
🎭 E8 Test Scenarios - Detailed Walkthroughs

Overview

Three detailed test scenarios validate the E8 Assessment Framework across different organization types, testing all aspects from initial assessment through board decision.

Scenario 1: TechStartup Pty Ltd (Small Business)

Organization Profile

  • Industry: B2B SaaS Platform
  • Size: 10 employees
  • IT Setup: Cloud-first, no on-premise servers
  • Governance: Founder-led, no formal board
  • Current Security: Basic (Google Workspace, some 2FA)
  • Compliance Needs: Considering SOC 2 for enterprise clients

Pre-Assessment Setup

Available Crossover Sources

  1. Policies: Basic IT policy (5 pages)
  2. Insurance: None (self-insured)
  3. Prior Assessments: None

Expected Pre-fill Performance

  • From policies: 8 questions (20%)
  • From insurance: 0 questions (0%)
  • From prior assessments: 0 questions (0%)
  • Total Pre-fill: 20%

Assessment Walkthrough

Phase 1: System Pre-fill (Automated)

Questions pre-filled from the basic IT policy include:

  • Q1: Application control → "Not implemented" (from policy section 2.1)
  • Q14: Macro settings → "Disabled by default" (from policy section 3.2)
  • Q23: Admin privileges → "Founders only" (from policy section 4.1)
  • Q32: MFA status → "Enabled for admin accounts" (from policy section 5.1)
  • Q37: Backup process → "Daily to cloud" (from policy section 6.1)

Confidence scores: All HIGH (policy less than 6 months old)

Phase 2: Founder/IT Completion (32 Questions)

Time Block 1: Application Control (5 questions, ~3 min)

  • Q2: "Do you maintain an application whitelist?" → NO
  • Q3: "Are executables blocked in user profiles?" → NO
  • Q4: "Is PowerShell execution restricted?" → PARTIAL
  • Q5: "Are application control bypasses monitored?" → NO
  • Q6: "Is code signing enforced?" → NO

Time Block 2: Patching (6 questions, ~3 min)

  • Q8: "Are critical patches applied within 48 hours?" → NO (weekly)
  • Q9: "Do you maintain a patch management process?" → YES
  • Q10: "Are end-of-life applications removed?" → PARTIAL
  • Q11: "Is patching automated where possible?" → YES
  • Q12: "Are patch compliance reports generated?" → NO
  • Q13: "Is vulnerability scanning performed?" → NO

Time Block 3: Office Macros (3 questions, ~2 min)

  • Q15: "Are macros from the internet blocked?" → YES
  • Q16: "Are macro security settings enforced?" → YES
  • Q17: "Are trusted locations minimized?" → N/A (no trusted locations)

Time Block 4: User Hardening (5 questions, ~3 min)

  • Q18: "Is web browser hardening applied?" → PARTIAL
  • Q19: "Are browser plugins restricted?" → NO
  • Q20: "Is web content filtering active?" → YES (DNS filtering)
  • Q21: "Is Java disabled in browsers?" → YES
  • Q22: "Are ads and tracking blocked?" → PARTIAL

Time Block 5: Admin Privileges (4 questions, ~2 min)

  • Q24: "Is privileged access regularly reviewed?" → NO
  • Q25: "Are admin accounts separate from user accounts?" → PARTIAL
  • Q26: "Is just-in-time access implemented?" → NO
  • Q27: "Are privileged actions logged?" → PARTIAL

Time Block 6: OS Patching (4 questions, ~2 min)

  • Q28: "Are OS patches applied within 48 hours?" → NO (monthly)
  • Q29: "Is OS patching automated?" → YES (auto-updates)
  • Q30: "Are servers patched regularly?" → N/A (no servers)
  • Q31: "Is firmware updated regularly?" → NO

Time Block 7: MFA (4 questions, ~2 min)

  • Q33: "Is MFA required for all remote access?" → YES
  • Q34: "Is MFA required for privileged actions?" → PARTIAL
  • Q35: "Is MFA resistant to phishing?" → NO (SMS/TOTP only)
  • Q36: "Is MFA centrally managed?" → YES (Google)

Time Block 8: Backups (3 questions, ~1 min)

  • Q38: "Are backups tested regularly?" → NO
  • Q39: "Are backups stored offline/immutable?" → PARTIAL (cloud)
  • Q40: "Is the 3-2-1 rule followed?" → NO

Phase 3: Results Calculation

Maturity Scores by Strategy:

  1. Application Control: ML0 (0%)
  2. Patch Applications: ML1 (40%)
  3. Office Macros: ML2 (75%)
  4. User Hardening: ML1 (40%)
  5. Admin Privileges: ML0 (25%)
  6. OS Patching: ML1 (33%)
  7. MFA: ML1 (60%)
  8. Backups: ML1 (50%)

Overall Maturity: ML0 (under the Essential Eight model the overall level is the lowest level achieved across the eight strategies, and Application Control and Admin Privileges are both at ML0)
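The results calculation above, as an added Python example that is not the framework's own scoring code. The one rule it takes from the Essential Eight model is the roll-up: the weakest strategy sets the overall level, so a single ML0 strategy caps the organisation at ML0 however strong the others are. The answer weights (YES 1, PARTIAL 0.5, NO 0, N/A excluded, unanswered treated as NO), the 70% and 90% thresholds, and the sample answer set are assumptions, so the percentages it produces are not the page's figures. It also lists which strategies are holding the overall level down, which is the first thing a remediation plan needs to know.

```python
"""Per-strategy scoring and Essential Eight maturity roll-up.

Added illustration, not the framework's own scoring code. The one rule taken
from the Essential Eight model is the roll-up: the overall level is the
lowest level achieved across the eight strategies. Everything else is an
assumption because the page does not state how its percentages are derived:
YES counts 1, PARTIAL 0.5, NO 0, N/A is excluded, an unanswered question
counts as NO, and the level thresholds are ML1 >= 30%, ML2 >= 70%, ML3 >= 90%.
"""

# Question ranges per strategy, as numbered on the page (Q1..Q40).
STRATEGIES = {
    "Application Control": range(1, 7),
    "Patch Applications": range(7, 14),
    "Office Macros": range(14, 18),
    "User Hardening": range(18, 23),
    "Admin Privileges": range(23, 28),
    "OS Patching": range(28, 32),
    "MFA": range(32, 37),
    "Backups": range(37, 41),
}

WEIGHTS = {"YES": 1.0, "PARTIAL": 0.5, "NO": 0.0}   # assumed answer weights
THRESHOLDS = ((3, 90.0), (2, 70.0), (1, 30.0))     # assumed (level, minimum percent)


def strategy_percent(answers, questions):
    """Weighted share of applicable questions answered YES/PARTIAL."""
    earned, applicable = 0.0, 0
    for q in questions:
        answer = answers.get(q, "NO").strip().upper()   # unanswered counts as NO
        if answer == "N/A":
            continue                                     # N/A is not scored either way
        earned += WEIGHTS[answer]
        applicable += 1
    return round(100.0 * earned / applicable, 1) if applicable else 0.0


def level_for(percent):
    """Map a strategy percentage to a maturity level 0..3."""
    for level, floor in THRESHOLDS:
        if percent >= floor:
            return level
    return 0


def assess(answers):
    """Return {strategy: (percent, level)} for all eight strategies."""
    result = {}
    for name, questions in STRATEGIES.items():
        percent = strategy_percent(answers, questions)
        result[name] = (percent, level_for(percent))
    return result


def overall_level(assessment):
    """Essential Eight roll-up: the weakest strategy sets the overall level."""
    return min(level for _, level in assessment.values())


def blocking_strategies(assessment):
    """Strategies sitting at the overall level; lifting these lifts the whole."""
    floor = overall_level(assessment)
    return [name for name, (_, level) in assessment.items() if level == floor]


# Constructed sample answer set (not the page's figures): a small cloud-first
# business with no servers, so Q30 is N/A.
SAMPLE_ANSWERS = {
    1: "NO", 2: "NO", 3: "NO", 4: "PARTIAL", 5: "NO", 6: "NO",
    7: "YES", 8: "NO", 9: "YES", 10: "PARTIAL", 11: "YES", 12: "NO", 13: "NO",
    14: "YES", 15: "YES", 16: "YES", 17: "N/A",
    18: "PARTIAL", 19: "NO", 20: "YES", 21: "YES", 22: "PARTIAL",
    23: "YES", 24: "NO", 25: "PARTIAL", 26: "NO", 27: "PARTIAL",
    28: "NO", 29: "YES", 30: "N/A", 31: "NO",
    32: "YES", 33: "YES", 34: "PARTIAL", 35: "NO", 36: "YES",
    37: "YES", 38: "NO", 39: "PARTIAL", 40: "NO",
}

if __name__ == "__main__":
    report = assess(SAMPLE_ANSWERS)
    for name, (percent, level) in report.items():
        print(f"{name:20s} ML{level} ({percent}%)")
    print(f"Overall: ML{overall_level(report)}; held down by {blocking_strategies(report)}")
```

With the sample answers, Office Macros scores 100% and MFA 70% yet the organisation is still ML0 because Application Control is at 8%; that is the point of the min-based roll-up, and it is why the scenario's recommendations put application control first rather than polishing the strategies that already score well.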

Phase 4: Recommendations

Quick Wins (< 1 week):

  • Enable MFA for all accounts (+20% MFA score)
  • Implement monthly backup testing (+25% backup score)
  • Document admin privilege review process (+25% admin score)

Month 1 Targets:

  • Implement application whitelisting (reach ML1)
  • Reduce patching window to 1 week
  • Separate admin accounts fully

Cost Estimates:

  • Quick wins: $0 (configuration only)
  • ML1 achievement: $5,000 + 40 hours
  • ML2 achievement: $25,000 + 200 hours

Validation Points

  ✅ Pre-fill Rate: 20% (expected for minimal documentation)
  ✅ Completion Time: 18 minutes (under 25 min target)
  ✅ Routing: All to founder (no delegation needed)
  ✅ Maturity: ML0 appropriate for young startup
  ✅ Recommendations: Actionable and affordable


Scenario 2: MedCorp Limited (Medium Enterprise)

Organization Profile

  • Industry: Medical Devices Distribution
  • Size: 50 employees (35 office, 15 warehouse)
  • IT Setup: Hybrid (on-prem AD, cloud apps)
  • Governance: 5-person board (3 NEDs, 2 executives)
  • Current Security: Moderate (managed IT service, cyber insurance)
  • Compliance Needs: Medical device regulations, considering ISO 27001

Pre-Assessment Setup

Available Crossover Sources

  1. Policies: Comprehensive IT security policy (45 pages)
  2. Insurance: Cyber insurance questionnaire (completed 3 months ago)
  3. Prior Assessments: Basic security audit (6 months old)

Expected Pre-fill Performance

  • From policies: 18 questions (45%)
  • From insurance: 12 questions (30%)
  • From assessments: 4 questions (10%)
  • Total Pre-fill: 34 questions (85%)

Assessment Walkthrough

Phase 1: System Pre-fill (Automated)

High Confidence Pre-fills (from recent sources):

  • 18 questions from policy document
  • 10 questions from insurance questionnaire
  • 2 questions from security audit

Medium Confidence Pre-fills:

  • 2 questions from older insurance answers
  • 2 questions from audit recommendations

Manual Review Required:

  • 6 questions with conflicting sources
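The pre-fill step described here and in Scenario 1, as an added Python example that is not the framework's own code: a question whose crossover sources agree is filled from the freshest source, confidence is HIGH when that source is under six months old and MEDIUM otherwise, and a question whose sources disagree is never auto-filled but held for manual review, which is what produces the "conflicting sources" bucket above. The page states only that a policy under six months old gives HIGH confidence; the exact cut-off, the merge rule, the source names and the sample evidence are assumptions.

```python
"""Crossover pre-fill with source-age confidence and conflict detection.

Added illustration, not the framework's own code. Assumed rules (the page
does not state them): a source younger than six months yields HIGH
confidence and anything older MEDIUM; sources that agree are merged and the
freshest one is recorded as provenance; sources that disagree are never
auto-filled and go to manual review instead.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

TOTAL_QUESTIONS = 40   # the page's questionnaire is Q1..Q40
FRESH_DAYS = 183       # about six months; assumed cut-off for HIGH confidence


@dataclass(frozen=True)
class Evidence:
    question: int
    answer: str
    source: str   # "policy", "insurance" or "assessment"
    dated: date   # date the source document was produced


@dataclass(frozen=True)
class Prefill:
    answer: str
    source: str
    confidence: str   # "HIGH" or "MEDIUM"


def confidence_for(dated: date, today: date) -> str:
    """HIGH for a source under FRESH_DAYS old, MEDIUM otherwise."""
    return "HIGH" if (today - dated).days < FRESH_DAYS else "MEDIUM"


def prefill(evidence, today, total=TOTAL_QUESTIONS):
    """Return (filled, conflicts, remaining).

    filled:    question -> Prefill, for questions whose sources all agree
    conflicts: question -> evidence list (freshest first), needs manual review
    remaining: every question not auto-filled, including the conflicts
    """
    by_question = defaultdict(list)
    for item in evidence:
        by_question[item.question].append(item)

    filled, conflicts = {}, {}
    for question, items in by_question.items():
        # Compare answers case-insensitively so "Yes"/"yes" do not conflict.
        distinct = {item.answer.strip().casefold() for item in items}
        if len(distinct) > 1:
            conflicts[question] = sorted(items, key=lambda e: e.dated, reverse=True)
            continue
        freshest = max(items, key=lambda e: e.dated)
        filled[question] = Prefill(freshest.answer, freshest.source,
                                   confidence_for(freshest.dated, today))

    remaining = [q for q in range(1, total + 1) if q not in filled]
    return filled, conflicts, remaining


def prefill_rate(filled, total=TOTAL_QUESTIONS) -> float:
    """Share of the questionnaire auto-completed, as a percentage."""
    return round(100.0 * len(filled) / total, 1)


# Constructed sample evidence (not from the page): a policy and an insurance
# questionnaire a few months old, plus an audit more than six months old.
TODAY = date(2025, 1, 15)
POLICY_DATE = date(2024, 11, 1)      # 75 days old  -> HIGH
INSURANCE_DATE = date(2024, 10, 15)  # 92 days old  -> HIGH
AUDIT_DATE = date(2024, 6, 1)        # 228 days old -> MEDIUM

SAMPLE_EVIDENCE = [
    Evidence(1, "Not implemented", "policy", POLICY_DATE),
    Evidence(14, "Disabled by default", "policy", POLICY_DATE),
    Evidence(14, "disabled by default", "insurance", INSURANCE_DATE),  # agrees
    Evidence(32, "Enabled for admin accounts", "policy", POLICY_DATE),
    Evidence(35, "SMS and TOTP only", "insurance", INSURANCE_DATE),
    Evidence(35, "FIDO2 keys in pilot", "assessment", AUDIT_DATE),     # conflicts
    Evidence(37, "Daily to cloud", "assessment", AUDIT_DATE),
]

if __name__ == "__main__":
    filled, conflicts, remaining = prefill(SAMPLE_EVIDENCE, TODAY)
    for q in sorted(filled):
        print(f"Q{q}: {filled[q].answer!r} [{filled[q].confidence}, {filled[q].source}]")
    print("manual review:", sorted(conflicts))
    print(f"pre-fill rate: {prefill_rate(filled)}%  ({len(remaining)} questions remain)")
```

Two design points matter for an assessment that feeds a board decision: a conflict is surfaced rather than resolved by "newest wins", because the newer source is not necessarily the more accurate one (an insurance questionnaire may be filled in optimistically), and every auto-filled answer keeps its source and date so the audit trail the regulated scenario relies on is available for every question.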

Phase 2: IT Team Completion (6 Questions)

Questions routed to IT Manager:

  • Q4: "PowerShell execution policy details?" → CONFIGURED
  • Q11: "Automated patching coverage?" → 85% COVERAGE
  • Q19: "Browser plugin restrictions?" → GROUP POLICY
  • Q26: "Just-in-time access implementation?" → PARTIAL
  • Q31: "Firmware update schedule?" → QUARTERLY
  • Q35: "Phishing-resistant MFA status?" → PILOT PHASE

Time taken: 5 minutes (with team consultation)

Phase 3: Board Presentation

Board Dashboard View:

┌──────────────────────────────────────────┐
│    E8 MATURITY: CURRENT vs TARGET        │
├──────────────────────────────────────────┤
│                                          │
│  Current: ML1 (Partial)                  │
│  ████████░░░░░░░░░░░░ 40%                │
│                                          │
│  Industry: ML2 (Standard)                │
│  █████████████████░░░ 85%                │
│                                          │
│  90% Completed by IT Team                │
│  Your Input Needed: 3 decisions          │
│                                          │
└──────────────────────────────────────────┘

Board Decisions Required:

  1. Target Maturity Level
     • Option A: ML1 - Basic ($50k, 6 months)
     • Option B: ML2 - Industry Standard ($150k, 12 months) ✓
     • Option C: ML3 - Advanced ($400k, 24 months)

  2. Investment Priority
     • Immediate: Application Control & MFA
     • Q2 (second quarter): Patching & Admin Privileges
     • Q3 (third quarter): Remaining strategies

  3. Risk Acceptance
     • Accept current gaps for 12 months? NO
     • Accelerate high-risk items? YES

Board review time: 3 minutes

Phase 4: Results & Plan

Final Maturity Assessment:

  • Current: ML1 (40% overall)
  • Target: ML2 (board approved)
  • Timeline: 12 months
  • Budget: $150,000

Implementation Roadmap (by quarter):

  • Q1: Application control, MFA upgrade
  • Q2: Patching automation, privilege management
  • Q3: Full ML2 implementation
  • Q4: Validation and certification

Validation Points

  ✅ Pre-fill Rate: 85% (matches target)
  ✅ IT Completion: 5 minutes (highly efficient)
  ✅ Board Time: 3 minutes (within target)
  ✅ Routing Accuracy: 100% (correct stakeholders)
  ✅ Decision Quality: Clear, actionable, approved


Scenario 3: FinanceCore Pty Ltd (Regulated Entity)

Organization Profile

  • Industry: Financial Services (APRA regulated)
  • Size: 100 employees
  • IT Setup: Enterprise (SOC, SIEM, managed security)
  • Governance: 8-person board, Risk Committee
  • Current Security: Mature (ISO 27001 certified)
  • Compliance Needs: APRA CPS 234, PCI DSS

Pre-Assessment Setup

Available Crossover Sources

  1. Policies: Full policy suite (200+ pages)
  2. Insurance: Comprehensive cyber coverage
  3. Prior Assessments: ISO 27001, PCI DSS, penetration tests

Expected Pre-fill Performance

  • From policies: 20 questions (50%)
  • From insurance: 10 questions (25%)
  • From assessments: 8 questions (20%)
  • Total Pre-fill: 38 questions (95%)

Assessment Walkthrough

Phase 1: System Pre-fill (Automated)

Pre-fill Results:

  • 38 of 40 questions auto-completed
  • All with HIGH confidence
  • Full audit trail maintained

Remaining Questions:

  • Q26: "Latest PAM implementation status?"
  • Q40: "Recent backup restoration test results?"

Phase 2: Compliance Team Completion (2 Questions)

Quick validation by Compliance Manager:

  • Q26: "PAM fully deployed Q4 2024" → COMPLETE
  • Q40: "Last test December 2024" → PASSED

Time taken: 1 minute

Phase 3: Risk Committee Review

Executive Summary:

┌──────────────────────────────────────────┐
│         REGULATORY COMPLIANCE            │
├──────────────────────────────────────────┤
│                                          │
│  APRA CPS 234: ✅ Compliant (ML2)        │
│  Board Standard: ✅ Met (ML2)            │
│  Industry Benchmark: ✅ Exceeds (Top 20%)│
│                                          │
│  Recommended Action: Maintain ML2        │
│  Optional: ML3 for competitive advantage │
│                                          │
│  95% Pre-filled from existing evidence   │
│                                          │
└──────────────────────────────────────────┘

Committee Decisions:

  1. Maintain ML2 across all strategies ✓
  2. Pursue ML3 for MFA and Backups (board differentiator)
  3. Quarterly validation cycles approved

Review time: 2 minutes

Phase 4: Compliance Confirmation

Outputs Generated:

  • APRA attestation report
  • Board compliance certificate
  • Insurer notification
  • Public disclosure statement

Validation Points

  ✅ Pre-fill Rate: 95% (exceeds target)
  ✅ Manual Work: 1 minute (minimal burden)
  ✅ Committee Time: 2 minutes (efficient)
  ✅ Compliance: All requirements met
  ✅ Value Add: Competitive positioning identified


Cross-Scenario Analysis

Pre-fill Performance

  Scenario             Expected   Actual   Sources Used
  Small Business       20%        20%      Policies only
  Medium Enterprise    85%        85%      All three sources
  Regulated Entity     95%        95%      Comprehensive sources

Time Investment

  Scenario             IT/Management   Board/Committee   Total
  Small Business       18 min          N/A               18 min
  Medium Enterprise    5 min           3 min             8 min
  Regulated Entity     1 min           2 min             3 min

Maturity Outcomes

  Scenario             Current   Target   Investment   Timeline
  Small Business       ML0       ML1      $5k          3 months
  Medium Enterprise    ML1       ML2      $150k        12 months
  Regulated Entity     ML2       ML2+     $50k         Ongoing

Validation Summary

All three scenarios demonstrate:

  1. Accurate Pre-fill: Rates match organization maturity
  2. Efficient Routing: Right questions to right people
  3. Quick Decisions: Board time under 5 minutes
  4. Clear Outcomes: Actionable recommendations
  5. Appropriate Scaling: Solutions fit organization size

The framework successfully adapts to different organizational contexts while maintaining consistency in approach and quality of output.