Standards Group:
YALE-MSS-5: Software Security
YALE-MSS-5.1: Utilize an industry-standard secure configuration method
Details
Select, review, and apply a security configuration standard, being careful to make risk-based decisions when choosing not to apply specific controls. Document your use of the standard, as well as any decisions to not employ certain controls. Review and revise this documentation regularly.
There are security configuration standards available for most IT Systems. When applicable, the CIS (Center for Internet Security) Benchmarks are Yale's preferred standard. For more information about CIS, please visit https://www.cisecurity.org/cis-benchmarks/.
Note that this control is not exclusively concerned with operating systems. Yale's preference for Web application programming and the configuration of Web services is the Application Security Verification Standard (ASVS) by the Open Web Application Security Project (OWASP).
A security configuration standard aids the implementation of cybersecurity best practices. Use of a standard such as the CIS Benchmarks helps to ensure these practices are being followed for a given system.