Widespread electronic attacks on computer systems have become commonplace, with threats ranging from remotely launched attacks on network services to malicious code spread through e-mail. To make matters worse, vulnerabilities in IT products such as operating systems are discovered almost daily. Yet securing today's complex systems and products can be complicated, arduous and time-consuming for even the most experienced system administrator.
While the solutions to IT security are complex, one basic yet effective tool is the security configuration checklist, sometimes called a lockdown or hardening guide. A checklist is a series of instructions for configuring an information technology (IT) product to a baseline or benchmark level of security.
The National Institute of Standards and Technology (NIST), with sponsorship from the Department of Homeland Security (DHS), has developed a program to facilitate the development and sharing of security configuration checklists. The program helps developers make checklists that conform to common operational environments; provides guidelines for making better documented and more usable checklists; provides a managed process for reviewing, updating and maintaining checklists; and includes an easy-to-use repository of checklists.
A new NIST report, Security Configuration Checklists Program for IT Products—Guidance for Checklists Users and Developers (NIST Special Publication 800-70), gives an overview of the NIST Checklist Program, explains how to retrieve checklists from NIST's repository, and provides general information about threats and baseline technical security policies for the associated operational environments. It also describes the policies, procedures and general requirements for checklist developers to participate in the program. The report and other information are available at http://checklists.nist.gov.