My answer: No! Unfortunately, not everything can be made into a checklist, although much of it can. A general and common body of knowledge (to borrow some CISSP terminology) can be listed, but it is the knowledge outside that common body that cannot be easily transferred. For example, tracing parameters for SQL injection may be an easy checklist item, but knowing that the logic for transferring money between bank accounts owned by the same person is flawed may not be. Experience is what gives one expertise: it brings these outside knowledge elements into the common body within the mind of the expert. Unfortunately, these outside elements may not be translatable from the expert’s mind onto paper (at least not in a format as concise as a checklist).
An information security program is less about discovery (science and art) and more about the reduction of risk through procedure. In 1999, I first learned this lesson while reading O’Reilly’s Computer Security Basics (1st edition). The authors write:
Secure system planning and administration is the human side of computer security. Even in a highly trusted system, security isn’t automatic. Administrators need a written guideline, spelled out beforehand, that clearly outlines what steps to take and what procedures to follow in the pursuit of security.
From a CISO’s perspective, checklists are one of many managerial tools that help in one’s quest for completeness and demonstrability. Checklists provide an ordered way to accomplish defined and repetitive tasks. The
