results of these tasks, as reflected by the checklist, help guide us through the risk-reducing, decision-making process in an ordered fashion.
How might security be like an art or a science? Technical auditing may be similar to science. Before us sits an application, a network, a protocol, an algorithm, and we are trying to determine things about it. We hypothesize about it and test our conclusions: How does the application work? What happens if I put this value in this application variable? What happens if I put in a negative number or a thousand A’s? We gather the results of this work, then return with new questions and seek new answers. Some of these methods may be written into a checklist; others cannot, because each step forward depends on the result of the prior steps. (Perhaps a decision tree is possible?)
There are other information security tasks that are not like science at all: business continuity planning, policy writing, architecting identity management solutions, etc. While there is a craft to each of these tasks, one does not often “discover” new knowledge or engage in what one might consider the scientific method while completing them. Checklists are beneficial in each of these “non-scientific” endeavors, as a way of knowing that one has considered all of the relevant points. They help with completeness.
A checklist is not designed to replace human ingenuity. It is designed to help prevent human fallibility.