In Praise of the Information Security Checklist

There is much anger and venom spat when the subject of the information security checklist is brought up. At one point in my career I looked at the checklist with disdain, figuring that only people who do not understand the true depths of a subject relied on checklists as a crutch in place of knowledge. Since then I’ve had a change of heart. I admit freely that there are people who use checklists as a crutch, but to me, this is not the ultimate purpose of a checklist.

How are checklists used by information security professionals? First, they may be used by individuals to check the state of security against an ideal configuration or a corporate/government policy. Essentially, this use of a checklist is for audit purposes. Second, checklists may be used by the staff to show what happens in the department on a daily, weekly or monthly basis. This checklist is often referred to as the “daily checklist” of security tasks. It basically shows the framework and methodology of the department. Finally, a checklist may be used to teach others what to do for a given subject matter. One may think of the OWASP Top Ten or the SANS Top 20 as checklists that instruct professionals on what to be aware of and review in their information security program.

The value of the checklist is derived from two concepts: completeness and demonstrativeness. Completeness is important because we do not want gaps in our program that may increase our exposure, whether that exposure be legal, compliance, soundness of security settings, thoroughness of reviewing
