Security Baseline Controls Strategy
The traditional approach to security controls, advocated by both the Information Security Forum (ISF) and ISC2, is to define a baseline set of controls that applies everywhere and to add further controls where the level of risk justifies them.

Figure 16: Security Baseline and Risk-Based Controls
Baselines are a starting point for security, not the complete solution. It is critical to define which controls are required for which level of risk, while tempering those controls against what the business can afford. Imposing a single level of controls on everyone over-specifies security for the majority of users and creates an enormous extra cost for those who do not need it.
The business needs to define its acceptable risk appetite in the business and operations risk policy; the information risk policy then documents how that risk appetite will be satisfied.
Once a baseline has been established it must be reviewed and updated regularly to reflect the changing risk profile of the business strategy and product plans, as well as the surrounding risk environment. An example of a business change affecting the controls is the introduction of Straight Through Processing (STP) to reduce the time taken to process a transaction: because STP removes the manual steps that previously gave an opportunity to catch anomalies, additional controls may have to be used to monitor for abnormalities passing through the system.
Platform Security Configuration
To date, the main focus of baseline configuration standards has been the technical configuration controls for operating systems. Numerous security standards have been produced over the years by organisations such as SANS and the ISF, but they have not been maintained. The latest set of baseline standards comes from CISecurity (http://www.cisecurity.com); these appear to be maintained and are supported by tool vendors.
There is much confusion between the baseline configuration and the hardening of a platform; these are two different levels of security. The risk in conflating them is developing baseline security standards that have a big impact on the running of an application and require a large amount of maintenance.
A baseline configuration is a set of changes that are unlikely to have an impact on an application running on the platform and that form the minimum security configuration for a system. The baseline should be applied to all platforms.
Hardening a platform involves more extensive configuration changes that are more likely to affect the running of an application and must be applied with careful testing. Hardening should be reserved for applications in a high-risk environment or where the loss of a system would have a high impact; such systems include those performing key security-enforcing functions, such as firewalls, and application servers connected to the Internet. Hardening a platform also involves a vulnerability scan of the system to identify any further vulnerabilities not covered by the documented standards.
CISecurity is a good starting point for the base platforms because it maintains both baseline (Level 1) and hardening (Level 2) security standards and tools. Beyond the base platform, standards also need to be developed for the software tools and applications running on it: if the Apache or IIS web server is not configured correctly, a correctly configured operating system may not be enough to protect the business.
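The baseline-versus-hardening split described above can be made concrete as a configuration audit that applies the baseline checks to every system and adds the hardening checks only where the risk tier justifies their extra operational impact. The Python script below is an added example, not code from the original document or from CISecurity. The check catalogue, the sshd_config directives it inspects, the two sample configurations and the low/medium/high risk tiers are all constructed assumptions for illustration; they are not the CIS Level 1 or Level 2 benchmark items.

```python
# Added example: tiered configuration audit (baseline vs. hardening).
# Not from the original document or CISecurity. The check catalogue,
# directives, sample configs and risk tiers are constructed assumptions.
import re
from dataclasses import dataclass
from typing import Dict, List

BASELINE = "baseline"    # low impact: applied to every platform (cf. CIS Level 1)
HARDENING = "hardening"  # higher impact: high-risk systems only (cf. CIS Level 2)


@dataclass(frozen=True)
class Check:
    key: str        # sshd_config directive, matched case-insensitively
    expected: str   # required value
    level: str      # BASELINE or HARDENING
    rationale: str  # why it matters / what it may break


# Constructed catalogue (assumption): the hardening items are the ones
# more likely to break an application and so need testing first.
CHECKS: List[Check] = [
    Check("PermitRootLogin", "no", BASELINE, "no direct root logins over SSH"),
    Check("Protocol", "2", BASELINE, "SSH protocol 1 is cryptographically broken"),
    Check("PermitEmptyPasswords", "no", BASELINE, "accounts with empty passwords"),
    Check("X11Forwarding", "no", HARDENING, "may break remote GUI admin tools"),
    Check("AllowTcpForwarding", "no", HARDENING, "blocks SSH tunnels some apps rely on"),
    Check("MaxAuthTries", "4", HARDENING, "limits password brute force per connection"),
]


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Parse 'Keyword value' or 'Keyword=value' lines into a dict.
    Blank lines and lines starting with '#' are ignored; keys are
    lower-cased and, as in sshd itself, the first occurrence wins."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings


def profile_for(risk_tier: str) -> List[str]:
    """Baseline applies everywhere; hardening only to the 'high' tier
    (assumed tiers: 'low', 'medium', 'high')."""
    return [BASELINE, HARDENING] if risk_tier == "high" else [BASELINE]


def audit(config_text: str, risk_tier: str) -> List[dict]:
    """Evaluate the checks selected by the risk tier. A directive that is
    not set explicitly fails: sshd defaults differ between versions, so
    the standard requires the value to be stated."""
    settings = parse_sshd_config(config_text)
    levels = profile_for(risk_tier)
    results = []
    for c in CHECKS:
        if c.level not in levels:
            continue
        actual = settings.get(c.key.lower())
        results.append({
            "key": c.key, "level": c.level, "expected": c.expected,
            "actual": actual,
            "pass": actual is not None and actual.lower() == c.expected.lower(),
        })
    return results


def failures(config_text: str, risk_tier: str) -> List[str]:
    """Names of the failing directives, in catalogue order."""
    return [r["key"] for r in audit(config_text, risk_tier) if not r["pass"]]


def remediation_lines(config_text: str, risk_tier: str) -> List[str]:
    """Corrected 'Keyword value' lines for every failing check."""
    return [f'{r["key"]} {r["expected"]}'
            for r in audit(config_text, risk_tier) if not r["pass"]]


# Constructed sample (not a real host): works out of the box, weak settings.
SAMPLE_SSHD_CONFIG = """\
# constructed sample sshd_config
Protocol 2
PermitRootLogin yes
PermitEmptyPasswords no
X11Forwarding yes
MaxAuthTries 6
AllowTcpForwarding yes
"""

# Constructed sample: the same host after baseline and hardening.
HARDENED_SSHD_CONFIG = """\
Protocol 2
PermitRootLogin no
PermitEmptyPasswords no
X11Forwarding no
MaxAuthTries 4
AllowTcpForwarding no
"""

if __name__ == "__main__":
    for tier in ("low", "high"):
        print(f"--- risk tier {tier}: {', '.join(profile_for(tier))} ---")
        for r in audit(SAMPLE_SSHD_CONFIG, tier):
            print(("PASS" if r["pass"] else "FAIL"), r["level"], r["key"],
                  "expected", r["expected"], "found", r["actual"])
        print("remediation:", remediation_lines(SAMPLE_SSHD_CONFIG, tier))
```

Run against the constructed sample, a low-risk host fails only the baseline item PermitRootLogin, while the same configuration on a high-risk host additionally fails the three hardening items; the hardened sample passes both tiers. A real deployment would replace the constructed catalogue with the items from the maintained standard and add the vulnerability scan the text calls for, which this script does not perform.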
Regulatory and Corporate Governance Impact
Operational risk is a key concern of businesses today, with regulatory and corporate governance requirements placing pressure on organisations to identify and manage operational risk better.
In the finance, insurance and pharmaceutical industries the issue of managing operational risk is being raised by regulators. For banking, Basel II gives banks a direct financial incentive to manage operational risk effectively. Banks today set aside capital to cover their market and credit risk; the Basel II accord proposes that capital also be set aside for operational risk, in an amount that depends on the effectiveness of the bank's operational risk management.