Quarterly Security Review Checklist
Security Governance & Policy
Walk the acceptable use, access control, change management, and incident response policies against CIS Controls v8 IG1/IG2 requirements. Flag any policy that hasn't been reviewed by the CISO or vCIO in the last 12 months — auditors treat stale policies as a finding even when the underlying control is operating.
Verify named owners for incident response, vulnerability management, access reviews, and vendor risk. Departures and reorgs since last quarter are the common gotcha — an unowned control is a guaranteed audit finding.
Run a 60-minute tabletop with the IR commander, scribe, comms lead, legal, and exec sponsor. A ransomware-on-the-file-server scenario or a compromised admin credential tests the paging tree, the GDPR Article 33 72-hour notification clock, and the customer comms plan in one pass.
Walk the risk register, update inherent and residual scores, and capture any new risks introduced by changes since last review. Attach the updated register or a Vanta/Drata export as evidence.
Conditional item, triggered when any residual risk score exceeds the stated risk appetite. Walk the top three Red items, propose accept/transfer/mitigate/avoid for each, and capture sign-off in the management review minutes as ISO 27001 Clause 9.3 evidence.
Network Security Controls
Export the rule base from Palo Alto, Fortinet, or pfSense and flag rules with zero hits in 90 days, any-any rules, and rules tied to decommissioned hosts. Tighten or remove. Stale ALLOW rules from a former vendor's IP range are the recurring offender.
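One way to run that rule-base triage offline, as an added example that is not Palo Alto, Fortinet or pfSense tooling: it assumes the rule base has already been exported to CSV with the columns shown below (a real vendor export needs a column mapping), and uses a constructed five-rule sample plus a constructed list of decommissioned hosts from the CMDB. Hit counters on most platforms are cumulative, so "zero hits in 90 days" is evaluated from the last-hit timestamp, not the counter alone.

```python
"""Audit a firewall rule-base CSV export for stale, over-broad and orphaned ALLOW rules.

Added example, not vendor tooling. Column names are this example's own.
"""
import csv
import io
from datetime import date, timedelta

REVIEW_DATE = date(2024, 6, 3)  # fixed so the example is reproducible

# Constructed sample export (not from any real firewall).
RULES_CSV = """name,action,src,dst,service,hit_count,last_hit,enabled
allow-web,allow,any,10.0.10.0/24,tcp/443,15234,2024-06-01,yes
allow-any-any,allow,any,any,any,42,2024-05-30,yes
vendor-vpn,allow,203.0.113.0/24,10.0.20.5,tcp/22,7,2023-11-02,yes
legacy-backup,allow,10.0.30.7,10.0.40.9,tcp/873,0,,yes
deny-all,deny,any,any,any,99999,2024-06-01,yes
"""

# Hosts the CMDB says were decommissioned (constructed). Exact-match on address;
# a real check would also test subnet membership.
DECOMMISSIONED_HOSTS = {"10.0.40.9"}


def parse_date(value):
    """Empty last_hit means the rule has never matched."""
    return date.fromisoformat(value) if value else None


def audit_rules(csv_text, today, decommissioned, stale_days=90):
    """Return {rule_name: [reasons]} for ALLOW rules that need tightening or removal.

    Only enabled ALLOW rules are flagged: the explicit any-any DENY at the bottom
    of the base is the expected cleanup rule, not a finding.
    """
    cutoff = today - timedelta(days=stale_days)
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["action"].lower() != "allow" or row["enabled"].lower() != "yes":
            continue
        reasons = []
        if row["src"] == "any" and row["dst"] == "any":
            reasons.append("any-any allow")
        last_hit = parse_date(row["last_hit"])
        # Cumulative counter: a non-zero count with an old last_hit is still stale.
        if int(row["hit_count"]) == 0 or last_hit is None or last_hit < cutoff:
            reasons.append(f"no hits in {stale_days} days")
        for endpoint in (row["src"], row["dst"]):
            if endpoint in decommissioned:
                reasons.append(f"decommissioned host {endpoint}")
        if reasons:
            findings[row["name"]] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in audit_rules(RULES_CSV, REVIEW_DATE, DECOMMISSIONED_HOSTS).items():
        print(f"{name}: {', '.join(reasons)}")
```

Attach the output to the review ticket alongside the raw export; the export is the evidence, the script only narrows what a human looks at.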
Run an SSL Labs or testssl.sh sweep against the public asset inventory. Reject TLS 1.0/1.1 and weak ciphers; PCI-DSS v4 and most browser defaults already do, but legacy admin portals and IoT gateways frequently lag.
Confirm the corporate SSID enforces certificate-based 802.1X via the IdP, not a shared PSK. The guest SSID stays segmented to a separate VLAN with no route to the production subnet.
Trace the routes from user VLAN to production VLANs and confirm only documented jump-host paths exist. Auvik or a manual nmap from a user-VLAN host validates the assumption — drift between Visio and reality is the gotcha.
Application Security Testing
Trigger Snyk, Semgrep, or GitHub Advanced Security across all production-tagged repos. Critical and high findings get a Jira ticket with a 30-day SLA; transitive npm or PyPI dependencies are the recurring source of CVEs.
Confirm scope, rules of engagement, and test window with the third-party tester. PCI-DSS v4 requires annual; SOC 2 evidence is stronger with quarterly. Attach the signed SOW and scope letter.
Cross-reference the Tenable or Wiz findings against the CISA KEV catalog. CISA BOD 22-01 gives federal agencies two weeks to remediate newly added KEV entries (six months for CVEs assigned before 2021); adopt the 14-day window internally regardless of sector. CVSS alone misses what is actually being exploited.
Data Protection & Backup
Run the AWS Config or Wiz query for unencrypted volumes, snapshots, and buckets. Customer-managed KMS keys for sensitive data, AWS-managed keys acceptable for low-sensitivity. Public buckets get flagged immediately, not at next review.
Pull membership of finance, HR, and customer-data groups from the IdP and route to data owners for attestation. Capture the manager's signature on the attestation form for SOC 2 CC6.3 evidence.
Pick a random production database and a random file share and restore each from Veeam, Datto, or AWS Backup into an isolated VPC. Measure actual RTO against the documented target. Quarterly is the floor — backups that haven't been restored aren't backups.
A failed restore is a Sev-2 in PagerDuty until proven otherwise. Document the failure mode (corrupted snapshot, missing key, broken job) and the recovery path. This becomes evidence in the next SOC 2 walkthrough — auditors specifically ask about failed-restore disposition.
Endpoint & Identity Hardening
Reconcile the CrowdStrike or SentinelOne console against the MDM inventory in Jamf or Intune. Any endpoint in MDM but not in EDR is a gap; any endpoint in EDR but not in MDM is a likely shadow asset.
Push the EDR installer via MDM to each uncovered device and confirm check-in. If a device is offline more than 7 days, escalate to the manager — abandoned-laptop-in-a-drawer is the typical root cause.
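The reconciliation in the two steps above, as an added example that is not CrowdStrike, SentinelOne, Jamf or Intune code: both exports are constructed CSVs with this example's own column names, joined on hardware serial because hostnames drift between tools. It reports the three populations the review cares about: in MDM but not EDR (push the installer), in EDR but not MDM (probable shadow asset), and uncovered devices that have not checked in for more than 7 days (escalate to the manager).

```python
"""Reconcile an EDR console export against the MDM inventory (added example)."""
import csv
import io
from datetime import date, timedelta

REVIEW_DATE = date(2024, 6, 3)  # fixed so the example is reproducible

# Constructed EDR export. Serial case differs from the MDM export on purpose:
# real exports rarely agree, so normalize before joining.
EDR_CSV = """hostname,serial,last_seen
JDOE-MBP,c02abc1,2024-06-03
build-01,C02ABC3,2024-06-02
unknown-laptop,C02ABC9,2024-06-01
"""

# Constructed MDM export.
MDM_CSV = """device_name,serial,last_checkin,owner
jdoe-mbp,C02ABC1,2024-06-02,jdoe
asmith-mbp,C02ABC2,2024-05-20,asmith
build-01,C02ABC3,2024-06-03,platform
"""


def load(csv_text, serial_col, seen_col):
    """Index rows by normalized serial; serial is the join key because hostnames drift."""
    out = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        serial = row[serial_col].strip().upper()
        row["_seen"] = date.fromisoformat(row[seen_col])
        out[serial] = row
    return out


def reconcile(edr_csv, mdm_csv, today, offline_days=7):
    edr = load(edr_csv, "serial", "last_seen")
    mdm = load(mdm_csv, "serial", "last_checkin")
    missing_edr = sorted(set(mdm) - set(edr))   # coverage gap: push the EDR installer via MDM
    shadow = sorted(set(edr) - set(mdm))        # likely shadow asset: find the owner, enroll or retire
    cutoff = today - timedelta(days=offline_days)
    # Uncovered devices that MDM has not heard from either cannot receive the push; escalate.
    offline = sorted(s for s in missing_edr if mdm[s]["_seen"] < cutoff)
    return {"missing_edr": missing_edr, "shadow_assets": shadow, "offline_uncovered": offline}


def run():
    return reconcile(EDR_CSV, MDM_CSV, REVIEW_DATE)


if __name__ == "__main__":
    for bucket, serials in run().items():
        print(bucket, serials)
```

The owner column from the MDM side is what turns the offline list into a manager escalation; keep it in the output when adapting this to a real export.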
Pull the MFA factor report from Okta or Entra ID for admin, break-glass, and SOC analyst accounts. SMS and email codes do not count as MFA for privileged access — phishing-resistant FIDO2 hardware key or platform passkey only.
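A way to evaluate that factor report programmatically, as an added example that is not Okta or Entra ID code: the factor records mimic the shape of Okta's user-factors API objects (factorType, provider, status), while the accounts, logins and group names are constructed. Which factor types count as phishing-resistant is this example's stated policy, and an account keeps getting flagged while an SMS or email factor remains enrolled, because a fallback factor is the one an attacker steers the login toward.

```python
"""Flag privileged accounts without a phishing-resistant MFA factor (added example)."""

PRIVILEGED_GROUPS = {"admin", "break-glass", "soc-analyst"}  # constructed group names

# Assumed policy: only origin-bound authenticators (FIDO2 hardware keys and
# platform passkeys, both reported as webauthn) satisfy the privileged-access bar.
# SMS, voice, email and security questions are not MFA for privileged access at all;
# TOTP and push are second factors but phishable, so they satisfy nothing here either.
PHISHING_RESISTANT = {"webauthn", "u2f"}
NOT_MFA = {"sms", "call", "email", "question"}

# Constructed account list shaped like a factor export.
ACCOUNTS = [
    {"login": "admin1@example.com", "groups": ["admin"],
     "factors": [{"factorType": "webauthn", "provider": "FIDO", "status": "ACTIVE"},
                 {"factorType": "sms", "provider": "OKTA", "status": "ACTIVE"}]},
    {"login": "breakglass@example.com", "groups": ["break-glass"],
     "factors": [{"factorType": "token:software:totp", "provider": "OKTA", "status": "ACTIVE"}]},
    {"login": "soc1@example.com", "groups": ["soc-analyst"],
     "factors": [{"factorType": "webauthn", "provider": "FIDO", "status": "PENDING_ACTIVATION"},
                 {"factorType": "email", "provider": "OKTA", "status": "ACTIVE"}]},
    {"login": "dev@example.com", "groups": ["engineering"],
     "factors": [{"factorType": "sms", "provider": "OKTA", "status": "ACTIVE"}]},
]


def active_types(account):
    """Only ACTIVE enrollments count; a pending hardware key protects nothing yet."""
    return {f["factorType"] for f in account["factors"] if f["status"] == "ACTIVE"}


def audit_privileged_mfa(accounts):
    """Return {login: [reasons]} for privileged accounts that fail the policy."""
    findings = {}
    for acct in accounts:
        if not PRIVILEGED_GROUPS & set(acct["groups"]):
            continue  # non-privileged accounts are out of scope for this check
        types = active_types(acct)
        reasons = []
        if not types & PHISHING_RESISTANT:
            reasons.append("no active phishing-resistant factor")
        for weak in sorted(types & NOT_MFA):
            reasons.append(f"weak factor still enrolled: {weak}")
        if reasons:
            findings[acct["login"]] = reasons
    return findings


if __name__ == "__main__":
    for login, reasons in audit_privileged_mfa(ACCOUNTS).items():
        print(f"{login}: {', '.join(reasons)}")
```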
Rank KEV entries first, then by EPSS descending, with CVSS as the tiebreaker. The order matters: a CVSS 9.8 with EPSS 0.01 and no KEV listing waits behind a CVSS 7.4 KEV entry that is being exploited in the wild, because exploitation evidence, not base severity, sets the patch queue.
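The KEV cross-reference step and this ranking step, carried through in one added example that is not Tenable, Wiz or CISA code. The KEV excerpt mirrors the shape of the public feed (a vulnerabilities array with cveID and dueDate) but is constructed with placeholder IDs; the scanner rows, assets and internal SLA table are constructed as well. KEV entries get the 14-day window regardless of score; everything else is due by the CVSS band.

```python
"""Join scanner findings against the CISA KEV catalog and rank by exploitation evidence.

Added example. The KEV JSON shape mirrors the public feed; IDs and scan rows are constructed.
"""
import json
from dataclasses import dataclass
from datetime import date, timedelta

KEV_SLA_DAYS = 14  # internal mirror of the BOD 22-01 two-week window
CVSS_SLA_DAYS = {"critical": 30, "high": 30, "medium": 90, "low": 180}  # assumed internal SLAs

# Constructed KEV excerpt (placeholder CVE IDs, not real vulnerabilities).
KEV_JSON = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-0000-1002", "dateAdded": "2024-05-20", "dueDate": "2024-06-10"},
    {"cveID": "CVE-0000-1004", "dateAdded": "2024-05-28", "dueDate": "2024-06-18"},
]})

# Constructed scanner export: one row per (CVE, asset) with CVSS base score and EPSS probability.
SCAN_ROWS = [
    {"cve": "CVE-0000-1001", "asset": "web-1", "cvss": 9.8, "epss": 0.01, "detected": "2024-06-03"},
    {"cve": "CVE-0000-1002", "asset": "vpn-1", "cvss": 7.4, "epss": 0.93, "detected": "2024-06-03"},
    {"cve": "CVE-0000-1003", "asset": "db-1", "cvss": 8.1, "epss": 0.45, "detected": "2024-06-03"},
    {"cve": "CVE-0000-1004", "asset": "mail-1", "cvss": 5.3, "epss": 0.02, "detected": "2024-06-03"},
]


@dataclass
class Finding:
    cve: str
    asset: str
    cvss: float
    epss: float
    detected: date
    kev: bool
    due: date


def kev_ids(kev_json):
    """Set of CVE IDs currently in the catalog."""
    return {v["cveID"] for v in json.loads(kev_json)["vulnerabilities"]}


def cvss_band(score):
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"


def enrich(rows, kev):
    """Attach KEV membership and the internal due date to each scanner row."""
    out = []
    for r in rows:
        detected = date.fromisoformat(r["detected"])
        in_kev = r["cve"] in kev
        days = KEV_SLA_DAYS if in_kev else CVSS_SLA_DAYS[cvss_band(r["cvss"])]
        out.append(Finding(r["cve"], r["asset"], r["cvss"], r["epss"],
                           detected, in_kev, detected + timedelta(days=days)))
    return out


def prioritize(findings):
    # KEV first (confirmed exploitation), then EPSS (predicted), CVSS as the tiebreaker.
    return sorted(findings, key=lambda f: (not f.kev, -f.epss, -f.cvss))


def review_queue():
    return prioritize(enrich(SCAN_ROWS, kev_ids(KEV_JSON)))


if __name__ == "__main__":
    for f in review_queue():
        print(f"{f.cve} {f.asset} cvss={f.cvss} epss={f.epss} kev={f.kev} due={f.due}")
```

The catalog's own dueDate is the federal deadline and is kept only for reference here; the internal clock starts at detection, which is the date an auditor will ask about.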
Run AWS IAM Access Analyzer or Wiz to flag roles with unused permissions over 90 days. Service principals and CI/CD roles are usually the worst offenders — temporary admin granted for a one-time migration that nobody walked back.
Workforce Security & Awareness
Send a KnowBe4 or Hoxhunt campaign mirroring a current threat — vendor invoice, MFA-fatigue prompt, or HR policy update. Click rate above 5% triggers targeted retraining for repeat clickers.
Pull the repeat-clicker list from KnowBe4 and assign the 15-minute remediation module. Notify the employee's manager: clicking in more than two consecutive cycles is a conversation, not just another module.
Cross-check the HRIS new-hire list against the Checkr or Sterling completion report. SOC 2 CC1.4 requires evidence the check completed before access was granted, not just that it was ordered.
Personal phones accessing corporate email must be enrolled in Intune, Jamf, or Kandji with conditional access enforcing PIN, encryption, and remote-wipe. Unenrolled devices get blocked at the IdP — confirm the conditional-access policy is in enforce mode, not report-only.
Trigger HashiCorp Vault or AWS Secrets Manager rotation for service accounts whose credentials are over 90 days old. Long-lived service account passwords last rotated in 2019 are the classic finding — migrate to managed identities or OIDC where the credential never lands on disk.
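Finding the over-age static credentials in the first place, as an added example that is not Vault or Secrets Manager code: it parses the CSV that `aws iam get-credential-report` returns (base64-decoded), whose column layout is AWS's, while the rows, account ID and user names below are constructed. Active access keys and enabled console passwords older than the window are listed; non-date values in the report (N/A, no_information, not_supported) mean the credential does not exist or the field does not apply, and are skipped rather than treated as age zero.

```python
"""List IAM credentials older than the rotation window from the credential report (added example)."""
import csv
import io
from datetime import datetime, timezone

MAX_AGE_DAYS = 90
NOW = datetime(2024, 6, 3, tzinfo=timezone.utc)  # fixed so the example is reproducible

# Constructed credential report in the AWS column layout (account ID and users are fictional).
REPORT_CSV = """user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2018-01-05T09:00:00+00:00,true,2024-05-01T08:00:00+00:00,not_supported,not_supported,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
svc-backup,arn:aws:iam::123456789012:user/svc-backup,2019-03-04T10:22:11+00:00,false,N/A,N/A,N/A,false,true,2019-03-04T10:22:11+00:00,2024-06-02T01:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
deploy-ci,arn:aws:iam::123456789012:user/deploy-ci,2023-08-10T12:00:00+00:00,false,N/A,N/A,N/A,false,true,2024-05-01T00:00:00+00:00,2024-06-03T00:00:00+00:00,us-east-1,ecr,true,2023-08-10T12:00:00+00:00,no_information,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::123456789012:user/alice,2022-02-01T00:00:00+00:00,true,2024-06-02T09:00:00+00:00,2024-01-10T00:00:00+00:00,N/A,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""


def parse_ts(value):
    """Report timestamps are ISO 8601 with offset; anything else is 'no such credential'."""
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None


def stale_credentials(report_csv=REPORT_CSV, now=NOW, max_age_days=MAX_AGE_DAYS):
    """Return [(user, credential, age_days)] for active credentials past the window."""
    stale = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        candidates = [("console password", row["password_enabled"], row["password_last_changed"])]
        for slot in ("1", "2"):  # the forgotten second key is a classic finding
            candidates.append((f"access key {slot}",
                               row[f"access_key_{slot}_active"],
                               row[f"access_key_{slot}_last_rotated"]))
        for name, active, rotated in candidates:
            if active != "true":
                continue
            ts = parse_ts(rotated)
            if ts is None:
                continue  # root password age is not_supported here; review root separately
            age = (now - ts).days
            if age > max_age_days:
                stale.append((row["user"], name, age))
    return stale


if __name__ == "__main__":
    for user, cred, age in stale_credentials():
        print(f"{user}: {cred} last rotated {age} days ago")
```

The svc-backup row is the 2019-era service account the checklist describes; the second key on deploy-ci is the quieter variant, still active and never rotated after the first key was. Both are candidates for replacement with an IAM role assumed via OIDC rather than a rotation job.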
