Quarterly DevOps Security Review

Quarterly security review run by IT operations and the security lead — covers infrastructure, application pipeline, data protection, incident response readiness, and SIEM/logging hygiene. Designed for an in-house IT team or MSP running a recurring 90-day posture check.

5 sections, 27 steps
1

Infrastructure Security

  1. Patch domain controllers and hypervisors
    • Apply the current Patch Tuesday rollup to all DCs and Hyper-V hosts, and the current vendor patch bundle to ESXi hosts (ESXi is not on the Microsoft cycle), using the three-ring deployment (test → pilot → prod over 7-14 days). Capture the KB and build IDs and confirm each host completed its reboot with no pending-reboot flag; a DC that installed the patch but never rebooted is the classic Monday-morning login outage.

  2. Audit firewall rules against the baseline
    • Pull the running config from FortiGate / Palo Alto / Meraki and diff it against the documented baseline. Flag any/any allow rules, temporary exceptions past their expiry date, and allow rules with no hits in the last 90 days for cleanup. Disable a stale rule before deleting it and keep the hit-count evidence on the ticket; deny rules with zero hits are working as intended.
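
The check described in this step, as an added example that is not part of the template: it runs over a normalized rule export rather than a vendor config, so the field names (`src`, `dst`, `service`, `action`, `hits`, `last_hit`, `expires`) and the sample rules are constructed assumptions, as is the baseline list of approved rule names.

```python
"""Firewall rule hygiene check over a normalized rule export.

Added example for this review step, not part of the template. Each rule is a
dict in an assumed vendor-neutral shape that you would produce from the
FortiGate / Palo Alto / Meraki export; the field names and the sample rules
are constructed for the example.
"""
from datetime import date, timedelta

REVIEW_DATE = date(2024, 6, 3)  # constructed: the day the audit runs

# Constructed sample: a normalized running config.
RUNNING_RULES = [
    {"name": "allow-web-in", "src": "any", "dst": "10.0.5.0/24", "service": "tcp/443",
     "action": "allow", "hits": 120340, "last_hit": "2024-06-01", "expires": None},
    {"name": "tmp-vendor-rdp", "src": "203.0.113.7", "dst": "10.0.9.14", "service": "tcp/3389",
     "action": "allow", "hits": 3, "last_hit": "2024-01-20", "expires": "2024-02-15"},
    {"name": "legacy-any", "src": "any", "dst": "any", "service": "any",
     "action": "allow", "hits": 41, "last_hit": "2024-05-30", "expires": None},
    {"name": "dead-print-rule", "src": "10.0.20.0/24", "dst": "10.0.5.9", "service": "tcp/9100",
     "action": "allow", "hits": 0, "last_hit": None, "expires": None},
    {"name": "deny-guest-to-mgmt", "src": "10.0.30.0/24", "dst": "10.0.1.0/24", "service": "any",
     "action": "deny", "hits": 9911, "last_hit": "2024-06-02", "expires": None},
]

# Constructed documented baseline: the rule names change control has approved.
BASELINE_RULE_NAMES = {"allow-web-in", "deny-guest-to-mgmt", "legacy-any"}


def audit_rules(rules, baseline_names, today, stale_days=90):
    """Return (rule_name, finding) pairs for rules that need attention.

    Only allow rules are checked for staleness: a deny rule that never
    matches is still doing its job.
    """
    findings = []
    cutoff = today - timedelta(days=stale_days)
    for r in rules:
        if r["name"] not in baseline_names:
            findings.append((r["name"], "not in documented baseline"))
        if r["action"] == "allow" and r["src"] == "any" and r["dst"] == "any" and r["service"] == "any":
            findings.append((r["name"], "any/any allow"))
        if r["expires"] and date.fromisoformat(r["expires"]) < today:
            findings.append((r["name"], "temporary exception past expiry"))
        if r["action"] == "allow":
            last = r["last_hit"]
            if last is None or date.fromisoformat(last) < cutoff:
                findings.append((r["name"], f"no hits in {stale_days} days"))
    return findings


def missing_from_running(rules, baseline_names):
    """Baseline rules no longer present in the running config: drift the other way."""
    return sorted(baseline_names - {r["name"] for r in rules})


if __name__ == "__main__":
    for name, finding in audit_rules(RUNNING_RULES, BASELINE_RULE_NAMES, REVIEW_DATE):
        print(f"{name:20} {finding}")
    print("missing from running config:", missing_from_running(RUNNING_RULES, BASELINE_RULE_NAMES))
```

On the sample data the expired vendor RDP exception is flagged three times (undocumented, expired, stale), which is the usual shape of a forgotten temporary rule; the any/any rule is flagged even though it is in the baseline, because being approved does not make it acceptable.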

  3. Verify VLAN segmentation by trust tier
    • Confirm guest, IoT, server, and management VLANs remain isolated per the network diagram, and prove it with a quick connection test from each lower-trust VLAN to a management address that should be unreachable. Flat networks expand PCI scope and let a compromised printer pivot into payroll.

  4. Enforce MFA and block legacy auth in Entra ID
    • Confirm conditional access policies require MFA for all users (break-glass accounts excluded, named, and monitored) and block legacy authentication (IMAP, POP, SMTP AUTH, EWS basic auth, ActiveSync basic) org-wide. Legacy protocols cannot prompt for a second factor, so password spray against them is the usual MFA bypass. Exchange Online now disables basic auth for most protocols by default, but SMTP AUTH can still be enabled per mailbox, so check it explicitly rather than assuming the tenant default holds.
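
A way to check an exported policy set for both controls, as an added example that is not part of the template: the dicts follow the shape of Microsoft Graph `conditionalAccessPolicy` objects (`state`, `conditions`, `grantControls`) as returned by `GET /identity/conditionalAccess/policies` or `Get-MgIdentityConditionalAccessPolicy`, but the two sample policies and the break-glass object id are constructed. Note that the legacy-auth policy in the sample is in report-only mode, which is the finding this check exists to catch.

```python
"""Check exported Entra ID conditional access policies for the two controls.

Added example, not part of the template. The policy dicts follow the shape of
Microsoft Graph conditionalAccessPolicy objects (state, conditions,
grantControls); the sample policies are constructed and the break-glass
object id is a placeholder.
"""

# Graph clientAppTypes values that carry legacy (non-modern) authentication.
LEGACY_CLIENT_APPS = {"exchangeActiveSync", "other"}

SAMPLE_POLICIES = [  # constructed export
    {
        "displayName": "CA001 Require MFA for all users",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": ["breakglass-object-id"]},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
    {
        "displayName": "CA002 Block legacy authentication",
        "state": "enabledForReportingButNotEnforced",  # report-only: not enforcing
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": []},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["exchangeActiveSync", "other"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    },
]


def _all_users_all_apps(policy):
    c = policy["conditions"]
    return ("All" in c.get("users", {}).get("includeUsers", [])
            and "All" in c.get("applications", {}).get("includeApplications", []))


def mfa_required_for_all(policies):
    """True if an enabled policy requires MFA for all users and all apps on modern
    clients ('all', or browser plus mobile/desktop clients)."""
    for p in policies:
        apps = set(p["conditions"].get("clientAppTypes", []))
        modern = "all" in apps or {"browser", "mobileAppsAndDesktopClients"} <= apps
        if (p["state"] == "enabled" and _all_users_all_apps(p) and modern
                and "mfa" in p.get("grantControls", {}).get("builtInControls", [])):
            return True
    return False


def legacy_auth_blocked(policies):
    """True if an enabled policy blocks both legacy client app types for everyone."""
    for p in policies:
        apps = set(p["conditions"].get("clientAppTypes", []))
        if (p["state"] == "enabled" and _all_users_all_apps(p)
                and LEGACY_CLIENT_APPS <= apps
                and p.get("grantControls", {}).get("builtInControls") == ["block"]):
            return True
    return False


def mfa_exclusions(policies):
    """Object ids excluded from any MFA policy: each needs an owner and sign-in monitoring."""
    ids = set()
    for p in policies:
        if "mfa" in p.get("grantControls", {}).get("builtInControls", []):
            ids.update(p["conditions"].get("users", {}).get("excludeUsers", []))
    return sorted(ids)


def review(policies):
    return {
        "mfa_required_for_all": mfa_required_for_all(policies),
        "legacy_auth_blocked": legacy_auth_blocked(policies),
        "mfa_exclusions": mfa_exclusions(policies),
    }


if __name__ == "__main__":
    print(review(SAMPLE_POLICIES))
```

The exclusion list is reported rather than judged: a break-glass account is expected there, a departed admin's account is not, and only a human can tell the two apart.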

  5. Rotate service account credentials via PAM
    • Inventory service accounts in CyberArk / Delinea / BeyondTrust. Rotate any account whose password age exceeds policy and confirm dependent services restart cleanly. The 'temporary' Domain Admin service account from 6 years ago belongs in this audit.

2

Application Pipeline Security

  1. Run SAST scan against the main branch
    • Trigger Snyk Code, SonarQube, or Semgrep against the current main branch. Record the highest severity finding to drive the remediation gate below.

  2. Remediate critical SAST findings before deploy
    • Open a tracked issue per critical finding, assign to the owning team, and hold the next prod deploy until each is fixed or an exception is approved by the security lead with a documented mitigation.

  3. Run DAST against the staging environment
    • Use OWASP ZAP or Burp Suite Pro against staging with an authenticated session. Confirm staging mirrors prod auth flows; DAST against an unauthenticated surface never reaches the post-login endpoints where most of the findings live.

  4. Review SBOM for CVE-flagged dependencies
    • Generate the SBOM with Syft (CycloneDX or SPDX), then match it against vulnerability data with Grype or by loading it into Dependency-Track. Fix anything listed in CISA KEV first regardless of score, since exploitation in the wild outranks a severity estimate, then work CVSS ≥ 7.0 findings that have an available fix.
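
The prioritization described above, as an added example that is not part of the template: the match records are a trimmed-down form of what a Grype JSON report gives per match (package, version, CVE, CVSS base score, fix version) and the list is constructed, although the CVE ids, scores and fix versions in it are the published ones. KEV membership is embedded as a small set for the example; in the real run build it from the `cveID` fields of CISA's `known_exploited_vulnerabilities.json`.

```python
"""Rank SBOM vulnerability matches: KEV first, then CVSS, then the rest.

Added example, not part of the template. The matches mimic a trimmed Grype
report; the list is constructed. The KEV set is a hand-embedded subset for
the example; load the live catalog in production.
"""

MATCHES = [  # constructed list; CVE ids, scores and fixes are the published values
    {"package": "org.apache.logging.log4j:log4j-core", "version": "2.14.1",
     "cve": "CVE-2021-44228", "cvss": 10.0, "fix": "2.15.0"},
    {"package": "golang.org/x/net", "version": "v0.16.0",
     "cve": "CVE-2023-44487", "cvss": 7.5, "fix": "v0.17.0"},
    {"package": "openssl", "version": "3.0.6",
     "cve": "CVE-2022-3602", "cvss": 7.5, "fix": "3.0.7"},
    {"package": "minimist", "version": "1.2.0",
     "cve": "CVE-2020-7598", "cvss": 5.6, "fix": "1.2.3"},
]

# Subset of the CISA KEV catalog sufficient for the sample (both are listed there).
KEV = {"CVE-2021-44228", "CVE-2023-44487"}

TIER_NAMES = {0: "KEV: fix before deploy", 1: "CVSS >= 7.0: schedule", 2: "track"}


def tier(match, kev, cvss_gate=7.0):
    """KEV entries come first regardless of score: exploitation in the wild
    outranks a severity estimate. Everything else splits on the CVSS gate."""
    if match["cve"] in kev:
        return 0
    return 1 if match["cvss"] >= cvss_gate else 2


def prioritize(matches, kev):
    """Return matches annotated with a tier, sorted by tier then CVSS descending."""
    ranked = [{**m, "tier": tier(m, kev)} for m in matches]
    ranked.sort(key=lambda m: (m["tier"], -m["cvss"], m["cve"]))
    return ranked


def remediation_gate(matches, kev):
    """CVEs that must be fixed (or carry an approved exception) before the next deploy."""
    return [m["cve"] for m in prioritize(matches, kev) if m["tier"] == 0]


if __name__ == "__main__":
    for m in prioritize(MATCHES, KEV):
        print(f'{TIER_NAMES[m["tier"]]:24} {m["cve"]:16} {m["cvss"]:5} '
              f'{m["package"]} {m["version"]} -> {m["fix"]}')
```

The OpenSSL and HTTP/2 entries share a 7.5 score; only the KEV listing separates them, which is the point of checking KEV before sorting by CVSS.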

  5. Validate WAF rules cover OWASP Top 10
    • Run synthetic attack payloads (SQLi, XSS, SSRF, path traversal) through Cloudflare / AWS WAF / F5 against a non-production hostname on the same WAF policy and confirm each is blocked and logged. Include URL-encoded and double-encoded variants; bypasses usually come from encoding, not from the base payload. A false negative on injection is the typical finding.

  6. Confirm secrets scanner blocks committed credentials
    • Verify GitHub secret scanning with push protection and the Gitleaks pre-commit hook both fire on a push containing a synthetic AWS key. Use a dead key (AWS's documented example key is fine) so the test itself leaks nothing. If the test key reaches main, the gate is broken.
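
What the pre-commit side of this gate does, as an added example that is not part of the template and is not Gitleaks itself: it scans only the added lines of a staged diff and exits non-zero on a hit. The diff is constructed; the credentials in it are the documented AWS example key pair (`AKIAIOSFODNN7EXAMPLE` and its example secret), which are not live. The rule patterns are modeled on Gitleaks' default rules but are this example's own.

```python
"""Pre-commit style secret scan over a staged diff, using a synthetic AWS key.

Added example, not part of the template and not Gitleaks. The diff is
constructed; the key and secret are AWS's documented example credentials.
Rule patterns are modeled on Gitleaks defaults but are this example's own.
"""
import re
import sys

RULES = {
    # 20-char access key id: AKIA (long-term) or ASIA (temporary) prefix.
    "aws-access-key-id": re.compile(r"(?<![A-Z0-9])(AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])"),
    # 40-char secret within reach of an aws ... secret keyword, quoted.
    "aws-secret-access-key": re.compile(r"(?i)aws.{0,30}secret.{0,30}['\"]([A-Za-z0-9/+=]{40})['\"]"),
    "github-pat": re.compile(r"ghp_[A-Za-z0-9]{36}"),
}

HUNK = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")

STAGED_DIFF = """\
diff --git a/config.py b/config.py
--- a/config.py
+++ b/config.py
@@ -1,3 +1,5 @@
 import os
-AWS_KEY = os.environ["AWS_ACCESS_KEY_ID"]
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
+REGION = "us-east-1"
 DEBUG = False
"""


def scan_diff(diff_text):
    """Return (path, new_line_number, rule) for each secret found on an added line.

    Removed lines are skipped on purpose: deleting a key is the fix, not a leak.
    """
    findings = []
    path, line_no = None, 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:].removeprefix("b/")
            continue
        m = HUNK.match(raw)
        if m:
            line_no = int(m.group(1))
            continue
        if raw.startswith("-") or raw.startswith("diff "):
            continue  # removed lines, old-file header and diff header carry no new content
        if raw.startswith("+"):
            for rule, pattern in RULES.items():
                if pattern.search(raw[1:]):
                    findings.append((path, line_no, rule))
        line_no += 1  # added and context lines both advance the new-file line counter
    return findings


def main(diff_text):
    findings = scan_diff(diff_text)
    for path, line_no, rule in findings:
        print(f"{path}:{line_no}: {rule}", file=sys.stderr)
    return 1 if findings else 0  # non-zero exit is what blocks the commit


if __name__ == "__main__":
    # pipe `git diff --cached` in; with no stdin, scan the constructed sample
    sys.exit(main(STAGED_DIFF if sys.stdin.isatty() else sys.stdin.read()))
```

Run it as `git diff --cached | python scan_diff.py` from a pre-commit hook (hypothetical file name). The line numbers in the findings refer to the new file, which is what a developer needs to go fix.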

3

Data Protection and Backup

  1. Confirm full-disk encryption on all endpoints
    • Pull the BitLocker / FileVault compliance report from Intune or Jamf and confirm 100% coverage. Verify recovery keys are escrowed in Entra ID or Jamf; a disk whose key was never escrowed is unrecoverable once the user leaves.

  2. Verify TLS 1.2+ on all public endpoints
    • Run SSL Labs or testssl.sh against every public hostname. Flag any TLS 1.0/1.1, weak ciphers, or certs expiring within 60 days. ACME automation handles renewal but only for hosts you've onboarded.

  3. Run restore drill from immutable backup
    • Restore a representative VM and a file-share dataset from the immutable copy (Veeam hardened repo, Datto cloud, or S3 Object Lock) into an isolated network, then verify the result: the VM boots and an application login works, and file checksums match the source. The 3-2-1 backup is only proven by an actual restore; green job dashboards have lied for 18 months before.

  4. Open P1 ticket with backup vendor
    • If the restore failed, escalate to Veeam / Datto / Rubrik support with the failed job ID and exported logs. Treat the backup chain as broken until the next successful drill.

  5. Review file-share access against role baseline
    • Pull SMB / SharePoint / Google Drive ACLs and reconcile against current role assignments. The 'Domain Users gets the project share' pattern from 5 years ago shows up here.

  6. Tag sensitive data per classification policy
    • Apply Microsoft Purview / Google DLP labels to PHI, PCI, and PII repositories and confirm DLP policies match the labels. Knowing where regulated data lives is what the HIPAA risk analysis and PCI DSS scoping both depend on.

4

Incident Response Readiness

  1. Confirm IR plan reflects current on-call roster
    • Reconcile PagerDuty / Opsgenie schedules against the IR plan's named roles (IC, comms lead, scribe, exec liaison). Departed staff in the runbook is the typical finding.

  2. Run tabletop with a SEV1 ransomware scenario
    • Walk the IR team through a named scenario — file server encrypted, backups also hit, vendor under DDoS during recovery. Capture decision points where the runbook was unclear.

  3. Verify out-of-band comms channel works
    • Test the Signal / dedicated WhatsApp / SMS bridge for the IR team, including contacts for anyone who joined since the last drill. If your primary comms lives in the same M365 tenant that is under attack, you have no comms during a tenant-wide compromise.

  4. Update asset criticality tier in CMDB
    • Reconcile ServiceNow / Hudu / IT Glue asset records with current business criticality tiers. Drives recovery prioritization during a multi-system incident.

  5. Update IR plan with named tabletop gaps
    • For each gap surfaced in the tabletop, add a named runbook step or contact, version the document, and circulate to the IR team. Gaps not written down are gaps that recur.

5

Monitoring and SIEM Hygiene

  1. Verify SIEM ingest from all critical sources
    • Confirm Splunk / Sentinel / Elastic is receiving events from DCs, firewalls, EDR (CrowdStrike / SentinelOne), M365 unified audit, and SaaS apps, by checking the newest event per source rather than the connector status page. A source silent for 30 days means every dashboard and detection built on it is wrong, and nothing alerted you.

  2. Tune detection rules from last quarter's alerts
    • Pull the top 10 noisiest rules and the alerts the SOC closed as benign. Tune thresholds, add allow-lists for known scanners, and retire rules that haven't fired a true positive in 12 months, except high-severity rules whose silence is expected: a rule for NTDS.dit access should be quiet, and that is not a reason to remove it.
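
The two checks above (silent sources, noisy and dead rules) over exported SIEM data, as an added example that is not part of the template and is not tied to any one SIEM: the inputs are what a saved search for "newest event per source" and an export of last quarter's alerts with analyst dispositions would give you from Splunk / Sentinel / Elastic. Every record below is constructed, including the rule catalog and its severities.

```python
"""SIEM hygiene: silent sources and noisy rules from exported SIEM data.

Added example serving the two steps above, not part of the template. All
records are constructed: source last-seen times, the rule catalog, and the
alert dispositions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

REVIEW_TIME = datetime(2024, 6, 3, 9, 0)  # constructed review timestamp

EXPECTED_SOURCES = {"dc01", "dc02", "fw-edge", "crowdstrike", "m365-unified-audit", "okta"}

LAST_SEEN = {  # constructed: newest event timestamp the SIEM holds per source
    "dc01": "2024-06-03T07:58:00",
    "dc02": "2024-06-03T08:02:00",
    "fw-edge": "2024-06-03T08:01:00",
    "crowdstrike": "2024-04-19T22:10:00",   # forwarder died six weeks ago
    "m365-unified-audit": "2024-06-02T23:50:00",
    # okta: never onboarded, so it has no row at all
}

RULE_SEVERITY = {  # constructed rule catalog
    "port-scan-external": "low",
    "vuln-scanner-web": "low",
    "failed-logon-burst": "medium",
    "impossible-travel": "medium",
    "dc-ntds-dit-access": "critical",
}

ALERTS = [  # constructed: (rule, analyst disposition) for last quarter
    *[("port-scan-external", "benign")] * 5,
    *[("vuln-scanner-web", "benign")] * 4,   # the in-house scanner, every time
    ("failed-logon-burst", "benign"), ("failed-logon-burst", "benign"),
    ("failed-logon-burst", "true_positive"),
    ("impossible-travel", "true_positive"),
]


def silent_sources(expected, last_seen, now, max_silence_days=30):
    """Sources with no events inside the window, or never seen at all."""
    cutoff = now - timedelta(days=max_silence_days)
    silent = {}
    for src in sorted(expected):
        ts = last_seen.get(src)
        if ts is None:
            silent[src] = "never seen"
        elif datetime.fromisoformat(ts) < cutoff:
            silent[src] = f"last event {ts}"
    return silent


def rule_stats(alerts):
    """(rule, total alerts, true positives) tuples, noisiest first."""
    totals, tps = defaultdict(int), defaultdict(int)
    for rule, disposition in alerts:
        totals[rule] += 1
        if disposition == "true_positive":
            tps[rule] += 1
    return sorted(((r, totals[r], tps[r]) for r in totals), key=lambda x: (-x[1], x[0]))


def retire_candidates(alerts, severity, keep_severities=("high", "critical")):
    """Rules with no true positive in the period, excluding high-severity rules
    whose silence is expected: a critical rule with zero hits stays."""
    tps = {r: tp for r, _, tp in rule_stats(alerts)}
    return sorted(r for r in severity
                  if severity[r] not in keep_severities and tps.get(r, 0) == 0)


if __name__ == "__main__":
    print("silent sources:", silent_sources(EXPECTED_SOURCES, LAST_SEEN, REVIEW_TIME))
    for rule, total, tp in rule_stats(ALERTS):
        print(f"{rule:22} alerts={total:3} true_positives={tp}")
    print("retire or tune:", retire_candidates(ALERTS, RULE_SEVERITY))
```

On the sample, the EDR feed went quiet in April and Okta was never onboarded, neither of which a green connector tile would show; the two low-severity rules with nine benign alerts and no true positives are the tuning or retirement list, while the NTDS.dit rule stays despite never firing.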

  3. Confirm log retention meets compliance baseline
    • Reconcile retention windows against the binding standards (PCI DSS: at least 12 months retained, with the most recent 3 months immediately available for analysis; HIPAA: 6 years for required documentation, which most covered entities apply to audit logs; SOC 2: whatever your own policy commits to). Cold-storage tier is fine; deleted is not.

  4. Validate immutable log storage with object lock
    • Confirm S3 Object Lock or Azure Blob immutability is set on the log archive bucket and that the SIEM service account cannot delete objects or shorten retention. Object Lock in governance mode still yields to any principal holding s3:BypassGovernanceRetention, so either use compliance mode or confirm no role has that permission. Ransomware that erases logs erases your investigation.

  5. Review weekly SIEM anomaly digest
    • Walk the security lead through the rolling weekly anomaly digest — impossible-travel logins, after-hours admin actions, mass-download events. Patterns at quarterly cadence catch slow-burn compromise that weekly review misses.

Category: Systems Administration