Here is a version of the Checklist talk I gave at Secure 360 last year. It was one of my favorite talks I have ever given, made even more so by a great audience including David Mortman and other folks in the trenches I really respect. I worked really hard to make things very simple and real world, with no assumptions along the lines of "and then a guru appears from behind the curtain and fixes everything"; I was targeting strategies that any organization could muster.
In helping clients build these Checklists out, I have observed that it's very difficult for Infosec to build a good one. It's not impossible, but it requires striving for simplicity and an action-oriented, prescriptive "do it this way" approach. However difficult it is, though, it closes an important gap in software development by dealing with some of the complexity.
Excellent presentation and a few good pointers in there. I really agree with your comment that checklists should be simple and clear. In addition, and this is one point that is often overlooked, checklists should assume that the people using them are knowledgeable. In other words, checklists should state /what/ to do, not how to execute each step.
The one problem that I still need to address with using checklists is checks-and-balances. How do I verify that a step is indeed executed in a meaningful way, and not just to check a box?
As I go through iterations of a daily secops checklist, I am getting closer, but I don't think I'm quite there yet.
Posted by: Leune | March 06, 2013 at 06:36 PM
@Leune - thanks. As much as checklists try to make things objective, the checks and balances are a tough one. I think part of the answer is that the checklist should at least:
1) make the division of responsibility for each task more explicit. This resolves one issue, because so many problems result when someone says, "but I thought you were doing that."
2) assign some accountability to others on the team. Security cannot do everything; some tasks should be carried out by other teams.
There is a lot more to this, many subtle issues. I heartily recommend The Checklist Manifesto, which I am sure will spur more thoughts for you in this direction:
http://www.amazon.com/Checklist-Manifesto-How-Things-Right/dp/0312430000
Posted by: gunnar | March 09, 2013 at 12:34 PM