medium
Single Answer

Sakis is determining which controls from the baseline should be applied to a given system or software package. How should he decide?

Answer Options

A

Consult the custodians of the data.

B

Select based on the data classification of the data it stores or handles.

C

Apply the same controls to all systems.

D

Consult the business owner of the process the system or data supports.

Correct Answer: B

Explanation

The controls implemented from a security baseline should match the data classification of the data used or stored on the system. Custodians are trusted to ensure the day-to-day security of the data and should do so by ensuring that the baseline is met and maintained. Business owners often have a conflict of interest between functionality and data security, and applying the same controls everywhere is expensive and may not meet business needs.