMA Change Is Needed

Change Is Needed
Some businesses and enterprises have spent millions on cybersecurity and yet many of these organisations are exactly where breaches continue to occur.

Clearly criminals are going after the money and they seem to be
rewarded well. It is not just businesses with money, government
and educational establishments are being caught with their
trousers down too.

When we review most of the accidental breaches, the root cause often seems to be something silly, minor, usually where a policy was in place in an area that was ‘covered’. Usually, when a certain activity has been constant for so long it is considered normal, until finally investigated to reveal its true horrors, by which time millions may have been syphoned.

Staff are often blamed. They are often wrongly seen as the weakest link, when they are probably the strongest link! It is invariably a business process letting staff down. Staff are often not informed and are simply, rightly, following an ill thought through procedure. Feedback tells us staff are keen to do the right thing, yet they tend not to know what to look for or what to do.

Considering staff as part of the security team would be a big change for many business operations executives. Yet it is proven to provide more protective power without extra budget.

Better security results are common when staff learn what to review. You can expect reported incidents to rise. This amounts to more opportunities to plug the gaps in the dyke. Even if the reports are wrong, they demonstrate vigilance. More eyes working together, collaborating to seek security, provides more cover, more protection and fewer accidental issues too.
Yet for some companies, security officer salaries are the entire security budget, when more attention to detail, or just slightly bigger budget allowances, could easily lead to business processes being streamlined and efficiencies found.

Security officers are often given a bad rap, seen to slow things down. When they do, it is usually because development teams tend to leave wide open doors and leave systems and passwords exposed in online places like GitHub, which is a notorious code and credentials storage service owned by Microsoft that hackers know and love.

It is about time business and enterprise officers started to understand their responsibility. They are the ones who will be fined, and it is their customers who will ultimately pay the price. Potentially businesses will lose face, customers and income, from which over 50% of businesses never recover.

It’s not too late. A business can yet transform itself. It requires
security to be baked in at the core.

ESORMA has been written to show how you can bake security
into the core of your business. This book is the opening salvo,
offering a practical quick start to improve processes starting
with the alignment of communications.

It is high time the language of security firmly sat in the field of business needs and requirements rather than security and technological jargon.

The focus here is first on the business and secondly on an easy to use and understand system designed as a framework to make it easy to share and, most importantly, apply uniformly.

Here, each domain has its own workbook. The workbooks are also published separately for you to run your own workshops.

The objective is to make security easier to implement, embed and manage, to deliver more uptime and profits.

Due to its uniform and straightforward implementation requirements, it is designed to be easy to understand and fast, and its processes are unusually practical.

Can you afford to wait another minute?

Do you know where to start?

Here’s a clue: turn the page, run through the foundation and
simply start with the first ESORMA domain: Scoping. There are
only eight domains to manage and you are done.

If you are familiar with the domain content, the short exercise
workbooks at the end of each domain can easily be completed
in a morning. If you are a speed reader and you do not complete
the workbooks, you could speed through in about an hour. If
you are completely new to the subject and concepts of security,
you can use desk-based research to look things up and verify
what you find; allow for an entire day.

Our overall advice is please don't over-complicate this. Above
all else, your business needs come first. Please do your best to
stick to Plain English and avoid jargon.

The role of a security officer is to advise, or better still to ask
questions and seek answers.

ESORMA training and certification is available and is useful,
as are the CPEs (Continuing Professional Education credits) you will
earn. However, the purpose of this guide is to get you started.
Just read through the domains and work through the workbook
exercises at the end of each domain. We hope we get you
thinking, implementing and adding more protection fast.


The business must always come first; the structure of this
framework is to save you time, to ensure comprehensive
protection is achieved quickly and to assist the business through
the systematic streamlining of processes.

If something has to give for you to make this work in your
world, make it the framework, not the business!

Most of all: enjoy.

Next Up...
The Epilogue. We hope to provide some insights into what the
future might hold for ESORMA and how it should change the
conversation so more business enterprises become more secure,
save time and money.

We have also taken the opportunity to include a little bit of
information about the authors and the services we offer.

Please help us to spread the word. Thank you.

ESORMA Epilogue

EPILOGUE
“Save Time And Money”

The implementation of a well-architected security strategy should
employ the assets of an enterprise efficiently at a minimum cost.
Ease of management is delivered as the result of uniform procedures,
so all involved understand what, when and why.

The illustration displays the straightforward eight-step framework
that can be quickly applied to every aspect of a business and for
most is instantly capable of running from muscle memory. Processes
that can spring from muscle memory are especially important
when under fire. When a breach is discovered, the right things
need to be done fast.

ESORMA is designed to implement solutions that mostly cost
nothing, very quickly. Prioritisation is key, and quick wins are
possible because ESORMA follows Plain English principles; as a
result a lot of time is saved through better understanding among
all those involved.

For the authors, their students and clients ESORMA has been a
long time in coming. It has been practiced, in part, in fits and in
starts, never written down in one place, always as notes in bits,
here and there. Yet when it came down to it we were quite lucid
about what the task would involve and easily able to clearly
define what we wanted to do.

Like extreme programmers, working as an agile team, we wrote
in parallel, and it proved to be an incredibly fast and efficient
way of making progress without getting short for words. The
introduction was written first, yet it was almost the last thing
that was edited as it both shaped the rest of the book and
served as a dumping ground for all the pieces that we culled
from the future chapters when we realised that some content
applied to all. It was for instance where we delineated the eight
domains (to us they were already defined) and this then led us
to determine to create the ESORMA star diagram to try and put
a visual reference together as an aide-mémoire.

The point is not the diagram, or the fact it is a star, although it
is ideally suited as at its centre is Scope, which applies equally
to all domains and is where you always start and from there
can go in any direction. On that basis the diagram is not to be
followed, although if there is no greater priority, one domain
does lead to the next; just don't forget to go back to scope in
between each domain. Hence the star within the star.

ESORMA is not, however, a framework to shoe-horn a business
into. The business, or rather the needs of your enterprise, must
always come first. ESORMA merely offers a framework of
things to do, and this book, this Quick Start guide, is designed to
let you know of the things to do first and is deliberately light on
theory to give you time and space to focus on implementation
as opposed to wasting too much time agonising on what to
implement. For that matter, all of it comes down to your choice,
in your time.


On the basis that someone operates as the Chief Information
Security Officer, whether they hold the title or not, the features
of ESORMA are really threefold:

1. The first is this quick start guide.
2. The common body of knowledge (CBK) - massive as it
covers so much and available in a series of topics.
3. The third element is the online portal which has been born
out of an initial minimum viable product, that we think
is increasingly viable and developed using the classic CI/
CD method of Continuous Innovation and Continuous
Deployment. How long this will continue will probably be
closely linked to the CBK, and the more we add to that, the
more tools we realise we should build in.

First versions of 1 and 3 are available now: you are holding #1,
and the site and portal are also up and running.

The CBK is a completely different endeavour, consisting of
six major sections, each of at least 100 pages, focussing on the
theory behind the practical guidance, with more depth on the
domains, methodology, security concepts, tools, modelling and
artefacts, and capability, rounding off with certifications and
qualifications.

Because we appreciate so much (not all) of what is involved, we have
built up a formidable potential backlog, which we seem to
make a decision on every day, as we are both building in
security from the ground up (baking it in) and anticipating the
structure of future developments and taking into account user
feedback too. In all cases, believe it or not, we find all of this fun
to do.


The Book Plan

We anticipate more books beyond this Quick Start; there is a
CBK (Common Body of Knowledge) in the works and a series of
topic-based assessments also designed to help.

ESORMA is totally focussed on how to get 'something' done.
Two books are available only in print: a book of 50 Risk
Register Templates and an event Workbook. Latest updates are
to be found on Amazon, where we have set up a book series link,
and from within our online portal.

The portal includes interviews and stories of implementation;
there is a community of enthusiasts developing too. It is
anticipated some of these will make it into the book series.

The ESORMA Platform

The ESORMA platform is an operational environment: a tool
that is a lot more than a simple dashboard, as it focuses on the
supply of key information, the processing of actual transactions
and the management of assets, with the potential to incorporate
AI, Machine Learning and Elastic Search.

Security is, of course, a very high priority and the platform
is fully compliant with different industry standards such as
ISO, PCI, SOC, IRAP, HIPAA, MTCS, C5, ENS High, OSPAR,
HITRUST CSF, and others, and is resilient to DDoS attacks,
making it very secure, yet very fast with millisecond access.

Speed comes from using a serverless technology where data
is encrypted in transit and at rest as standard. The platform is
free to access at https://ESORMA.com; click on the 'free gifts'
navigation link to register for access to the tools and resources that
come with your purchase of this book. You will also be able to
review many of the tools too.


Introducing The Authors

Mustafa Ahmed
Coming up with ideas for a framework, ESORMA, was the
farthest thing from my mind just a few years ago. My journey
to becoming a co-founder of ESORMA starts like it would for
anyone interested in technology, but it took some interesting
turns.

I have had a keen interest in electronics and computers from
a very early age. I was fascinated by the Sinclair Spectrum that one
of my primary school classmates was allowed to bring in and
let us play around with. I was hooked.

This interest led to me formally studying computing in college
and gaining vocational qualifications and some industry
certifications in IT from CompTIA and Microsoft (A+, Network+
and Microsoft Certified Professional (MCP)). This eventually
led to me going to university and finally graduating with a
degree in Business Computing with IT.

Initially I found work as a repair and support technician for a
local computer shop, all the while studying part time to learn
about networking and studying at a Cisco networking academy.
This helped me to become a network administrator, gaining
experience in a few medium to large companies.

The technical experience, coupled with certifications I was
gaining every few years, gave me the confidence to start my own
computer repair business: Deltrus Ltd in 2006. The repair side
of the business was named 'IT Call' and provided an on-site call
out service for computer repairs.


The business began repairing laptops, which were quickly
replacing desktop computers, and I took care of all the business
from the technical aspects to administration, online marketing
and website design and promotion. Along the way, I learned
a bit about SEO (ESORMA's co-founder David White's area
of expertise) and managed to get IT Call to the
top of Google's organic results for the term Laptop Repairs
Manchester (my home city, where I have lived all my life).

That was an interesting learning curve and my first of many
forays into the business world and entrepreneurship. When
competition from larger players started squeezing margins, as
well as the 2008 recession hitting the industry hard, I decided
to shut the business down and go back into the industry. This
time I wanted to specialise in information security, so I started by
taking a week-long intensive training course on ISO27001 and
was tasked with implementing this in an organisation.

Once I was bitten by the Info-sec bug I knew it was what I
wanted to pursue. I next gained another CompTIA certification,
namely Security+, and was busy in self-study preparing for the
CISSP exam that I really wanted to pass.

With this new knowledge I gained experience in information
security management roles as well as various technical roles
over the next few years. Receiving a phone call from a major
training organisation that had found me on LinkedIn and being
head-hunted for an information security training role was
a welcome disturbance out of the blue. (I very nearly didn't
answer my phone that day, so things could have been quite
different.) I snapped up the offer and quit my technical role at
a major Apple authorised repair centre at the time to pursue
employment in the Information Security industry. I have never
looked back.


Teaching others about what was now my passion and helping
course delegates get through very difficult exams was and is a
very fulfilling role. A bonus gained by working for a training
organisation was that I was able to do many more certifications
before I was let loose teaching them. I quickly passed my CISSP,
CISM, PRINCE2 Foundation, CCSP, CISMP, Data Privacy
and TOGAF® certifications amongst others. This opened
my eyes to frameworks currently being used in the business
world and helped me understand the whole process of change
management and digital transformation, from governance then
project planning to implementation and operations, in much
more depth.

Teaching delegates over the years who were from enterprises
such as HP, Vodafone, CO-OP, Bentley, the NHS, Deloitte,
Symantec, PWC and many others gave me even more
insight into the pain points and challenges large and small
organisations face when it comes to securing data. Speaking
to CISOs, Information Security managers, consultants and
incident management and operations teams, as well as those
involved in enterprise architecture, started a period of reflection
on the inadequacies of the status quo. This started a thought
process dedicated to overcoming this hurdle.

One of the most common barriers people faced when implementing
frameworks such as ISO 27001, PRINCE2 and the TOGAF®
standard was the complexity and unnecessary (in my opinion)
language used in these frameworks. Most of the concepts taught
seem like common sense once you are exposed to them. I am a
strong proponent of clarity in communication and have been
positively influenced by the Plain English Campaign since
the 1990s. Often I would find that teaching about many of the
existing frameworks ended up turning me into a translator. I
was translating between gobbledegook and plain English, and
the more I thought about this the more dissatisfied I became
with them.


I knew it could be done better and in a more practical way.

So the chance encounter with a fellow trainer, and now
ESORMA's co-founder, David White at a cloud security training
event being run for PWC led to us both discussing the issues
people have with existing management frameworks and the
way they were being moulded for implementing Information
Security even though some of them were really not suited to the
task.

This is what led to the formation of ESORMA as a simple and
straightforward, guided framework without the unnecessary
baggage of traditional methods and frameworks. I guess the
proof is in the pudding. I would urge you to join the ESORMA
community and find out for yourself what all the fuss is about
and why feedback on this has been fantastic. You have nothing
to lose and many things (including many useful freebies and
advice) to gain. We hope to see you in the members section of
our forum soon.

Please visit https://esorma.com/memberships.html to read about
the ESORMA membership community.


David White
I came to ESORMA from four directions. First of all, for
decades, until about a decade ago, I ran an IT start-up called
Weboptimiser where I pioneered Search Engine Marketing, back
in the day when there were hundreds of search engines. It is a
business that is redundant now, as there is only one to speak
of - Google - and anyone prepared to lose their shirt can get to
number one, and many do. It is not a happy market.

Prior to Weboptimiser I was an electronics design engineer,
designing power supplies for early portable computers, testing
AMD chips for AMD and testing and fixing up money systems
for Mars Money, all good fun in the sun.

However, Weboptimiser forced me to run my own IT systems,
run a team of consultants, serve major clients and bag
loads of cash; it was not all bad and I loved the work. The work
then was releasing data from databases, whereas in the last
decade it has become about stopping data from being released
from databases, and a lot more besides.

Clients included an A to Z of major brands from Adobe,
Barclays, Cheapflights, Disney, Ernst & Young, Ford, Granada,
Home & Away, IBM, James Villas, Jobserve, M & S, Nestle,
Ocean Finance, Pattinson Brewer, Rio Tinto, Sky, Tate & Lyle,
Thrifty, Virgin Money, We Buy Any Car and many more.

Decades of working with systems, IT, business and marketing
people, and most of the time communicating at C level, trying to
get them to understand what we were doing and why. We were
very successful and did millions in turnover, working across
five continents at our peak with 10 offices and 60 consultants.
Halcyon days!


I was an IT specialist where I bridged IT and client delivery,
usually placed by the board to conduct a short-term project,
when short term often meant four to six years. A fair amount
of my time was in delivering awareness programs, training,
advising, analysing and putting together work plans and
client strategies. It meant I often sat in on board meetings and
presented to the board, where I learned taking 'their' side was
the best strategy for getting proposals over the line.

While learning to write software I picked up a few short-term
gigs and helped a few people get their businesses to market,
where the objective was usually to go from a standing start to
£30k a month. I was also asked to run specific, very short-term,
week-long training programs in support of CISSP, SCCP, CISM,
CGEIT, CRISC and more for clients like Capita, Dell, MoD,
NHS, PwC and more.

Personally, when I run a training session I like to dig out further
resources to support the topic. I like being thorough, I guess.
I get it from my days as a consultant: not just making wild
recommendations, I actually put the legwork in to make sure
what I recommend is good for the job, as all competent people
would / should. Some of this has made it into ESORMA content,
and a lot more like it, that I am putting into the ESORMA portal
(we add lots of new stuff every week).

So when you take all these things together it is no wonder I was
keen to work with Mustafa to create ESORMA and take it to
market. I can see how my knowledge, from my past experience,
can genuinely help the industry, help CISOs and potential
CISOs, and should be fun too. I really like the idea of nurturing
and supporting an online community; I can see it could go far!


I found that Mustafa and I are able to spar really well, lots of
good feelings and great ideas just rub off. We have developed a
process for exchange (by phone and email) and we set ourselves
incredible deadlines and we really deliver.

It all started after we met during a PwC training in London and
then we met in a coffee shop at Kings Cross while Mustafa was
waiting for a train home to Manchester; I live in London. We hit
it off.

Mustafa and I essentially came up with the idea for ESORMA
and wrote it out on the back of a napkin, in that coffee shop.
Maybe Mustafa has that napkin. We came up with the name a
few days later. Then we decided to write it out and, although
the overall idea was done, our ideas then started to flow. We
wanted ESORMA to be open, non-restrictive, simple and to
overcome the shortcomings of existing frameworks that try to
deal with IT and Cyber Security and that have clearly been bent into
place to accommodate it.

We just felt that a simple, from-the-ground-up system needed
to be created that would work better and fit with existing
frameworks, where things like awareness are included, yet the
'how' is eerily missing, where meetings seem to be required yet
most meetings include people who have no idea and are only
confused by Cyber Security speak; they just want to know it
is being undertaken efficiently, competently, with appropriate
benefits; they don't want to know how or why, plus they don't
want to make multi-million pound errors. Which seems to
happen a lot!

There are, in my opinion, a range of pretty good reasons for
ESORMA. And I could go on!

Please visit https://esorma.com/memberships.html to discover
more about the ESORMA membership community.


Special Thanks
In particular for their agreement to being our first Mastermind
Interviewees and for their thoughts and input into this book:

CISO: Michael Macpherson
CISO: Mike Osman MSc
CISO: Chris Gunner
Mapping Expert: Simon Wardley
Zoo Keeper: Nigel Risner

Skills Acquisition
Our range of one to three day ESORMA courses all reward
skills and CPE credits by combining aspects of cybersecurity,
management, architecture, operations, communications and
project management skills. Each one day course specialises in
an individual domain.

Our two day courses reward double the CPEs and are available
configured as Foundation, Lead Implementer Bootcamp and
Refresher courses with homework and certification.

Our three day courses reward triple CPEs aimed at those who
are keen to acquire ESORMA Practitioner skills. Find out more
at ESORMA.com/training.html

Next
You can connect with David and Mustafa in a number of places,
but the best place is via the book's portal, where you will also
discover so much more. There, the authors will answer you
personally… which may be good or not.

We hope to hear from you, your questions and potentially your
answers too through the ESORMA portal. There you can get all
the accompanying free gifts too, all via the website ESORMA.com/
freegifts.html. We look forward to seeing you there.


Please Review This Book!

Reviews help authors more than you might think. If you
enjoyed this ESORMA Quick Start Guide, please consider
leaving a review on Amazon. It would be greatly appreciated,
not least because we lose all our old reviews each time we
update the book!

Help spread the word. One or two line reviews are all we are
looking for. Thank you.

If there is something we missed, a correction you would like to
suggest or anything else, please contact us via the book portal
and we will be glad to make amendments to make this a better
resource. Thank you.
