August 2006 - IT Security Checklist Developed to Help Business Managers

In an effort to update outdated security checklists that, researchers say, have left gaping holes in the cyber defenses of critical infrastructures, the United States Cyber Consequences Unit (US-CCU), a research group funded by the Department of Homeland Security, has developed an IT security checklist to help business managers assess their companies’ cyber-security. Entitled the US-CCU Cyber-Security Check List, the checklist is a result of onsite visits and interviews with personnel in the electric-power and health care industries, and is an attempt to focus security efforts on real-world consequences of security breaches.

The list includes 478 questions relating to cyber-security attacks in 16 attack venues in six areas of vulnerability:

• Hardware: Physical equipment, physical environment and physical byproducts.
• Software access: Identity authentication, application privileges, input validation and appropriate behavior patterns.
• Network: Permanent connections, intermittent connections and network maintenance.
• Automation: Remote sensors and control systems and backup procedures.
• Human operator: Security training and accountability.
• Software supply: Internal policies for software development and policies for dealing with vendors.

John Bumgarner, research director for security technology with the US-CCU, says that the idea for the checklist evolved because, despite the number of industry-specific guidances (such as Sarbanes-Oxley and ISO standards), there was nothing aimed at non-technical managers. US-CCU spent a year putting together nearly 500 questions that require no deep understanding of technology to help non-technical executives assess whether they have adequate IT security.

The final draft of the document is available at http://portal.etsi.org/docbox/workshop/gsc11/GSC11_GTSC4/gsc11_gtsc4_32a1%20US-CCU%20Cybersecurity%20Checklist-%20Final%20Draft.pdf.

COPYRIGHT ©2005, ISO Services Properties, Inc.

The information contained in this publication was obtained from sources believed to be reliable. ISO Services Properties, Inc., its companies and employees make no guarantee of results and assume no liability in connection with either the information herein contained or the safety suggestions herein made. Moreover, it cannot be assumed that every acceptable safety procedure is contained herein or that abnormal or unusual circumstances may not warrant or require further or additional procedure.