U.S. Cyber Consequences Unit Cyber-Security Checklist

We have just this week finished the final release version of our cyber-security check list.  A bookmarked pdf copy of it is attached to this e-mail.

This final version takes account of the large number of suggestions that we received after circulating the draft versions.  There were a few additional suggestions that seemed excellent, but that we weren't able to include at this point, because they were either too detailed or too much ahead of current defender and attacker practices.  We intend to do an annual update of the check list, however, so some of the suggestions that were omitted this time will probably be included in the future.

We are now ready for this check list to be posted on any responsible and well-run website that would be interested in posting it.  In fact, since our own website still isn't back up, we are currently relying on other websites to get this check list to cyber-security professionals around the world as soon as possible.

We are exploring the possibilities for developing additional versions of this check list tailored to specific critical infrastructure industries and also the possibility of providing an interactive version in collaboration with another organization.

We are very interested in hearing from people who might want to translate this check list into other languages and who have the technical understanding necessary to do so.

Recent developments in the hacker world are making some of the newer counter-measures described in this check list increasingly urgent.  We have not yet heard what status this check list will be accorded by the relevant government departments, but the earlier drafts were extremely well received by leading cyber-security professionals, both inside and outside government, so we expect this check list will be put into widespread use fairly rapidly.

As far as we know, this is now the most comprehensive and most up-to-date cyber-security check list available.  We hope to maintain this status for the check list by continuing to revise it annually in the light of our own ongoing work and in the light of the further suggestions we receive from other cyber-security practitioners.

We hope this final version of the check list is useful to you and would greatly welcome your comments.

Best wishes,


Scott Borg
Director and Chief Economist
U.S. Cyber Consequences Unit

The U.S. Cyber Consequences Unit is an independent
research group that supplies DHS with information on the consequences
of cyber-attacks and evaluates the cost-effectiveness of
countermeasures. As part of this work, director and chief economist
Scott Borg and research director John Bumgarner began on-site visits to
evaluate systems in critical industry sectors.  Read more about the
U.S. Cyber Consequences Unit here.

You can download the PDF here.


Author: Xavier Ashe

Entrepreneur, Infosec Executive, CISSP, CISM, Ironman triathlete, traveler, UU, paleo, father of 8, goyishe, gamer, & geek. http://linkedin.com/in/xavierashe
