An almost universal truth in small to mid-sized enterprise environments is that IT and security departments are small and carry a wide array of responsibilities. In regulated industries, those responsibilities include supporting or enforcing compliance with a variety of state, federal, industry, or market-driven standards, as well as contractual obligations. Many of these carry audit and reporting requirements that place additional burdens on an already busy security team. Following a compliance calendar lets your team meet these requirements and maintain a state of audit preparedness more effectively.
Benefits of Proactive Security Management
Using a compliance calendar for your enterprise facilitates proactive security management. A consistent schedule lets your security team plan ahead for better resource allocation and drive and monitor reporting and compliance tasks throughout the year. Proactively managing compliance with regulatory requirements strengthens your overall cybersecurity effort, raises awareness of cybersecurity and regulatory issues within the company, and increases support and participation from key stakeholders outside of IT.
Ultimately, your team will be able to document and maintain a state of audit preparedness: operational readiness is maintained on a documented schedule, backed by an organized collection of artifacts that can support an audit at any time.
How to Establish Your Compliance Calendar
First, your security personnel should consult with key leaders throughout the enterprise to create a consolidated list of the standards, regulations, and contractual obligations the company must comply with. The next steps are to identify the reporting requirements common to each of them and to determine an appropriate internal cadence for measurement and reporting.
Once the cadence has been established, the dates should be added to a calendaring or planning application. Each deadline should be entered as a repeating event, with alerts set to remind the responsible parties ahead of the due date. The resulting calendar should be consulted frequently and used to ensure that security and compliance tasks are completed on time.
Recommended Intervals
Many of the standards require documented evidence of management-level communications and directives, risk and vulnerability assessments, policy updates, and internal audit processes. Keep in mind that many of the more time-consuming audit and assessment tasks can be managed more effectively if broken into sets of smaller tasks.
Weekly Tasks should include analysis of security logs from critical information systems. Typically, this review focuses on common indicators of compromise such as login failures, malware reports, and similar events. Other typical weekly tasks include vulnerability scans of your internal network segments. Tickets should be generated to track remediation efforts through to their successful conclusion.
Monthly Tasks, including phishing tests and reviews of SIEM reports, should likewise generate tickets to cover any resulting training or investigative activities.
Quarterly Tasks should be spread across the quarter to reduce the impact on overall workloads. Audits, risk assessments, and committee meetings should be scheduled at sufficient intervals throughout the quarter to ensure consistent measurement and management of risks, and documented communications to management and key personnel.
A few tasks are best handled on a Semi-Annual basis. Audits of access rights and network traffic are required by the majority of current security standards. Updating standard configurations and VM images at this interval also strengthens corporate security.
Finally, there are a few items that are usually scheduled Annually. These include testing and updating Incident Response and Disaster Recovery plans, training, and managing third-party assessments and remediation efforts. These, along with policy updates, should be distributed throughout the year as well.
Compliance Binders and Automation
A compliance binder is a core element of any successful compliance program. It serves as a structured repository of policies, procedures, standards, and artifacts from audits and other compliance activities. Output from scripted processes and alerts from ticketing systems should be forwarded to SharePoint or designated mailboxes so that evidence is collected and stored automatically.
Following the Process
Following a predetermined schedule for the tasks listed above enables security and compliance operations to run more effectively. Keeping to the calendar has a significant positive impact on your overall security posture and puts the company in a state of audit preparedness. Long-term advantages include a stronger culture of security within the enterprise and additional management support for security initiatives, driven by increased participation in the security management process.
Getting Started
Even though policies, procedures, and routines may not be well established now, it doesn’t take long to change that reality. Start today by holding that first meeting to form a committee, identify the applicable standards, and develop the initial cadence. Changing how your organization manages compliance now will ensure that IT and security operations are ready for the future.
Sample Security & Compliance Management Calendar

Weekly and monthly tasks (right-hand column) recur throughout the year; the quarterly, semi-annual (H1/H2), and annual tasks are spread across the months shown.

Q1

| January | February | March | Weekly |
|---|---|---|---|
| H1 Access Rights Audit | Q1 Security Committee Meeting | Q1 Asset Audit | Log Analysis |
| H1 MFA Token Audit | Q1 Password Strength Audit | Q1 SIEM/syslog Config Audit | Vulnerability Scans |
| H1 Network Traffic Audit | Q1 Risk Assessment | Q1 Board Presentation | |
| Annual Incident Response Test | Annual Disaster Recovery Test | Q1 DNS Config Audit | |
| Q1 Config Audit – Network | Q1 Policy Review | | |

Q2

| April | May | June | Monthly |
|---|---|---|---|
| Annual Data Retention Audit | Q2 Security Committee Meeting | Q2 Asset Audit | SIEM Report Review |
| H1 OS Template Image Update | Q2 Password Strength Audit | Q2 SIEM/syslog Config Audit | Phishing Tests |
| Q2 Config Audit | Q2 Risk Assessment | Q2 Board Presentation | |
| | Q2 Policy Review | Q2 DNS Config Audit | |

Q3

| July | August | September |
|---|---|---|
| H2 Access Rights Audit | Q3 Security Committee Meeting | Q3 Asset Audit |
| H2 MFA Token Audit | Q3 Password Strength Audit | Q3 SIEM/syslog Config Audit |
| H2 Network Traffic Audit | Annual Comprehensive Vulnerability Assessment | Q3 Board Presentation |
| Annual Incident Response Training | Q3 Risk Assessment | Annual Board Report: Vulnerability Test & Remediation |
| Q3 Config Audit | Annual Disaster Recovery Training | Q3 DNS Config Audit |
| | Q3 Policy Review | |

Q4

| October | November | December |
|---|---|---|
| Q4 Config Audit | Q4 Security Committee Meeting | Q4 Asset Audit |
| H2 OS Template Image Update | Q4 Password Strength Audit | Q4 SIEM/syslog Config Audit |
| Annual Security Exemption Review | Q4 Risk Assessment | Q4 Board Presentation |
| Q4 Policy Review | Q4 DNS Config Audit | |
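As an added example (not code from the article), the following Python script turns a schedule like the one above into an iCalendar (RFC 5545) feed that any calendaring application can import: each task becomes a repeating event with an RRULE for its cadence and a VALARM that alerts the responsible party a set number of days before the due date. The task list, dates, and the UID domain are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Task:
    name: str
    first_due: date       # first occurrence; the RRULE repeats it from there
    interval_months: int  # 0 = weekly, 1 = monthly, 3 = quarterly, 6 = semi-annual, 12 = annual
    remind_days: int      # alert the responsible party this many days before the due date

def rrule(task: Task) -> str:
    """Map the cadence onto an RFC 5545 RRULE so one entry covers every future occurrence."""
    if task.interval_months == 0:
        return f"FREQ=WEEKLY;BYDAY={task.first_due.strftime('%a')[:2].upper()}"
    return f"FREQ=MONTHLY;INTERVAL={task.interval_months};BYMONTHDAY={task.first_due.day}"

def vevent(task: Task) -> list[str]:
    """One all-day VEVENT with a DISPLAY alarm that fires before the due date."""
    uid = task.name.lower().replace(" ", "-") + "@compliance-calendar.example"  # assumed domain
    return [
        "BEGIN:VEVENT",
        f"UID:{uid}",
        f"DTSTART;VALUE=DATE:{task.first_due:%Y%m%d}",
        f"SUMMARY:{task.name}",
        f"RRULE:{rrule(task)}",
        "BEGIN:VALARM",
        "ACTION:DISPLAY",
        f"DESCRIPTION:{task.name} due in {task.remind_days} days",
        f"TRIGGER:-P{task.remind_days}D",
        "END:VALARM",
        "END:VEVENT",
    ]

def build_ics(tasks: list[Task]) -> str:
    """Assemble a complete VCALENDAR; RFC 5545 requires CRLF line endings."""
    lines = ["BEGIN:VCALENDAR", "VERSION:2.0", "PRODID:-//example//compliance-calendar//EN"]
    for task in tasks:
        lines += vevent(task)
    lines.append("END:VCALENDAR")
    return "\r\n".join(lines) + "\r\n"

# Constructed sample following the intervals in the calendar above (dates are assumed).
SAMPLE_TASKS = [
    Task("Log Analysis", date(2024, 1, 8), 0, 1),                      # weekly, every Monday
    Task("SIEM Report Review", date(2024, 1, 15), 1, 3),               # monthly
    Task("Quarterly Risk Assessment", date(2024, 2, 1), 3, 14),        # quarterly
    Task("H1 Access Rights Audit", date(2024, 1, 10), 6, 14),          # semi-annual
    Task("Annual Incident Response Test", date(2024, 3, 1), 12, 30),   # annual
]
```

Writing `build_ics(SAMPLE_TASKS)` to a `.ics` file and importing it gives every responsible party the repeating events and reminders the process above calls for, with one entry per task rather than one per occurrence.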