This book is sold on the understanding that the authors are not
rendering services or offering advice through this book. The concepts
and ideas may not be suitable for your circumstances. You should
consult with a qualified professional advisor where appropriate.
You agree to assume all the risk of your business endeavour and the
authors shall not be liable for any loss of income, profit or any other
commercial damages or any emotional or psychological distress.
ESORMA Contents
Contents
Welcome 1
Cyber Professionals 1
Business First 2
Effective Control for Cybersecurity Practitioners Is A Must 3
Very Serious Outcomes Occur Often, Easily, By Mistake 4
Circumstances May Differ 5
How The 8 Practical Domains of ESORMA Can Help You: 6
Summary 11
Foundation 13
What ESORMA Is And Is Not 14
Every Business Has A CISO 18
Where To Start? 22
Learn While ‘Doing’ 24
This Quick Start Guide Is Here For You 25
Continuing Professional Education 25
Practical And Pragmatic 25
The Common Problem 26
Loose Frameworks Are More Adaptable 27
Is Security A Cost? Or An Enabler? 27
The ESORMA Membership 28
Wait There’s More! 28
What Alternatives Are There? 29
The Well-Architected GRC Framework 31
The Key Domains 32
ESORMA Summary 33
Classification 39
Tools 40
The Information Asset Register 40
Geo-Mapping Tool 41
Information Flow Map 42
Fishbone Diagram 44
Case Study 44
Summary 45
Domain #1: Scope Questionnaire 46
Risk Awareness Checklist 101
Documentation 101
Compliance 102
The PDCA: PLAN - DO - CHECK - ACT Walk through. 102
Resource Management 103
Controls 105
Common Challenges To Security Programme Implementation 105
Summary 106
Domain #4: Enable Questionnaire 107
Capability 114
Disasters Happen 116
Business Continuity and Disaster Recovery (BC/DRP) 116
Business Continuity Management Lifecycle 117
Disaster Recovery 118
Disaster Recovery Plan Lifecycle 119
BCM/DRP Objectives 119
Summary 120
Domain #5: Harden Questionnaire 121
Epilogue 173
The Book Plan 176
The ESORMA Platform 176
Introducing The Authors 177
Mustafa Ahmed 177
David White 181
Special Thanks 184
Courses and certification 184
ESORMA Welcome
Welcome
Cyber Professionals
Today, being any type of cyber professional is tough.
Whether you are in this position or not, you will value many
of the practical suggestions in this book, as they are available
to you for little to no cost. Talking of no cost, there is also a set
of online resources available for readers of this book that you
can access for free at https://ESORMA.com/freegifts.html. The
site was originally a resource created just for this book, but
now offers much more.
and capability. These are three major additions you can add to
ensure enterprise risks are covered.
There are key details which can make a big difference to your
protection, perceived success or failure.
Business First
As a business-first, enterprise-class risk management
architecture, ESORMA was designed for cyber security
practitioners focused on implementation.
Domain 1: Scope
The process of scoping is necessary to save time and money,
to continuously identify the task ahead and to break down
the mountain of work that is, frankly, necessary. Not only
necessary, but continuous, as an enterprise is always changing,
so priorities are always in flux, and threats also change.
Domain 2: Priority
You may already be comfortable with the concepts of
quantifiable and qualitative risk assessment. Yet are you clear
on what needs to be communicated to whom to help you
to drive the enterprise forward and give you the means to
adequately protect it?
In this domain, we lay out how you can calculate the risk
appetite of your enterprise and its clients.
Domain 3: Evaluate
When you are aware of the risks and it is time to add
protection, what process do you use to adequately compare
and select appropriate controls for a given risk scenario?
This domain will help you answer this key question. You may
also consider how you might integrate the controls into a
business continuity and disaster recovery plan.
There are four key factors that a good risk/reward case could
include:
1. What can be eliminated from a process.
2. How processes can be reduced and simplified.
3. How to create or adjust a process in order to afford the
protection required.
4. What key factors would be improved? For instance, by what
factor would security be raised and what value would this bring?
Or what speeds could be improved, and how would this have
a bearing on time to market, service quality or assurances
offered to clients as a result? How would these enhancements
raise the profile of the company, enhance sales, or improve
customer or client satisfaction?
Domain 5: Harden
Hardening is about implementation and is a process that
must deliver on core objectives. It is important to show how
implementation will bring about cost savings, improvements,
and avoid or reduce downtime.
Domain 6: Monitor
In an ideal world automation should be part of each control
and most often this is the case. However, someone, or several
people who work at the sharp end, where controls are
employed could also manually observe behaviour and help to
keep track of the control to ensure operations are effectively
maintained.
Domain 7: Operations
Changes, incidents and audits can all bring about tangible
differences to operating procedures.
Domain 8: Compliance
The key to compliance is to stay on top of change. Systems
and processes can change or become non-compliant. The
objective is to eliminate time lag, reduce complexity and make
compliance easy to manage and understand.
Summary
The game-changing ESORMA approach is straightforward,
comprehensive and can be applied to all areas of an enterprise
whether technology focused or not to ensure comprehensive
protection, simplification, potentially increased speed to
market, modernisation and real customer and client benefits.
Thank you for investing your money, time and energy into
this Quick Start guide; we hope to hear of your success. Don’t
forget to visit the book’s accompanying resource website:
https://ESORMA.com/freegifts.html
ESORMA Foundation
Foundation
“There’s Always A Bridge To Success”
It is not difficult to see the risks and the reason why staff don’t
like to go there. A perfect scenario that every hacker on the
planet would wish for. It cries out for modernisation. Yet it
would appear no one would like to take the disruptive risk and
so as it “ain’t broke”...
It might not surprise you if it came out the site had been hacked
years ago. Especially if the rumours were circulated in order to
protect this cosy environment.
Clearly, in this case, they did not feel they had the authority
or, it would seem, the ability to make the changes necessary
to protect the organisation, the key task they are assigned to
deliver on.
Most often a CISO sits under IT, which is not necessarily ideal
as IT is not the whole picture. In smaller companies, it may well
be yet another role for the owner or CEO. Ideally, a CISO should
report directly to the board, as ultimately the board will carry
the can and the board needs to understand the importance and
value security can deliver first hand.
Everyone involved...
Nil budgets may make some sense in the short term, as a lot can
usually be done at little or no cost by harnessing existing assets.
The first step is to scope, the second is to prioritise and this may
help you identify the budget you need for the future after quick
wins are identified and potentially delivered.
The first thing to do is always to scope out what you have. You
may find conflicting information. It is common to find what a
ledger says is different from what is in the field. Often, only a
manual process will bring this information up to date.
Where To Start?
First, take stock, scope the lay of the land, understand what is
really going on and then prioritise in order to ensure the most
important issues are resolved to reduce the amount of loss as
soon as is practical.
If you are not certified you will find the domains covered
appear in most of the good certification programmes and so
offer the chance to learn more about them while doing.
communication issues.
The membership portal is free to access and you will get a set
of accompanying resources for this quick start guide including
a checklist for each domain area of this guide and access to the
‘Actions Manager’, where actions can be assigned and more.
You can get access to all this and more by visiting
https://ESORMA.com and clicking on the ‘free gifts’ navigation link.
You will find you will design, build and expand your
organisation’s level of competence over time in any case.
Security is complex enough in itself without needing to be
further shrouded in a cloak of mystery; we hope you recognise
the simplicity of this visual star approach. It always starts from
the middle, through understanding Scope.
ESORMA Summary
We did not want to put forward another 3 by 3, 9 by 9 or 3D grid
to work through as many frameworks provide those and when
you get to know them, they tend to fill you with fear and dread
rather than the hoped-for clarity.
ESORMA Scope
As you can see from the ESORMA star diagram, Scope, the
focus of this domain chapter sits firmly in the centre. This is
because no matter what you do, whatever problem you face,
no matter how much of a hurry you are in, you always start
with Scope, it can ensure your accuracy and efficiency.
Categorisation:
Some examples of types are:
• Personal data
• Proprietary sensitive data (trade secrets, patents, IP and
copyrights)
• Proprietary non-sensitive data (publicly available)
Classification
Corporate classification of data usually looks something like
the following (though the labels may differ):
• Strictly Confidential (For some individuals only)
• Confidential (for a particular corporate group only)
• Internal (for everyone inside the organisation only)
• Restricted (can be shared with selected third parties outside
of the organisation)
• Public (for public consumption)
Tools
Many different tools and methods can be used to do scoping
of data. The examples shown are usually found to be the most
useful for the task:
Geo-Mapping Tool
Geo-Map (Shows where in the world the data is stored)
Fishbone Diagram
Fishbone Diagram (showing all different reasons for a
classification)
Case Study
Download the original case study pdf from the ESORMA
Portal at https://ESORMA.com select the ‘free gifts’
navigation item for all the free gifts that come with this free
guide.
Summary
In this chapter we looked at what scoping is, who is
responsible and why it is necessary.
• Personal data
• Proprietary sensitive data (trade secrets, patents, IP and
copyrights)
• Proprietary non-sensitive data (publicly available)
Notes:
Authorised Personnel:
Notes:
Authorised Personnel:
Other:
Please register online for all the online goodies that come
with this quick start guide:
You will also learn how to get your own custom branded
questionnaires and how to organise one to one training,
support or consultancy and custom on site, or open, hotel
based training events.
You will also get access to a suite of tools that should help you
in your ongoing ESORMA journey.
Next Up...
The next chapter is about setting priorities. There are several
scenarios you will face, for instance what to do in the face of
an actual attack, plus, how to define a solid defence strategy
during quieter times.
ESORMA Priority
So much is going on that clear heads are needed. Clear heads
are usually those who take a perspective view, who can see
the whole and from it discern order, and who are therefore
able to assess priority.
Key Tools
There is a range of key tools available to security managers
that largely involve no cost and no technology. They include
Least Privilege Access, Job Rotation, Job Segregation, Candidate
Screening, Employment Agreements and Policies, Non-disclosure
agreements, non-compete agreements, on-boarding and, most
importantly, employment termination. These can greatly help
you to form priority-based formal processes that delineate and
assist in the enforcement of exactly what your staff and
colleagues can and cannot do.
Think about this a little, these are people who know your
secrets, they know how your systems work, they may know
where your most valuable data is and if they know all this, they
may even know who will benefit the most from it (here’s a clue -
it’s not you) and who your biggest competitor is...
Many of the tools you need probably exist within your firm’s
standard terms of employment, yet they should be understood
and implemented correctly, particularly employment
termination.
Job Rotation
Job Rotation is a technique that builds in both redundancy and
security. Job Rotation is often referred to as Cross Training in
the UK. Having more than one person able to undertake a role
ensures a business will experience less downtime, as it has
a range of colleagues who are able to undertake the required
roles in case of illness or incident. In addition, moving people
from one role to another ensures best practices are maintained
and reduces the occurrence of fraud, theft, sabotage and
information misuse. Cross Training enables peer auditing and
protects against collusion.
Job Segregation
Similarly, Job Segregation is about separating key activities,
especially those that depend upon another to operate effectively.
For example, the person who enters invoices should not also
be the person who pays them. An obvious example, yet still
common in small accounts departments, and similarly for stock
management. In the case of software development, software
developers should not be the only people to test their software,
as the chances are that ‘difficult’ areas may be overlooked.
Businesses are under threat all the time. The volumes of threat
vary widely, in the case of most enterprises threats occur at the
rate of tens of thousands a day. A threat in and of itself is not
necessarily a problem.
These may be rare, yet existential events are best planned for as
they tend to be catastrophic. For instance in any 24 hour period
there are thousands of deaths, road traffic accidents, hundreds
of fires, floods, power failures, plus the odd earthquake and
eruption too.
Chances are hopefully, they will miss you, yet they happen
daily and just one of them can hurt not only your business, but
many other businesses that you work with and you may suffer
from the knock on effect of someone else’s difficulty especially if
your enterprise operates within a vast but tight interconnected
supply chain, as most businesses do nowadays.
The new safeguard should change the ARO for the better. The
EF usually remains the same. Rarely would a safeguard reduce
the ARO to zero. In addition a safeguard normally introduces
additional threats as safeguards are likely to be open to attack
too. You will need to add the cost of the safeguard to the cost of
the asset when recalculating.
In many cases there will be associated wear and tear costs that
can be calculated annually, also costs such as maintenance,
administration, operation, testing and evaluation need to be
catered for. There may also be productivity improvements or
losses.
The annual cost of the safeguard should not exceed the annual
cost of the asset.
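The safeguard recalculation described in the two passages above, worked through as an added example (not code from the ESORMA guide): it uses the standard quantitative formulas SLE = AV × EF and ALE = SLE × ARO, applies the guide's notes that a safeguard changes the ARO, usually leaves the EF unchanged, and has its annual cost added to the asset value when recalculating, and then compares candidate safeguards by their net annual value. All asset and safeguard figures are constructed, and reading "annual cost of the asset" as the asset's ALE before the safeguard is an assumption.

```python
# Added example, not from the ESORMA guide. Standard SLE/ALE formulas applied
# before and after a safeguard. All figures below are constructed.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Scenario:
    asset_value: float  # AV: value of the asset, in currency units
    ef: float           # EF: fraction of the asset value lost per occurrence
    aro: float          # ARO: expected number of occurrences per year

    def sle(self) -> float:
        """Single Loss Expectancy: loss from one occurrence (AV x EF)."""
        return self.asset_value * self.ef

    def ale(self) -> float:
        """Annualized Loss Expectancy: expected loss per year (SLE x ARO)."""
        return self.sle() * self.aro


@dataclass(frozen=True)
class Safeguard:
    name: str
    purchase_cost: float        # one-off cost, spread over useful_life_years
    useful_life_years: int
    annual_running_cost: float  # maintenance, administration, testing, etc.
    new_aro: float              # ARO once the safeguard is in place
    new_ef: Optional[float] = None  # None: EF unchanged (the usual case)

    def annual_cost(self) -> float:
        """Annual cost of the safeguard, including amortised purchase cost."""
        return self.purchase_cost / self.useful_life_years + self.annual_running_cost


def apply_safeguard(before: Scenario, sg: Safeguard) -> Scenario:
    """Recalculate the scenario with the safeguard in place.

    The safeguard's annual cost is added to the asset value, as the guide
    advises, because the safeguard is itself now an exposed asset.
    """
    if sg.new_aro < 0 or sg.new_aro > before.aro:
        raise ValueError("a safeguard must reduce, not increase, the ARO")
    return Scenario(
        asset_value=before.asset_value + sg.annual_cost(),
        ef=before.ef if sg.new_ef is None else sg.new_ef,
        aro=sg.new_aro,
    )


def safeguard_value(before: Scenario, sg: Safeguard) -> float:
    """Net annual value: ALE reduction minus the safeguard's annual cost.

    A negative result means the safeguard costs more per year than it saves.
    """
    after = apply_safeguard(before, sg)
    return before.ale() - after.ale() - sg.annual_cost()


def affordable(before: Scenario, sg: Safeguard) -> bool:
    """Guide's rule of thumb: the safeguard's annual cost should not exceed
    the annual cost of the asset. Assumption: 'annual cost of the asset' is
    read as the asset's ALE before the safeguard."""
    return sg.annual_cost() <= before.ale()


def best_safeguard(before: Scenario, candidates: list) -> Optional[Safeguard]:
    """Pick the affordable candidate with the highest positive net value,
    or None if no candidate is worth deploying."""
    worthwhile = [
        sg for sg in candidates
        if affordable(before, sg) and safeguard_value(before, sg) > 0
    ]
    if not worthwhile:
        return None
    return max(worthwhile, key=lambda sg: safeguard_value(before, sg))


# Constructed figures: a 200k asset losing 25% per incident, twice a year.
BASELINE = Scenario(asset_value=200_000, ef=0.25, aro=2.0)
CANDIDATES = [
    Safeguard("offsite backup + drills", 30_000, 5, 4_000, new_aro=0.5),
    Safeguard("basic monitoring only", 5_000, 5, 1_000, new_aro=1.0),
    Safeguard("gold-plated appliance", 600_000, 5, 20_000, new_aro=0.1),
]

if __name__ == "__main__":
    print(f"baseline SLE={BASELINE.sle():,.0f} ALE={BASELINE.ale():,.0f}")
    for sg in CANDIDATES:
        print(f"{sg.name:24s} annual cost={sg.annual_cost():>9,.0f} "
              f"net value={safeguard_value(BASELINE, sg):>9,.0f} "
              f"affordable={affordable(BASELINE, sg)}")
    chosen = best_safeguard(BASELINE, CANDIDATES)
    print("choose:", chosen.name if chosen else "none")
```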
Risk Registers
Yes plural. A risk register may be divided into parts. A risk
register is not something you want to run alone. The point of the
risk register is for you and the officers of your company to be
aware of the risks to manage. At the very least you should have
an Asset register. You should have a Staff register, a Partner
register, a Supplier register, a Contractor register, Skills register,
Business Process register and so on, these may be compiled and
considered as the Risk Register collectively.
Case Study
Download the case study from the ESORMA Portal by
registering at https://ESORMA.com select the ‘free gifts’
navigation item for all the free gifts that come with this free
guide.
Spikes!
Summary
Prioritisation is key to ensure the objectives of governance, risk
management and compliance are achieved, as it puts order to
the required undertakings to ensure the biggest value to the
enterprise is achieved first.
Taking care of staff and colleagues will probably give you the
biggest bang per buck invested in security as they can employ
safer practices and they can report events from the front line.
What do you think at this stage will follow, what is your true
purpose, the one you have in mind?
Please register online for all the online goodies that come
with this quick start guide:
You will also learn how to get your own custom branded
questionnaires and how to organise one to one training, support
or consultancy and custom on site, or open, hotel based training
events.
You will also get access to a suite of tools that should help you
in your ongoing ESORMA journey.
Next Up...
Now that we have prioritised, the next chapter helps us to
further add order to our prioritisation through understanding
the context of each part in terms of the evaluation of potential
protection systems.
ESORMA Evaluate
Timing
How long have you got to repair and recover from failure before
production or service delivery is affected and clients find out.
Priority
Not based simply on risk and cost, but based on client needs
which can affect income, client retention and market reputation.
Business Procedures
When people let you know what the staff do they often describe
business procedures and these are worth noting separately.
You would primarily be interested in processes that enable the
production and delivery of goods and services to clients. You
may discover these are not recorded anywhere and often, teams
are relieved that at last, recordings are being made, as clearly
processes are undertaken to the benefit of the business. For two
reasons at least:
Information Systems
People and business processes tend to deploy Information
Systems, although sometimes all an Information System has
to do is to print a label. Information is usually the output
and the point of output is often an area of risk, more so if
the information is identifiable. Cyber criminals look out for
snippets of information in order to collect and then to put back
together to build a bigger picture. Transactional data may
well be separate from Contact Information but may share the
same ID. Some data may be collected electronically, other data
may be recovered from printed waste. When you look, you
will often see lots of ways that data may be leaking from your
organisation and this, for most can be a very serious issue.
Real Assets
Your impact analysis must be end to end, so if your service is
delivered by an installation team, a consultant or put on a truck,
the assets employed from the beginning, through development,
manufacture to delivery must all be accounted for, as without
them, if a disaster struck the business would be stuck.
Risk Appetite
There are certain things where you cannot arrive at an easy
figure in terms of costs, a quantitative figure and as referred to
in Domain 3, you may have to use qualitative methods (Low,
Medium, High or Critical Impact) instead.
The lists of all the things you need to include can easily become
very long, with complex interconnections. In the short term you
need a plan, so your BIA will be an abridged, necessarily
shortened version: it is better to have a plan than none at all,
even if it is slightly wrong and incomplete. That is the point of
the BIA: it can be scrutinised, so all the people involved can
review it and provide more detailed, updated and accurate
information. This is one reason a BIA can take a year to produce.
Impact Statements
For every item on every list, you need to write down what
would happen if it was lost, damaged, destroyed or somehow
disabled. Calculate the knock on cost too. This will then enable
you to add a further comment about a potential remedy. In
most cases a remedy is very likely to cause changes to your
production or service cycles as it becomes obvious that certain
things can be fixed or resolved even before they go wrong.
Timing
We can’t leave this domain without talking about timing and
in particular, down time, for instance: Maximum Tolerable
Downtime (MTD) is an important time consideration, one of
an important handful. For each business process, you need
to assess the MTD, the time after which a process becomes
unrecoverable, irreversible (and often fatal). This is not easy
to know, yet it must be attempted as it is a piece of crucial
information and may simply be a best guess, or could be arrived
at by talking to clients, in terms of how long they could wait.
Finally there is the cold site. Nothing is switched on, yet the
minimum necessary to provide a backup site is on hand that
could provide cover in an emergency.
The cost difference between running hot, warm and cold sites
is usually a lot, the reason is down to the RTO. You may decide
on compromises in order to reduce costs although it still enables
you to recover within the RTO you define. Different solutions
will take different amounts of time and this can vary the costs
incurred a lot.
Risk Treatment
When reviewing risk there are just four methods to treat risk
with, they are:
1. Risk Acceptance
2. Risk Avoidance
3. Risk Mitigation
4. Risk Transfer
The first, Risk Acceptance is the easiest, as quite simply you see
the risk and do nothing, by default the business is said to accept
the risk.
The second, Risk Avoidance is to see the risk that you face and
to reorganise the business process in order to avoid taking the
risk altogether, this means the identified risk element is deleted
from the business process, so it does not exist anymore and
therefore cannot be a risk and is avoided, permanently.
Finally you can respond with Risk Transfer. This is where a risk
is transferred to a third party. Insurance is an example. Note
that the whole risk is rarely transferred. The risk continues to
exist: in the case of insurance, should the risk materialise you
may be paid a financial consideration which may help to
compensate for the occurrence, but it would not solve the risk,
and the risk could occur again. Equally, a business process such
as the chopping of wood may be outsourced. This would
eliminate the danger of an employee being harmed by a
wayward axe, yet this type of accident could still occur at the
outsourced location while someone went to work on chopping
your wood.
Summary
Evaluation is key to ensure the objectives of governance, risk
management and compliance are achieved, as it puts order to
the required undertakings to ensure the biggest value to the
enterprise is achieved first.
Taking care of staff and colleagues will probably give you the
biggest bang per buck invested in security. They can employ
safer practices and they can report events from the front line.
Please register online for all the online goodies that come
with this quick start guide:
You will also learn how to get your own custom branded
questionnaires and how to organise one to one training, support
or consultancy and custom on site, or open, hotel based training
events.
You will also get access to a suite of tools that should help you
in your ongoing ESORMA journey.
Next Up...
Now that we have evaluated, the next chapter is about enabling.
The question is do you know who, how and what to enable?
ESORMA Enable
There are a lot of risk categories that range from the technical
to the structural. However there are common principles, for
instance: risk management follows a life-cycle process, as shown
and for each of the risks you need to determine the periods
for assessment and continuous improvement, invariably these
essential, vital activities need to be undertaken by the front line
team that use the equipment and systems.
Tools
A lot of the tools required for implementation reside in the
form of a risk register, stakeholder register, supplier register
and process register. These are essential to map out how the
operating parts of a business are interconnected, as it is likely
that each person in a chain will have a different view of what
and how it needs to be done.
Risk Communication
General proposals for change and detailed proposals for
implementation invariably require communication. Sometimes,
the numbers of people involved require a road-show approach
to take account of all the views and / or to communicate what
needs to be done pre or post implementation simultaneously.
Documentation
In all cases documentation is required. Documentation that
records current state and future state, enough to perform a gap
analysis. Before and after a risk assessment. Before and after the
implementation of countermeasures. Risk registers constitute
and contain documented notes. Proposals and acceptances,
business case development, business impact analysis and cost
estimates.
Compliance
All risk related implementation must be completed in a
compliant manner.
Every time there is a KPI you can employ KGIs above and
below the KPI to ensure your control keeps to close parameters
and triggers an alert before danger levels are reached.
Resource Management
A significant proportion of the implementation of an
information security programme will focus on Information
Technology. For most companies this means legacy systems.
Controls
Implementation of controls is largely determined by your
strategy. There are Preventative, Detective, Corrective,
Compensating and Deterrent controls and you have to decide
in each case the type of control to deploy. Your strategy will
depend on your level of acceptable risk and risk tolerance
in the circumstances. The controls can be applied to people,
technology and processes, often in combination. For example
access control.
Summary
Security is effective when it is enabled, and in turn, security
is effectively an enabler. Security needs to be an organised
practice for it to be effective and this domain describes the
many ways that a business can be enabled as a result of security
technologies and procedures.
What can you find that might help you to judge the risk appetite
of the business?
Please register online for all the online goodies that come
with this quick start guide:
You will also learn how to get your own custom branded
questionnaires and how to organise one to one training, support
or consultancy and custom on site, or open, hotel based training
events.
You will also get access to a suite of tools that should help you
in your ongoing ESORMA journey.
Next Up...
Now that we have enabled, the next chapter is about hardening.
The question is are you constantly, frantically hardening or are
you satisfied with your plan? Stan?
With thousands of attacks a day, it is highly likely that as a
security officer you will spend some time considering the types
of attacks you get.
ESORMA Harden
Pre-Planning
The Business Impact Analysis (BIA) as covered in Domain 3
of ESORMA is a pre-planning exercise, designed to help build
in resilience to the business by providing an alternative plan
should something go wrong with service or product delivery.
Clarity
To both avoid failure and recover from failure, it is important
to have systems in place with adequate documentation. One
thing to consider is that when things do fail there will be extra
pressure on the systems and personnel, both of which may
be subject to further failure. Mechanical or electronic
component failure could put more pressure on existing
components; in turn this may increase the temperature, and
other components can suffer if they exceed their normal
operating ranges too. Thus chain reactions can start, where one
thing fails and causes further related failures.
It is also vital to make life super easy for staff to operate when
under fire.
Capability
It is normal for an enterprise to expect to improve capability
over time as it moves from unpredictable processes to
predictable to increased staff expertise and systems are
enhanced, refined and ultimately optimised. Capability can be
reflected in a number of ways.
You should find the ESORMA framework will help you to move
from a CMMI of 1 through to a higher number and ultimately
help you through to level 5 provided you continue to review the
processes employed, your staff are proactive in their application
and collectively your organisation continues to review and find
improvements.
Disasters Happen
Fires, burst pipes, server crashes, area flooding, power outages,
winter storms, even local transport issues can all have an
impact, as can pandemics more recently; and then there are
deliberate attacks from staff, disgruntled clients or competitors,
which can all produce menacing dangers.
The final phase is Embed, and this can help with developing a CMMI level 5 capability: you not only identify the process but, through testing, ongoing revision and review, you get the opportunity to optimise your plan and in turn tune your resilience, where you can expect to improve quality, increase speed and potentially reduce costs too.
Disaster Recovery
There are times when disaster occurs beyond your control, especially if the disaster is related to a third party or, as we have seen a few times, a country-wide epidemic. However, it can be a smaller local event and still have big implications. Every day there are fires, car accidents, accidents at work and unintended as well as intentional consequences, from mistakes, lateness, a robbery or an aggravated attack for instance.
BCM/DRP Objectives
Processes developed should provide for immediate, accurate and measured responses to emergency situations. Policies, procedures and documentation need to be created and provided so that they are available to staff during an event, to aid the recovery process in practice. You will need a database of resources available to aid recovery, including additional lines of communication, and the flexibility to create an ad-hoc BCM/DRP team made up of the staff available at the time. You will also need a list of approved vendors and probably access to vendor SLAs too, in order to know who is responsible for ensuring reduced outages.
Summary
The summary for the Harden domain is really about preparation and planning. Most governance strategies insist on a disaster recovery plan as part of risk management, because risk management is about recovery as well as avoidance of risk, minimising the effects of risk when it does occur; and then there are compliance requirements too.
However, as with all the best plans, disasters can happen and, while we plan for you to be covered for every eventuality, there is bound to be a freak event that does not fit neatly into your contingency plans. So your business continuity processes will exist in a range of areas across your business, and your disaster recovery plan should be adaptable.
Do you have a BIA in place, what and when was the last action
on it (is it complete, rehearsed, accessible and up to date)?
______________________________________________________
______________________________________________________
______________________________________________________
______________________________________________________
Where are you on the CMMI scale and what do you need to do
to move up at least one notch or maintain level 5?
______________________________________________________
______________________________________________________
______________________________________________________
______________________________________________________
Please register online for all the online goodies that come with this quick start guide:
You will also learn how to get your own custom branded
questionnaires and how to organise one to one training, support
or consultancy and custom on site, or open, hotel based training
events.
You will also get access to a suite of tools that should help you
in your ongoing ESORMA journey.
Next Up...
Now that we have hardened, the next chapter is about monitoring. Monitoring is full of risks and yet has also become a mission-critical area of the business. Read on to find out why this should concern you.
Numbers are great, but things change. The next question is: are the controls actually still as effective as originally envisaged?
ESORMA Monitor
Nowadays we have to manage mission-critical information technology, and assure confidentiality, integrity and availability, as a mission-critical function.
If objectives are not met for any reason then action must be taken to rapidly fix the problem so data assets or our colleagues are not vulnerable.
The CEO and director were lazy and had given their credentials to the person making the change and told him to log in and approve it. I will let you count in your head the number of breaches in this scenario.
Strategy
As with all elements of information security you have to plan
things in advance of trying to make changes. When it comes
to the strategy for controls you can go back to the core of
ESORMA and scope your requirements for monitoring.
Programme
Only once you know how monitoring needs to be applied can
you start looking at the gaps between what needs to happen
to optimise monitoring and what you currently have in place.
Then you can decide who needs to do what and when. You
can probably start to appreciate why a programme of works
is needed. A roadmap would be required to plug the gaps
found.
Analysis
Analysing controls might be seen as a Security Operations Centre (SOC) function, as it is more than analysing logs: it is about confirming that the right logs are being generated in the first place, and that the devices, processes or systems generating the logs and information are actually functioning.
Response
As soon as a control is discovered not to be meeting its
objectives it becomes imperative to take action to remedy the
situation otherwise a non-functioning control becomes an
unmitigated risk in itself.
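As an added example (not code from the ESORMA book or its tool suite), the following Python check puts the Analysis and Response points above into practice: it verifies that each expected log source is still reporting within its normal interval and classifies the ones that are not, so that a control which has silently stopped producing evidence is surfaced as a finding rather than passing unnoticed. The source names, allowed intervals and log lines are constructed for illustration.

```python
"""Log-source heartbeat check (added example, not from the ESORMA book).

A control that stops producing evidence is an unmitigated risk, so the
monitor checks that each expected source is still reporting, independent
of what the log lines themselves say. Inventory, intervals and sample
lines are constructed for illustration.
"""
from datetime import datetime, timedelta, timezone

# Constructed inventory: expected sources and the longest quiet period that
# is normal for each. A perimeter firewall logs constantly; a badge reader
# or laptop checkout system can legitimately be quiet for hours.
EXPECTED_SOURCES = {
    "fw-edge-01": timedelta(minutes=5),
    "badge-reader": timedelta(hours=2),
    "app-auth": timedelta(minutes=15),
    "laptop-checkout": timedelta(hours=24),
}

# Constructed sample feed, one event per line: "<UTC timestamp> <source> <message>".
SAMPLE_FEED = """\
2024-05-01T09:00:00Z fw-edge-01 DROP src=203.0.113.9 dst=10.0.0.5 dport=445
2024-05-01T09:01:00Z app-auth LOGIN user=jsmith result=success
2024-05-01T08:30:00Z badge-reader ENTRY badge=1042 door=main
2024-05-01T09:04:30Z fw-edge-01 DROP src=198.51.100.7 dst=10.0.0.5 dport=3389
this line is corrupt and must not break the check
2024-05-01T09:05:10Z app-auth LOGIN user=akhan result=failure
"""


def parse_timestamp(text):
    """Parse the feed's UTC timestamp format; raise ValueError if malformed."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def latest_per_source(feed):
    """Return {source: most recent timestamp}. Unparseable lines are skipped
    (a corrupt line is itself worth counting, but must not stop the check)."""
    latest = {}
    for line in feed.splitlines():
        parts = line.split(" ", 2)
        if len(parts) < 2:
            continue
        try:
            ts = parse_timestamp(parts[0])
        except ValueError:
            continue
        source = parts[1]
        if source not in latest or ts > latest[source]:
            latest[source] = ts
    return latest


def check_heartbeats(latest, expected, now):
    """Classify every source.

    ok         seen within its allowed interval
    silent     seen, but the gap since its last event exceeds the interval
    missing    in the inventory but never seen in the feed
    unexpected seen in the feed but not in the inventory (inventory drift)
    Returns {source: (state, gap_since_last_event_or_None)}.
    """
    findings = {}
    for source, max_gap in expected.items():
        if source not in latest:
            findings[source] = ("missing", None)
            continue
        gap = now - latest[source]
        findings[source] = ("silent" if gap > max_gap else "ok", gap)
    for source, ts in latest.items():
        if source not in expected:
            findings[source] = ("unexpected", now - ts)
    return findings


def run_check(now_iso, feed=SAMPLE_FEED, expected=EXPECTED_SOURCES):
    """Convenience wrapper: evaluate a feed as of the given UTC time."""
    return check_heartbeats(latest_per_source(feed), expected, parse_timestamp(now_iso))


def needs_response(findings):
    """Sources that should open a ticket: anything that is not 'ok'."""
    return sorted(src for src, (state, _) in findings.items() if state != "ok")


if __name__ == "__main__":
    result = run_check("2024-05-01T09:20:00Z")
    for src, (state, gap) in sorted(result.items()):
        print(f"{src:16} {state:10} last event {gap} ago" if gap is not None
              else f"{src:16} {state}")
    print("respond to:", needs_response(result))
```

Run as of 09:20 UTC, the sample feed flags the firewall as silent (its last event was over fifteen minutes ago against a five-minute allowance) and the laptop checkout system as missing, while the quieter badge reader is still within its two-hour window. The "unexpected" state matters as much as the others: a source appearing that the inventory does not know about means the inventory, which is itself part of the control, needs reviewing.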
SIEM
Heartbeat monitoring
Penetration Testing
By U.S. Government Accountability Office from Washington, DC, United States - Figure 2: Achieving Objectives through Internal Control, Public Domain, https://commons.wikimedia.org/w/index.php?curid=52098015
Summary
In this chapter we looked at what monitoring is and who is responsible for it: senior management should commission it, so it falls into the governance category of GRC. We also looked at why it is necessary and the tools and methodologies available for it.
Next Up...
Now that our monitoring is motoring, the next chapter is
about your operations.
You will learn more about what to look out for, what to
measure and what to report back.
ESORMA Operations
Security Operations mainly revolve around monitoring and responding to information security events, usually a domain for a security operations team.
To get clearance to shut down and restart the whole network (to
remove a memory resident virus after it had been cleaned from
the infected files). The CIO of the company was supposed to
approve such an action.
This cost the bank millions in losses as they had people all
around their enterprise twiddling their thumbs and unable to
work for a whole day. All because of an ill thought out and
untested operational structure.
The Who?
The who is about establishing the number of staff required on a day-to-day basis: whether they need up-skilling or augmenting with internal or external help, or whether they can manage. When it comes to staffing, a good framework recommends the following:
At the end of the day there is a need for ‘use case’ development. Establishing who needs to do what, where, when and how is essential.
The How?
Written processes on how to achieve the goals of data security
are needed. These processes should form part of every
employee’s induction and should be contained within employee
handbooks and across the corporate Intranet.
The What?
What must be measured or responded to in operations?
There are tons of logs generated by both manual processes
and automated systems. Who signed into the building on
a given day? What did the firewall catch? Who logged into
an application or server or who has checked out a corporate
laptop? You get the picture.
Tools
Many different tools and methods can be used as part of
operations. The ones listed below are usually found to be the
most useful for the task:
Case Studies
Case study 1 : A security review of local government using
NIST CSF - Download the case study from the ESORMA Portal
at https://ESORMA.com select the ‘free gifts’ navigation item for
all the free gifts that come with this free guide.
Summary
In this chapter we looked at what security operations are, who is
responsible and why they are necessary. Looking at Operations
through the lens of a well-architected GRC (Governance, Risk
& Compliance) framework it is important for operations to be
supported at the highest level of the organisation.
Next Up...
Now that our operations are all set, it is important that we finish
off with Compliance.
ESORMA Compliance
Compliance is all encompassing and, although you will have some idea about the laws and standards to comply with, you just won’t know how to apply compliance thoroughly until you have completed all the prior domains, and still, things could change.
Staying up to date is a continuous process and is so important that we gave it a domain of its own.
The first two of these areas (geographic locations and contractual obligations) are usually dictated to us, but the latter two (organisational principles and optional standards) are more flexible. Each of these areas is briefly explained below.
Geographic Locations
The first obligation is to comply with the laws and regulations
of the land in which you have established a base.
Contractual Obligations
After the direct laws of the land have been complied with we
need to consider indirect laws. Usually civil and contract law
is important to observe here. You may have many agreements
and contracts with third parties that stipulate what you can or
cannot do with data, what you must do with data and when
you can be audited to check if you are observing any of the
above or not.
Organisational Principles
An enterprise has two types of principles, and both are chosen and developed at a governance level: organisational principles, which restrict how an enterprise will carry out its mission, and architecture principles, which define what rules will be in place to determine the type of architecture suitable to its strategic goals and values.
Optional Standards
Adopting optional standards to comply with is usually done as a way of structuring compliance activities for the legal and contractual obligations discussed above, but often it can be a distinguishing factor, or a matter of pride and prestige, in order to build goodwill. After all, who wouldn’t want to do business with an organisation that prides itself on having achieved an international standard for information security, such as ISO 27001 or the NIST Cyber Security Framework, over one that doesn’t? It’s all about having an impressive corporate resumé.
• PCI DSS
• ISO 27001 series of standards (Not always the simplest to
interpret and require investment to be certified)
• NIST Standards (Usually quite clear in language and free
to boot)
• ENISA
• MCSS (Minimum Cyber Security Standard)[1]
• IASME
• Cyber Essentials
Compliance Tools
Many different tools and methods can be used to comply. The
ones listed below are usually found to be the most useful for
the task:
ESORMA GRC
The ESORMA GRC practical and fast way is simply to reference the different clauses that apply and add them to the risk register. In this way you would be able to demonstrate to an auditor the risk, how it is mitigated and how you comply.
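To illustrate the cross-referencing approach just described, here is an added Python example (not the ESORMA GRC tool itself, whose format this page does not show): each risk register entry carries the clauses it evidences, so the register can answer an auditor’s question clause by clause and report which required clauses have no implemented mitigation behind them. The register entries and clause identifiers are constructed placeholders, not real clause numbers from any standard or contract.

```python
"""Risk register with compliance clause cross-references (added example,
not the ESORMA GRC tool). Clause identifiers and entries are constructed
placeholders; substitute the real clause numbers of your own obligations.
"""

# Constructed register. Each entry: the risk, how it is mitigated, the
# mitigation status, and the clauses of laws, contracts or standards it
# evidences. Clause ids are placeholders (e.g. "ISO27001:CLAUSE-A").
RISK_REGISTER = [
    {"id": "R1", "risk": "Unauthorised access to customer database",
     "mitigation": "MFA on all admin access; quarterly access review",
     "status": "implemented",
     "clauses": ["ISO27001:CLAUSE-A", "CONTRACT:ACME-DPA-7"]},
    {"id": "R2", "risk": "Log sources silently stop reporting",
     "mitigation": "Heartbeat monitoring of every log source",
     "status": "planned",
     "clauses": ["PCIDSS:REQ-N", "ISO27001:CLAUSE-B"]},
    {"id": "R3", "risk": "Flooding destroys on-premises servers",
     "mitigation": "Off-site DR environment, failover tested quarterly",
     "status": "implemented",
     "clauses": ["ISO27001:CLAUSE-C"]},
    {"id": "R4", "risk": "Key vendor outage exceeds contractual SLA",
     "mitigation": "",
     "status": "open",
     "clauses": ["CONTRACT:ACME-DPA-12"]},
]

# Constructed list of clauses the enterprise must be able to evidence,
# drawn from its geographic, contractual and optional-standard obligations.
REQUIRED_CLAUSES = [
    "ISO27001:CLAUSE-A", "ISO27001:CLAUSE-B", "ISO27001:CLAUSE-C",
    "PCIDSS:REQ-N", "PCIDSS:REQ-M",
    "CONTRACT:ACME-DPA-7", "CONTRACT:ACME-DPA-12",
]


def evidence_for(clause, register=RISK_REGISTER):
    """Answer the auditor's question for one clause: which risks reference it,
    how each is mitigated and whether the mitigation is in place."""
    return [
        {"id": e["id"], "risk": e["risk"], "mitigation": e["mitigation"],
         "status": e["status"]}
        for e in register if clause in e["clauses"]
    ]


def coverage_report(required=REQUIRED_CLAUSES, register=RISK_REGISTER):
    """Gap analysis over the required clauses.

    covered    at least one referencing risk has an implemented mitigation
    partial    referenced only by risks whose mitigation is not yet in place
    unmapped   no register entry references the clause at all
    Also lists risks with no implemented mitigation, whatever their clauses.
    """
    report = {"covered": [], "partial": [], "unmapped": [], "unmitigated_risks": []}
    for clause in sorted(required):
        entries = evidence_for(clause, register)
        if not entries:
            report["unmapped"].append(clause)
        elif any(e["status"] == "implemented" for e in entries):
            report["covered"].append(clause)
        else:
            report["partial"].append(clause)
    report["unmitigated_risks"] = sorted(
        e["id"] for e in register if e["status"] != "implemented")
    return report


if __name__ == "__main__":
    for clause in REQUIRED_CLAUSES:
        print(clause, "->", [(i["id"], i["status"]) for i in evidence_for(clause)])
    print(coverage_report())
```

The two outputs serve the two audiences the paragraph names: `evidence_for` is the answer you hand an auditor who asks about one clause, and `coverage_report` is the view for senior management, where an "unmapped" clause means nobody has yet worked out which risk and control evidence it, and a "partial" clause means the work is known but not done.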
Case Studies
Unfortunately there are so many news articles about security
breaches that there is no need to cite one as a case study. Just
search for ‘data breach’ and you will find many examples
of non-compliance which should be taken and presented to
senior management as examples of what the business does not
want to happen.
Summary
In this chapter we looked at what compliance is, who is
responsible and why it is necessary.
1. Geographic locations
2. Contractual obligations
3. Organisational principles
4. Optional standards
[1]. https://www.gov.uk/government/publications/the-minimum-cyber-security-standard
Next Up...
Change Is Needed.
ESORMA Change Is Needed
Change Is Needed
Some businesses and enterprises have spent millions on cybersecurity and yet many of these organisations are exactly where breaches continue to occur.
Clearly criminals are going after the money and they seem to be
rewarded well. It is not just businesses with money, government
and educational establishments are being caught with their
trousers down too.
Staff are often blamed. They are often wrongly seen as the weakest link, when they are probably the strongest link! It is invariably a business process letting staff down. Staff are often not informed and are simply, and rightly, following an ill-thought-through procedure. Feedback tells us staff are keen to do the right thing, yet they tend not to know what to look for or what to do.
Yet security officer salaries are often the budget, and for some companies the entire budget, when more attention to detail, or just slightly bigger budget allowances, could easily lead to business processes being streamlined and efficiencies found.
Security Officers are often given a bad rap, seen to slow things down. When they do, it is usually because development teams tend to leave wide open doors and leave systems and passwords exposed in online places like GitHub, which is a notorious code and credentials storage service owned by Microsoft that hackers know and love.
It’s not too late. A business can yet transform itself. It requires
security to be baked in at the core.
ESORMA has been written to show how you can bake security
into the core of your business. This book is the opening salvo,
offering a practical quick start to improve processes starting
with the alignment of communications.
Here, each domain has its own workbook. The workbooks are also published separately for you to run your own workshops.
Here’s a clue: turn the page, run through the foundation and simply start with the first ESORMA domain: Scoping. There are only eight domains to manage and you are done.
If you are familiar with the domain content, the short exercise workbooks at the end of each domain can easily be completed in a morning. If you are a speed reader and you do not complete the workbooks, you could speed through in about an hour. If you are completely new to the subject and concepts of security, and you employ desk-based research to look things up and verify the information you find, allow for an entire day.
Next Up...
The Epilogue. We hope to provide some insights into what the
future might hold for ESORMA and how it should change the
conversation so more business enterprises become more secure,
save time and money.
ESORMA Epilogue
EPILOGUE
“Save Time And Money”
The implementation of a well architected security strategy should employ the assets of an enterprise efficiently at a minimum cost. Ease of management is delivered as the result of uniform procedures so all involved understand what, when and why.
For the authors, their students and clients ESORMA has been a
long time in coming. It has been practiced, in part, in fits and in
starts, never written down in one place, always as notes in bits,
here and there. Yet when it came down to it we were quite lucid
about what the task would involve and easily able to clearly
define what we wanted to do.
Mustafa Ahmed
Coming up with ideas for a framework ESORMA was the
farthest thing from my mind just a few years ago. My journey
to becoming a co-founder of ESORMA starts like it would for
anyone interested in technology but it took some interesting
turns.
David White
I came to ESORMA through four directions, first of all for
decades, until about a decade ago I ran an IT start-up called
Weboptimiser where I pioneered Search Engine Marketing, back
in the day when there were hundreds of search engines. It is a
business that is redundant now, as there is only one to speak
of - Google and anyone prepared to lose their shirt can get to
number one, and many do. It is not a happy market.
I found that Mustafa and I are able to spar really well, lots of
good feelings and great ideas just rub off. We have developed a
process for exchange (by phone and email) and we set ourselves
incredible deadlines and we really deliver.
Special Thanks
In particular to their agreement to being our first Mastermind
Interviewees and for their thoughts and input into this book:
Skills Acquisition
Our range of one to three day ESORMA courses all reward
skills and CPE credits by combining aspects of cybersecurity,
management, architecture, operations, communications and
project management skills. Each one day course specialises on
individual domains.
Our two day courses reward double the CPEs and are available
configured as Foundation, Lead Implementer Bootcamp and
Refresher courses with homework and certification.
Our three day courses reward triple CPEs aimed at those who
are keen to acquire ESORMA Practitioner skills. Find out more
at ESORMA.com/training.html
Next
You can connect with David and Mustafa in a number of places
but the best place is via the books portal where you will also
discover so much more. There, the authors will answer you
personally… which may be good or not.
Help spread the word. One or two line reviews are all we are
looking for. Thank you.