Security Baseline Review
Scope
This SOP applies to the External Service Provider (ESP) responsible for managing the security baseline configuration of Microsoft cloud services and Intune-managed Windows workstations within the Compliance-as-a-Service (CAAS) framework.
Responsibilities
ESP Security Compliance Team: Responsible for conducting annual reviews of the security baseline configuration.
Change Control Board (CCB): Reviews and approves proposed changes before implementation. This CCB group will consist of ESP Compliance Officers.
Client IT Representatives: Notified of significant changes that may impact their environment.
Procedure
3.1 Annual Security Baseline Review
The ESP Security Compliance Team will initiate an annual review of the security baseline configuration.
The review will leverage Microsoft Purview NIST 800-171 R2 / CMMC 2.0 assessment to evaluate compliance.
The following components will be assessed:
- Conditional Access Policies
- Microsoft Sentinel audit log sources, including any additional sources enabled through new Sentinel Data Connectors
- Intune Security Baselines
- Defender for Endpoint Policies
- Microsoft 365 Security & Compliance Settings
- Any other configurations relevant to CMMC 2.0 compliance
Identified deviations or necessary updates will be documented in the Baseline Configuration Review Report.
The report will be submitted for formal review by the Change Control Board (CCB).
3.2 Change Control Process
Proposed changes resulting from the annual review must follow the formal change control process, including its timelines and reporting requirements, described at https://caas.nimbus-logic.us/sop/baseline-configuration-changes.html