It’s not unusual to encounter an organization that is using practical knowledge, a.k.a. tribal knowledge, to operate. Practical knowledge is what each individual professional knows in practice and is able to perform, but isn't really documented anywhere. It may be about how hardware is configured, how applications are designed, or in some cases, it involves information about historical decisions. The issue with tribal knowledge is that it disappears from an organization when people move on.
Relying on practical knowledge to keep your cybersecurity program on track can be catastrophic. Instead you need to build institutional knowledge. Institutional knowledge, also known as institutional memory, is based on what is documented. Those documents are created, understood, and used by team members to perform their duties. They are also used to train new workforce members, to recover from disaster events, and to provide a living history of the organization’s progress over time. Since this knowledge exists outside the understanding and experience of individuals, it remains part of the organization when people move on.
Checklists are a great way to move from practical knowledge to institutional knowledge. Here are some checklists you should consider implementing to ensure that your cybersecurity program stays on track.
Daily Cybersecurity Program Checklists
There are certain tasks that should be completed every day, and having a checklist for all of these tasks can help ensure that they get done. It’s a way to administratively enforce that the daily tasks necessary for the organization are being executed.
Your daily checklists should include all the core technical items that are required to protect your organization. For example, checking that system alerts are working, that backup processes were completed, and that automated updates of signatures in your antivirus were successful. The checklists should also include checking threat intelligence feeds and distributing alerts as needed. Other daily tasks can be added based on business priorities.
Completing your daily checklists is your confirmation that the work has been done and helps you track how much time it took you to perform it.
Weekly Cybersecurity Program Checklists
Your weekly checklists can include those tasks that are easier to do in small and consistent batches rather than all at once. For example, if you have hundreds of systems to perform vulnerability scans on, it can be more efficient to separate them into groups of 50. Limiting vulnerability scans to only 50 machines per week can make looking at results, then identifying and mitigating any vulnerabilities found, much easier. If you have your vulnerability scanning procedure documented as a checklist, you will make sure that you're consistent in what you're doing and that vulnerabilities are being taken care of. You can ensure that the work is getting done.
Other weekly checklists could include checking for updates on systems or applications that don’t have regularly scheduled or published updates (e.g. non-Adobe products). Checking peer forums to keep up-to-date on what’s going on in your sector every week is advisable. And again, based on your business priorities, determine what other tasks must be accomplished every week to keep you on track.
Monthly Cybersecurity Program Checklists
Monthly checklists are typically used for tasks that are more complicated and time consuming, but need to be done on a consistent basis. An example here is system configuration checks. It can take a long time to validate that your systems are still configured the way they're supposed to be. If you've got a lot of systems, you may want to inspect 10% of those systems on a monthly basis to validate their configurations.
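The batching described in the weekly and monthly sections (groups of 50 hosts per week, 10% of systems per month) only works if the same host is not picked twice while another is never picked, and if you can later prove when each host was last covered. The script below is an added example, not part of the original post: it rotates a constructed inventory through stable batches and flags hosts whose last recorded completion is older than an allowed age. The epoch date, host names and completion log are all constructed assumptions.

```python
from datetime import date
from math import ceil

# Constructed anchor date: week numbering counts from here so the rotation
# never resets at a year boundary the way ISO week numbers do.
ROTATION_EPOCH = date(2024, 1, 1)

def as_date(value):
    """Accept a date or an ISO-8601 string such as '2024-01-15' (log entries are usually strings)."""
    return value if isinstance(value, date) else date.fromisoformat(value)

def rotation_batches(hosts, batch_size):
    """Split a de-duplicated, sorted inventory into fixed batches so membership is stable across periods."""
    if batch_size < 1:
        raise ValueError("batch_size must be at least 1")
    ordered = sorted(set(hosts))
    return [ordered[i:i + batch_size] for i in range(0, len(ordered), batch_size)]

def batch_for_period(hosts, batch_size, period_index):
    """Batch due in a given period; wraps around so every host recurs every ceil(N/batch_size) periods."""
    batches = rotation_batches(hosts, batch_size)
    return batches[period_index % len(batches)] if batches else []

def weekly_scan_batch(hosts, on, batch_size=50):
    """Weekly vulnerability-scan batch (the 'groups of 50' from the weekly checklist)."""
    week_index = (as_date(on) - ROTATION_EPOCH).days // 7
    return batch_for_period(hosts, batch_size, week_index)

def monthly_config_batch(hosts, on, fraction=0.10):
    """Monthly configuration-check sample (the '10% of systems' from the monthly checklist)."""
    on = as_date(on)
    size = max(1, ceil(len(set(hosts)) * fraction))
    return batch_for_period(hosts, size, on.year * 12 + on.month - 1)

def stale_hosts(hosts, completion_log, on, max_age_days):
    """Hosts with no checklist completion in the last max_age_days: the gap an auditor would ask about."""
    on = as_date(on)
    last_done = {}
    for host, when in completion_log:
        when = as_date(when)
        if host not in last_done or when > last_done[host]:
            last_done[host] = when
    return sorted(h for h in set(hosts)
                  if h not in last_done or (on - last_done[h]).days > max_age_days)

if __name__ == "__main__":
    inventory = [f"srv-{n:03d}" for n in range(1, 121)]  # constructed 120-host inventory
    print("week of 2024-01-15:", weekly_scan_batch(inventory, "2024-01-15"))
    print("Jan 2024 config sample:", monthly_config_batch(inventory, "2024-01-01"))
```

Feeding `stale_hosts` the completion dates recorded on your signed-off checklists turns the paper trail into a coverage report you can hand to an auditor.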
Monthly checklists can also be used for testing system restore, including spinning up a replacement virtual machine for application servers or restoring a database from backup.
You can also include the tasks that need to be performed annually, but you want to make some progress on each month. For example, policy review can be divided up so it’s completed in 12 months and you tackle one slice each month.
Other Cybersecurity Program Checklists
There are a host of emergency procedure checklists that you should have available. These are important because your ability to respond, and to do things correctly and securely, is paramount to cyber resilience. Since these checklists are not used frequently, we highly recommend that you practice and test them on a consistent basis to ensure the processes are working.
These checklists may include:
- Emergency procedures for shutting down network segments;
- Adverse termination of system administrators;
- Annual Disaster Recovery preparation;
- Build-out of a new network closet; and
- Standing up a new virtual host.
There are also many basic operational checklists that you should make available. Examples include:
- VM imaging;
- System hardening;
- Configuration standard updating;
- Application system build;
- Database system build; and
- Security configuration standards updating.
You may be performing these tasks every quarter, every day, or every week, but a checklist will help you be consistent about these activities, as well as provide you with a historical, auditable record of critical cybersecurity activities. These are the kinds of checklists that keep you out of trouble because everyone has agreed on how something should be configured, how something should be hardened, or how something needs to be built. The checklist is your confirmation of what was actually done and ensures it can be repeated.