Mastering Windows Security and Hardening

Incorporating best practices

To finish off this chapter, we wanted to provide a checklist of the most important items that will help enforce your security baselines. The following list is ranked in order of importance as you look to build and enforce your baselines:

  • Select and deploy a framework to build a foundation.
  • Select a baseline foundation. We covered CIS and Windows security baselines in this chapter.
  • For your Windows devices, use the Policy Analyzer tool from the Microsoft SCT to review your baselines.
  • Create or use a Golden Image template for each use case that you can reuse and always keep up to date with the latest updates.
  • Build well-documented and easy-to-follow procedures that others can use and follow.
  • Automate controls and tools to re-enforce the baseline, for example, MDM with Intune or Active Directory Group Policy.
  • Use compliance policies to validate whether controls are in place. This will also help with auditing devices that are non-compliant.
  • Implement a quarantine or risk access policy for non-compliant devices.
  • Implement efficient monitoring and reporting for device compliance. Power BI is a great way to visually provide reports.
  • Always keep up to date with both the Windows versions and the technology used to manage the devices. The modern world is very dynamic and moves at an extremely fast pace.

It's important to note that while creating a security framework and enforcing controls with full compliance is desirable, exceptions will need to be accounted for. It is recommended that your organization also includes a risk register that clearly documents the systems and applications that do not comply with the defined policies and standards. The register should identify all the risks as well as rate the implication or severity of each risk and its potential impact on the organization. These implications should not only be viewed through a security lens but should also identify potential legal liabilities and cost implications if the risks were exploited. Leadership should be made aware of these risks and should sign off on their acceptance. Furthermore, a stakeholder should be named as the accountable party and the register should be reviewed frequently to identify any possible solutions to mitigate the risks.