I can see the reasoning behind why doctors would object to check-lists, but it makes me wonder why so many corporate IT departments, sysadmins, programmers and so on resist “security check-lists”.
I always used check-lists as a programmer, sysadmin, and in most of my managerial roles where it was appropriate. Yes, I got laughed at for it, and usually mis-quoted Winnie-the-Pooh — “I’m a bear of very little brain and remembering things confuses me”.
I’ve discussed the role of check-lists for an auditor in many forums before.
They are valuable, but as Gary and I agree, downloading them from the ’Net and applying them willy-nilly is WRONG! Their purpose is to ensure you did do everything you meant to do, as aide-memoires when you get distracted or sidetracked.
But given that SANS has many “Top XXX” lists showing security issues that need to be addressed, why do they persist year after year? Why is there the resistance to the same problems, SQL injection, XSS, buffer overflow (those three account for about 50% of the 2008/9 CVE data) and so forth? Visit http://cwe.mitre.org/ and look at how the same flaws keep recurring.
Take a look at http://www.veracode.com/resources/sans-top-25-webcast.html and look at the slide #12. Only one of those (downloading) isn’t “education”, which means “awareness”, which means it could be dealt with by means of a check-list.
“Automation” you say? Well, yes, such tools are valuable, just like compilers that generate correct “jumps” as an alternative to hand-coded assembler. But running the tools needs to be on the check-list, doesn’t it?
Isn’t a make script which ensures all the files get compiled and linked a ‘check-list’ of sorts?
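As an added illustration of the point made in the last two paragraphs (it is not part of the original comment), here is a minimal POSIX sh "security check-list" runner. Each item is a shell function, the runner records which items actually ran and whether they passed, and the report is the aide-memoire: you cannot tick an item you never executed. The sample source file is constructed for the demo, and the two grep-based checks (one for the unbounded string functions behind the buffer-overflow class the comment mentions, one for hard-coded credential literals) are stand-ins for the real tools you would put on the list.

```shell
# Added example, not code from the original comment. A tiny check-list runner:
# every item is a function, and the runner prints one PASS/FAIL line per item
# plus a FAILURES count, so "did the tool actually run?" is answered by the log.

SAMPLE_SRC="${TMPDIR:-/tmp}/checklist_sample.c"

# Constructed sample source: strcpy into a fixed buffer, the classic overflow pattern.
write_sample() {
    cat > "$SAMPLE_SRC" <<'EOF'
#include <stdio.h>
#include <string.h>
int main(void) { char buf[16]; strcpy(buf, "hello"); puts(buf); return 0; }
EOF
}

# Item 1: no unbounded string functions. Passes (exit 0) only if none are found.
step_banned_functions() {
    ! grep -Eq '(strcpy|strcat|gets|sprintf)[[:space:]]*\(' "$SAMPLE_SRC"
}

# Item 2: no hard-coded credential literals. Passes only if none are found.
step_no_hardcoded_secrets() {
    ! grep -Eiq '(password|secret|api_key)[[:space:]]*=[[:space:]]*"' "$SAMPLE_SRC"
}

# Run every named item in order, print "PASS name" / "FAIL name" per item and a
# final "FAILURES n" line. Always returns 0 so the caller can inspect the report.
run_checklist() {
    failures=0
    for item in "$@"; do
        if "$item"; then
            echo "PASS $item"
        else
            echo "FAIL $item"
            failures=$((failures + 1))
        fi
    done
    echo "FAILURES $failures"
    return 0
}

# Extract the failure count from a report read on stdin.
count_failures() {
    sed -n 's/^FAILURES //p'
}

write_sample
run_checklist step_banned_functions step_no_hardcoded_secrets
```

In a make-based build, the equivalent is a target such as `check` that the default target depends on, so the analysis tools run on every build rather than when someone remembers them; the runner above is the same idea without make.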