FREQUENTLY ASKED QUESTIONS
From time to time we get questions about ESM - Enterprise Security Modeller and below we try to give a brief summary of these as well as our answers.
01 "Who should use ESM?"
We believe that there are many different roles that would benefit from using ESM - Enterprise Security Modeller.
- The IT-Architect: ESM provides a visual, simple and specific tool for modelling processes, information, applications and IT-systems. We provide a modelling tool that is accessible by many other, thus the IT-Archtiect will be able to share his/hers models with other enabling a common, shared model that enable more effective collaboration.
- The Information Security specialist: ESM provides support for sharing requirements on ISO/IEC27000 controls in processes, applications and in IT-systems. Thus a security specialist will be able to work efficiently in sharing requriements, follow up om compliance and providing support on how to implement security controls. With ESM:s process view peoples within the organisation may also get support in security related processes, such as Information Classification etc.
- The IT-Manager: ESM provides a simple and visual model on information flows between applications, in what infrastructure a specific application is running and where sensitive information is stored. This will provide fast and easy accessible information that supports the decision process for Managers.
- Risk Managers and CISO's that want to provide their organisations with support in a distributed process for Risk Identification and Analysis. ESM's efficient workflow with support from ISO/IEC27005 will support Your organisation.
- Data Privacy Officers and similar that want an effective support for GDPR article 30 and start working with Dataprotection by Design with support from ISO/IEC27018.
02 "What organisations should use ESM?"
We believe that ESM is best suited for Small and Medium sized Enterprises that need support in improving their Information Security governance. ESM support collaboration and offers effective means for a smaller team of Information Security specialists to reach out to their organisation. ESM is also suitable for complex IT-systems where several specialists need to collaborate around Compliance and Information Security.
03 "Can ESM provide support in Information Classification?"
ESM - Enterprise Security Modeller has built-in support for effective and efficient classification of Information objects in terms of confidentiality, integrity, availability and traceability. With the ISO/IEC27000 module the classification will result in security requirements being utportionerade on those applications, processes and/or IT-systems that actually use the information objects. This will make it possible to implement an effective process for information classification that supports owners of applications and processes.
04 "Is ESM providing any support for GDPR?"
ESM - Enterprise Security Modeller provides support for GDPR as you can classify information objects and processes with labels from GDPR. This makes it possible for an organisation to work with classification of information, trace where privacy information actually is stored and processed as well as to integrate process support for important processes required from GDPR, e.g. incident management. With ISO/IEC27018 and ISO/IEC27701 you get support in working with data protection and GDPR.
05 "Can I import information into ESM?"
ESM - Enterprise Security Modeller has no built-in support for importing information, however we have successfully helped some of our clients in importing information from Excel and Sparx Enterprise Architect.
06 "How do I pay for ESM?"
ESM - Enterprise Security Modeller wants to support collaboration, therefore you can have as many Read-only users you want. What you pay for is the Read-write users. We also have an add-on to our base model for supporting ISO/IEC27000.
07 "Can ESM help me with ISO-certification?"
ESM - Enterprise Security Modeller has ISO/IEC27000 built in for paying customers (for licensing reasons). You will still need to document your Information Security Policy and some other guidelines. The strength of ESM is the ability to manage processes, information and IT-systems in the same tool. The integrated support for information classification and connection with ISO-controls in ISO/IEC27002 will help you to detail what processes, applications and devices that need to comply with specific ISO-controls. With ESM you may also distribute the responsibility to report compliance with the ISO-controls to process owners, applications and devices.