Good news for those of you that have to create GRC baselines! You don’t have to build specific GRC baselines such as for the Health Insurance Portability and Accountability Act (HIPAA), as the Solution Accelerators team is now building baselines that simultaneously support HIPAA as well as over 500 other GRC authority documents worldwide. This means you don’t have to figure out the nuances of individual regulations to create one-off baselines. You can simply use one product baseline that maps back to them all through our GRC management solution within System Center, which manages the control objectives, activities, drift, and results to support audits.

The baselines team is addressing this exact issue by changing how we group settings within a product security baseline.

• Setting Groups: There has been a significant design change in the way we will produce product security baselines. We’re now grouping baseline configuration items by associated risk/activity vs. the older method of grouping these settings by location within group policy. (Don't worry, you can still group by prior methods. For instance, all the password attributes settings are grouped together, as are the settings for audit log retention, capacity and performance management, etc. These groups are pulled from the Microsoft Control Library, a comprehensive and cited control set used to build control objectives and activities applicable to IT products and services for use by our customers. The Microsoft Control Library provides the groups by which settings are organized, the control objectives that cite back to over 500 regulations/standards/best-practices, and the control activities which guide the IT pro through product configuration.
• Setting Prescription: Setting values are being prescribed in accordance with over 500 regulations, standards, and best practices. For example, regulations include federal health, privacy, and financial regulations. Standards include ISO, NIST, and industry practices. Practices include Microsoft security guidance. The most conservative value wins. In the vast majority of cases, we have not made a prescriptive change to setting values as compared to prior released baselines.
• Control Activities: The groups of settings correspond to control activities, the prescriptive procedures developed for use within System Center Service Manager’s IT GRC Process Management Pack (IT GRC PMP). This allows a customer to use baselines to configure products and services to the expectations within regulations, standards, and practices. It also allows the customer to measure configuration compliance in a controlled, and auditable manner. Reports may be used as evidence within the audit process, including FISMA, ISO, HIPAA, PCI, etc.
• We’re releasing our first wave of newly organized product baselines in a few months. These include Windows Server and IE9. More product baselines will follow shortly thereafter.

If you have any questions regarding GRC baselines or would like to participate in feedback loops regarding the creation of GRC baselines content and the IT GRC solution for System Center, please contact secwish@microsoft.com.