Using Compliance Tasks
Overview
Compliance Tasks enables organizations to keep track of important security activities, document actions taken, and attach evidence. Users can set due dates for tasks, documents any notes, attach related files or evidence and set email reminders and receive notifications as due dates approach.
What Is a Compliance Task?
A Compliance Task is a security event, administrative task, or review that the organization must complete on a regular interval. These activities are usually connected to at least one or more compliance framework controls.
Here are a few examples of Compliance Tasks:
Compliance Task | Related Policy | Compliance Requirement |
|---|---|---|
Perform a Risk Assessment | Risk Management Policy | SOC 2 CC3.1 - COSO Principle 6: The entity specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives. HIPAA 164.308(a)(1)(ii)(B) Risk Management |
Review IAM Users and Roles | System Access Policy | SOC 2 CC6.3 - The entity authorizes, modifies, or removes access to data, software, functions, and other protected information assets based on roles HIPAA 164.312(a)(1) Access Control 164.312(a)(2)(i) Unique User Identification |
Review Audit Logs | Auditing Policy | SOC 2 CC7.2 - The entity monitors system components and the operation of those components for anomalies.. HIPAA 164.308(a)(5)(ii)(C) Log-in Monitoring |
Test the Incident Response Plan | Incident Response Plan | SOC 2 CC7.4 - The entity responds to identified security incidents by executing a defined incident response program.. HIPAA 164.308(a)(6)(i) Security Incident Procedures |
In order for an organization to maintain administrative standards and compliance requirements, security tasks should be tracked and conducted on a regular basis. These security tasks are typically defined as part of your Dash policies or security program. Dash Compliance Tasks enables your team to track these security or compliance activities and document your evidence and results.
Users can use Dash Compliance Tasks to:
Adopt Prebuilt Dash Tasksets - To create a set of ongoing tasks designed for meeting requirements and tracking evidence for specific compliance framework (HIPAA, SOC 2, etc)
Create Custom Tasks - To track one-time or recurring security and compliance tasks, and
Create A Compliance Taskset
In order to create a Compliance Task, you team can take the following steps
Login to Dash ComplyOps
In the left sidebar → Go to “Compliance Task” page
Click the “Create New Task/Taskset” button
You will be presented with a modal and options for creating a new task or a new task set
Dash ComplyOps provide the following prebuilt tasksets to jumpstart your compliance processes
Baseline Security - Security tasks recommended for ALL users and security programs
HIPAA/HITECH - Specific tasks and administrative requirements for HIPAA/HITECH compliance
SOC 2 - Specific tasks and administrative requirements for SOC 2 Type 1/Type 2 preparation
GDPR - Specific tasks for administrative requirements for GDPR compliance
We recommend enable tasksets as a baseline set of security tasks and then customizing and adding your own tasks to your Dash security program.
Click the “View Suggested Tasks” button to preview tasks for creation.
Check/uncheck all tasks that you would like to create.
The page lists all Compliance Tasks recommended for meeting security objective/compliance standard as well as the priority and frequency of these tasks.
Most of these options can be customized after the task creation
Scroll to the bottom and click the “Create Tasks” button.
You will see all of the new tasks in your Active Tasks list.
Note: If you “Create Tasks” for the same taskset multiple times you will see duplicates of the same tasks. So it is recommended that teams only implement up to 1 of each taskset.
Creating Compliance Tasks
In order to create a Compliance Task, you team can take the following steps
Login to Dash ComplyOps
In the left sidebar → Go to “Compliance Task” page
Click the “Create New Task/Taskset” button
You will be presented with a modal and options for creating a new task or a new task set
Click the “Create Task” button
You will be prompted to define the following options when creating a Task:
Task Name - The name of the Compliance Task to be completed. Your team may consider creating Tasks to perform security tasks, cloud operations or perform administrate tasks.
For Example – “Perform security assessment” or “Review role responsible for ABC”, or “Review Logs ABC”
Task Description - A general description of the Compliance Task.
For Example - “Review and update all documents related to…..”, “Review all users and roles in AWS IAM…”
Tags - Tags used for better organizing and seeing related issues.
You may consider adding tags related to category such as “Audit Logs”, etc
Priority - The priority related to a specific Task
The task priority can be set as Low, Medium, High or Critical.
Assignment - The Dash User assigned to this Task.
A user should be assigned in order to receive email notifications related to this Task.
Due Date - The “Due Date” for the Task you are creating.
Frequency - How frequently this task will occur.
Your can set Compliance Tasks to occur one-time or on a recurring basis - repeating Weekly, Monthly, Quarterly, or Annually.
Reminder - The Dash policy related to this Task.
Emails Reminders will be sent to the email of the user who is “Assigned” to the Task.
If a user is not assigned to the Task, the reminder will be sent to the Task creator.
Once you have entered all relevant information, click “Create Task”
You will see the new task in your Active Tasks list.
Viewing Compliance Tasks
After creating Tasks, teams can view all scheduled tasks and track and document actions taken in the Compliance Tasks view.
You can view all Compliance Tasks by navigating to Policy Center > Compliance Tasks.
Active Tasks - View all “Active” Compliance Tasks.
Completed Tasks - View all “Complete” Tasks, including tasks marked as complete.
Archived Tasks - View all “Archived” or “Removed” tasks
Create New Task - New tasks can be created by click on this button.
Tasks are ordered with all the overdue activities at the top, with most overdue first. The upcoming activities are sorted with soonest due Tasks first.
Managing Individual Compliance Tasks
From the Compliance Tasks page, you can click on an individual Tasks to view, edit, document, and complete tasks. Individual Compliance Task Pages will look like this:
Editing and Completing Tasks
The Individual Compliance Tasks page provides options for managing the Task:
Archive - Remove the task from the Active Tasks list.
The task will be “Archived”, moved to the Completed Tasks list and become un-editable, evidence will be unable to be changed.
Edit - Show options for editing Task information such as Assigned User, Description, Frequency (Schedule), Reminders, etc.
Mark as Completed - Mark the Task as “Complete.
The task will be marked as “Complete”, moved to the Completed Tasks list and become un-editable, evidence will be unable to be changed.
If the task is recurring, a new task will show in the Active Tasks list for the next date.
Documentation & Task Timeline
Dash provides options for attaching specific documentation and evidence at the bottom of each individual task. Users have the following options for Task Documentation and Evidence:
Some fields may be more or less applicable to specific Tasks.
Note - Any notes related to this Task or processes.
Findings - Any security findings found during the task
Actions - Actions taken to complete tasks
Resolutions - Steps taken to resolve security findings
As documentation is added, it will show on the Task History section:
This allows your team to keep a log of communication and keep evidence of actions taken
File Upload & Evidence
Documentation, reviews, and audit files may be uploaded and stored as evidence
Teams may carefully document activities related to tasks and collect evidence in order to be better prepared for security evaluation and audits.
