Ask the Expert

A standard framework for a security baseline

I'm leading the Information Security Group in a new organization structure with new responsibilities. One of my top priorities is to establish what we have called a "Security Baseline." This is intended to be a methodology that indicates what security elements must be considered in any application to be developed, any package to be implemented or even a server to be configured. Is there any standard framework available that I can use as a starting point?


There are many people who have many opinions on these sorts of things.

There's nothing that covers all aspects in one methodology. Engineering and operations are very different things, and you can't apply one methodology to both.

Take a look at what SANS, CSI, and ISACA have.

Donn Parker, one of the most respected names in computer security, has a new book out with his ideas about how we've been doing things wrong for the last three decades. I think it's a must-read. It is called "Fighting Computer Crime: A New Framework for Protecting Information." You can find it at Amazon.

John Viega and Gary McGraw have an excellent new book on building secure software. You can also find it at Amazon.

Also, there's Ross Anderson's excellent book, "Security Engineering."

While we're at it, Schneier's "Secrets and Lies" is also a must-read.

All of these resources talk about the various methodologies that you might use. Unfortunately, there's no one size that fits all. Not only is development not the same as operations, but the way you operate a bank is not the way you operate a convenience store. Neither of these is the way you operate a military base. When you construct a methodology for yourself, you look at what your assets are, what your threats are, what things you can solve easily (like buying insurance) and so on.



This was first published in April 2002