Understanding How the CIS Framework Relates to Your Business
/Cybersecurity professionals think about information security in terms of layers. Overlapping protections provide a better overall security posture than one large, single perimeter. Consider your own home and ask what is more secure: a deadbolt or a standard lock, motion lights, a dog (no matter how big or mean!), and a cell phone? When it comes to security, the layered approach always wins, especially if the layers include deterrence (motion lights), protection (door lock), detection (dog), and response (cell phone to call 911) components. So, our analogies turn to layered items like the onion. One of my favorite analogies is the comparison to two candies: do you want your security to be like an M&M (soft inner core with a hard shell) or a gobstopper (layers of hard candy, in different colors of course)?
The Castle Analogy
My personal favorite security analogy is The Castle Analogy. No other single concept wraps so many security items into one well-understood theme. With the popularity of Game of Thrones, this analogy is better received than ever!
Castle builders in the Middle Ages constructed in layers. Consider these components of a castle, starting at the innermost sanctum and working outward: the Keep, the Inner Curtain, the Outer Curtain, Turrets and Towers, the Gatehouse, the Drawbridge, the Moat, and the surrounding fields. All these components make up the passive defenses of the castle. Add armaments and soldiers to use them, and a castle could be impenetrable.
Invaders could not approach the castle without being seen attempting to cross the open fields leading up to the castle. Watchers in the Towers would detect the invasion. Early warning gave defenders time to raise the drawbridge, man the Turrets, and send for reinforcements from the nearby areas. If the invaders managed to penetrate the external wall, they found themselves in a killing field trapped between the inner and outer curtains. Penetrating the inner wall, invaders found themselves exposed in the bailey or inner courtyard. By then the royal family would still be secure in the Keep, waiting for reinforcements to arrive.
How Affinity Can Build Your Castle
Affinity can build your castle using a proven set of blueprints. In cybersecurity, we call blueprints a framework, and ours is designed alongside the architects at the Center for Internet Security (CIS). The CIS Security Controls define a framework that enables Affinity to design and build an information security program around any type of business. Better yet, Affinity’s Complete Care product has alignment to the CIS Framework built into it as part of its core offering. Our Alignment Engineers get to know you and your business then assess, and re-assess, your alignment to the best practices defined in the framework. When something is found to be out of alignment, we’ll work with you to get those vulnerabilities addressed. In other words, if your moat needs crocodiles, we’ll help you get them.
How to Learn More About the CIS Framework
If you are a current client of Affinity, you’re going to see a completed CIS Framework Implementation Group (IG) 1 Assessment delivered this year. That assessment will give you the insight, specific to you and your business, into the framework and how you align to it. Since we practice what we preach, Affinity will be doing the same for itself – continuously improving, assessing, and re-assessing.
If you are not a client, feel free to reach out with questions. We love to help!
About the Author:
Bart Holzer recently joined Affinity Technology Partners as fractional chief information security officer. He also owns Overt Channel, LLC, working as a fractional or virtual chief security officer and chief information security officer for mid-size firms and nonprofits. A former federal law enforcement engineer, Holzer advises clients on security strategy, risk management, security program development and incident response.