How to Create and Select an Appropriate Approach to Baselining

The Role Of Baselines In Effective Security Management

The expression “you can’t manage what you can’t measure” has been around for decades and although it might seem like common sense, it is easy (even for the most experienced professionals) to get overloaded or distracted, and eventually lose track of the crucial indicators of their organization’s security.

For cybersecurity professionals, baseline management is vital because any asset not properly configured can become a security vulnerability. To look at this in reverse, a patch fixes a vulnerability, but patches are released into the wild, giving threat actors visibility into the very weaknesses that must be patched. It becomes a race against time: the patch versus the exploit.

A baseline is a snapshot of “where things are right now.” It gives security professionals something to compare against as things progress, including implementing patches and making configuration changes. By comparing current status against the baseline, it becomes easier to detect changes and hidden gaps that either support the system’s stability or become places for malware and other threats to take root.

Baseline Configuration Management

Every asset in a cyber system will have records describing how the asset operates, the software and firmware installed, patches, active ports for normal and emergency operation, other enabled services, how these are configured, and their history. Key attributes of baseline configuration management include:

  • Information about the asset must come from the asset itself
  • A schedule must dictate when information is retrieved
  • Information retrieved must be directly comparable to the baseline
  • When changes are noted between current information and the baseline, they must be assessed, verified, and documented
  • The goal is to ensure the safety of the asset, which entails systematically controlling the asset to a defined configuration state known to be the “most secure” configuration

It is good practice to archive previous copies of the baseline, rather than overwrite the sole copy, as they may prove useful during a forensic analysis of an incident, and as rollback points. Names and contact information of people participating in the change and in the baseline analysis should be attached. Everything should be linked to a person who is familiar with the process and accountable for it.
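A minimal drift check in the spirit of the attributes above, added here as an example that is not from the original article: it compares a collected snapshot against the stored baseline, emits one reviewable record per change, and archives baseline versions with the accountable reviewer's name rather than overwriting the only copy. The snapshot layout (services, listening ports, package versions) and the sample host data are constructed assumptions.

```python
import hashlib
import json
from datetime import datetime, timezone
# Constructed sample data: the approved baseline for one host ...
BASELINE = {
    "services": {"sshd": "enabled", "ntpd": "enabled", "telnet": "disabled"},
    "listening_ports": [22, 123],
    "packages": {"openssl": "3.0.13", "sudo": "1.9.15"},
}
# ... and what a scheduled collection run later reported from that host.
CURRENT = {
    "services": {"sshd": "enabled", "ntpd": "enabled", "telnet": "enabled"},
    "listening_ports": [22, 23, 123],
    "packages": {"openssl": "3.0.14", "sudo": "1.9.15"},
}


def compare(baseline, current):
    """Return one record per drift item; an empty list means no drift.
    Each record names the section and item so a reviewer can assess it."""
    changes = []
    for section in sorted(set(baseline) | set(current)):
        old, new = baseline.get(section, {}), current.get(section, {})
        if isinstance(old, list) or isinstance(new, list):
            # List-valued sections (ports) are compared as sets of items.
            for item in sorted(set(new) - set(old)):
                changes.append({"section": section, "item": item, "change": "added"})
            for item in sorted(set(old) - set(new)):
                changes.append({"section": section, "item": item, "change": "removed"})
            continue
        # Dict-valued sections: report any key whose value differs or is missing.
        for key in sorted(set(old) | set(new)):
            if old.get(key) != new.get(key):
                changes.append({"section": section, "item": key,
                                "change": f"{old.get(key)} -> {new.get(key)}"})
    return changes


def archive_baseline(baseline, reviewer, archive):
    """Append a new baseline version (with accountable reviewer and content hash)
    so earlier versions stay available as rollback points and forensic evidence."""
    body = json.dumps(baseline, sort_keys=True).encode()
    archive.append({
        "version": len(archive) + 1,
        "recorded": datetime.now(timezone.utc).isoformat(),
        "reviewer": reviewer,
        "sha256": hashlib.sha256(body).hexdigest(),
        "baseline": baseline,
    })
    return archive
```

Running `compare(BASELINE, CURRENT)` on the sample data flags the newly listening port 23, the telnet service flipping to enabled, and the openssl version change; each record is an item for the assess, verify and document step rather than an automatic verdict.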

Baselines Are About Watching What Changes

All changes must be reviewed in the larger context of how they might affect other systems. In a software system, nothing exists in a vacuum. Changes should be reviewed to ensure they have been applied correctly and have been deployed completely and in the manner expected. Careful attention must be given to any changes that did not pass through a vetting and approval process, since changes that fail to meet the above requirements might place an organization in violation of a policy or law.

Creating And Selecting The Most Appropriate Approach To Baselining

A baseline is only as effective as its frequency and ease of use. The more frequently an organization reviews changes against a baseline, the more able it becomes to detect changes and anomalies and run the appropriate responses. Given that most organizations face numerous threats per day, a risk window of even 24 hours may be too wide, since threat elements may multiply once they discover a vulnerability, leading to an exponential problem.

Automated tools are highly recommended for baseline management since manual practices inevitably invite errors and consume time and resources. Tools are available from a range of enterprise software solution providers, or by searching for “baseline configuration management tool” online. Many of these are open source. It is also possible to create management tools using word processing and spreadsheet applications with Boolean logic formulas, but it is worth exploring and testing the options before reinventing the wheel.

A baseline configuration management tool should be:

  • Relevant and applicable
  • Intuitive in its design and use
  • Thorough
  • Editable
  • Easy to learn
  • Easy to teach
  • Trusted, and proven reliable
  • Secure

The Role Of A CGRC Certified Cybersecurity Professional In Securing The Organization

Specialized experts such as holders of the Certified in Governance, Risk and Compliance (CGRC) certification bridge the gap between cybersecurity specialists who work hands-on with designing and deploying the security controls, and the executives and employees who determine an organization’s future through their decisions and actions. The holder of a CGRC designation demonstrates the advanced technical skills and knowledge needed to ensure a baseline configuration management tool is identified, deployed, and managed in a way that best secures the organization. A CGRC can also authorize and maintain information systems, using risk management best practices, policies, and procedures.

How the CGRC Certification Can Help You to Succeed

The ISC2 Certified in Governance, Risk and Compliance (CGRC) certification provides all the foundational knowledge required to run the Authorization to Operate (ATO) process effectively. A Certified in Governance, Risk and Compliance professional is an information security practitioner who advocates for security risk management in pursuit of information system authorization to support an organization’s mission and operations in accordance with legal and regulatory requirements.

A CGRC professional understands the risks to the business of operating unauthorized systems and possesses the expertise to:

  • Compile the authorization package.
  • Analyze the information contained in the package to determine the amount of risk associated with operating the system.
  • Develop responses to address the remaining risk.
  • Decide whether or not to authorize the information system.

What is more, the ISC2 CGRC certification meets the requirements of Directive 8570.1 for IAM Level I and IAM Level II positions. Every organization can benefit from a wide range of training options to build up the skillsets required for running the ATO authorization effectively.