Recurring Tasks, as the name implies, are tasks that happen over and over again on a regular basis. Managing Recurring Tasks is an important element in any cybersecurity program. For those in regulated industries, successfully achieving and maintaining compliance requires continuous task management and review. This ensures performance of control requirements, as well as the documentation of evidence that these controls are functioning for the annual assessment.
Again, Recurring Tasks are a requirement for really all compliance structures. Ensuring that certain activities, controls, occur at a predetermined frequency ensures that you are not operating in a “set it and forget it” control environment. Most of us have experienced what happens when things are left unchecked and undocumente4d for longer periods of time.
Recurring Tasks are similar to scheduled car maintenance. In many ways, a security program should have a set of different Recurring Tasks (and associated checklists) that occur at specified recurring intervals. Your car needs an oil change every 5,000 miles and the service will usually include multiple point inspections too, like checks on fluids, hoses, wipers, filters, and brakes. At 10,000 miles, tires need to be rotated, brakes need to be inspected, wiper blades and filters need to be changed. While some of these items were checked in the more frequent service intervals, they also likely require replacement after some use. At an expanded frequency check, brake shoes and tires will need to be replaced, and eventually the rotors and other parts require inspection and replacement due to wear and tear.
Likewise, a security program has specified activities that are part of ensuring the control is operating as designed and producing the expected result. Let’s go through three examples:
A Bit About Frequency
How often a task should be performed — weekly, monthly, quarterly, annually — is largely dependent on two factors: 1) If it is required (compliance) it must be performed for example at specific time intervals or number of occurrences in a year. 2) If it is best practice and its aim is to ensure that specific controls are operating as designed, i.e., before so much time has passed that things get out of control (account/access audits) or the risks increase too much, then the frequency should be determined by the rate of risk accumulation. For example, vulnerability scanning is required by most regulations (PCI DSS, etc.) and it is also a best practice. Most regulations however do not require monthly vulnerability scanning and it is possible to remain compliant while scanning only one-time per quarter. The problem with this approach is that new vulnerabilities are often discovered weekly, so waiting three months to address a critical, exploitable vulnerability is very risky. Performed on a monthly basis, a scan is likely to catch most critical and severe vulnerabilities consistently and these can be addressed before they can be exploited.
It is perfectly fine to schedule dates that meet frequency requirements rather than organizing the activities into daily, weekly, and monthly recurrences. Simply determine how many times a task needs to be performed and schedule it accordingly.
Below are some examples of recurring tasks that every Cybersecurity Program should have along with typical or recommended frequency:
Cadence is typically defined as a rhythm or recurring sequence, as in music or a drill sergeant in the military. However, within a cybersecurity program, cadence can be seen as the motivating force, the pulse if you will, that keeps the program operating continuously. It may be the when, where, and how that the CISO or manager meets with her team but more importantly, it’s the opportunity for team members, staff and stakeholders to exchange information, share views, identify barriers, identify risks, and discuss solutions. Recurring Tasks cadence creates awareness of key issues, especially with systems and processes and in turn it can improve performance and drive critical change. This affects the performance of teams. The regular feedback, both positive and negative, creates a culture of collaboration and productivity in the workforce.
Recurring Tasks can also be used to track, measure, and discuss KPIs (Key Performance Indicators). If the recurring task is not already metric-oriented, it is usually not difficult to define a measure that can be gathered and collected. But many tasks already involve metrics such as vulnerabilities discovered, risk score, ratios and numbers.
If you have not already implemented a Recurring Tasks strategy in your organization, now is the time.