​

EXECUTIVES are increasingly expected to know and take responsibility for their companies’ IT security, particularly if there is a data breach of customer or sensitive financial information. A new checklist being drafted by the United States Cyber Consequences Unit (US-CCU), a research unit funded by the Department of Homeland Security, provides business managers with a tool that makes this task simpler.

John Bumgarner, research director for security technology with the US-CCU, says that the idea for the checklist evolved because, despite the number of industry-specific guidances (such as Sarbanes-Oxley and ISO standards), there was nothing aimed at nontechnical managers. He and the unit’s director, Scott Borg, a senior research fellow at Dartmouth University’s Tuck School of Business, spent a year putting together nearly 500 questions that require no deep understanding of technology to help nontechnical executives assess whether they have adequate IT security.

“We wrote it from the business angle,” says Bumgarner, so that it could be used in any business unit, from physical security to human resources. “We looked at it from a business standpoint and broke down an organization’s IT infrastructure into business components.”

The questions fall in six areas of vulnerabilities: hardware, software, network, automation, human operator, and software supply. These are further broken down into subsets, so that, for example, hardware vulnerabilities include tracking and guarding physical equipment, protecting communication lines, and controlling physical access.

Questions, even those that target technical subjects like networks, are at a high level rather than intricately detailed. This allows executives to ask the right questions while leaving it to the technical professionals to consider the answers. Example questions include: Is network traffic regularly monitored for covert communication channels? Do corporate policies define what type of data communication should be encrypted, and what type of encryption should be used? Are penetration scans regularly performed on critical systems inside the corporate network?

Mike Jacobs, vice president and director, cyber and national security, with IT integrator SRA International, gives the list kudos. “It’s the only list I’ve seen of its type that is that comprehensive,” he says. “It’s put together in a way that’s both readable and understandable, in clear and unambiguous terms,” unlike other checklists “written by techies for techies” that are all but undecipherable by nontechnical executives, says Jacobs, who is former head of the National Security Agency’s information assurance directorate.

Bumgarner says that they received comments and suggestions from security professionals throughout the private and public sectors, and that they are adding some new questions based on the feedback they’ve gotten. Jacobs says he plans on suggesting that updated versions of the list include questions on antitampering technology, which is software that alarms when an attacker tries to alter it and then automatically corrects any changes made.

The checklist will remain a living document, updated annually or biannually. “A lot of lists are stagnant,” says Bumgarner. “That’s a problem because the IT community moves on, and so does the business community.”