Dash ComplyOps v2.8.0 introduces Compliance Tasks. Compliance Tasks reworks the previous Policy Calendar/Policy Activities functionality. (Update Dash to the latest version)
The Compliance Tasks feature enables organizations to keep track of important compliance activities, document actions taken, and attach evidence. Users can create Compliance Tasks associated with Administrative Policies or define Custom Tasks related to their security program. Users can set due dates for tasks, set email and Jira reminders, and receive notifications as due dates approach.
What Is a Compliance Task?
A Compliance Task is a meeting, task, security event or review that the organization must complete at a regular interval. These activities are typically related to one or more compliance framework controls. For the organization to maintain proper levels of compliance, these activities must be completed on time and on a regular basis.
Here are a few examples of policy activities:
Review compliance policies (Policy Management Policy)
Perform a Risk Assessment (Risk Management Policy)
Test the Incident Response Plan (Incident Response Plan)
Review AWS Users and Roles (System Access Policy)
Perform Penetration Test
These security tasks are typically defined as part of your Dash policies or security program. The Compliance Tasks feature enables your team to track any of these security or compliance activities and document your evidence and results.
Creating Compliance Tasks
To create a Compliance Task, your team can take the following steps:
Go to Policy Center > Compliance Tasks > Click “Create New Task”
Or during the Policy creation process
Go to Policy Center > Compliance Policies > Edit Policy
Navigate to the question you would like to define a Compliance Task for.
Click on the “Add Task” button next to the policy question to create or edit a Compliance Task.
On creating a Compliance Task the following drawer will appear:
You will be prompted to define the following options when creating a Task:
Title - The name of the Compliance Task to be completed. Your team may consider creating Tasks to review questions, perform security tasks, or perform administrative tasks.
For Example – “Review compliance policies” or “Review role responsible for ABC”, or “Review users and roles in AWS IAM”
Description - A general description of the Compliance Task.
For Example - “Review and update all documents related to…..”, “Review all users and roles in AWS IAM…”
Task Schedule - The Task Schedule or “Due Date” for the Task you are creating.
You can set Compliance Tasks to occur one time or on a recurring basis, repeating Yearly, Monthly, Weekly, or Daily.
More options for specific months or weeks can be selected under these recurring options. For example, teams can select “Monthly” and schedule a Task to occur every 3 months (quarterly).
Assigned To - The Dash User assigned to this Task.
A user should be assigned in order to receive email notifications related to this Task.
Related Policy - The Dash policy related to this Task.
If the Task is directly related to a Dash policy or administrative standard, your team should define a “Related Policy” for the Task.
After defining the Task, you can click “Next”. You will be presented with options for setting Task reminders. The options will look like this:
All reminders are optional and can also be edited later under each individual task.
Email Reminder - Send the assigned user of a Task an email at a specific time related to the due date/schedule.
This email reminder will only be sent if you have an Assigned User for the Compliance Task.
If an email reminder is created for a date that has already occurred (for example, setting a reminder for 3 days before an event due tomorrow), an email will be sent out to the Assigned User within 30 minutes.
Jira Card Creation - Create a Jira card at a certain time related to the Task due date/schedule.
For a Jira card to be created, your team must have a Jira connection configured in the Integration Settings and the “Create Compliance Event Reminders” option enabled.
Once you have set all desired options, you may click “Create Task”. This will create your Compliance Task and add it to the Compliance Tasks Schedule. Your Task will appear in Policy Center > Compliance Tasks in Dash.
Viewing Compliance Tasks
After creating Tasks, teams can view all scheduled tasks and track and document actions taken in the Compliance Tasks view.
You can view all Compliance Tasks by navigating to Policy Center > Compliance Tasks.
Active Tasks - View all “Active” Compliance Tasks.
Completed Tasks - View all “Complete” Tasks, including tasks marked as complete and removed/archived Tasks.
Create New Task - New tasks can be created by clicking this button.
Tasks are ordered with all the overdue activities at the top, with most overdue first. The upcoming activities are sorted with soonest due Tasks first.
Managing Individual Compliance Tasks
From the Compliance Tasks page, you can click on individual Tasks to view, edit, document, and complete tasks. Individual Compliance Task Pages will look like this:
Editing and Completing Tasks
The Individual Compliance Tasks page provides options for managing the Task:
Remove Task - Remove the task from the Active Tasks list.
The task will be “Archived”, moved to the Completed Tasks list, and become un-editable; its evidence can no longer be changed.
Edit - Open the Compliance Task panel to edit Task information such as Title, Description, Frequency (Schedule), etc.
Mark as Completed - Mark the Task as “Complete”.
The task will be marked as “Complete”, moved to the Completed Tasks list, and become un-editable; its evidence can no longer be changed.
If the task is recurring, a new task will show in the Active Tasks list for the next date.
Documenting & Evidence
Dash provides options for attaching specific documentation and evidence at the bottom of each individual task. Users have the following options for Task Documentation and Evidence:
Some fields may be more or less applicable to specific Tasks.
Findings - Any security findings found during the task
Actions - Actions taken to complete tasks
Resolutions - Steps taken to resolve security findings
Files & Evidence - Documentation, reviews, and audit files may be uploaded and stored as evidence
Teams may carefully document activities related to tasks and collect evidence in order to be better prepared for security evaluation and audits.