Quarterly Network Security Review

A quarterly review that the IT operations team runs to verify that identity, network, detection, encryption, and logging controls are healthy. Findings drive a remediation ticket queue and feed the next quarterly cycle.

Section 1: Identity & Access Review

  1. Audit Entra ID conditional access policies
    • Pull the conditional access policy export and confirm legacy authentication is blocked org-wide. Watch for policies scoped to 'All users' that exclude break-glass accounts only — exclusion creep is the most common drift between quarters.

  2. Verify MFA coverage on privileged accounts
    • Run the Entra ID auth methods report against the Tier 0 / Tier 1 admin groups (Global Admin, Privileged Role Admin, Domain Admin equivalents). Service accounts and break-glass accounts are intentional exceptions; document them. Any human admin without phishing-resistant MFA (FIDO2, Windows Hello, certificate) is a finding.
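
The classification this step asks for, as an added example that is not part of the template: it walks a constructed authentication-methods export, treats FIDO2, Windows Hello and certificate as the phishing-resistant set, and separates human findings from documented service / break-glass exceptions. The method names, role names and the `account_type` tag are assumptions standing in for whatever your export and CMDB actually provide.

```python
# Added example, not from the template: classify a constructed Entra ID
# authentication-methods export for the privileged groups named above.
from dataclasses import dataclass

# Methods the checklist counts as phishing-resistant (FIDO2, Windows Hello, certificate).
PHISHING_RESISTANT = {"fido2", "windowsHelloForBusiness", "certificateBasedAuth"}
# Tier 0 / Tier 1 roles in scope; extend with your own Domain Admin equivalents.
PRIVILEGED_ROLES = {"Global Administrator", "Privileged Role Administrator", "Domain Admins"}

@dataclass(frozen=True)
class AuthRecord:
    upn: str
    roles: frozenset        # directory roles / groups the account holds
    methods: frozenset      # registered auth methods from the export
    account_type: str       # "human", "service" or "breakglass" (assumed CMDB tag)

def mfa_findings(records):
    """Return (findings, exceptions).
    findings:   human admins with no phishing-resistant method registered
    exceptions: service / break-glass admins, to be documented not remediated"""
    findings, exceptions = [], []
    for rec in records:
        if not rec.roles & PRIVILEGED_ROLES:
            continue                      # not a Tier 0 / Tier 1 account
        if rec.account_type != "human":
            exceptions.append(rec.upn)    # intentional exception, document it
        elif not rec.methods & PHISHING_RESISTANT:
            findings.append(rec.upn)      # SMS / app push alone is a finding
    return sorted(findings), sorted(exceptions)

# Constructed sample export (hypothetical tenant).
SAMPLE_EXPORT = [
    AuthRecord("alice@example.test", frozenset({"Global Administrator"}),
               frozenset({"fido2", "authenticatorApp"}), "human"),
    AuthRecord("bob@example.test", frozenset({"Global Administrator"}),
               frozenset({"sms", "authenticatorApp"}), "human"),
    AuthRecord("carol@example.test", frozenset({"Helpdesk Administrator"}),
               frozenset({"sms"}), "human"),
    AuthRecord("dave@example.test", frozenset({"Privileged Role Administrator"}),
               frozenset({"windowsHelloForBusiness"}), "human"),
    AuthRecord("svc-backup@example.test", frozenset({"Domain Admins"}),
               frozenset({"password"}), "service"),
    AuthRecord("breakglass01@example.test", frozenset({"Global Administrator"}),
               frozenset(), "breakglass"),
]

if __name__ == "__main__":
    found, exc = mfa_findings(SAMPLE_EXPORT)
    print("findings:", found)
    print("documented exceptions:", exc)
```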

  3. Remediate MFA gaps before continuing
    • Open a P1 ticket per affected admin: enroll FIDO2 key or migrate to Windows Hello, revoke active sessions, and confirm enrollment in the auth methods report before closing. Do not proceed with the rest of the review until Tier 0 is clean.

  4. Run access review on Tier 0 groups
    • Use Entra ID Access Reviews (or manual export) on Domain Admins, Enterprise Admins, Global Administrators, and any custom roles with delegated admin rights. Each member must be re-attested by a named approver — no rubber-stamping. Members not attested in 7 days get removed.

  5. Disable accounts inactive 90+ days
    • Pull the lastSignInDateTime report from Entra ID and AD lastLogonTimestamp. Cross-reference HR's active employee list — terminations that didn't trigger offboarding land here. Disable (do not delete) and tag the account with the date for audit retention.
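
The cross-reference this step describes, as an added example (not from the template): it merges the Entra ID lastSignInDateTime and AD lastLogonTimestamp exports, takes the most recent of the two per account, and emits a disable action tagged with the review date, with accounts missing from HR's active list flagged as missed offboarding regardless of activity. The dictionaries, UPNs and tag format are constructed assumptions.

```python
# Added example, not from the template: cross-reference Entra ID
# lastSignInDateTime, AD lastLogonTimestamp and the HR active list.
from datetime import datetime, timedelta, timezone

UTC = timezone.utc

def _latest(*stamps):
    known = [s for s in stamps if s is not None]
    return max(known) if known else None

def inactive_candidates(entra_last_signin, ad_last_logon, hr_active, today, days=90):
    """Return disable actions for the review.
    entra_last_signin, ad_last_logon: {upn: aware datetime or None (never signed in)}
    hr_active: set of UPNs HR lists as current employees
    An account is kept only if it is on the HR list AND either store shows
    activity within `days`; the most recent of the two timestamps wins."""
    cutoff = today - timedelta(days=days)
    tag = f"disabled-{today:%Y-%m-%d}-quarterly-review"  # audit-retention tag
    actions = []
    for upn in sorted(set(entra_last_signin) | set(ad_last_logon)):
        last = _latest(entra_last_signin.get(upn), ad_last_logon.get(upn))
        if upn not in hr_active:
            reason = "not on HR active list (missed offboarding)"
        elif last is None:
            reason = "never signed in"
        elif last < cutoff:
            reason = f"inactive since {last:%Y-%m-%d}"
        else:
            continue  # active and employed: nothing to do
        actions.append({"upn": upn, "action": "disable", "tag": tag, "reason": reason})
    return actions

# Constructed sample data (hypothetical tenant); review date 2024-04-01.
TODAY = datetime(2024, 4, 1, tzinfo=UTC)
ENTRA = {
    "ann@example.test": datetime(2024, 3, 20, tzinfo=UTC),
    "ben@example.test": datetime(2023, 11, 1, tzinfo=UTC),
    "cyd@example.test": datetime(2023, 10, 1, tzinfo=UTC),
    "dee@example.test": None,
    "eli@example.test": datetime(2024, 3, 30, tzinfo=UTC),
}
AD = {
    "ben@example.test": datetime(2023, 12, 15, tzinfo=UTC),
    "cyd@example.test": datetime(2024, 3, 28, tzinfo=UTC),  # still logging on to AD
    "dee@example.test": None,
}
HR_ACTIVE = {"ann@example.test", "ben@example.test", "cyd@example.test", "dee@example.test"}

if __name__ == "__main__":
    for action in inactive_candidates(ENTRA, AD, HR_ACTIVE, TODAY):
        print(action)
```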

  6. Confirm legacy basic-auth is blocked
    • Check the Entra ID sign-in logs filtered on legacy auth protocols (IMAP, POP, SMTP AUTH, MAPI, EWS basic). Any successful legacy sign-ins bypass MFA entirely and are the most common preventable breach vector. Block at the conditional access layer, not just at the mailbox.

Section 2: Firewall & Network Segmentation

  1. Audit edge firewall rule base for any-any rules
    • Export rules from FortiGate / Palo Alto / Meraki MX. Flag any rule with source 'any' and destination 'any', overly broad service objects, or rules with hit count zero over the last quarter (candidates for removal). Document the business justification on every retained permit rule.
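
The rule-base checks above, as an added example that is not vendor code from FortiGate, Palo Alto or Meraki: it runs over a constructed, vendor-neutral export and flags permit rules that are any-to-any, carry an overly broad service object, had zero hits last quarter, or lack a recorded justification. The field names and the 100-port threshold for "overly broad" are assumptions.

```python
# Added example, not from the template: flag risky rules in a constructed
# firewall rule export (vendor-neutral field names are an assumption here).
def audit_rules(rules, broad_service_ports=100):
    """Return [(rule_name, [reasons])] for permit rules needing review.
    Each rule: name, src, dst, service ('any' or list of ports), action,
    hits_last_quarter, justification."""
    findings = []
    for rule in rules:
        if rule["action"] != "permit":
            continue                              # only permits create exposure
        reasons = []
        if rule["src"] == "any" and rule["dst"] == "any":
            reasons.append("any-to-any")
        svc = rule["service"]
        if svc == "any" or len(svc) > broad_service_ports:
            reasons.append("overly broad service object")
        if rule["hits_last_quarter"] == 0:
            reasons.append("zero hits last quarter (removal candidate)")
        if not rule.get("justification"):
            reasons.append("no business justification recorded")
        if reasons:
            findings.append((rule["name"], reasons))
    return findings

# Constructed sample export.
SAMPLE_RULES = [
    {"name": "temp-vendor-access", "src": "any", "dst": "any", "service": "any",
     "action": "permit", "hits_last_quarter": 4812, "justification": ""},
    {"name": "web-dmz-https", "src": "any", "dst": "dmz-web", "service": [443],
     "action": "permit", "hits_last_quarter": 1200345, "justification": "CHG-0042 public site"},
    {"name": "old-crm-sync", "src": "crm-srv", "dst": "erp-srv", "service": [1433],
     "action": "permit", "hits_last_quarter": 0, "justification": "CHG-0017"},
    {"name": "lab-wide-open", "src": "lab-net", "dst": "corp-net",
     "service": list(range(1, 1025)), "action": "permit",
     "hits_last_quarter": 37, "justification": "lab testing"},
    {"name": "deny-all", "src": "any", "dst": "any", "service": "any",
     "action": "deny", "hits_last_quarter": 99999, "justification": ""},
]

if __name__ == "__main__":
    for name, why in audit_rules(SAMPLE_RULES):
        print(f"{name}: {', '.join(why)}")
```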

  2. Validate VLAN segmentation against network diagram
    • Walk the diagram against switch configs. Verify guest, IoT, voice, and corporate VLANs cannot route to one another except through documented firewall rules. Flat networks expand PCI scope and ransomware blast radius — this is where segmentation drift hides.

  3. Close unused ports from last vulnerability scan
    • Pull the most recent Nessus or Qualys external scan. Any open port without a corresponding firewall justification gets closed or filtered. Pay attention to RDP (3389), SMB (445), and management interfaces exposed externally — these are top ransomware entry points.

  4. Update firmware on edge devices
    • Check vendor advisories for FortiGate, Palo Alto, Cisco ASA / Meraki, SonicWall. Apply within the maintenance window with a documented rollback plan. Edge device CVEs are routinely exploited within days of disclosure — quarterly is the floor, not the ceiling.

Section 3: Detection & Response Posture

  1. Verify EDR agent coverage on all endpoints
    • Reconcile CrowdStrike / SentinelOne / Defender for Endpoint console against the asset inventory in your RMM and Intune. Servers without an EDR agent are the most common gap — Linux file servers and ESXi hosts especially. Open a ticket per uncovered device.

  2. Check IDS/IPS signature freshness
    • Confirm threat-intel feeds and signature definitions on the IPS, EDR, and email gateway are current. Auto-update doesn't mean auto-verified — a feed that silently failed two weeks ago is invisible until you check.

  3. Confirm penetration test cycle status
    • Most SOC 2 / PCI / HIPAA programs require an external pen test annually. Check the engagement schedule against the current date — if the next test falls in this quarter, flag it now to give the vendor lead time and the team scope-prep room.

  4. Schedule penetration test with vendor
    • Reach out to the contracted pen test vendor with the current scope: in-scope IP ranges, web apps, social-engineering rules of engagement, blackout windows. Confirm the rules of engagement document is signed before the test starts, not after.

  5. Run ransomware tabletop exercise
    • Walk the IR team through a scripted scenario — encrypted file shares discovered Monday morning, backup vendor portal also impacted. Confirm playbook contacts are current (legal, cyber insurance, FBI field office) and the immutable backup chain is reachable from a clean environment.

  6. Review last quarter's IR tickets for patterns
    • Pull SEV1 / SEV2 tickets from ServiceNow / Jira / ConnectWise for the last 90 days. Group by root cause — phishing clicks, exposed services, misconfigured permissions. Repeat themes drive next quarter's awareness training and detection-engineering backlog.

Section 4: Encryption & Key Management

  1. Verify TLS 1.2+ on all public endpoints
    • Run an SSL Labs (or internal equivalent) scan against the external-facing hostname list. TLS 1.0/1.1 and weak cipher suites still slip in via legacy load balancers and forgotten subdomains. Cert expiration dates in the next 60 days get renewal tickets opened today.

  2. Audit BitLocker recovery key escrow
    • Pull the BitLocker recovery key inventory from Intune / Entra ID. Every encrypted endpoint must have its recovery key escrowed; a TPM-locked laptop with no escrowed key is a brick during recovery. FileVault PRK escrow on the macOS fleet gets the same treatment.

  3. Rotate service account credentials in PAM
    • Use CyberArk / BeyondTrust / Delinea to rotate non-managed service account passwords on the quarterly schedule. Coordinate with the application owners — service accounts hardcoded in legacy app configs will break on rotation if not refreshed first. Document any exceptions with a remediation date.

  4. Confirm backup immutability and offsite copy
    • Check Veeam / Datto / Rubrik for the 3-2-1 chain: at least one immutable copy (object-lock on S3, hardened repository, or air-gapped tape), kept in a separate trust boundary from production. A backup writable from production is a backup ransomware will encrypt alongside the source.

Section 5: Logging & SIEM Health

  1. Validate log ingestion from critical sources
    • For Sentinel / Splunk / QRadar, confirm last-event timestamps for domain controllers, firewalls, EDR, M365 audit, identity provider, and DNS. A source that stopped sending two weeks ago is the SIEM equivalent of a tree falling unwitnessed in a forest.
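
The freshness check this step describes, as an added example (not Sentinel, Splunk or QRadar code): it compares a constructed table of last-event timestamps against a per-source silence tolerance, reports the gap in hours, and treats a source that never reported at all as the worst case. The source names and tolerances are assumptions to tune to your own feeds.

```python
# Added example, not from the template: check last-event timestamps per
# source against a per-source silence tolerance (tolerances are assumptions).
from datetime import datetime, timedelta, timezone

UTC = timezone.utc

# Expected maximum silence per source; tune to what each feed normally produces.
MAX_SILENCE = {
    "domain-controllers": timedelta(minutes=15),
    "edge-firewall": timedelta(minutes=15),
    "edr": timedelta(hours=1),
    "m365-audit": timedelta(hours=6),      # M365 audit arrives batched, so be lenient
    "identity-provider": timedelta(hours=1),
    "dns": timedelta(minutes=30),
}

def stale_sources(last_event, now, max_silence=MAX_SILENCE):
    """Return {source: gap_hours} for every expected source that is silent
    beyond tolerance. A source absent from last_event is reported with
    gap_hours=None (never seen), which is the worst case."""
    stale = {}
    for source, tolerance in max_silence.items():
        seen = last_event.get(source)
        if seen is None:
            stale[source] = None
        elif now - seen > tolerance:
            stale[source] = round((now - seen).total_seconds() / 3600, 1)
    return stale

# Constructed SIEM data; check run at 2024-04-01 12:00 UTC.
NOW = datetime(2024, 4, 1, 12, 0, tzinfo=UTC)
LAST_EVENT = {
    "domain-controllers": datetime(2024, 4, 1, 11, 58, tzinfo=UTC),
    "edge-firewall": datetime(2024, 3, 18, 12, 0, tzinfo=UTC),  # silent for two weeks
    "m365-audit": datetime(2024, 4, 1, 8, 0, tzinfo=UTC),
    "identity-provider": datetime(2024, 4, 1, 11, 30, tzinfo=UTC),
    "dns": datetime(2024, 4, 1, 10, 0, tzinfo=UTC),
}  # "edr" is missing entirely: the connector never reported

if __name__ == "__main__":
    for src, gap in sorted(stale_sources(LAST_EVENT, NOW).items()):
        print(src, "never seen" if gap is None else f"{gap} h silent")
```

The gap hours for each stale source are what step 2 records as the gap window on the P1 ticket.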

  2. Open P1 ticket for missing log sources
    • Per source: file a P1 with the agent / connector owner, document the gap window in the audit log, and note compliance impact (SOC 2 CC7, HIPAA audit controls, PCI 10.x). Do not close the quarterly review until ingestion is restored or the gap is formally accepted by the security owner.

  3. Tune SIEM rules with high false-positive rate
    • Pull rule-trigger metrics for the last 90 days. Rules firing more than ~20 times per week without a real incident cause analyst fatigue and missed real alerts. Tune thresholds, add suppression for known-benign sources, or retire rules with documented justification.
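
The triage this step describes, as an added example (not from the template or any SIEM vendor): it aggregates a constructed 90-day list of rule triggers into a weekly rate, applies the ~20-per-week threshold, and suggests retirement where no trigger became a confirmed incident or suppression where some did. Rule names and counts are constructed; `confirmed_incidents` stands in for your ticket-linkage data.

```python
# Added example, not from the template: rank SIEM rules by weekly trigger
# rate over a 90-day window and flag noisy ones with no confirmed incident.
from collections import Counter

def noisy_rules(triggers, confirmed_incidents, window_days=90, per_week=20):
    """triggers: iterable of rule names, one entry per alert fired in the window.
    confirmed_incidents: {rule_name: number of alerts that became real incidents}.
    Returns [(rule, weekly_rate, action)] sorted noisiest first."""
    weeks = window_days / 7
    out = []
    for rule, n in Counter(triggers).items():
        rate = round(n / weeks, 1)
        if rate <= per_week:
            continue                       # within the fatigue threshold
        true_positives = confirmed_incidents.get(rule, 0)
        if true_positives == 0:
            action = "retire or raise threshold"            # never a real incident
        else:
            action = "add suppression for benign sources"   # keep, but cut the noise
        out.append((rule, rate, action))
    return sorted(out, key=lambda r: -r[1])

# Constructed 90-day trigger counts (hypothetical rule names).
COUNTS = {"brute-force-login": 900, "new-admin-added": 8,
          "scanner-ping-sweep": 400, "malware-detected": 300}
TRIGGERS = [rule for rule, n in COUNTS.items() for _ in range(n)]
CONFIRMED = {"malware-detected": 12}   # alerts that became SEV tickets

if __name__ == "__main__":
    for rule, rate, action in noisy_rules(TRIGGERS, CONFIRMED):
        print(f"{rule}: {rate}/week -> {action}")
```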

  4. Test alert routing through on-call tool
    • Trigger a synthetic SEV1 alert and confirm the page lands on the current on-call rotation in PagerDuty / Opsgenie. Verify escalation policy walks to the secondary if the primary doesn't ack within the SLA. Stale rotations and disabled phone numbers are common silent failures.

  5. File quarterly review report with findings
    • Compile findings, remediation tickets opened, exceptions accepted, and metric trends quarter-over-quarter. Share with the IT director and security stakeholders; archive in IT Glue / Hudu / Confluence for the next SOC 2 evidence pull.
