A standard framework for a security baseline

I'm leading the Information Security Group in a new organization structure and responsibilities. One of my top priorities...

is to establish what we have called a "Security Baseline." This is intended to be a methodology that indicates what security elements must be considered in any application to be developed, any package to be implemented, or even a server to be configured. Is there any standard framework available that I can use as a starting point?

There are many people who have many opinions on these sorts of things.

There's nothing that covers all aspects in one methodology. Engineering and operations are very different things, and you can't apply one methodology to both.

Take a look at what SANS, CSI, and ISACA have.

Donn Parker, one of the most respected names in computer security, has a new book out with his ideas about how we've been doing things wrong for the last three decades. I think it's a must-read. It is called "Fighting computer crime: A new framework for protecting information." You can find it at Amazon.

John Viega and Gary McGraw have an excellent new book on building secure software. You can also find it at Amazon.

Also, there's Ross Anderson's excellent book "Security Engineering."

All of these resources talk about the various methodologies that you might use. Unfortunately, there's no one size that fits all. Not only is development not the same as operations, but the way you operate a bank is not the way you operate a convenience store. Neither of these is the way you operate a military base. When you construct a methodology for yourself, you look at what your assets are, what your threats are, what things you can solve easily (like buying insurance) and so on.

While we're at it, Schneier's "Secrets and Lies" is also a must-read.
