It seems like you can’t swing a cat without bumping into the CIS20 when you talk to people about their security programs. It’s one of the things that comes up far more often than ISO 27000, and even more often than the NIST CSF, but that seems to be changing a little.
I have to say that I’m really not that big of a fan of the CIS20. I mean, yeah, there’s a lot of good stuff in there, but it’s a bit of a cheat really, since the “Top 20” actually contains 171 specific sub-control statements as of the latest version (v7.1)…
…and that’s really my beef with it. Oh, I know, there are 3 different implementation groups, but even if you’re after only Implementation Group 1, that’s still 43 different sub-controls you need to have in your environment. I’m also not saying there’s anything bad per se about those initial 43 recommendations. They’re all pretty reasonable.
However…what we also know is that there are still an awful lot of organizations out there who get them wrong, or who don’t understand the subtleties and relationships between the different parts of their organization well enough to get them right.
So I got to thinking about this problem, and then I got to thinking about the number of conversations I’ve had recently where the phrase, “We’re basically using the CIS20 controls as the basis of what we’re doing,” came up.
When I went back through my notes, it was quite a few.
But the other big problem is that if you’re trying to start from CIS20 and justify why you’re doing things, you’re about a million miles away from anything directly to do with the business. As a result, your arguments can easily end up sounding like:
“Because I said so.”
The last time I checked, if you weren’t really overflowing with credibility and trust from the people who hold the organizational purse strings, that’s probably not going to be good enough.
So you’re going to have to start at a pretty low-level view of controls (because that’s what they are), figure out what they’re really doing for you and where they fit in some kind of mental model in your organization, and then…
…then you have the hooks you need to see how far apart the existing control environment is from what the organization requires—that is, if you’re able to engineer the security needs from the business objectives in a consistent enough way they can be represented as apples vs. apples instead of a festive fruit salad.
Well…I have some good news for you if you’re in an organization using the CIS20 as part of your control standards. You don’t have to do it yourself anymore.
I’ve decided to include an engineered version of the CIS20 controls as one of the bonuses that comes for FREE with the new, rather large and bulky hunk of processed paper that is the forthcoming Definitive Guide to The Agile Security System™.
What you’ll get if you order the book is a completely engineered and annotated version of the latest CIS20 control standard as a separate bonus guide, The CIS20 Companion Handbook for The Agile Security System™. That means, you’re going to get:
- A visual representation of how the control statements at each of the 3 implementation groups map to the Baseline Perspectives™ of The Agile Security System
- An engineered set of attributes based on the text of the control guidance and how those are related to the domains of the Baseline Perspectives
- Definitions of each of the attributes and domains
- A set of suggested services based on each of the domain and attribute mappings
- Suggested physical mechanisms and the feature catalog implied by the CIS20 controls
- How to use this information to guide the structure of your security policies
- A set of suggested attribute metrics to go along with the different implementation groups
And along with this bonus, I’ve decided that I’m going to include a couple more.
Bonus #2 is a guide to the 55 attributes that are included in the AEF Reference Architecture, including their common mappings to the Baseline Perspectives, and a starting point showing a network of attribute aggregation patterns.
And Bonus #3 is a set of architecture modeling stencils for OmniGraffle, draw.io and Visio that you can use to create your security architecture models with each of these tools. There are shapes for attributes, domains, inter-domain associations, governance relationships, risk events, attack vectors and a set of predefined objects for the Baseline Perspective domains and the 55 AEF Reference Architecture attributes that are fully documented, annotated and typed using the ASML™ ontology.
All these are designed to work as ideal companions with what you learn in the Definitive Guide about applying The Agile Security System in practical ways to truly kick-start your architecture models and the use of real security architecture in your organization.
If you’d like to get the book – and all the bonus guides and modeling stencils – you can pre-order the book today for $247, saving almost 50% off what it will sell for around mid-January once it’s ready to be shipped to your door.
But to get all of this and save a bit of money, you need to place your order before Halloween night at 11:59pm on the 31st of October. That’s only about 4 more days.
But maybe you’re not interested in learning how to apply SABSA in an agile way…
…or about building real security architectures as quickly as possible, leveraging my experience doing this for customers around the world…
…or maybe having the CIS20 represented as SABSA attributes, domains, services and mechanisms isn’t something you’d find useful.
Totally cool with me.
If it’s something you DO want, then skedaddle over to this link before the discount fades away like the wail of a banshee or the wisp of a disembodied ghost:
https://archistry.com/go/dgpo.
It’s still not 100% guaranteed that all this stuff will see the light of day, because I still need to hit the target of 10 pre-orders to validate that this book is worth writing.
If this will help you be a better architect or enhance the effectiveness of your security program, I’d appreciate it muchly if you’d let me know with a few more pre-orders.
Otherwise they’ll stay the exclusive benefits of people in the much more expensive online training courses and our coaching and mentoring programs.
As always, it’s up to you.
Stay safe,
ast
—
Andrew S. Townley
Archistry Chief Executive
P.S. And if you’re interested in subscribing to the monthly print Security Sanity™ newsletter where The Agile Security System™ first appeared, you can start with the next issue here: https://securitysanity.com