What should a medium-sized business establish to enforce minimum security controls across all network devices?

The most appropriate choice for a medium-sized business aiming to enforce minimum security controls across all network devices is to establish network security baselines. Security baselines provide a standardized set of security configurations and controls that network devices should adhere to. This helps ensure consistency in security posture across the entire organization and allows for more effective management of vulnerabilities and threats.

By implementing network security baselines, a business can establish clear expectations for how devices should be secured, which facilitates compliance with industry standards and regulations. Moreover, it enables the company to assess and audit devices against these baselines, thereby identifying any deviations that require corrective action.

While security awareness training, incident response plans, and regular penetration testing are all important components of a comprehensive security strategy, they serve different purposes. Security awareness training focuses on educating employees about security best practices, incident response plans outline how to handle security incidents, and regular penetration testing is a method for identifying vulnerabilities in systems. However, none of these directly establish the fundamental controls needed across all devices like network security baselines do.