Develop secure configuration baselines based on industry best practices, such as:

• Center for Internet Security (CIS): https://www.cisecurity.org/
• Defense Information Security Agency (DISA): https://iase.disa.mil

These organizations have developed detailed guidance, benchmarks, and procedures that explain the available security configuration options for a large range of applications, services, and operating systems.

The guidance contained within these documents includes:

• Enabling best practice security-related configurations
• Removal of unneeded accounts
• Removal or disabling of unneeded services

The guidance, benchmarks, and procedures that you select should be tested to meet your organization's security requirements, business needs, and operational technical supportability.

Once testing has concluded and you have developed tailored guidance that meets your organization's objectives, your tailed organization's guidance should be templated so that it can be used as a repeatable process for all new future systems.

This guidance should be followed for each technology type deployed as part of your enterprise information system.

If best practices guidance does not exist for a specific technology deployed by your organization, your information security program should work with business and IT stakeholders to develop guidance.