Your Calendar of Security Activities

From Security for Everyone, edition e1.0.0

Updated October 9, 2023

As explained by Laura

Unlike triggered security events that are linked to operational events in our business, security also requires a set of events that happen outside of the core operations and are purely in the security domain. We call these ongoing security activities (or scheduled security activities).

Our ongoing security activities can be laid out as a calendar across the year, with some activities needed more frequently than others. Unsurprisingly, our calendar will contain daily, monthly, quarterly, and annual activities, and may be expanded with more custom intervals that suit your organization’s needs.

important Remember that this ongoing security schedule is the heartbeat of your security operations. These are the basic, recurring tasks that ensure you are prepared for the unexpected and can respond quickly should the unexpected or malicious occur.

Much like any other sort of hygiene routine, get it right and you will have a healthy security program and a good grasp of your evolving risks and how you will respond to them. Neglect your routine and you will find yourself unprepared and in an unhealthy state when problems arise.

Thankfully, creating a great routine doesn’t have to be hard work or something you achieve alone, so before you feel like you have the weight of a huge security schedule on your shoulders, let’s take a look at some strategies for making it more manageable.

Sharing the Load of Ongoing Security Activities

Just because it’s an essential hygiene process, it doesn’t mean our ongoing security activities and calendar should be treated as a background role or given to just one person to manage.

important In fact, one of the most important things you can do is ensure that this ongoing program of activities is shared across the wider team. This reduces the key person risk associated with having just one person in charge of your security program and also reinforces that security is part of the entire team’s responsibility.


confusion Remember that making security a team sport doesn’t just lighten your workload—it’s also good for the overall resilience of your company. Shared responsibility means there are many hands helping and many eyes watching for issues. Not only are you more likely to get more done, but you can respond quicker should bad things happen.

How do you make sure this new team approach to security sticks? One of the biggest hurdles is making sure you keep going. There is a common pitfall when a problem is shared between a group of people where nobody takes ownership. If everyone assumes someone else will do it, often nobody will.

This decrease in ownership and momentum can cause your security efforts to fade over time. Let’s take a look at how we can avoid that and keep your team focused and operating at pace.

How to Maintain Security Momentum

In a rapidly growing company, change is everywhere. It often feels unnatural that something like a calendar would remain steady and predictable in the beautiful chaos of everyday operations. If we’re honest, sometimes these steady and predictable baseline activities can seem less glamorous or important than the fast-evolving processes that add to our revenue or move us towards growth targets.

As a result, we see a predictable decline in security momentum after the first few months or after a security goal (such as certification or compliance) is achieved. After all, who wants to spend all day doing the housework when someone is knocking down a wall and redesigning the kitchen?

Maintaining security momentum is as much about leadership as it is about operations. The importance of security needs to be communicated regularly from the top and related back to the key business objectives such as growth and profitability. Without this leadership first, those charged with security will lose momentum and often find themselves lacking motivation and a clear understanding of why their actions matter to the business.

Once you have a clear leadership message and the team are feeling their value in the context of the organization, remember that all security needs four things to thrive as an ongoing business function:

  • Agency. Your team needs the skills, teamwork, and support to manage their security responsibilities without hindrance.

  • Incentivization. Your team should be incentivized to make changes that improve security, simplify or speed up processes, or otherwise make security easier and more measurable for your business.

  • Acknowledgement. Your team needs acknowledgement, not just when there are security issues, but also when steps forward are made. These acknowledgments should be made in the same channels as other key business acknowledgments. For example, if you acknowledge application security improvements, do it in the same meetings you would acknowledge engineering excellence or meeting project milestones.

  • Accountability. Your team shares responsibility for security and should be acknowledged for the good and held accountable for their performance as they would be in any other part of their role. If they fail to perform or meet their security obligations, they should be accountable and supported to improve.

Review the Calendar as You Grow

When your security calendar is the only thing in your world that is stable and predictable, you may cling to that reassuring schedule as a comforting island of predictability on a chaotic day. However, your calendar shouldn’t be static. As well as reviewing your policies and processes, remember to review your calendar and adapt it as your business changes.

That may mean making some activities more frequent if you feel the risk has increased or adding additional recurring events if your systems, tools, or processes are growing more complicated. Try to look at this review of your ever-growing security practice and calendar as a marker of your growing company and security maturity. It should be something to celebrate—just make sure you make time to do so.

Let’s move on to what your calendar of security events might look like.

Below is a sample set of activities that could make up your company’s ongoing security calendar. These activities are listed by their frequency and against the ISO domain they relate to.

It is very likely that your security calendar will have more actions than this, making it essential that you find ways to manage, share, and schedule these activities.

Example: Calendar of Security Events

Domain / Frequency / Action

Security policy
  Annually
    • Review policy suite and associated documents.

Organization of information security
  Quarterly
    • Review risk register.

Asset management
  Annually
    • Review all assets in the asset register to confirm location and condition.

Human resources security
  Annually
    • Provide role-appropriate security training.

Physical and environmental security
  Monthly
    • Review security camera footage.
  Annually
    • Change access codes for buildings and offices.

Communications and operations management
  Quarterly
    • Review shared documents and revoke access where appropriate.
    • Review communications tools for sensitive data.

Access control
  Quarterly
    • Review all account accesses.
    • Review admin accesses.

Information systems acquisition, development, and maintenance
  Monthly
    • Apply security patches as part of the scheduled patching process.
  Quarterly
    • Conduct vulnerability scan on sensitive networks.
  Annually
    • Review your register of third-party agreements and engagements.
    • Conduct penetration testing of production and key sensitive systems.

Information security incident management
  Daily
    • Review security incident logs and monitoring systems.
  Quarterly
    • Test high-risk and high-likelihood scenarios.
  Every six months
    • Test Incident Response Plan.
  Annually
    • Review Incident Response Plan.
    • Review Incident Response Playbooks.
    • Test systems backups with full restore.

Business continuity management
  Monthly
    • Update critical roles list.
    • Update external contact list.
    • Update critical systems list.
    • Update critical equipment list.
    • Update contingency equipment list.
    • Update critical documents list.
    • Update critical locations list.
    • Update system restore plan.
    • Update plan activation conditions.
  Every six months
    • Test Business Continuity Plan.
    • Test system restore processes.
  Annually
    • Review Business Continuity Plan.
    • Review insurance requirements and policies.
    • Review the “Recovery Point Objective” and “Recovery Time Objective” for all systems.

Compliance
  Annually
    • Compile audit evidence.
    • Complete audit activities as per regulatory or compliance requirements.

confusion While this table may seem overwhelming, remember that not everything applies to every company and not all activities need to be kicked off straight away. The idea is to know what you should be doing and make a plan towards getting there. If you get as far as making your calendar but can’t tick off all the items on day one, don’t despair. It’s better to know what you should be doing (but aren’t) than to have an empty calendar and a false sense of security.
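One way to manage, share, and schedule the calendar above is to record each activity with its frequency, an accountable owner, and the date it was last completed, then report what is overdue or has never been done. This is an added example, not code from the book; the owners, dates, and the day-count approximation of each frequency are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Assumed interval for each frequency used in the calendar (calendar days;
# "Monthly" is approximated as 30 days, "Quarterly" as 91, and so on).
INTERVAL_DAYS = {
    "Daily": 1,
    "Monthly": 30,
    "Quarterly": 91,
    "Every six months": 182,
    "Annually": 365,
}

@dataclass
class Activity:
    domain: str
    frequency: str
    action: str
    owner: str                 # team member accountable for this item
    last_done: Optional[date]  # None means it has never been completed

def next_due(activity: Activity) -> Optional[date]:
    """Date the activity is next due, or None if it has never been done."""
    if activity.last_done is None:
        return None
    return activity.last_done + timedelta(days=INTERVAL_DAYS[activity.frequency])

def overdue(activities: List[Activity], today: date) -> List[Tuple[Activity, Optional[int]]]:
    """Items past their due date (with days overdue) or never done (days = None)."""
    result = []
    for a in activities:
        due = next_due(a)
        if due is None:
            result.append((a, None))
        elif due < today:
            result.append((a, (today - due).days))
    return result

# Constructed sample: three rows from the calendar with made-up owners and dates.
SAMPLE = [
    Activity("Information security incident management", "Daily",
             "Review security incident logs and monitoring systems.", "SOC on-call", date(2023, 10, 8)),
    Activity("Access control", "Quarterly", "Review admin accesses.", "IT lead", date(2023, 5, 1)),
    Activity("Security policy", "Annually", "Review policy suite and associated documents.", "CISO", None),
]

if __name__ == "__main__":
    for a, days in overdue(SAMPLE, date(2023, 10, 9)):
        status = "never done" if days is None else f"{days} days overdue"
        print(f"{a.owner:12} {a.frequency:18} {a.action}  ({status})")
```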

Keeping track of your ongoing security activities is a great way to scope out your security program and monitor how many people and tools will be needed to get it done. It also helps create a predictable, clean security baseline for your organization—something that will be very useful to you in our next chapter, as we take a look at how you can prepare for security incidents and disasters.

Incident Response

As explained by Laura

It’s a cliche, but a lot of what we do in security is try to avoid bad things happening and prepare to respond if they do. It’s a profession of pessimists, and our pessimism and preparation are what makes the difference between a fast, smooth recovery and a prolonged, public crisis.

Let’s take a look at the two categories of “bad things” that typically affect our organizations—incidents and disasters—how they differ, and how we prepare for them. Think of this less like creating a bug-out bag and embracing survivalism, and more like having a plan for when the fire alarm goes off.
