Checkbox Security – A Wolf in Sheep’s Clothing

I like checkboxes. When I go camping I make sure all items needed are staged in the garage and checked off my list before being loaded in the back of my truck. The same goes for when I travel for business–I lay out all my clothes, toiletries, etc. and then as each goes in my suitcase, I can ensure nothing is left behind (as I have done in the past).

Some information security practitioners also utilize checkboxes; it seems they are useful when discussing regulations and/or standards especially when talking with auditors. Do you have a security program in place? Check. Do you have a firewall? Check. Do you have a password policy? Check.

Take pretty much any regulation or standard and a list of requirements (on a checkbox form) can easily be generated. But having a checkbox list for security in and of itself does nothing to ensure that you are secure. In fact it can, and often does, lead to a false sense of security, because what matters is the real detail of how efficient and effective each security measure is–not merely whether you have one.

Your organization may have the best firewall in the world, but if it is configured incorrectly it is worthless. Your password policy (another checkbox) that requires only 4-character passwords and allows admin passwords to never expire is similarly worthless. Check the signature on your security program documents–is that executive still in that position, or even with the company? Was the last update to the documents two administrations ago…you get the point. A common maxim is that “the devil is in the details,” and it is certainly true in this case.

Don’t get me wrong…checkboxes are useful, but only if they are the top page in a binder of actual details for each area/domain being addressed. Checklists can also be useful as reporting tools, but not as a mere paper exercise to satisfy upper management. Only after your firewall is implemented, configured, tested, reviewed and documented should you be allowed to place a checkmark in the appropriate box. The same should be said for all security-related functions, including policies and procedures.