Checklist for creating and managing a security baseline

1. Definition and Scope

Define which systems, networks, and applications will be covered by the security baseline.

Identify if the scope includes:

• Endpoints (laptops, desktops).
• Servers.
• Internal networks.
• Cloud environments.
• Critical applications.
  
  

2. Initial Environment Assessment

• Perform a complete inventory of technological assets.
• Identify the type of data processed, stored, or transmitted.
• Classify information according to its criticality and sensitivity.
• Analyze data workflows.
• Identify potential threats and existing vulnerabilities.
• Evaluate risks associated with the business and operational context.
  
  

3. Regulatory References and Best Practices

Define applicable standards and frameworks:

• ISO/IEC 27001.
• NIST SP 800-53.
• Other industry or regulatory standards.
• Align the security baseline with legal and compliance requirements.
• Document baseline security policies.
  
  

4. Creation of the Reference Device (Technical Baseline)

• Select a reference device (e.g., model laptop or server).
• Install the operating system from scratch (clean install).
• Apply all security updates and patches.
• Configure the operating system securely.
• Disable unnecessary services and features.
• Apply hardening configurations according to official guides.
  
  

5. System Security Configuration

• Configure local and/or perimeter firewalls.
• Define user policies and least privilege permissions.
• Implement disk and communications encryption.
• Install and configure antivirus and anti-malware.
• Install Endpoint Detection and Response (EDR) solutions.
• Verify system logs and audits.
  
  

6. Application Installation and Evaluation

• Install only applications necessary for the business.
• Verify updated versions of all applications.
• Scan applications for vulnerabilities.
• Remediate detected vulnerabilities.
• Document authorized software (whitelisting).
  
  

7. Security Baseline Validation

• Compare the system against secure configuration guides.
• Run vulnerability scans.
• Verify the absence of misconfigurations.
• Validate that the system complies with the defined baseline.
• Document the “known good and secure” state.
  
  

8. Baseline Image Generation

• Create an image of the reference device.
• Store the image securely.
• Define restoration procedures from the image.
• Version the Secure Baseline image.
  
  

9. Organizational Deployment

• Implement the secure baseline across all defined devices.
• Use automated tools and scripts for deployment.
  
  In Windows environments:
  
  

• Configure Group Policy Objects (GPOs).
• Define policies, user rights, and audits.
  
  In cloud environments (e.g., AWS):
  
  
• Define secure configurations.
• Use tools like AWS Config.
• Verify baseline consistency across all equipment.
  
  

10. Continuous Maintenance and Control

• Restrict unauthorized software installations.
• Implement controls to prevent unapproved changes (drift control).
• Perform periodic audits.
• Implement continuous configuration monitoring.
• Detect deviations from the defined security baseline.
• Generate alerts and immediate remediation actions.
• Review and update the established security baseline periodically.
• Adapt the baseline to technological changes, business needs, or new threats.
  
  

11. Staff Training and Awareness

• Train employees on the importance of the security baseline.
• Raise awareness about the risks of deviating from secure configurations.
• Promote cybersecurity best practices.
• Establish channels to report suspicious activities.
• Reinforce the security culture within the organization.