While the solutions to IT security are complex, one basic, yet effective tool is the security configuration checklist, sometimes called a lockdown or hardening guide. Basically, a checklist is a series of instructions for configuring an information technology (IT) product to a baseline or benchmark level of security.
The National Institute of Standards and Technology (NIST), with sponsorship from the Department of Homeland Security (DHS), has developed a program to facilitate the development and sharing of security configuration checklists. The program helps developers make checklists that conform to common operational environments; provides guidelines for making better documented and more usable checklists; provides a managed process for reviewing, updating and maintaining checklists; and includes an easy-to-use repository of checklists.
A new NIST report, Security Configuration Checklists Program for IT Products--Guidance for Checklists Users and Developers (NIST Special Publication 800-70) gives an overview of the NIST Checklist Program, explains how to retrieve checklists from NIST's repository and provides general information about threats and baseline technical security policies for associated operational environments. It also describes the policies, procedures and general requirements for checklist developers to participate in the program. The report and other information is available at http://checklists.nist.gov.