Read the book The Official (ISC)2 SSCP CBK Reference - Mike Wills - Page 94
Baselines
Some organizational cultures refer to a tailored version of a standard as a baseline. Typically, tailoring of a standard reduces the requirements set by the standard; if additional requirements are needed, it is best practice to put them into some other document, such as a local or internal standard. Once a baseline has been established, any deviation from the baseline should be formally approved through the organization's change management practice. As with standards, baselines establish a compliance expectation.
As a subset of baselines, security baselines express the minimum set of security controls necessary to safeguard the information security requirements and properties for a particular configuration. Scoping guidance is often published as part of a baseline, defining the range of deviation from that baseline that is acceptable. Once scoping guidance has been established, tailoring is performed to apply a particular set of controls that achieves the baseline within the scoping guidance.
The term baseline can also refer to a reference set of system components; the inventory of software installed on a server by the vendor, at the time when the server is first turned on and configured, is an architectural baseline.
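The two checks a practitioner builds from this section, as an added example rather than the book's own material: a security baseline with scoping guidance applied to one system's tailored settings (compliant, within scope, or a deviation that needs change-management approval), and a drift comparison against an architectural baseline. The control names, values and package inventories are constructed sample data, and the "min"/"max" direction model is an assumption of this example.

```python
"""Baseline compliance and drift checks (added example, not the book's code).

Hypothetical model: a security baseline gives each control a required value
and a direction ("min": at least that value, "max": at most); scoping
guidance gives the slack a system may take without approval; a system's
tailored settings are checked against both. The architectural baseline is
the vendor's package inventory, compared with the current one.
"""

# Constructed sample security baseline: control -> (required value, direction).
SECURITY_BASELINE = {
    "password_min_length": (14, "min"),
    "session_timeout_minutes": (15, "max"),
    "failed_login_lockout": (5, "max"),
}
# Constructed scoping guidance: control -> slack allowed from the baseline value.
SCOPING_GUIDANCE = {"password_min_length": 2, "session_timeout_minutes": 5}


def check_tailoring(settings, baseline=SECURITY_BASELINE, scoping=SCOPING_GUIDANCE):
    """Return {control: status} for one system's tailored settings.

    'compliant' meets the baseline; 'within_scope' is weaker but inside the
    scoping slack; 'deviation' is outside scope and needs change-management
    approval; 'missing' means the control is not set at all.
    """
    report = {}
    for control, (required, direction) in baseline.items():
        if control not in settings:
            report[control] = "missing"
            continue
        value = settings[control]
        # Shortfall in the weaker direction; zero or negative means the baseline is met.
        shortfall = required - value if direction == "min" else value - required
        if shortfall <= 0:
            report[control] = "compliant"
        elif shortfall <= scoping.get(control, 0):
            report[control] = "within_scope"
        else:
            report[control] = "deviation"
    return report


def inventory_drift(baseline_inventory, current_inventory):
    """Diff an architectural baseline (package -> version) against a current inventory."""
    added = sorted(set(current_inventory) - set(baseline_inventory))
    removed = sorted(set(baseline_inventory) - set(current_inventory))
    changed = sorted(p for p in baseline_inventory if p in current_inventory
                     and current_inventory[p] != baseline_inventory[p])
    return {"added": added, "removed": removed, "changed": changed}
```

Any control reported as a deviation, and any package drift, is exactly what the change management practice in this section should have an approval record for.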