Security posture is “the security status of an enterprise’s networks, information, and systems based on information assurance resources (e.g., people, hardware, software, policies) and capabilities in place to manage the defense of the enterprise and to react as the situation changes.” (NIST SP 800-30 R1)
In other words, security posture is the overall security status of an organization, determined by the effectiveness of its security controls taken as a whole. Security posture is established by embedding security controls throughout the asset life cycle and the systems development life cycle (SDLC). An organization takes inventory of its assets, classifies them by business value, selects controls from security control frameworks, and tailors those controls to its business requirements to form the security baseline. The baseline controls are then implemented for certification, assessed for authorization, and monitored for assurance. Changes are managed, and actions are taken to improve the posture continuously.