HERE'S WHY
While Drata automatically monitors your controls and gathers evidence, there are some tasks that need to be completed every 12 months to ensure your company maintains its security posture. Drata will send an email notifying you of this 9 months after your first policy was approved (to allow time to reaffirm prior to the 12 month mark).
BEFORE DIVING IN
Some actions are the responsibility of people who hold the Admin or Information Security Lead role within Drata, while others may be shared with other people in your organization. Some tasks may be managed outside of Drata. In addition, there are actions your employees have to take every 12 months to maintain compliance.
HERE'S HOW
The items listed below should be updated, executed and/or implemented every 12 months, even if there are no changes from the previous year.
Complete the following in Drata:
Review, update, and approve all policies in the Policy Center
To create a new policy version that your personnel and contractors can acknowledge, you will at a minimum need to update the policy renewal date and select the option for a "material change." This allows you to proceed with a new version, which you can then approve.
Keep in mind that many frameworks require review and approval of your policies annually, so make sure to select a policy renewal date that aligns with your compliance program goals.
Once reviewed and approved, please instruct your personnel to sign in to Drata and acknowledge the policies—suggested email template
Note: Set the 'Policy Acceptance Grace Period' in the 'Information Security Policy' to give personnel a window of time to acknowledge or re-acknowledge policies before the associated tests fail.
If applicable, reset the Annual Security Awareness Training from the Personnel page for all or select individuals (or manually upload new evidence)
Complete your company's Annual Risk Assessment and upload the file to 'Evidence Library'
Review Vendor agreements, update information, and upload current compliance reports
Upload proof of annual Access Control Review
Upload current versions of the following documents to Evidence Library:
Annual Penetration Test
Architecture Diagram
Business Continuity Plan/Data Recovery Plan
Network Diagram
Review and update Account Information as needed
Upload latest evidence for any controls that do not have an automated test, including Custom Controls
Ensure current employees and contractors do the following:
Review and acknowledge policies in Drata
Complete the Annual Security Awareness Training—either within Drata or upload proof of completion
Annual compliance best practices associated with controls:
Conduct access control review
Conduct employee performance reviews
Review and update job descriptions as needed
Annual compliance tasks reminder email
Twice a year, Drata will send all admins an email reminding them to perform the tasks that are best practice to perform annually, along with a link to this article. The first email is sent 9 months after the first employee acknowledges one of your policies. The second email is sent 11 months after the first employee acknowledges one of your policies. Each of these two emails is then sent annually on the anniversary of the date it was first sent.
Additional Resources: