|Like this CertiGuide? Get it in PDF format!|
Use coupon code "certiguide" to save 20%!
|Also available: 300-question Security+ practice test!|
|Get It Here!|
3.5 Security Baselines
(Page 1 of 2)
Security Baselines are standards
that specify a minimum (that is, baseline) set of security
controls that are suitable for most organizations under normal circumstances.
They typically address both technical issues (such as software configuration)
and operational issues (such as keeping applications up to date with
vendor patches). The idea of security baselines is that for any
particular platform (hardware, OS, network, application), there is a
minimum set of security recommendations which, if followed, will significantly
decrease its vulnerability to security threats, and that it shouldnt
take an expensive consultant doing an extensive risk analysis of your
environment to determine a reasonable set of security controls for you
to implement. In this way, even a small mom-and-pop business without
access to a major IT consulting firm can have some assurance that they
are taking at least some worthwhile steps to computer security.
There are multiple schools of thought
on the use of security baselines. Some think adopting a common set
of security baselines across the industry is the way to go a
kind of set it and forget it approach that ignores the risk analysis
step. Others think that baselines are just a starting point for the
bare minimum acceptable level of security and those organizations that
can, should expand upon them to further increase the security of their
system as time, knowledge and budget permits and their particular risk
When establishing Security Baselines,
you may consider:
- Any existing security baseline documents for
the hardware and software you use
- Any best practices guides that exist
for hardening the hardware/software you use, which may exceed the recommendations
in any proposed baselines for that hardware/software
- Specific issues you may have run into the past
which deserve extra attention (suppose your web server has historically
been a favorite target of hackers)
- What other administrators are saying and doing
(do you really want to run the easiest FTP server for Warez
folks to take over, on the whole Internet? If not, take the same step
other administrators customarily take to secure their servers)
- Unique characteristics of your environment (in
terms of security risks faced, how much collaboration takes place, managements
views on the security requirements vs. ease of use tradeoff, etc.)
Security baselines are minimum standards that set appropriate security controls that are suitable for most organizations in normal circumstances.
They may include both technical and operational standards.
The idea is that application of the baseline standards is sufficient to substantially decrease an organizations risk of being attacked.
When establishing security baselines, consider vendor recommendations, best practices guides by third parties, what other system administrators are currently doing to harden their networks, and specific issues appropriate to your organization such as industry requirements (HIPAA, etc.).
|If you find CertiGuide.com useful, please consider making a small Paypal donation to help the site, using one of the buttons below. You can also donate a custom amount using the far right button (not less than $1 please, or PayPal gets most/all of your money!) In lieu of a larger donation, you may wish to consider buying an inexpensive PDF equivalent of the CertiGuide to Security+ from StudyExam4Less.com. (Use coupon code "certiguide" by December 31, 2004 to save 20%!) Thanks for your support!|
Table Of Contents - Contact Us
CertiGuide for Security+ (http://www.CertiGuide.com/secplus/) on CertiGuide.com
Version 1.0 - Version Date: November 15, 2004
Adapted with permission from a work created by Tcat Houser et al.
CertiGuide.com Version © Copyright 2004 Charles M. Kozierok. All Rights Reserved.
Not responsible for any loss resulting from the use of this site.