ABSTRACT

A practical approach an organization can take to securing its information technology assets is to establish a minimum security baseline (MSB) and best practices for the security configuration of its information technology platforms and devices. Here, the organization draws a line in the sand and says, “All of our systems will implement this basic set of security controls.” Other controls may be necessary, but at least these minimum security baseline controls will be in place. The baseline gives the organization a point of reference from which it can determine its security posture by its compliance with the implementation of the minimum controls. It also gives the organization a starting point for assessing the validity of this control set for a given system through the risk assessment process, which is used to enhance control requirements, eliminate nonapplicable controls, or recommend alternative controls for each system. In short, a minimum security baseline is a set of standards that are applied enterprisewide to ensure a minimum level of compliance.