Security's Everyman

Monday, January 22, 2007

The Value of Best Practices

Update: I'm unofficially changing the title of this post to "The Value of Checklists". I originally wrote this at about 5:00 am this morning; the words "best practices" were in Dr. Anton's post, and the morning fog carried them over to my title. Thanks to Mike for pointing out that checklists and best practices are not the same thing.

Dr. Anton and Ross Brown talk about the benefits of just plain good security over just following the checklist to be compliant or just for the sake of doing something. I couldn't agree more, but we have to be careful that our desire to see people practice good security doesn't discourage them from doing something that can help secure our networks. Checklists do have a place in security. They remind us of things that we need to do each and every day. Without them we will get caught up in the fires and emergencies of each day and overlook something that may be happening that needs our attention. They also keep us accountable to do a good job. Security professionals need accountability to management and users to show that we are doing our job. It's easy to say that we do our jobs because if we didn't then there would be lots of problems, but that doesn't always fly with management. As much as I dislike checklists, they do have their place and we need to encourage their use. Not as proof that we are secure, and surely not as the "key" to being secure, but to help us remember the little things that we often forget and to keep us aware of all that we have to do to have a secure environment.

1 comment:

Ross Brown said...


Abso-fricken-lootly checklists are needed. In my private life, I am a pilot and I would never think of turning the engine over without my kneeboard and checklist. It's a core discipline, but it can't be the only discipline - at some point, looking out the window and applying creative reasoning helps a lot!

This work is licensed under a Creative Commons Attribution-NC-SA 3.0.