Baseline Standards
Why Baseline Standards Are the Foundation of Personal Security Architecture
Most security failures among professionals and small business owners don’t start with a sophisticated attack—they start with inconsistency. Baseline standards fix that by giving you a stable, documented posture to build from.
This is chapter 3 of Gabriel Osei’s Personal Security Architecture guide series. The earlier chapters covered threat modeling and asset inventory. Here, the work shifts from planning to implementation: setting the minimum viable security posture you’ll actually maintain, and establishing the change control habits that keep it from drifting into chaos.
What a Baseline Standard Actually Is
A baseline standard is a documented set of security configurations and behaviors that apply by default across your systems, accounts, and devices. It answers the question: “What is the normal, acceptable state of my security posture?” Everything above the baseline is an upgrade. Anything below it is a gap that needs remediation.
The concept matters because without a defined baseline, you have no meaningful way to detect drift. If you don’t know what your systems are supposed to look like, you can’t tell when something has changed—and in security, unnoticed change is often the prelude to a problem.
Baseline standards also solve a subtler problem: decision fatigue. When every security choice is made fresh each time, you’ll eventually make a bad one at 11pm after a long day. A baseline removes the decision. The defaults are already set. You only need to think deliberately when you’re consciously choosing to deviate.
The Minimum Viable Security Posture
For independent professionals and small businesses, a practical baseline covers five domains. These aren’t aspirational goals—they’re the floor.
1. Authentication
- Unique passwords for every account, stored in a password manager. This is non-negotiable. Password reuse is one of the most reliably exploited weaknesses in personal and small-business environments. Use a reputable password manager and generate long, random passwords you don’t need to remember.
- Multi-factor authentication (MFA) on all accounts that support it, starting with email, cloud storage, and financial accounts. Prefer an authenticator app over SMS for your most sensitive accounts. SMS-based MFA is meaningfully weaker than app-based or hardware key options, though it’s still far better than no MFA at all.
- A defined policy for shared credentials. If you work with a team or contractors, document how shared account access is handled and revoked when someone leaves.
2. Devices
- Full-disk encryption enabled on all laptops and mobile devices. On modern hardware this is often on by default, but verify it rather than assuming.
- Automatic screen lock after a short idle period—five to ten minutes is a reasonable default for a work machine.
- Operating system and application updates applied within a defined window. A common practical standard is: critical security patches within 72 hours of release, routine updates within two weeks. The exact numbers matter less than having a consistent habit.
- A documented list of what’s installed on your primary work machines. This doesn’t need to be exhaustive, but you should know what software has elevated permissions or handles sensitive data.
3. Data Handling
- A classification scheme, even a simple one. At minimum, distinguish between data that’s public, data that’s internal/operational, and data that’s sensitive (client information, financial records, credentials). Once you know which category something falls into, handling decisions become easier.
- Defined storage locations for each category. Sensitive data should live in encrypted, access-controlled locations—not in an unsorted downloads folder or a shared drive with overly broad permissions.
- A backup standard. The widely cited 3-2-1 approach is a reasonable baseline for most: three copies, on two different media types, with one stored offsite or in cloud storage. Test restores periodically. A backup you’ve never tested is a backup you don’t fully trust.
4. Network
- Your home or office router running current firmware, with the default admin password changed. Router security is frequently overlooked and frequently exploited.
- A separate network for IoT devices (smart speakers, printers, cameras) if your router supports guest or VLAN configuration. These devices rarely receive long-term security support and shouldn’t share a network segment with your work machines.
- A defined posture for public Wi-Fi. Either avoid sensitive work on public networks, or use a VPN with a clear understanding of what it does and doesn’t protect.
5. Email and Communications
- Email filtering and spam controls configured and reviewed periodically. Phishing remains one of the most common entry points into small business environments.
- A habit of verifying unexpected requests through a secondary channel before acting on them—especially wire transfer requests, credential resets, or urgent access requests, even when they appear to come from known contacts.
Documenting Your Baseline
A baseline that exists only in your head isn’t a baseline—it’s a hope. Documentation serves two purposes: it creates a reference you can check against, and it forces you to be specific about what you’ve actually decided.
Your baseline document doesn’t need to be elaborate. A structured note or simple spreadsheet works fine. For each domain, record:
- The standard (what the configuration or behavior should be)
- Where it applies (which devices, accounts, or systems)
- How you verify it (how you’d confirm the standard is being met)
- When it was last reviewed
Keep this document somewhere accessible but protected—encrypted cloud storage or a secure note in your password manager is appropriate. You’ll refer to it during periodic reviews and whenever you’re making a change.
One practical addition: document your recovery paths. For each critical account or system, know the answer to “how would I regain access if I lost my primary credential?” Before you need it is the only time that’s easy to think through clearly.
Change Control: Preventing Accidental Chaos
The second half of baseline discipline is change management. This sounds corporate, but the underlying principle is simple: don’t make security changes impulsively, and document the ones you do make.
The most common self-inflicted security problems in personal and small-business environments aren’t attacks—they’re people locking themselves out of systems, breaking workflows by changing configurations without testing, or forgetting what they changed and why. A lightweight change control habit prevents most of this.
In practice, change control at this scale means:
- Before making a change, write down what you’re changing and why. Even a one-line note is sufficient. This forces a moment of deliberate thought and creates a record you’ll thank yourself for later.
- Test changes before relying on them. If you change your MFA configuration, verify login works before logging out of your existing session. If you modify a backup process, run a test backup and confirm the restore path before the old system is gone.
- Make one significant change at a time. When multiple things change simultaneously and something breaks, isolating the cause is much harder. Single-change commits are easier to debug and easier to reverse.
- Update your baseline document to reflect the new state. The document should always represent current reality, not the state from when you first wrote it.
Scheduled Reviews, Not Reactive Scrambles
Security drift is natural. Software changes, services add new features, your threat landscape evolves, and what was a reasonable default setting last year may not be adequate now. The way to catch drift before it becomes a problem is with scheduled, routine reviews—not reactive audits triggered by a security scare.
A practical review cadence for most independent professionals:
- Monthly: Check that updates are current. Review any new accounts or services added since the last review and confirm they meet baseline standards. Scan for credentials that need rotation.
- Quarterly: Review your baseline document for accuracy. Assess whether any significant changes to your work or tools have created gaps. Test at least one backup restore.
- Annually: Revisit your threat model from chapter 1. Consider whether your baseline standards are still appropriate for your current risk profile and work context. Revoke access for any integrations, accounts, or devices that are no longer needed.
Put these reviews on your calendar as recurring appointments, not aspirational intentions. Treat them like quarterly financial reviews—not exciting, but genuinely important.
The Practical Takeaway
A baseline standard isn’t about achieving perfect security. It’s about establishing a known, consistent posture that you can maintain, verify, and improve deliberately. The five domains covered here—authentication, devices, data handling, network, and communications—give you a complete minimum viable posture for personal and small-business contexts.
Write it down. Document your changes. Review on a schedule. That combination—more than any single tool or configuration—is what turns security intentions into security practice. Chapter 4 will build on this foundation by addressing incident response: what to do when, despite a solid baseline, something still goes wrong.