In this paper, we propose a straightforward architecture for setting out a consistent standards document that is applicable regardless of platform. In essence, our format involves the creation of a set of High Level Standards that are platform-independent, followed by a set of Detailed Technical Standards for the specific platforms in use. In this manner, the High Level Standards can be applied across the board (for example: All data shall have an assigned Data Owner; All user passwords will apply a minimum length of 8 characters), and when new platforms arrive, these can be translated into the necessary Detailed Technical Standards.

Thus your Standards can be applied regardless of who administers the platform, and they can be used by your audit department for compliance checking.
Baseline Security Standards for a particular platform are those which most experienced security practitioners would agree should be implemented if there is no other information about the organization, the applications on the platform, or the users of it. While in most cases baseline standards are synonymous with minimum security standards, in some cases further analysis would result in relaxing rather than tightening the standards.

Baseline Standards allow a system to be deployed quickly without a formal risk analysis; the standards for a particular platform can then be adjusted later based on the requirements of the specific system. There are numerous advantages to this approach, which are discussed further in the following section.
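The following is an added example, not part of the paper, that sketches the two-layer structure in code: one platform-independent High Level Standard (the paper's "minimum password length of 8 characters") is bound to Detailed Technical Standards for two platforms, and an audit routine applies the right check to a platform's configuration. The platform names, the identifier `HLS-02`, and the two configuration fragments are constructed for illustration; the configuration keys themselves (`PASS_MIN_LEN` in `/etc/login.defs`, `MinimumPasswordLength` in a `secedit` export) are real. The `minimum` parameter shows the baseline value being adjusted per system without rewriting the High Level Standard, and a platform with no Detailed Technical Standard yet is reported as a gap rather than silently passed.

```python
"""High Level Standards mapped to per-platform Detailed Technical Standards.

Added example (not from the paper). Platform names, the HLS identifier and
the sample configuration fragments are constructed; the config keys are real.
"""
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

# A detailed check takes a configuration text and a baseline value and returns
# (passed, evidence) so the audit report can show what was actually observed.
Check = Callable[[str, int], Tuple[bool, str]]


@dataclass
class HighLevelStandard:
    ident: str                      # e.g. "HLS-02" (constructed identifier)
    text: str                       # platform-independent wording
    baseline: int                   # baseline value; may be adjusted per system
    detailed: Dict[str, Check] = field(default_factory=dict)  # platform -> check


def _first_match(pattern: str, config: str) -> Optional[str]:
    """Return the first capture group of a line-anchored regex, or None."""
    m = re.search(pattern, config, re.MULTILINE)
    return m.group(1) if m else None


def check_linux_login_defs(config: str, minimum: int) -> Tuple[bool, str]:
    """Detailed Technical Standard for Linux: PASS_MIN_LEN in /etc/login.defs.

    Note: on PAM-based systems PASS_MIN_LEN may be ignored in favour of
    pam_pwquality's minlen; which setting is authoritative is itself part of
    the Detailed Technical Standard for that platform.
    """
    value = _first_match(r"^\s*PASS_MIN_LEN\s+(\d+)", config)
    if value is None:
        return False, "PASS_MIN_LEN not set"
    return int(value) >= minimum, f"PASS_MIN_LEN={value}"


def check_windows_secedit(config: str, minimum: int) -> Tuple[bool, str]:
    """Detailed Technical Standard for Windows: MinimumPasswordLength in a
    secedit /export template ([System Access] section)."""
    value = _first_match(r"^\s*MinimumPasswordLength\s*=\s*(\d+)", config)
    if value is None:
        return False, "MinimumPasswordLength not set"
    return int(value) >= minimum, f"MinimumPasswordLength={value}"


PASSWORD_LENGTH = HighLevelStandard(
    ident="HLS-02",
    text="All user passwords will apply a minimum length of 8 characters",
    baseline=8,
    detailed={"linux": check_linux_login_defs, "windows": check_windows_secedit},
)


def audit(standard: HighLevelStandard, platform: str, config: str,
          minimum: Optional[int] = None) -> Dict[str, str]:
    """Apply the platform's Detailed Technical Standard, or flag its absence.

    `minimum` overrides the baseline for a system whose risk analysis
    justified a different value; the High Level Standard itself is unchanged.
    """
    required = standard.baseline if minimum is None else minimum
    check = standard.detailed.get(platform)
    if check is None:
        # A new platform has arrived but has not yet been translated into a
        # Detailed Technical Standard: report the gap, never assume compliance.
        return {"standard": standard.ident, "platform": platform,
                "status": "NO_DETAILED_STANDARD", "evidence": ""}
    passed, evidence = check(config, required)
    return {"standard": standard.ident, "platform": platform,
            "status": "PASS" if passed else "FAIL", "evidence": evidence}


# Constructed sample configurations (not taken from any real host).
SAMPLE_LOGIN_DEFS = """
# constructed /etc/login.defs fragment
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_MIN_LEN    5
PASS_WARN_AGE   7
"""

SAMPLE_SECEDIT = """
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 42
MinimumPasswordLength = 12
PasswordComplexity = 1
"""

if __name__ == "__main__":
    for platform, cfg in (("linux", SAMPLE_LOGIN_DEFS), ("windows", SAMPLE_SECEDIT),
                          ("new-platform", "")):
        print(audit(PASSWORD_LENGTH, platform, cfg))
```

Each High Level Standard stays in one place and in platform-neutral wording; adding a platform means adding one entry to `detailed`, and the audit department runs the same `audit` call against every system regardless of who administers it.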