
Infrastructure & Systems compliance


An organization's infrastructure is composed of different layers. At the top, there are usually applications, which in turn are served by a multitude of systems that act as containers for these applications (usually operating systems or containers). Finally, the infrastructure layer interconnects these systems to provide a medium of communication between systems and applications.

The purpose of Infrastructure & Systems compliance is to ensure that the infrastructure and systems layers are in the appropriate security posture. This security posture can be defined as the condition in which the configuration of a specific asset complies with a specific benchmark, such as:
  • Best practices that are widely accepted by the community
  • A standard (community, like CIS, or government, like DISA STIG)
  • An organization's predefined configuration
The activity can be split into three main parts:

  • Definition of:
      • Scope
      • Reference benchmark
      • Operational prerequisites
  • Technical analysis on the assets under scope
  • Gap analysis with respect to the chosen benchmark
The output of the activity is usually a list of configuration items that do not comply with the chosen benchmark. The report usually includes (depending on which benchmark is selected to perform the assessment) a list of mitigations that, if applied, could reduce the gap between the current and the desired configuration state.