To create a security baseline for the set of computers used by the accounting
department, which will be deployed in a few weeks, I would use the Security
Configuration Manager tool to create, apply and edit the security for the
accounting organizational unit. I would use the security template to be applied
to the accounting department OU, and the Security Settings extension to Group
Policy to edit individual security settings in the organizational unit.
The security settings I would import from the security template would include
Account Policies, Local Policies, File System, Event Log, and Restricted Groups.
The Group Policy Object will be sensitive to the function of the departmental
roles. These roles are the Chief Financial Officer (CFO), Certified Public
Accountant (CPA), Controller, Advanced Accountant, and Bookkeeper. The
Chief Financial Officer is granted C-level executive rights and permissions,
as the role's specialty encompasses overseeing and managing various financial
aspects of the business and its main goal is the long-term success of the company.
Level two employees, the CPA and the Controller, have roles that encompass
long-term strategies in the business and are responsible for financial controls,
reconciling bank statements and other sensitive documented procedures.
Level one employees, the Advanced Accountant and the Bookkeeper, are
responsible for the day-to-day functions of the company's accounting, such as
accounts receivable and payable.
Security baselining is important in all three levels of the accounting
department to reduce the risks of attack and data leakage. The operating
system will be updated with patches and fixes as an ongoing task, with
installation at 4 am. Password management will require that all users
use a password of at least fourteen characters, including a
minimum of 3 alternate characters; passwords shall be changed every 6 months
and locked after three failed attempts. C-level executive groups will also
have an extra layer of password identification to access executive resources.
Accounts unused for a period of two months will be disabled and removed
from the OS if not otherwise stipulated by an executive permission. Logging
is enabled and unnecessary file sharing is disabled. Access to files and
directories is controlled through the use of ACLs and file permissions in
conjunction with the accountant's level. Non-essential services will not be
configured to run for the day-to-day level accountants; only the services
required to perform the assigned tasks will run. Routers are password
protected and not public; the router within the department implements WPA
security measures; no BYOD. Unneeded ports are blocked by a firewall.
Applications and services installed on the network require an administrative
password.
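The password and lockout values above can be checked against an exported security template before it is applied to the OU. The following is an added example, not part of the original text: it audits the `[System Access]` section of a template, assuming "every 6 months" means 180 days; the function name, the sample template and its values are constructed for illustration.

```python
import configparser

# Baseline values from the text above. "Every 6 months" is assumed to mean
# 180 days. PasswordComplexity is the closest template setting to the
# "3 alternate characters" rule; it does not enforce that exact count.
BASELINE = {
    "MinimumPasswordLength": ("at least 14", lambda v: v >= 14),
    "MaximumPasswordAge": ("1 to 180 days", lambda v: 1 <= v <= 180),
    "PasswordComplexity": ("enabled (1)", lambda v: v == 1),
    "LockoutBadCount": ("1 to 3 attempts", lambda v: 1 <= v <= 3),
}

def audit_template(inf_text):
    """Return (setting, found, required) for each baseline violation."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep the template's key casing
    parser.read_string(inf_text)
    access = parser["System Access"] if parser.has_section("System Access") else {}
    findings = []
    for name, (required, check) in BASELINE.items():
        raw = access.get(name)
        try:
            ok = check(int(raw))
        except (TypeError, ValueError):
            ok = False  # a missing or non-numeric value counts as a failure
        if not ok:
            findings.append((name, raw, required))
    return findings

# Constructed sample, shaped like a security template export.
SAMPLE_TEMPLATE = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 8
MaximumPasswordAge = 180
PasswordComplexity = 1
LockoutBadCount = 0
[Version]
signature="$CHICAGO$"
Revision=1
"""

if __name__ == "__main__":
    for name, found, required in audit_template(SAMPLE_TEMPLATE):
        print(f"FAIL {name}: found {found}, baseline requires {required}")
```

A setting that is absent from the template is reported as a failure, so a template that never defines the lockout threshold does not pass silently.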