Which statement accurately describes a security baseline used for measurement and improvement?

• A. A minimum set of controls/configurations used to measure compliance and guide improvements.
• B. A comprehensive description of every possible control.
• C. A plan for rapid expansion of security budget.
• D. A method to replace governance with individual actions.

Answer: (D)

A security baseline is a standard set of minimum controls and configurations used as a reference point to measure compliance and guide improvements. By establishing these baseline settings, you have a concrete target to compare actual environments against, making it clear where gaps exist and what needs to be remediated. This approach supports consistent security across systems and provides a clear path for tracking progress over time.

It's not meant to describe every possible control—baselines focus on the essential minimum needed to achieve a baseline level of security. It also isn’t about rapidly expanding a security budget, nor about replacing governance with individual actions. Governance sets the framework and accountability, while the baseline provides measurable targets within that framework.