Hello, you are using an old browser that's unsafe and no longer supported. Please consider updating your browser to a newer version, or downloading a modern browser.

Global Accelerated Learning • Est. 1999
Glossary Term Security Baseline

Training Camp • Cybersecurity Glossary

What is Security Baseline?

A defined set of minimum security configurations and controls every system must meet, drawn from standards like CIS Benchmarks or DISA STIGs.

Glossary > Governance, Risk & Compliance > Security Baseline

Understanding Security Baseline

A security baseline is a defined set of minimum security controls, configurations, and settings that systems must meet to be considered adequately protected. It establishes a consistent, repeatable security floor across servers, workstations, network devices, and applications, derived from industry standards, regulatory requirements, and organizational policy.

Baselines are typically expressed as concrete, checkable settings, password policy, disabled services, audit logging, encryption requirements, firewall rules, and account configurations, often sourced from CIS Benchmarks, DISA STIGs, Microsoft Security Baselines, or NIST SP 800-53 control sets. They are applied through hardening scripts, group policy, or configuration-management tools (Ansible, Puppet, Intune), then continuously verified by compliance scanners. Deviations are flagged as drift; approved exceptions are documented, and the baseline is updated as new threats and vendor guidance emerge.

This matters because inconsistent configuration is a primary source of breaches. Without a baseline, each system is hardened differently or not at all, leaving misconfigurations, default credentials, and unnecessary services that attackers routinely exploit. A baseline makes security measurable and auditable, enables rapid detection of configuration drift, simplifies onboarding of new systems, and provides the evidence auditors and frameworks like PCI DSS, HIPAA, and ISO 27001 expect. It also shrinks attack surface uniformly rather than relying on individual administrators' judgment.

For example, an enterprise adopts the CIS Benchmark for Windows Server as its baseline, codifies it in a group policy and an Ansible role, and applies it to every new server. A weekly compliance scan reports any host that drifts, such as one where an administrator re-enabled SMBv1 for a legacy app. The deviation is either remediated automatically or recorded as a tracked, time-limited exception with compensating controls, keeping the fleet's security posture consistent and provable.

Learn More About Security Baseline:

Ready to Get Certified?

Turn knowledge into credentials with our instructor-led cybersecurity boot camps.

View All Courses →