security metrics, etc. We want to know that we haven’t forgotten anything when we do our job: missing something may increase the risk that a negative outcome could occur. Demonstrativeness is important because most security programs are reviewed by people outside the security department, whether it is internal auditors, external auditors, state or federal regulators, etc. We need to show others what we do and what we’ve done. Checklists are a good way to do both completeness and demonstrativeness at once.
At a very high level, checklists are paper trails of codified procedures. They (should) keep the procedure running smoothly for a given task; we may even say the checklist promotes efficiency. Checklists should not be a substitute for knowledge: they should be a reflection of knowledge. They are the sign posts and mile markers on a highway, but not the highway itself. A checklist maybe akin to a vulnerability scanner. The scanner runs through a defined list of checks and attack techniques: it compliments, but is not a substitute for, human experience and interpretation.
To me, here is the large question about checklists that causes much confusion: can everything be “checklist-afied”? Can everything be quantified put down on paper and turned into a procedure?
Popularity: 2%
