
building a baseline

  • Several standards and frameworks can be leveraged to establish a baseline, in particular:

    • ISO/IEC 27001/27002
    • NIST Cybersecurity Framework
    • CIS Framework
    • SOC 2
    • OWASP SAMM
  • The baseline shall cover the main domains of cybersecurity.

  • Stories shall be selected and adapted to fit the organization.

  • The stories shall be sorted so that they can be grouped into several levels. The sorting order can be from simplest to hardest, from highest to lowest ROI, or any other order that fits the organization.

  • There are typically 3 or 4 levels, numbered starting from 0 or 1.

  • For example, the first level can contain 20 stories, the second 12 more (32 stories in total), and the third 8 additional stories, for a total of 40.

  • A more complex variant is to refine some stories at each level: a story can gain additional items or criteria in its Definition of Done at each higher level.

  • The lifecycle of the baseline shall be managed from the beginning. In particular, the baseline shall be versioned and improved regularly to fix the inconsistencies and ambiguities that will inevitably appear.

  • To promote regular improvements of the baseline, it is possible to align major revisions with a yearly calendar, and to add the year in the name of the baseline (e.g. SEC2021). This does not preclude minor changes whenever necessary.

  • The validation of the baseline can be associated with an internal certification scheme, encouraging healthy competition between teams. This certification can be coupled with existing schemes for architecture, code quality, etc.

  • Making sure the first level is relatively easy to achieve will help enroll the development teams.

  • If an independent certification is sought, the organization can strive to achieve SOC 2 or ISO/IEC 27001 certification. In that case, the baseline can be aligned with the controls the organization has retained for its certification.

  • Each story of the baseline shall be defined in an agile manner. It shall contain:

    • Business requirements (often a security achievement)
    • Guide for implementation
    • Definition of Done (DoD)
    • Proof to provide
  • For example, a story can require that every change be reviewed by a peer. This can be enforced easily through GitHub or GitLab configuration. The Definition of Done is then simply that the appropriate configuration is observed, and the proof is a screenshot of that configuration.
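The following Python is an added example, not part of the original page: it models a leveled baseline in which stories accumulate across levels and the peer-review story gains Definition of Done criteria at each higher level (the refinement variant described above), then evaluates it against a constructed branch-protection configuration instead of a screenshot. Story identifiers, the `certify` helper and the evidence field names (modelled on GitHub's branch-protection API response) are assumptions.

```python
# Added example: a leveled security baseline whose stories accumulate across
# levels and whose Definition of Done (DoD) gains criteria at higher levels.
# Story ids, helper names and the evidence field names are assumptions.
from dataclasses import dataclass
from typing import Callable

@dataclass
class Story:
    id: str
    requirement: str                                    # business requirement
    level: int                                          # first level it belongs to
    dod: dict[int, list[tuple[str, Callable[[dict], bool]]]]  # criteria added per level

def reviews(ev: dict) -> dict:
    return ev.get("required_pull_request_reviews", {})

BASELINE = [  # constructed baseline with three levels numbered 1..3
    Story("SEC-REV-01", "Every change is reviewed by a peer before merge", 1, {
        1: [("one approving review required",
             lambda ev: reviews(ev).get("required_approving_review_count", 0) >= 1)],
        2: [("code owners must approve",
             lambda ev: reviews(ev).get("require_code_owner_reviews", False))],
        3: [("two approving reviews required",
             lambda ev: reviews(ev).get("required_approving_review_count", 0) >= 2)]}),
    Story("SEC-BRN-01", "The main branch cannot be force-pushed", 1, {
        1: [("force pushes disabled", lambda ev: not ev.get("allow_force_pushes", {}).get("enabled", True))]}),
    Story("SEC-SIG-01", "Commits on the main branch are signed", 2, {
        2: [("signed commits required", lambda ev: ev.get("required_signatures", {}).get("enabled", False))]}),
]

def stories_at_level(baseline: list[Story], level: int) -> list[Story]:
    """Levels are cumulative: level N holds every story introduced at or below N."""
    return [s for s in baseline if s.level <= level]

def evaluate(story: Story, level: int, ev: dict) -> tuple[bool, list[str]]:
    """Apply the story's DoD criteria up to `level`; return (passed, failed criteria)."""
    failed = [desc for lvl, crit in story.dod.items() if lvl <= level
              for desc, check in crit if not check(ev)]
    return (not failed, failed)

def certify(baseline: list[Story], ev: dict, top: int = 3) -> int:
    """Highest level at which every applicable story passes (0 if none does)."""
    passing = [lvl for lvl in range(1, top + 1)
               if all(evaluate(s, lvl, ev)[0] for s in stories_at_level(baseline, lvl))]
    return max(passing, default=0)

# Constructed evidence shaped like a GitHub branch-protection API response
EVIDENCE = {"required_pull_request_reviews": {"required_approving_review_count": 1,
                                              "require_code_owner_reviews": False},
            "allow_force_pushes": {"enabled": False}, "required_signatures": {"enabled": True}}
```

With the constructed evidence, `certify(BASELINE, EVIDENCE)` returns 1: the single required review satisfies level 1, but the level 2 refinement (code-owner approval) is not met, so the team stops there.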