We are halfway through the fourth quarter and I want to see a show of hands for everyone who feels like they're scrambling to get things done in time. And let's face it, no one likes to realize they've left something out or forgotten it entirely. But with busy schedules, multiple hats to wear at work, and often over-filled plates, some things are just bound to slip through the cracks, right?
That's all fine and dandy until an auditor asks for something that you thought was completed in the last year, only to realize that it was overlooked and hasn't been touched in 18 months. Or you're surprised by that risk assessment being due to the board next week, and you have to rush through it, or delay the report entirely.
We've seen it multiple times. The never-ending list of things to do for an information security program (ISP) can easily be overlooked if not properly managed. It gets even worse when the responsibilities belong to someone who does not manage cybersecurity on a full-time basis or when they are distributed among the members of a committee.
For that reason, we learned a long time ago that managing the ISP like a project is vital to good cybersecurity governance. And while we now use our CyberSecurity Program Organization Tool (CySPOT) portal to manage and report tasks to our vCISO clients, we used to rely on a spreadsheet.
Even though an automated system like CySPOT is easier and more efficient for teams, a simple spreadsheet is a great place to start to identify what needs to be done in a 12-month cycle, who is responsible, and when it is due.
We've found that an ISP checklist can help in several ways:
1. Inventory what needs to be done
2. Clearly identify who is responsible
3. Communicate and track deadlines
4. Show auditors and examiners that you take it seriously
5. Use the filter feature to just see tasks assigned to a specific person or due in the next 30 days
To read more about the benefits or to find out more about our CySPOT portal, you can read this post from last fall:
http://bedelsecurity.com/is-it-time-to-take-the-organization-of-your-information-security-program-to-the-next-level/
And if you know someone else who can benefit from this template, please feel free to share!