23Aug

Importance of Managing Recurring Tasks

Recurring Tasks, as the name implies, are tasks that happen over and over again on a regular basis. Managing Recurring Tasks is an important element in any cybersecurity program. For those in regulated industries, successfully achieving and maintaining compliance requires continuous task management and review.  This ensures performance of control requirements, as well as the documentation of evidence that these controls are functioning for the annual assessment.

 

Again, Recurring Tasks are a requirement for really all compliance structures. Ensuring that certain activities, controls, occur at a predetermined frequency ensures that you are not operating in a “set it and forget it” control environment. Most of us have experienced what happens when things are left unchecked and undocumente4d for longer periods of time.

 

Recurring Tasks are similar to scheduled car maintenance. In many ways, a security program should have a set of different Recurring Tasks (and associated checklists) that occur at specified recurring intervals. Your car needs an oil change every 5,000 miles and the service will usually include multiple point inspections too, like checks on fluids, hoses, wipers, filters, and brakes. At 10,000 miles, tires need to be rotated, brakes need to be inspected, wiper blades and filters need to be changed. While some of these items were checked in the more frequent service intervals, they also likely require replacement after some use. At an expanded frequency check, brake shoes and tires will need to be replaced, and eventually the rotors and other parts require inspection and replacement due to wear and tear.

 

Likewise, a security program has specified activities that are part of ensuring the control is operating as designed and producing the expected result. Let’s go through three examples:

 

  1. A typical firewall rule review should occur every quarter. The review looks for new rules (since last time), excessively permissive rules, and other potential issues that have cropped up since the last review. The purpose of the review is to ensure that each control (firewall is access control, firewall rule making, rule standards, and change control) is operating as expected. If a rule was created that did not go through proper firewall rule review or was not logged as a change or was excessively permissive or even meant to be temporary, the rule review will detect that and it can be corrected.
  2. Another common recurring task is to review security policies at least once per year. This tasks may be delegated to several individuals with different areas of responsibility, but it is up to the security program, CISO, or Compliance Manager to ensure that the review happens. It is not necessary that make changes to the policies simply because they are reviewed, but this is the time when that would typically occur when necessary. For example, a new technology may have emerged, new threats have arisen, or perhaps the company has made a transition to a cloud platform. There are many things that could require updates to existing policies or even the need to create new ones. Sometimes policies may need to be deprecated or retired too.
  3. Account reviews or audits are also necessary and recommended best practice. They should occur with some set frequency to ensure that the control, terminations, move-add-change (MAC), and new accounts are appropriate. It is very common to find stale, unused accounts on an active directory or applications that have not been inactivated after someone leaves. If your company is required to be compliant, this will likely show up on an audit.

 

A Bit About Frequency

How often a task should be performed — weekly, monthly, quarterly, annually — is largely dependent on two factors: 1) If it is required (compliance) it must be performed for example at specific time intervals or number of occurrences in a year. 2) If it is best practice and its aim is to ensure that specific controls are operating as designed, i.e., before so much time has passed that things get out of control (account/access audits) or the risks increase too much, then the frequency should be determined by the rate of risk accumulation. For example, vulnerability scanning is required by most regulations (PCI DSS, etc.) and it is also a best practice. Most regulations however do not require monthly vulnerability scanning and it is possible to remain compliant while scanning only one-time per quarter. The problem with this approach is that new vulnerabilities are often discovered weekly, so waiting three months to address a critical, exploitable vulnerability is very risky. Performed on a monthly basis, a scan is likely to catch most critical and severe vulnerabilities consistently and these can be addressed before they can be exploited.

 

It is perfectly fine to schedule dates that meet frequency requirements rather than organizing the activities into daily, weekly, and monthly recurrences. Simply determine how many times a task needs to be performed and schedule it accordingly.

Below are some examples of recurring tasks that every Cybersecurity Program should have along with typical or recommended frequency:

 

  • Vulnerability Scanning (Typical: Monthly; Minimum: Quarterly)
  • Account Audits (AD) (Typical: Quarterly; Minimum: Yearly)
  • Firewall Review (Typical: Quarterly; Minimum: Yearly)
  • Annual Policy and Procedure Review (Typical: Yearly; Minimum: Bi-annually)
  • Security Awareness Training (Typical: Monthly to quarterly; Minimum: yearly)
  • Penetration Testing (Typical: Yearly; Recommended: Semi-annually, quarterly, or monthly)
  • PCI Scan (Required: Quarterly; Recommended: Monthly)
  • Change Control Review (Typical: Quarterly; Minimum: Semi-annually)
  • Risk Assessment (Recommended: Quarterly; Minimum: yearly)
  • Application Scanning (Typical: Inconsistent; Recommended: Semi-annually)
  • Risk Steering Committee (Typical: Quarterly / Semi-annual; Minimum: Yearly)
  • Third-Party Audits (Typical: Annual)

 

Cadence

Cadence is typically defined as a rhythm or recurring sequence, as in music or a drill sergeant in the military. However, within a cybersecurity program, cadence can be seen as the motivating force, the pulse if you will, that keeps the program operating continuously. It may be the when, where, and how that the CISO or manager meets with her team but more importantly, it’s the opportunity for team members, staff and stakeholders to exchange information, share views, identify barriers, identify risks, and discuss solutions. Recurring Tasks cadence creates awareness of key issues, especially with systems and processes and in turn it can improve performance and drive critical change. This affects the performance of teams. The regular feedback, both positive and negative, creates a culture of collaboration and productivity in the workforce.

 

Metrics

Recurring Tasks can also be used to track, measure, and discuss KPIs (Key Performance Indicators). If the recurring task is not already metric-oriented, it is usually not difficult to define a measure that can be gathered and collected. But many tasks already involve metrics such as vulnerabilities discovered, risk score, ratios and numbers.

 

If you have not already implemented a Recurring Tasks strategy in your organization, now is the time.

 

Click here to download our free Recurring Task Tracker tool for tracking and managing all your recurring tasks. 

 

23 Aug, 2022