Most enterprises are responsible for maintaining the security of literally thousands of devices, ranging from laptops and tablets to routers and firewalls. The sheer number of these systems makes it impossible to manually configure each of them to operate in a secure manner. In this video, learn how security baselines provide enterprises with an effective way to specify the minimum standards for computing systems, and efficiently apply them across deployed devices.
- [Instructor] Most enterprise security teams are responsible for maintaining the security of literally thousands of devices, ranging from laptops and tablets to routers and firewalls. The sheer number of these systems makes it impossible to manually configure each of them to operate in a secure manner. Security baselines provide enterprises with an effective way to specify the minimum standards for computing systems and efficiently apply those standards across deployed devices.
Many organizations begin their security standardization efforts by developing a baseline standard. This baseline sets forth the minimum standards that apply to all devices, regardless of their purpose, operating system, or the types of data that they contain. For example, a baseline security standard might require that a named individual is responsible for the security of each device, that the device is protected against unauthorized access attempts, that the device does not jeopardize the confidentiality, integrity, or availability of other systems or the data those systems contain, that the device remains under the positive control of trained system administrators, and that all activities on the device comply with the organization's data security requirements.
Those requirements sound pretty generic, don't they? That's actually the point of the baseline security standard. It sets forth a clear set of minimum requirements that apply to every device in the enterprise. These generic baselines are especially useful during the countless times that security teams come across a new type of device that is joining the network for the first time. Even if the team doesn't have specific security guidance in place for that type of device, they can turn to the security baseline to determine the generic controls that should be enforced.
Baselines can also dive into deeper detail, breaking out different requirements for different classes of systems and information. An organization might organize their security baseline controls based upon the highest classification of the information stored, processed, or transmitted by the system. For example, the security baseline might require that all data storage devices be encrypted when they are used to store highly sensitive information.
In addition to baseline requirements, organizations often create specific security standards for the operating systems, mobile technologies, network devices, appliances, and other systems commonly used in their environments. These standards describe how the organization will specifically achieve the baseline requirements on a particular system type. For example, the baseline security standard for a Windows system might require that the system's host firewall be enabled with all ports blocked other than those specifically required for business purposes and documented in a network access approval.
Security baselines often require hundreds or thousands of individual security settings on a particular device. If administrators tried to configure these systems manually, they would quickly find that it is an impossible task. There are simply too many settings and too many systems to configure. Fortunately, automation technologies are available to rapidly deploy configuration templates across a large number of systems. For example, administrators can create a standard configuration template for all end user Windows systems and then apply that template across those systems by using Group Policy objects and Active Directory.
I discuss this in more detail when we get to Domain Four in the CISSP Communications and Network Security course. Once administrators set baseline requirements and deploy those baselines across the enterprise, they should continue to monitor systems for compliance with the baseline. Users might accidentally adjust settings, administrators might make errors in Group Policies, attackers might undermine security, or any one of a number of other activities might cause deviations from that baseline.
Automated monitoring solutions allow administrators to rapidly check thousands of systems against the baseline and quickly identify any deviations that require further investigation.
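As an added illustration of the classification-tiered baseline, the system-type-specific standard and the compliance monitoring described in this video (example code, not part of the course), the following script checks constructed device records against a small baseline and reports deviations. All setting names, classification levels, approved ports and device records are assumptions made for the example.

```python
"""Baseline compliance check (constructed example): compare device records
against generic, classification-dependent and system-type-specific rules."""

# Classification levels, ordered least to most sensitive (constructed).
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "highly_sensitive": 3}

# Rules: (setting, expected value, minimum classification, system type or None).
BASELINE = [
    ("owner_assigned", True, "public", None),              # named responsible individual
    ("admin_control", True, "public", None),               # positive control by admins
    ("storage_encrypted", True, "highly_sensitive", None), # encrypt highly sensitive data
    ("host_firewall_enabled", True, "public", "windows"),  # Windows-specific standard
]

# Ports documented in a (constructed) network access approval for Windows endpoints.
APPROVED_PORTS = {443, 3389}

def check_device(device):
    """Return a list of deviations for one device record ([] means compliant)."""
    deviations = []
    level = LEVELS[device["classification"]]
    for setting, expected, min_class, sys_type in BASELINE:
        if level < LEVELS[min_class]:
            continue  # rule only applies at or above this classification
        if sys_type is not None and device["type"] != sys_type:
            continue  # rule belongs to a different system-type standard
        actual = device.get(setting)
        if actual != expected:
            deviations.append(f"{setting}: expected {expected!r}, found {actual!r}")
    if device["type"] == "windows":
        # Firewall standard: no listening ports beyond the documented approval.
        extra = set(device.get("open_ports", ())) - APPROVED_PORTS
        if extra:
            deviations.append(f"open_ports: unapproved {sorted(extra)}")
    return deviations

def scan(devices):
    """Map each device name to its deviations, as a monitoring job would report."""
    return {d["name"]: check_device(d) for d in devices}

# Constructed inventory records, as a monitoring agent might report them.
DEVICES = [
    {"name": "laptop-01", "type": "windows", "classification": "highly_sensitive",
     "owner_assigned": True, "admin_control": True, "storage_encrypted": False,
     "host_firewall_enabled": True, "open_ports": [443, 8080]},
    {"name": "router-07", "type": "network", "classification": "internal",
     "owner_assigned": True, "admin_control": True},
]
```

Running `scan(DEVICES)` flags the laptop for unencrypted storage and an unapproved open port while the router, which the encryption rule does not reach at its classification, comes back compliant.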
Find the companion study books at the Sybex test prep site and review the complete CISSP Body of Knowledge at https://www.isc2.org/cissp-domains/default.aspx.
Note: This course is part of a series releasing throughout 2018. A completed Learning Path of the series will be available once all the courses are released.
- Understanding data security policies and roles
- Limiting data collection
- Developing security baselines
- Leveraging industry standards
- Restricting access to data with Windows and Linux file permissions
- Encrypting data
- Securing cloud storage