
Security Baseline

Author: Janet Peter
Posted: Nov 22, 2018

Introduction

Businesses face increasing threats that often go unrecognized. Such threats may include data breaches or other security incidents that expose enterprise data to manipulation and misuse. When reports of incidents, compromised records, and data disclosures reach managers without respite, it becomes challenging to determine what truly applies to the organization and how to employ appropriate defenses. Inaction may be the most probable response to such reports. Security baselines come in handy to reduce exposure to the risk of attack on vulnerable systems or data.

A security baseline is a set of basic security objectives which should be met by a system or service. The process involves identifying the typical behavior of a network or computer IT environment and configuring the system to conform to consistent standard levels, so that malicious behavior can be more easily recognized should it occur. Security baselines may be based on a risk analysis process conducted in a generic environment or on a consensus reached between various organizations. Therefore, introducing security baselines provides minimum protection. An organization is required to choose the appropriate baseline or set of baselines.

Importance of security baselines

A business may set pragmatic and complete objectives that are not imposed through technical means. Thus, the details of how the security objectives are to be fulfilled by a particular system should be recorded in a separate document. Such details may vary with the operational environment of a system. As a result, baselines should be creatively applied to incorporate only the relevant security measures. Derogations are expected and possible and should be explicitly marked. Different security baselines are available for use by enterprises. Some are made for general, discipline-independent organizations while others are made for specific disciplines. The code of practice for information security management is one of the best-known baselines (Gritzalis, 1997).

The importance of a security baseline is that it provides a secure starting point for a system. In creating a baseline, the first step involves creating a written security policy. Once the security policy is created, administrators employ diverse techniques, such as security templates, Group Policy or imaging, to implement security baselines. The existing systems can be checked against the security baselines to determine whether the systems are still secure. For example, an organization's security policy may prohibit users from installing software on the system. The policy may have been enforced and deployed by the administrators. Such a system may be checked to ensure that the original security baselines are still intact and that users cannot install software. An enterprise will often have various security baselines, such as end-user generic servers' baselines, operating system baselines, and specialty servers' baselines. There isn't a standard checklist that identifies how to secure all operating systems, as each operating system is different (Veiga & Eloff, 2007).

When considering how to employ baselines as a defense against data breaches, executing them as documented is preferable. But as organizations integrate baselines into their own processes, the experience requires adequate time and resources. Managers and data owners should expect an extended period of transition. During this period, the respective organizations are still partially at risk from particular types of attack as they identify and assess their systems against the perceived business risk. Organizations may use baselines as guidelines and must be able to constantly evaluate themselves against the standards and speedily determine where the highest risk levels lie. Recognizing which components of the organization are subject to the most risk helps Information Technology and line-of-business sections to prioritize their remediation efforts and ensure that risks are remediated as quickly as possible with the available resources and with minimum disruption to operations. Ideally, the organization will implement baselines that managers and other business leaders can easily understand. The goal here is to help the managers quickly understand the level of risk confronted by different facets of the enterprise at a given time. Comprehensive baselines have the capability to spot weaknesses or vulnerabilities in systems (Yong-Hong, 2011).
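The check described above (systems compared with the documented baseline, derogations explicitly marked, and results ranked so the highest-risk systems are remediated first) can be sketched as follows. This is an added example, not part of the original article; the settings, hosts, derogation and risk weights are all constructed assumptions.

```python
# Added example: baseline rules, hosts and risk weights are constructed.

# Documented baseline: setting -> (compliance test, risk weight if it fails)
BASELINE = {
    "users_can_install_software": (lambda v: v is False, 5),
    "host_firewall_enabled": (lambda v: v is True, 4),
    "min_password_length": (lambda v: type(v) is int and v >= 12, 3),
    "screen_lock_minutes": (lambda v: type(v) is int and 0 < v <= 15, 1),
}

# Explicitly marked derogations: (host, setting) -> documented reason
DEROGATIONS = {
    ("build-01", "users_can_install_software"): "CI agent installs toolchains",
}

# Constructed snapshot of the settings observed on each host
INVENTORY = {
    "ws-01": {"users_can_install_software": False, "host_firewall_enabled": True,
              "min_password_length": 14, "screen_lock_minutes": 10},
    "ws-02": {"users_can_install_software": True, "host_firewall_enabled": True,
              "min_password_length": 8, "screen_lock_minutes": 10},
    "build-01": {"users_can_install_software": True, "host_firewall_enabled": False,
                 "min_password_length": 12},  # screen lock was never collected
}

def check_host(host, observed):
    """Return (failed settings, risk score) for one host."""
    failed, score = [], 0
    for setting, (is_compliant, weight) in BASELINE.items():
        if (host, setting) in DEROGATIONS:
            continue  # approved deviation: not counted as drift
        # A setting that was never collected (None) fails its test
        if not is_compliant(observed.get(setting)):
            failed.append(setting)
            score += weight
    return failed, score

def rank_hosts(inventory):
    """Hosts as (host, failed settings, score), highest risk score first."""
    rows = [(host, *check_host(host, obs)) for host, obs in inventory.items()]
    return sorted(rows, key=lambda r: r[2], reverse=True)

if __name__ == "__main__":
    for host, failed, score in rank_hosts(INVENTORY):
        print(f"{host:10} score={score:2} failed={failed}")
```

A missing value is scored as a failure rather than skipped, so a host that stops reporting a setting does not silently appear compliant.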

Baseline capability gives management a clear picture of risk across all systems to help better prioritize their response. Different vendors may include tools to help generate a security baseline. The hardening of key components of the IT architecture helps in reducing the risks of attack. The major areas necessitating hardening include applications, network and operating system. All systems should be executed in compliance with their corresponding Security Implementation Document. Non-compliance results in reduced connectivity for the affected systems (Yong-Hong, 2011).

A baseline report may be created using Windows systems. The baseline enables the organization to capture snapshots of key metrics at set intervals throughout a defined period. The snapshots provide a comprehensive picture of a system's performance during slack and peak periods. An administrator can use this picture to compare current performance with the baseline and spot any differences. A performance baseline may be used to identify the overall performance of a system. If performance degrades later, administrators can evaluate the present performance against the baseline report. The difference between the present performance and the baseline helps the managers differentiate between actual problems and normal performance. The baseline report incorporates information on utilization of basic system hardware resources (Veiga & Eloff, 2007).
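The comparison described above can be made concrete by keeping separate baselines for slack and peak periods, so that the same reading is judged against the period it was taken in. This is an added example, not part of the original article; the snapshot values, the peak-hour window and the three-standard-deviation threshold are constructed assumptions.

```python
# Added example: snapshot values and the peak-hour window are constructed.
from statistics import mean, stdev

PEAK_HOURS = range(9, 18)  # assumption: business hours are the peak period

# Constructed snapshots taken at intervals: (hour of day, CPU utilisation %)
SNAPSHOTS = [(2, 10), (3, 12), (4, 14), (10, 60), (11, 70), (14, 80)]

def period_of(hour):
    """Classify an hour of the day as 'peak' or 'slack'."""
    return "peak" if hour in PEAK_HOURS else "slack"

def build_baseline(snapshots):
    """Mean and sample standard deviation of the metric for each period.

    Each period needs at least two snapshots for a standard deviation.
    """
    by_period = {}
    for hour, value in snapshots:
        by_period.setdefault(period_of(hour), []).append(value)
    return {p: (mean(v), stdev(v)) for p, v in by_period.items()}

def deviates(baseline, hour, value, k=3.0):
    """True when a reading lies more than k standard deviations from the
    baseline mean of the period in which it was taken."""
    avg, sd = baseline[period_of(hour)]
    return abs(value - avg) > k * sd

if __name__ == "__main__":
    baseline = build_baseline(SNAPSHOTS)
    for hour, value in [(11, 65), (3, 65)]:
        state = "investigate" if deviates(baseline, hour, value) else "normal"
        print(f"{hour:02d}:00 cpu={value}% -> {state}")
```

With these constructed figures, 65% CPU at 11:00 is normal while the same 65% at 03:00 is flagged, which is the distinction between normal performance and an actual problem that a single all-day average would hide.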

A good baseline addresses and mitigates risks while complying with the statutory, contractual and legal requirements of the organization. It must also demonstrate support for business objectives and maximize shareholder value. The baseline should provide a sound basis for how the business might integrate appropriate security practices into every area and process of the business. The ultimate goal of system and information security is process assurance. Thus, the primary goal of baselines is to protect IT assets. IT assets are significant in supporting the primary purpose of the business through value-added processes (Brooks & Hutchinson, 2002).

Conclusion

Security baselines are the minimum satisfactory security provided to protect information sources. The main importance of baselines is to protect IT assets that are significant in supporting the primary purpose of the business through value-added processes. Organizations may use baselines as guidelines and must be able to constantly evaluate themselves against the standards and speedily determine where the highest risk levels lie. A baseline should provide a sound basis for how the business might integrate appropriate security practices into every area and process of the business. Recognizing which components of the organization are subject to the most risk helps Information Technology and line-of-business sections to prioritize their remediation efforts and ensure that risks are remediated as quickly as possible with the available resources and with minimum disruption to operations. Baselines vary with the criticality and sensitivity of the information assets under consideration. They can be expressed as procedural, technical and personnel standards throughout the organization. They are often developed using a combination of accepted global standards.

References

Yong-Hong, G. U. I. (2011). Study and Applications of Operation System Security Baseline. Computer Security, 10.

Veiga, A. D., & Eloff, J. H. (2007). An information security governance framework. Information Systems Management, 24(4), 361-372.

Sherry Roberts is the author of this paper and a senior editor at Melda Research.

About the Author

Janet Peter is the Managing Director of a globally competitive essay writing company.
