Quarterly Security Review Checklist

Walk the acceptable use, access control, change management, and incident response policies against CIS Controls v8 IG1/IG2 requirements. Flag any policy that hasn't been reviewed by the CISO or vCIO in the last 12 months — auditors treat stale policies as a finding even when the underlying control is operating.

Verify named owners for incident response, vulnerability management, access reviews, and vendor risk. Departures and reorgs since last quarter are the common gotcha — an unowned control is a guaranteed audit finding.

Run a 60-minute tabletop with the IR commander, scribe, comms lead, legal, and exec sponsor. A ransomware-on-the-file-server scenario or a compromised admin credential tests the paging tree, the GDPR Article 33 72-hour notification clock, and the customer comms plan in one pass.

Walk the risk register, update inherent and residual scores, and capture any new risks introduced by changes since last review. Attach the updated register or a Vanta/Drata export as evidence.

Export the rule base from Palo Alto, Fortinet, or pfSense and flag rules with zero hits in 90 days, any-any rules, and rules tied to decommissioned hosts. Tighten or remove. Stale ALLOW rules from a former vendor's IP range are the recurring offender.

Run an SSL Labs or testssl.sh sweep against the public asset inventory. Reject TLS 1.0/1.1 and weak ciphers; PCI-DSS v4 and most browser defaults already do, but legacy admin portals and IoT gateways frequently lag.

Confirm the corporate SSID enforces certificate-based 802.1X via the IdP, not a shared PSK. The guest SSID stays segmented to a separate VLAN with no route to the production subnet.

Trigger Snyk, Semgrep, or GitHub Advanced Security across all production-tagged repos. Critical and high findings get a Jira ticket with a 30-day SLA; transitive npm or PyPI dependencies are the recurring source of CVEs.

Confirm scope, rules of engagement, and test window with the third-party tester. PCI-DSS v4 requires annual; SOC 2 evidence is stronger with quarterly. Attach the signed SOW and scope letter.

Run the AWS Config or Wiz query for unencrypted volumes, snapshots, and buckets. Customer-managed KMS keys for sensitive data, AWS-managed keys acceptable for low-sensitivity. Public buckets get flagged immediately, not at next review.

Pull membership of finance, HR, and customer-data groups from the IdP and route to data owners for attestation. Capture the manager's signature on the attestation form for SOC 2 CC6.3 evidence.

Pick a random production database and a random file share and restore each from Veeam, Datto, or AWS Backup into an isolated VPC. Measure actual RTO against the documented target. Quarterly is the floor — backups that haven't been restored aren't backups.

Reconcile the CrowdStrike or SentinelOne console against the MDM inventory in Jamf or Intune. Any endpoint in MDM but not in EDR is a gap; any endpoint in EDR but not in MDM is a likely shadow asset.

Push the EDR installer via MDM to each uncovered device and confirm check-in. If a device is offline more than 7 days, escalate to the manager — abandoned-laptop-in-a-drawer is the typical root cause.

Pull the MFA factor report from Okta or Entra ID for admin, break-glass, and SOC analyst accounts. SMS and email codes do not count as MFA for privileged access — phishing-resistant FIDO2 hardware key or platform passkey only.

Sort by EPSS descending, then KEV, then CVSS. The prioritization order matters — a CVSS 9.8 with EPSS 0.01 and no KEV listing waits behind a CVSS 7.4 KEV entry being actively exploited.

Send a KnowBe4 or Hoxhunt campaign mirroring a current threat — vendor invoice, MFA-fatigue prompt, or HR policy update. Click rate above 5% triggers targeted retraining for repeat clickers.

Pull the repeat-clicker list from KnowBe4 and assign the 15-minute remediation module. Notify the employee's manager — repeat clicks beyond two cycles is a conversation, not just another module.

Cross-check the HRIS new-hire list against the Checkr or Sterling completion report. SOC 2 CC1.4 requires evidence the check completed before access was granted, not just that it was ordered.

Personal phones accessing corporate email must be enrolled in Intune, Jamf, or Kandji with conditional access enforcing PIN, encryption, and remote-wipe. Unenrolled devices get blocked at the IdP — confirm the conditional-access policy is in enforce mode, not report-only.