Defining an IT Security Baseline

Organizations are constantly changing processes and adding new vendors, various devices, cloud services, and applications to their environment. With every change comes the risk that a new hole has been opened in the organization’s network with the potential to expose systems and information to new threats and vulnerabilities.

While your organization should have a formal approval process for any new vendors or service providers (many colleges and universities take advantage of the Higher Education Community Vendor Assessment Toolkit (HECVAT) for measuring vendor risk), it can be difficult to define a consistent approach for evaluating security controls within and across various departments on campus.

It can be easy to feel overwhelmed with security and compliance obligations, and even more difficult to properly educate departmental staff with wildly varying roles or responsibilities. How can you make them understand why an ongoing security review process is required and get them to fully comprehend the amount of effort that is involved in order to effectively protect systems from compromise? How can your organization ensure all departments are operating with at least the minimally-accepted security controls in place?

Many organizations are working to define an information security baseline through the use of a consistent cybersecurity framework, such as the NIST Cybersecurity Framework, or the NIST Special Publication 800-171.

These frameworks provide a predefined set of security controls for endpoint security, access control, physical security, application security, policy, training, etc., to protect systems and information. You can take a holistic approach to information security across the organization, have a defined set of best practices for everyone to follow, and have a more calculated process for assessing and managing risk levels of new systems or applications.

By utilizing a standard framework across all areas, you can:

• Consistently assess the security practices of various departments

• Implement common tools, processes, and procedures (and align your overarching cybersecurity policies)

• Monitor and verify security metrics to ensure all departments are operating at the minimally acceptable security baseline

• Identify critical security gaps and define where organizational resources are needed most in order to best protect sensitive information and high risk systems

• Identify tasks and timelines for individual departments to meet the defined security standards

As an organization, you may also want to track metrics related to the outlined security controls. Examples include the percentage of systems that have a network firewall in place, the number of systems with anti-virus software installed, the number of systems that are patching critical vulnerabilities within 30 days, the percentage of systems with data encryption, and those that have completed risk assessments. You can then use this data to show improvements in your information security program over time.

The utilization of a cybersecurity framework across your whole organization also provides a way to measure where you stand compared to other similar organizations, and allows you to simplify communications about security metrics with board members and executive leadership.

Following this approach, you can ensure practical, basic IT security measures have been implemented. This baseline will not ensure full compliance with specific federal or industry security standards (PCI DSS, HIPAA, FERPA, CMMC, etc.), but once you have aligned the majority of your business practices with a cybersecurity framework, you can much more easily comply with compliance requirements as you will have already addressed almost 80 percent of the necessary controls and can now focus on meeting the remaining 20 percent of requirements specific to each data type or system.

Some additional guidance from CampusGuard’s Security Advisor Team:

[Coudeyras]: Many federal/industry compliance standards require organizations to implement a baseline security configuration for all devices in scope. Therefore, not only is it a good idea from a purely compliance perspective, it is a good idea from an information security perspective as well. As we know, there is a difference between being compliant and being secure. Implementing and auditing baseline security configurations is a surefire way to decrease overall risk levels at the organization while at the same time checking compliances boxes. It is important to also include all in-scope systems in your annual risk assessment to verify the appropriate controls have been implemented and are being maintained accordingly.