Ensure that your organizational policy enforces the need for secure configuration baselines and requires that information systems be configured in the most secure configuration that supports your business's needs and technical parameters.

Establish mechanisms that ensure that the information security program has a reporting capability to upper management that allows technical risks to be brought to the attention of senior leadership.