Chapter 3: Infrastructure Security (Domain 3.0; 20%)

3.5  Security Baselines
(Page 1 of 2)

Security Baselines are standards that specify a minimum (that is, “baseline”) set of security controls that are suitable for most organizations under normal circumstances. They typically address both technical issues (such as software configuration) and operational issues (such as keeping applications up to date with vendor patches). The idea behind security baselines is that for any particular platform (hardware, OS, network, application), there is a minimum set of security recommendations which, if followed, will significantly decrease its vulnerability to security threats, and that it shouldn’t take an expensive consultant performing an extensive risk analysis of your environment to determine a reasonable set of security controls for you to implement. In this way, even a small mom-and-pop business without access to a major IT consulting firm can have some assurance that it is taking at least some worthwhile steps toward computer security.

There are multiple schools of thought on the use of security baselines. Some think adopting a common set of security baselines across the industry is the way to go – a kind of set-it-and-forget-it approach that skips the risk analysis step. Others think that baselines are just a starting point defining the bare minimum acceptable level of security, and that organizations that can should expand upon them to further increase the security of their systems as time, knowledge and budget permit and their particular risk situation requires.

When establishing Security Baselines, you may consider:

  • Any existing security baseline documents for the hardware and software you use

  • Any “best practices” guides that exist for hardening the hardware/software you use, which may exceed the recommendations in any proposed baselines for that hardware/software

  • Specific issues you may have run into in the past which deserve extra attention (suppose your web server has historically been a favorite target of hackers)

  • What other administrators are saying and doing (do you really want to run the easiest FTP server on the whole Internet for “Warez” folks to take over? If not, take the same steps other administrators customarily take to secure their servers)

  • Unique characteristics of your environment (in terms of security risks faced, how much collaboration takes place, management’s views on the security requirements vs. ease of use tradeoff, etc.)
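The following is an added illustration, not part of the CertiGuide text, of how a baseline and an organization-specific extension can be expressed and checked. It models the distinction drawn above between technical (configuration) and operational (patching) controls, and the “starting point” view in which a stricter overlay is layered on top of the minimum. Every control name, threshold and host profile is constructed for the example.

```python
# Added illustration of a security baseline check; not part of the CertiGuide text.
# Every control, threshold and host profile below is constructed for the example.
from dataclasses import dataclass
from datetime import date
from typing import Callable, Dict, List

@dataclass(frozen=True)
class Control:
    name: str
    kind: str                      # "technical" (configuration) or "operational" (process)
    check: Callable[[dict], bool]  # predicate over a host profile dictionary

# Constructed minimum baseline: the bare minimum a typical host should meet.
BASELINE: List[Control] = [
    Control("anonymous_ftp_disabled", "technical",
            lambda h: not h.get("ftp_anonymous", True)),
    Control("unused_services_stopped", "technical",
            lambda h: set(h["running_services"]) <= set(h["required_services"])),
    Control("patched_within_30_days", "operational",
            lambda h: (h["audit_date"] - h["last_patch_date"]).days <= 30),
]

# Constructed organization-specific overlay for a historically targeted web server:
# a shorter patch window plus one extra control, layered on top of the baseline.
ORG_OVERLAY: List[Control] = [
    Control("patched_within_7_days", "operational",
            lambda h: (h["audit_date"] - h["last_patch_date"]).days <= 7),
    Control("remote_admin_restricted", "technical",
            lambda h: h.get("remote_admin_allowed_from") not in (None, "any")),
]

def evaluate(host: dict, controls: List[Control]) -> Dict[str, List[str]]:
    """Group control names into 'pass' and 'fail' for one host profile."""
    result: Dict[str, List[str]] = {"pass": [], "fail": []}
    for c in controls:
        result["pass" if c.check(host) else "fail"].append(c.name)
    return result

# Constructed host profile: meets the baseline but not the stricter overlay.
WEB_SERVER = {
    "ftp_anonymous": False,
    "running_services": ["httpd", "sshd"],
    "required_services": ["httpd", "sshd"],
    "last_patch_date": date(2004, 10, 20),   # 26 days before the audit date
    "audit_date": date(2004, 11, 15),
    "remote_admin_allowed_from": "any",
}
```

Running `evaluate(WEB_SERVER, BASELINE)` reports no failures, while `evaluate(WEB_SERVER, BASELINE + ORG_OVERLAY)` flags the patch window and remote administration controls, which is exactly the gap between the minimum and what this organization has decided it needs.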

Security Baselines

Security baselines are minimum standards that set appropriate security controls that are suitable for most organizations in normal circumstances.

They may include both technical and operational standards.

The idea is that application of the baseline standards is sufficient to substantially decrease an organization’s risk of being attacked.

When establishing security baselines, consider vendor recommendations, “best practices” guides by third parties, what other system administrators are currently doing to harden their networks, and specific issues appropriate to your organization such as industry requirements (HIPAA, etc.).


CertiGuide for Security+ (http://www.CertiGuide.com/secplus/) on CertiGuide.com
Version 1.0 - Version Date: November 15, 2004

Adapted with permission from a work created by Tcat Houser et al.
CertiGuide.com Version Copyright 2004 Charles M. Kozierok. All Rights Reserved.
Not responsible for any loss resulting from the use of this site.