Cyber Security: ESORMA Quickstart Guide

Published by Aldwych Factors Ltd
Copyright © 2020 David White, Mustafa Ahmed

All rights reserved. No portion of this book may be reproduced in any form without permission from the publisher, except as permitted by U.K. copyright law. For permissions contact: [email protected]

Disclaimer: CISM® is a registered trademark of ISACA®. Our materials have been developed independently and are not endorsed, sponsored, delivered by or connected with ISACA®.

Disclaimer: CISSP® is a registered trademark of the International Information Systems Security Certifications Consortium (ISC)2® Inc. Our materials have been developed independently and are not endorsed, sponsored, delivered by or connected with (ISC)2®, Inc.

Disclaimer: TOGAF® is a registered trademark of The Open Group. Our materials have been developed independently and are not endorsed, sponsored, delivered by or connected with The Open Group.

Accompanying book resources available here: https://esorma.com/freegifts.html

This publication is designed to provide accurate and informative information on the subject matter for entertainment purposes. The authors make no representation, warranty or claims as to the actual accuracy or completeness of the information contained. This book is sold on the understanding that the authors are not rendering services or offering advice through this book. The concepts and ideas may not be suitable for your circumstances. You should consult with a qualified professional advisor where appropriate. You agree to assume all the risk of your business endeavour, and the authors shall not be liable for any loss of income, profit or any other commercial damages or any emotional or psychological distress.

Contents

Change Is Needed 1
Foundation 5
What ESORMA is and is not 6
Every Business Has A CISO 6
Where to start? 10
Learn While 'Doing' 13
This Quick Start Guide Is Here For You 13
Continuing Professional Education 14
Practical And Pragmatic 14
The Common Problem 15
Loose Frameworks Are More Adaptable 15
Is Security A Cost? An Enabler? Or Profit Centre? 16
The ESORMA Membership 17
Wait There's More! 18
What Alternatives Are There? 18
The Well-Architected GRC Framework 20
The Key Domains 21
ESORMA Summary 22
ESORMA Domain #1: Scope 25
How scoping is done 28
Categorisation 29
Classification 29
Tools 30
The Information Asset Register 30
Geo-Mapping Tool 31
Information Flow Map 32
Fishbone Diagram 34
Case Study 34
Summary 35
Domain #1: Scope Questionnaire 36
ESORMA Domain #2: Priority 41
Two Ways To Measure Risk 42
Human Risk Factors 43
Key Tools 44
Job Rotation 46
Job Segregation 47
Key Risk Stages 48
Threats and Vulnerabilities 49
Risk Assessment & Prioritisation 51
The Five Major Components of Quantitative Risk Analysis 51
How To Calculate Risk 52
How To Invest In Safeguards Efficiently 55
Associated Safeguard Costs 56
Risk Registers 57
Case Study 60
FREE Bonus Chapter Resource 60
Summary 61
Domain #2: Priority Questionnaire 62
ESORMA Domain #3: Evaluate 65
Business Impact Analysis 67
The objective of the BIA is to help you in several areas 68
Timing 68
Priority 68
The Benefits of Using A Form Driven Approach 69
Understanding Through Interviews 70
Business Procedures 71
Information Systems 72
Real Assets 73
Risk Appetite 74
Genuine Business Benefits 75
Impact Statements 76
Timing 77
Risk Treatment 79
Risk Acceptance Framework 80
FREE Bonus Chapter Resource 81
Summary 82
Domain #3: Evaluate Questionnaire 83
ESORMA Domain #4: Enable 87
Tools 90
Risk Communication 90
Risk Awareness Checklist 91
Documentation 91
Compliance 92
The PDCA: PLAN - DO - CHECK - ACT Walk-through 92
Resource Management 93
Controls 95
Summary 96
Domain #4: Enable Questionnaire 97
ESORMA Domain #5: Harden 101
Pre-Planning 102
Clarity 103
Capability 104
Disasters Happen 106
Business Continuity and Disaster Recovery (BC/DRP) 106
Business Continuity Management Lifecycle 107
Disaster Recovery 108
Disaster Recovery Plan Lifecycle 109
BCM/DRP Objectives 109
Summary 110
Domain #5: Harden Questionnaire 111
ESORMA Domain #6: Monitor 115
How monitoring is conducted 117
Strategy 117
Programme 118
Analysis 118
Response 119
Tools & Walk-through 120
SIEM 120
Continuous audit module 121
Manual audit logs 122
Heartbeat monitoring 122
Penetration Testing 123
Control objective evaluation 124
Summary 124
Domain #6: Monitor Questionnaire 125
ESORMA Domain #7: Operations 129
What is the alternative to a SOC? 130
Good security is invisible 133
The Who? 134
The How? 135
The What? 135
Tools 137
Case Studies 139
Summary 140
Domain #7: Operations Questionnaire 141
ESORMA Domain #8: Comply 145
Geographic locations 146
Contractual obligations 147
Organisational principles 148
Optional standards 149
How compliance is done 150
Compliance Tools 151
UCF (Unified Controls Framework) 151
CCM from the CSA 151
ESORMA GRC 152
Case Studies 152
Summary 153
Domain #8: Comply Questionnaire 154
EPILOGUE 159
The Book Plan 162
The ESORMA Platform 162
Introducing The Authors 163
Mustafa Ahmed 163
David White 167
Special Thanks 170
Skills Acquisition 170
Next... 170

Change Is Needed

Some businesses and enterprises have spent millions on cyber security, and yet some of these organisations are exactly where breaches continue to occur. Clearly criminals are going after the money, and they seem to be rewarded well. It is not just businesses with money: government and educational establishments are also being caught with their trousers down. We hope you are not next, because no one wants the criminal fraternity to prosper.
When we review accidental breaches, the root cause is often something silly and minor, usually in an area that was already 'covered' by a policy. An activity that has gone on for long enough comes to be considered normal, until it is finally investigated and its true horrors revealed, by which time millions may have been syphoned off.

Staff are often blamed. They are wrongly seen as the weakest link, when they are probably the strongest! It is invariably a business process that lets staff down: they are not informed, and are simply, and rightly, following an ill-thought-through procedure. Feedback tells us that staff are keen to do the right thing, yet they tend not to know what to look for or what to do. Treating staff as part of the security team would be a big change for many business operations executives, and yet it gives a business more protective power without extra budget. Better security results follow when staff learn what to review. Expect reported incidents to rise. This is a good thing: it amounts to more opportunities to plug the gaps in the dyke, and even reports that turn out to be wrong demonstrate vigilance. More eyes working together, collaborating to seek out security problems, provides more protection.

Yet for some companies the security officer's salary is the entire security budget. A little more attention to detail, or a slightly bigger budget allowance, could easily lead to business processes being streamlined and efficiencies found. Security officers are often given a bad rap and seen as slowing things down. When they do, it is usually because development teams tend to leave doors wide open and leave systems and passwords exposed in public places like GitHub, the Microsoft-owned code hosting service, where credentials committed to public repositories are routinely found and harvested by attackers. Any credential that has been pushed to a public repository should be treated as compromised and rotated, even if the commit is later deleted. It is about time business and enterprise officers started to understand their responsibility.
They are the ones who will be fined, and it is their customers who will ultimately pay the price. Businesses stand to lose face, customers and income, a blow from which, the authors contend, over 50% of businesses never recover. It's not too late. A business can yet transform itself. It requires security to be baked in at the core. ESORMA has been written to show how you can bake security into the core of your business. This book is the opening salvo, offering a practical quick start to improving processes, starting with the alignment of communications. It is high time the language of security sat firmly in the field of business needs and requirements rather than security and technological jargon. The focus here is first on the business and secondly on an easy-to-use, easy-to-understand system, designed as a framework so that it is easy to share and, most importantly, to apply uniformly. Each domain has its own workbook. The workbooks are published separately so that you can run your own workshops.

All in all, the objective is to make security easier to implement, run and embed, and to deliver more profit for the businesses that adopt it. Its uniform and straightforward implementation requirements are designed to make it easy for all to understand, implement and manage. ESORMA processes are unusually practical. Can you afford to wait another minute? Do you know where to start? Here's a clue: turn the page, run through the Foundation and then start the first ESORMA domain: Scope. There are only eight domains to manage and then you are done. If you are familiar with the domain content, the workbooks can be completed in a morning. If you are a speed reader and you do not complete the workbooks, you could get through in about an hour. If you are completely new to the subject and concepts of security, and want to verify what you read with desk-based research, allow an entire day. Our overall advice: please don't over-complicate this.
Above all else, your business needs come first. Please do your best to stick to plain English and avoid jargon. Your role as a security officer is to advise, or better still to ask questions and seek answers. ESORMA training and certification is available and is useful, as are the CPE (Continuing Professional Education) credits you will earn. However, the purpose of this guide is to get you started. Just read through the domains and work through the workbook pages at the end of each domain. We hope to get you thinking, implementing and adding more protection fast.

The business must always come first. The structure of this framework is there to save you time, to ensure comprehensive protection is achieved quickly, and to assist the business through the systematic streamlining of processes. If something has to give for you to make this work in your world, make it the framework, not the business! Most of all: enjoy.