Page 349 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide

Using Security Baselines


Once an organization has identified and classified its assets, it will typically want to secure them. That's where security baselines come in. Baselines provide a starting point and ensure a minimum security standard. One common baseline that organizations use is imaging. Chapter 16, "Managing Security Operations," covers imaging in the context of configuration management in more depth. As an introduction, administrators configure a single system with desired settings, capture it as an image, and then deploy the image to other systems. This ensures that all the systems are deployed in a similar secure state, which helps to protect the privacy of data.

After deploying systems in a secure state, auditing processes periodically check the systems to ensure they remain in a secure state. As an example, Microsoft Group Policy can periodically check systems and reapply settings to match the baseline.

NIST SP 800-53 Revision 5 discusses security control baselines as a list of security controls. It stresses that a single set of security controls does not apply to all situations, but any organization can select a set of baseline security controls and tailor it to its needs. Appendix D of SP 800-53 includes a comprehensive list of controls and has prioritized them as low-impact, moderate-impact, and high-impact. These refer to the worst-case potential impact if a system is compromised and a data breach occurs.

As an example, imagine a system is compromised. What is the impact of this compromise on the confidentiality, integrity, or availability of the system and any data it holds?
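The tiered, cumulative control selection that the three cases below describe, together with the periodic check against the baseline mentioned earlier, as an added Python example that is not from the study guide. The control identifiers, the settings each control enforces, and the system snapshot are constructed for illustration and are not SP 800-53 control numbers.

```python
"""Select a control baseline by impact level, then audit a system for drift."""
from enum import IntEnum


class Impact(IntEnum):
    LOW = 1
    MODERATE = 2
    HIGH = 3


# Constructed catalog: each control is tagged with the lowest impact level
# at which it enters the baseline, plus the setting it enforces on a system.
CATALOG = {
    "CTRL-01": (Impact.LOW, {"password_min_length": 12}),
    "CTRL-02": (Impact.LOW, {"audit_logging": "enabled"}),
    "CTRL-03": (Impact.MODERATE, {"screen_lock_seconds": 900}),
    "CTRL-04": (Impact.MODERATE, {"mfa_required": True}),
    "CTRL-05": (Impact.HIGH, {"disk_encryption": "required"}),
}


def select_baseline(impact, catalog=CATALOG):
    """Controls whose entry level is at or below the chosen impact level.
    Levels are cumulative: moderate includes low, high includes both."""
    return sorted(cid for cid, (level, _) in catalog.items() if level <= impact)


def baseline_settings(impact, catalog=CATALOG):
    """Flatten the selected controls into the settings a system must have."""
    settings = {}
    for cid in select_baseline(impact, catalog):
        settings.update(catalog[cid][1])
    return settings


def audit_drift(observed, expected):
    """Compare a system's observed settings with the baseline.
    Returns {setting: (expected, observed)} for each deviation; observed is
    None when the setting is absent from the system entirely."""
    return {k: (v, observed.get(k)) for k, v in expected.items()
            if observed.get(k) != v}


if __name__ == "__main__":
    # Constructed snapshot of a deployed system that has drifted from baseline.
    snapshot = {"password_min_length": 8, "audit_logging": "enabled",
                "screen_lock_seconds": 900}
    for name, (want, got) in audit_drift(snapshot, baseline_settings(Impact.MODERATE)).items():
        print(f"DRIFT {name}: expected {want!r}, observed {got!r}")
```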

    If the impact is low, you would consider adding the security controls identified as low-impact controls in your baseline.

    If the impact of this compromise is moderate, you would consider adding the security controls identified as moderate-impact, in addition to the low-impact controls.

    If the impact is high, you would consider adding all the controls