Security checklists often get bad press, particularly when it comes to compliance. The question "What must I do to comply with a standard?" often becomes "What is the minimum I can do to be in compliance?", which can lead to system administrators ticking off a checklist of the minimum compliance requirements rather than focusing on implementing robust security.
Checklists can play an important role in security, when they’re used as reminders to ensure security tasks are not overlooked, incidents are being investigated and policies are being followed and kept up to date.
I do think checklists can play an important role in security, when they’re used as reminders to ensure security tasks are not overlooked, incidents are being investigated and policies are being followed and kept up to date. In large organisations, it’s easy for certain tasks to fall between the cracks, everyone assuming somebody else is taking care of it.
Updating contingency plans when key employees leave or new clients are taken on is a common example: Is someone in HR or sales responsible for notifying the head of business continuity? In small organisations, infrequent tasks are easily forgotten. I had a client recently whose company had a member of staff resign for the first time in three years. They’d completely forgotten many of the security-related tasks this event should trigger, such as updating contingency plans and reassigning security roles.
I recommend all of my clients have a weekly meeting of their information security forum, and I provide them with a checklist to use as an agenda. The forum consists of senior representatives from each area of the business, and the checklist covers tasks I draw from their security policies that are triggered by certain events. Most have fewer than 20 events to check, and each includes references to the relevant IT security processes, policies and procedures should action be required.
So, for example, every checklist for each information security discussion asks whether any new IT equipment has been installed since the last meeting. If so, it reminds them that the asset register needs to be updated, along with the business contingency plan. Also, the asset owner needs to create or update any relevant work instructions, and the network manager needs to update any relevant network diagrams. Other events that should be on the list include changes to personnel and personnel roles, new clients and suppliers, reported security incidents and non-conformities, significant new threats, and plans to change the network infrastructure.
By simply asking these questions once a week, you will stop important checks and tasks from being forgotten or left uncompleted. Any areas that haven’t been properly dealt with can be logged and carried over to the next week’s meeting to ensure they are closed out. These simple checks don’t take long to go through, as most weeks no action is required, but they do ensure necessary tasks are not overlooked, which is essential to keep security controls up to date and effective.
Information security forum meetings are also a good opportunity to calendar in various tasks, such as internal audits and reviews of operational conformance, the testing of contingency plans, and reviews of the appropriateness of assigned access rights. They can also facilitate discussion of any new significant threats and the effectiveness of current security controls against them.
About the author:
Michael Cobb, CISSP-ISSAP, CLAS is a renowned security author with more than 15 years of experience in the IT industry. He is the founder and managing director of Cobweb Applications, a consultancy that provides data security services delivering ISO 27001 solutions. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications.Cobb serves as SearchSecurity.com’s contributing expert for application and platform security topics, and has been a featured guest instructor for several of SearchSecurity.com’s Security School lessons.
This was first published in October 2011