Checklist Risk Management is the practice of using a pre-defined checklist that is produced in bulk, has little customisation, and is pushed to your organisation by a vendor, stakeholder, or customer. These typically arrive as a self-assessment questionnaire with questions such as:
- Do you have a Security Information and Event Management (SIEM) in place?
- Are all computers protected by an Anti-virus System?
- Are all administrator accounts MFA protected?
These audits tend to demand binary responses – yes or no. They assume each control is necessary without asking what risk it is meant to reduce, or how it must be operated to actually reduce it.
Companies faced with such audits or checklists often take superficial actions to improve their answers while neglecting the underlying risks. Consider how answering ‘yes’ to these questions can be misleading, and how a ‘no’ response might still indicate effective risk management. These examples are drawn from real conversations I have had with clients.
Do you have a SIEM in place?
Yes: We have a SIEM system, but it lacks configured rules, regular monitoring, and alert reviews.
No: We haven’t implemented a SIEM system because its cost exceeds our entire IT budget, and it would add little protection for our organisation.
Are all computers protected by an Anti-virus System?
Yes: All computers have an antivirus system, but it’s not centrally managed or monitored, and it doesn’t send alerts to a central location.
No: We have special-purpose computers that don’t connect to any network or external devices.
Are all administrator accounts MFA protected?
Yes: All administrator accounts have MFA, but we lack policies enforcing MFA challenges.
No: We maintain privileged service accounts for legacy programs. The credentials for these accounts are unknown to anyone and are randomly generated when needed for resets, adhering to a policy of maximum length passwords.
This shows how much more nuanced the answers typically are when an organisation has a risk management system in place. It also shows how answering the question at face value may lower the risk exposure on paper while leaving you more exposed in practice: a SIEM with no rules, an antivirus with no central alerting, or MFA that is enrolled but never challenged all earn a ‘yes’ without reducing any risk. It’s crucial to manage the underlying risks effectively, rather than just participating in Checklist Risk Management.
