Mandatory Security Baselines

2010/06/10 by ITSRM

A "Security Baseline" defines a set of basic security objectives which must be met by any given service or system. The objectives are chosen to be pragmatic and complete, and do not impose technical means. Therefore, details on how these security objectives are fulfilled by a particular service/system must be documented in a separate "Security Implementation Document". These details depend on the operational environment a service/system is deployed into, and may therefore draw creatively on any relevant security measure. Derogations from the baseline are possible and expected, and must be explicitly marked.

At CERN, for each service/system used in production, such a Security Implementation Document must be produced by its system/service owner, and be accepted and approved by the Computer Security Officer.

All systems/services must be implemented and deployed in compliance with their corresponding Security Implementation Document. Non-compliance will ultimately lead to reduced network connectivity for the affected services and systems (i.e. closure of CERN firewall openings, loss of access to other network domains, and/or disconnection from the CERN network).

Security Baseline Documents

  • Security Baseline for Hardened PCs and Laptops
    (EDMS 1593100)
  • Security Baseline for Servers, PCs and Laptops used in a CERN Production Environment
    (EDMS 1062500)
  • Security Baseline for File Hosting Services used in a CERN Production Environment
    (EDMS 1062503)
  • Security Baseline for Web Hosting Services used in a CERN Production Environment
    (EDMS 1062502)
  • Security Baseline for Industrial Embedded Devices used in a CERN Production Environment
    (EDMS 1139163)

A template for the "Security Implementation Document" can be found here: EDMS 1062504