How many times has an auditor asked for something that you thought was completed in the last year, only to realize that it was overlooked and hadn't been touched in 18 months? How often are you surprised by the risk assessment being due to the board next week, and then hurrying through it, or having to delay the report?
We've seen it multiple times. The never-ending list of things to do for an information security program (ISP) can easily be overlooked if not properly managed. It gets even worse when the responsibilities belong to someone who does not manage cybersecurity on a full-time basis or when they are distributed among the members of a committee.
For that reason, we learned a long time ago that managing the ISP like a project is vital to good cybersecurity governance. And while we now use our CyberSecurity Program Organization Tool (CySPOT) portal to manage and report tasks to our vCISO clients, we used to rely on a spreadsheet.
Even though an automated system like CySPOT is easier and more efficient for teams, a simple spreadsheet is a great place to start to identify what needs to be done in a 12-month cycle, who is responsible, and when it is due.
To help, we're offering our template for free download here.
We've found that an ISP checklist can help in several ways:
1. Inventory what needs to be done
2. Clearly identify who is responsible
3. Communicate and track deadlines
4. Demonstrate to auditors and examiners that you take it seriously
5. Use the filter feature to just see tasks assigned to a specific person or due in the next 30 days
To read more of the benefits or to find out more about our CySPOT portal, you can read this post from last fall:
http://bedelsecurity.com/is-it-time-to-take-the-organization-of-your-information-security-program-to-the-next-level/
And if you know someone else who can benefit from this template, please feel free to share!