How To Manage Workflow Checks on Sprinto
What are Workflow Checks?
A workflow check is a process-driven check that reminds you to run a workflow process periodically per the defined SLA. A workflow process is typically a periodic action or status check of a system configuration that has to be done to meet compliance framework requirements.
For example, the workflow check “MFA is enabled for the critical system” requires you to check the system configuration of your critical systems and ensure that the Multi-Factor Authentication (MFA) setting is enabled. This check is periodic and requires evidence against the activated workflow check to pass it. Typical evidence for this workflow check would be a screen capture of the system view showing the MFA setting configuration for the critical system.
Another example of a workflow check is “Security training is completed.” As per the compliance framework requirement, all active staff members should undergo security training periodically, ensuring that all staff members are aware of the security protocols to follow during their regular tasks. To run this workflow check, you must create a security training campaign and ensure that all staff members complete the training. Potential evidence to upload against the workflow check would be the security training completion status for all active staff members.
Why Are Workflow Checks Important?
The popular security framework SOC 2 Type II measures the implementation and effectiveness of an organization's controls over a period of time (12 months). Hence, organizations must ensure that compliance requirements are met throughout this period across all control categories.
The workflow check reminds you to take action as per the defined SLA on the periodic security compliance tasks, such as security training completion, organization policy acknowledgment, etc. Workflow checks also help monitor the organization's risk profile, people, and vendors as it changes and grows its operations. The workflow check ensures that the organization meets the compliance framework requirements during the compliance measurement period.
How Do Sprinto’s Workflow Checks Work?
Workflow checks are process-driven monitors that help users meet the following requirements:
System Status Check: The workflow check reminds users to ensure the system is in a specific state per the compliance framework requirements. The user must run the check upon activation and upload the relevant evidence proving that the system state meets the compliance requirement. Examples of system status workflow checks are employee device status reporting, MFA configuration enabled, auto screen lock enabled, etc.
Periodic Process Adherence: A workflow check reminds users to run a compliance process periodically. Compliance processes are requirements set by the security frameworks, and users need to run the check and submit the relevant evidence as proof of process adherence. For example, a compliance framework may require that all active staff members periodically undergo security training, acknowledge organization policies, report device status, etc.
Organizations Using Third-Party Platforms: Organizations that already have infrastructure to monitor compliance requirements, such as device status monitoring, people details management, infrastructure monitoring, etc., and do not want to migrate that monitoring to Sprinto can use workflow checks to meet their compliance goals. Users can set up the required workflow checks based on their security compliance framework goals and periodically run those checks to ensure they meet the framework requirements.
Once a workflow check is added and configured, it gets activated at the frequency defined in the check’s configuration details and notifies the assigned stakeholder to take the necessary action.
The activated workflow check can be found under the “Pending work” space on the Sprinto dashboard. You can also find it under the applicable compliance sections of the app or in the dedicated “Workflow check” section.
A workflow check can be in one of the following statuses:
Note: The due date is calculated from the workflow check activation date. The SLA for a few special cases of workflow checks differs from the behavior described below.
| Status | Due Date | Description |
| --- | --- | --- |
| Due | The due date to run the workflow check is seven days or less away. | Run the workflow check and attach the relevant evidence against the check to pass it. |
| Critical | The due date to run the workflow check is two days or less away. | Run the workflow check and attach the relevant evidence against the check to pass it. |
| Failing | The due date to run the workflow check has passed. | Run the workflow check and attach the relevant evidence against the check to pass it. If required, you can mark the failing workflow check as a special case and add the necessary details describing the special case that led to the failing workflow check. |
| Passing | The workflow check has been run and completed for the current cycle. | No action is required until the next cycle activation of the workflow check. |
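The status rules above (Due at seven days or less, Critical at two days or less, Failing once the due date has passed, Passing once evidence is attached for the current cycle) are simple enough to encode, which is useful if you mirror workflow checks into your own ticketing or reporting. The following is an added example written for this article, not Sprinto's code or API: it assumes the due date is the activation date plus an SLA expressed in days (the page only says the due date is derived from the activation date), it labels checks more than seven days out as "Upcoming" because the page names no status for them, and the sample cycle is constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple


@dataclass
class WorkflowCheck:
    name: str
    activated_on: date                      # start of the current cycle
    sla_days: int                           # assumption: due date = activation date + SLA days
    evidence_uploaded_on: Optional[date] = None

    @property
    def due_date(self) -> date:
        return self.activated_on + timedelta(days=self.sla_days)


def check_status(check: WorkflowCheck, today: date) -> str:
    """Map a check to Due / Critical / Failing / Passing using the thresholds in the status table."""
    # Passing: evidence was attached during the current cycle; nothing to do until the next activation.
    if check.evidence_uploaded_on is not None and check.evidence_uploaded_on >= check.activated_on:
        return "Passing"
    days_left = (check.due_date - today).days
    if days_left < 0:
        return "Failing"       # the due date has passed
    if days_left <= 2:
        return "Critical"      # two days or less to the due date
    if days_left <= 7:
        return "Due"           # seven days or less to the due date
    return "Upcoming"          # assumption: the page names no status for checks more than 7 days out


def pending_work(checks: List[WorkflowCheck], today: date) -> List[Tuple[str, str, int]]:
    """Every activated check that still needs action, most urgent first: (name, status, days_left)."""
    rows = []
    for c in checks:
        status = check_status(c, today)
        if status == "Passing":
            continue
        rows.append((c.name, status, (c.due_date - today).days))
    return sorted(rows, key=lambda r: r[2])


# Constructed sample cycle (not data from the original page). Feb 2024 has 29 days.
TODAY = date(2024, 3, 10)
SAMPLE_CHECKS = [
    WorkflowCheck("Periodic Security Training", date(2024, 2, 20), 30),        # due 2024-03-21
    WorkflowCheck("Office365 user MFA is enabled", date(2024, 2, 10), 30),     # due 2024-03-11
    WorkflowCheck("Database backup is done regularly", date(2024, 2, 1), 30),  # due 2024-03-02
    WorkflowCheck("Staff device OS is up-to-date", date(2024, 2, 15), 30),     # due 2024-03-16
    WorkflowCheck("Risk Assessment", date(2024, 2, 15), 30, evidence_uploaded_on=date(2024, 3, 1)),
]

if __name__ == "__main__":
    for name, status, days_left in pending_work(SAMPLE_CHECKS, TODAY):
        print(f"{status:9} {days_left:+4d} days  {name}")
```

Run on the constructed sample, the failing database backup check sorts first, followed by the critical MFA check, the due device OS check, and the upcoming training check; the risk assessment check is passing and does not appear in the pending list.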
To use Workflow Checks, follow these steps:
Set up Workflow Check: Add a Workflow Check to your Sprinto app. You can add Workflow Checks through the dedicated "Workflow Check" section or through the individual compliance sections. Check out Adding Workflow Check or Adding Custom Workflow Check for more information.
Run Workflow Check: After you add and define workflow checks, you need to run each workflow check when it gets activated based on the defined activation frequency. Check out Running Workflow Check.
Activate/Deactivate Workflow Check: If an operation or process changes in your organization, you may need to deactivate a previously configured Workflow Check. Check out Deactivating or Activating Workflow Check.
Getting Started With Workflow Check:
You can get started by setting up workflow checks on Sprinto. Workflow checks can be set up in the following two ways:
Through “Workflow check” Section: Sprinto offers a dedicated “Workflow check” section on the Sprinto app, allowing you to add, manage, or run the workflow checks. You can utilize the available filters to navigate or find the relevant workflow check for you. All the workflow checks are categorized by the security compliance categories.
Through Security Compliance Sections: To activate a workflow check for a specific security compliance category, go to that section and turn on the workflow check from the respective compliance section. This way, you'll only see the checks related to that particular compliance category.
Note: Some app sections, such as Policies, Training, Risks, and Incidents, do not have workflow checks mapped by default. You cannot activate any workflow checks for these sections.
However, by default, a few workflow checks get activated based on the selected security compliance framework and its control requirements. You can find these activated workflow checks in both the Workflow checks section and the individual compliance sections.
Refer to the below user guides to learn more about adding and running a workflow check:
User Guides:
How to Add Custom Workflow Check?
Managing Workflow Checks:
You may have to perform some administrative tasks after setting up workflow checks and running them regularly. These management activities include:
If "Evidence review required" is enabled, the assigned reviewer must review the evidence submitted through these workflow checks.
Deactivating irrelevant workflow checks.
Manually triggering the workflow check cycle if there are changes in the organization.
Refer to the user guide below for more information on managing workflow checks.
User Guides:
How To Deactivate/Activate Workflow Check?
How To Review Evidence From The Workflow Check?
How To Manually Trigger The Workflow Check?
Workflow Check Details:
Following are the workflow checks that you can find under the “Workflow check” section:
Note: The additional scope of workflow checks is for users who monitor compliance parameters such as vendor management, organization policies, infrastructure monitoring, etc., themselves (outside of Sprinto) but want to ensure the compliance requirement is met on Sprinto. Users can set up the required workflow checks based on their security compliance framework goals and periodically run those checks to ensure that they meet the framework requirements.
Note: Below are a few of the most commonly used workflow checks from each compliance category. If you do not find your workflow check in the below tables, navigate to Security Hub > Workflow Check > Add workflow check, then click on the desired compliance category. You can find details of each workflow check and instructions to run the workflow check.
Staff members:
These are the workflow checks related to staff member details management:
| Workflow Check | Description | Evidence Details |
| --- | --- | --- |
| Hiring evaluations for new hires | All new hires must go through an evaluation process for all job roles. Record the evaluation report for each new hire. | Upload the hiring evaluation report as evidence against the workflow check. If required, download the report template, fill in the details, and upload it as evidence. |
| Background checks for new hires | All new hires must go through a background check that verifies the details provided by the staff member. Record the background verification report for each new hire. | Upload the background check report as evidence against the workflow check. If required, download the report template, fill in the details, and upload it as evidence. |
| Performance Evaluations | Evaluate and review all employees’ performance periodically. Record the performance evaluation report for each individual employee. | Upload the performance evaluation reports for all employees as evidence against the workflow check. |
| Security Training for new hires | All new hires must undergo the security training program designed by the organization, ensuring that they are aware of the security measures to be taken while performing their job-related activities. | Upload the security training completion status screen capture or email notification for all new hires. |
| Periodic Security Training | All staff members must undergo a periodic security training campaign. | Upload the security training completion status screen capture or email notification for all active staff members. |
Access Control:
These are the workflow checks associated with access control of the organization's infrastructure resources:
| Workflow Check | Description | Evidence Details |
| --- | --- | --- |
| Office365 user MFA is enabled | Enable Multi-Factor Authentication (MFA) on the Office365 account. | Upload a screen capture of the system view showing the MFA configuration of Office365. |
| Google Workspace user MFA is enabled | Enable MFA on the Google Workspace account. | Upload a screen capture of the system view showing the MFA configuration of Google Workspace. |
| Mongo Atlas user MFA is enabled | Enable MFA on the Mongo Atlas account. | Upload a screen capture of the system view showing the MFA configuration of Mongo Atlas. |
| Role based access control to critical systems | Control user access to all critical systems based on job role. | Upload a screen capture or file showing that access to critical systems is granted based on job role. |
| Review user access rights to view sensitive data like PAN number | Review the rights of users who can view sensitive data such as PAN numbers, personal identification numbers, etc. | Upload the list of users who have access to view the sensitive data. |
| Review user access rights to view cryptographic keys | Review the rights of users who can view the cryptographic keys. Cryptographic keys are used to access the stored encrypted data. | Upload the list of users who have access to the cryptographic keys. |
Following are the workflow checks associated with the organization’s infrastructure monitoring:
| Workflow Check | Description | Evidence Details |
| --- | --- | --- |
| Deny by default firewall ruleset should be set up on all production hosts | Configure the firewall ruleset on all production hosts to deny, by default, all internet traffic other than what the organization's policies explicitly allow. The firewall ruleset applies to both ingress and egress traffic, i.e., traffic from the Internet to internal sources and traffic from internal sources to the Internet. | Upload a screen capture of the system view showing the security groups with a deny-by-default ruleset applied to all inbound and outbound traffic. |
| Production server CPUs are monitored | Monitor the production servers' CPU utilization. Ensure CPU utilization maintains a healthy margin to avoid bottlenecks on the production server. | Upload a screen capture of the system view showing the list of instances and their monitoring. |
| Database backup is done regularly | Ensure the database is backed up regularly. You can use the database's automatic backup feature if available. | Upload a screen capture of the system view showing the list of backup instances or the auto-backup configuration of the database. |
| Database encryption enabled | Ensure that the data stored in the database is encrypted at rest or in transit. Encryption ensures the information stays secure and unreadable even if an unauthorized party gets hold of it. | Upload a screen capture of the system view showing that the data stored in the database is encrypted. |
| Database availability is monitored regularly | Ensure the availability of the database. A database with robust infrastructure maintains higher availability without impacting critical services. | Upload a screen capture of the system view showing the database's availability history. |
| Data backup restoration | Perform a data backup restoration to test the system's integrity. This test confirms that data can be restored from the last backup in a data loss or cyberattack scenario. | Upload the report from the data backup restoration activity performed internally in the organization. Learn more about the data backup restoration test. |
| Disaster recovery | Ensure that the organization has a detailed and robust disaster recovery plan. | Upload the report from the disaster recovery plan test performed internally by the organization to test the effectiveness of the recovery plan. |
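The "Deny by default firewall ruleset" check above asks for a screen capture as evidence, but before taking that capture it helps to confirm the ruleset actually is deny-by-default in both directions. The following is an added example written for this article, not Sprinto's code and not tied to any particular firewall product: it models a host ruleset generically (a default policy per direction plus explicit rules, with an assumed `note` field recording which organization policy justifies each allow) and reports every deviation. The two sample hosts are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Dict, List

CATCH_ALL_NETS = {ip_network("0.0.0.0/0"), ip_network("::/0")}


@dataclass
class Rule:
    direction: str      # "ingress" (Internet -> host) or "egress" (host -> Internet)
    action: str         # "allow" or "deny"
    cidr: str           # remote network the rule matches
    port_from: int      # 0..65535; the range 0-65535 means every port
    port_to: int
    note: str = ""      # assumed field: the organization policy that justifies the rule


@dataclass
class HostRuleset:
    host: str
    default_policy: Dict[str, str]   # direction -> "allow" or "deny"
    rules: List[Rule]


def is_catch_all_allow(rule: Rule) -> bool:
    """An allow rule matching any remote address on every port defeats deny-by-default."""
    return (rule.action == "allow"
            and ip_network(rule.cidr) in CATCH_ALL_NETS
            and rule.port_from == 0 and rule.port_to == 65535)


def audit_host(rs: HostRuleset) -> List[str]:
    """One finding per deviation from deny-by-default; an empty list means the host is compliant."""
    findings = []
    # Both directions must fall through to deny when no explicit rule matches.
    for direction in ("ingress", "egress"):
        policy = rs.default_policy.get(direction)
        if policy != "deny":
            findings.append(f"{rs.host}: default {direction} policy is {policy!r}, expected 'deny'")
    for r in rs.rules:
        if is_catch_all_allow(r):
            findings.append(f"{rs.host}: catch-all {r.direction} allow for {r.cidr} on all ports")
        if r.action == "allow" and not r.note:
            findings.append(f"{rs.host}: {r.direction} allow for {r.cidr} "
                            f"ports {r.port_from}-{r.port_to} has no policy reference")
    return findings


def audit_fleet(rulesets: List[HostRuleset]) -> Dict[str, List[str]]:
    return {rs.host: audit_host(rs) for rs in rulesets}


# Constructed sample rulesets (not exported from any real firewall or security group).
SAMPLE_FLEET = [
    HostRuleset("prod-web-1", {"ingress": "deny", "egress": "deny"}, [
        Rule("ingress", "allow", "0.0.0.0/0", 443, 443, "public HTTPS per web-tier policy"),
        Rule("egress", "allow", "10.20.0.0/16", 5432, 5432, "database tier"),
    ]),
    HostRuleset("prod-db-1", {"ingress": "deny", "egress": "allow"}, [
        Rule("ingress", "allow", "0.0.0.0/0", 0, 65535, "temporary debugging"),
        Rule("ingress", "allow", "10.20.0.0/16", 5432, 5432),
    ]),
]

if __name__ == "__main__":
    for host, findings in audit_fleet(SAMPLE_FLEET).items():
        print(host, "compliant" if not findings else "")
        for f in findings:
            print("  -", f)
```

In the constructed sample, prod-web-1 is compliant: a single-port HTTPS allow from anywhere is consistent with deny-by-default because every other port and direction still falls through to deny. prod-db-1 gets three findings: an egress default of allow, a catch-all ingress allow, and an allow rule with no policy reference.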
Management Review:
The following workflow checks are allocated for the management reviews required to ensure that the various compliance actions are taken by the assigned stakeholders:
| Workflow Check | Description | Evidence Details |
| --- | --- | --- |
| Org Structure Review | As per the compliance framework requirement, review the org structure periodically. | Upload the file showing the detailed org structure. |
| Risk Assessment Report is reviewed by management | Management must review the organization's risk assessment performed by the assigned Infosec officer. | Upload the management’s risk assessment review report. If required, copy the template, fill in the details, and upload it as evidence. |
| Vendor Risk Assessment Report is reviewed by management | Management must review the organization’s vendor risk assessment performed by the assigned Infosec officer. | Upload the management’s vendor risk assessment review report. If required, copy the template, fill in the details, and upload it as evidence. |
| Internal audit is reviewed by management | Management must review the internal audit performed within the organization. | Upload the management’s internal audit review report. If required, copy the template, fill in the details, and upload it as evidence. |
| Internal Audit | As per compliance framework requirements, an internal audit must be performed within the organization. Internal audit is an assurance and consulting activity designed to add value and improve the organization’s operations. | Upload the management’s internal audit review report. If required, copy the template, fill in the details, and upload it as evidence. |
| Review of operations by board of directors | The board of directors must review the organization’s operations at least once every 3 months. | Upload a screen capture showing the meeting invite with the board members to review the organization’s operations. |
| Internal Audit as per PCI DSS requirements | The organization must conduct an internal audit of the following areas as per PCI DSS requirements: daily log reviews; firewall rule-set reviews; applying configuration standards to new systems; responding to security alerts; change management processes; patch compliance. | Upload a screen capture or evidence file showing that all the applicable PCI DSS areas are met. |
Privacy:
The following workflow checks are designed to meet the compliance requirement for the privacy control of the organization:
| Workflow Check | Description | Evidence Details |
| --- | --- | --- |
| Management review of contractual obligations | Management must review the contractual obligations towards customers per the privacy and security frameworks. | Upload the evidence file describing the contractual obligations. Refer to the template to describe the obligations. |
| Records of Processing Activities (ROPA) & Data flow map | As per privacy frameworks like GDPR, CCPA, and others, a Record of Processing Activities (ROPA) must be maintained. You must maintain a record of all the data collected, stored, and processed for business operations. | Upload the list of activities that collect, store, and process employee-related data. Refer to the template to fill in the details and upload it as evidence. |
| Data Subject Access Requests (SARs) processed within SLA | A Data Subject Access Request (DSAR) is an inquiry made to a company by a data subject asking what personal information about them has been collected, stored, and used. Anyone who is a data subject can submit a request, which must be processed within the specified SLAs. | Upload the evidence file with details such as requestor details, purpose, internal owner, status, etc. Refer to the template to fill in the details and upload it as evidence. |
| User Consent is collected using a cookie banner | User consent must be obtained through a cookie banner before collecting or processing users' information, as required by the privacy regulations. | Upload a screen capture showing the cookie banner status and terms of service. |
| Appointment of an EU representative | An organization must appoint an EU representative to act as a point of contact between the organization, authorities, and data subjects. This demonstrates that the organization complies with all the compliance requirements. | Upload a screen capture of the document showing the EU representative appointed by the organization. |
| Appointment of a UK representative | An organization must appoint a UK representative to act as a point of contact between the organization, authorities, and data subjects. This demonstrates that the organization complies with all the compliance requirements. | Upload a screen capture of the document showing the UK representative appointed by the organization. |
| Review of the privacy policy | Organizations must review the privacy policy regularly and maintain it. The attorney must review the policy regularly to keep the company abreast of any changes per its business requirements. | Fill in the privacy policy-related details in the template, and have the attorney review the template. |
Risk Assessment:
The following workflow check is allocated for managing the risk assessment:
| Workflow Check | Description | Evidence Details |
| --- | --- | --- |
| Risk Assessment | A risk assessment assesses an organization’s risk profile based on its operations and structure. The risk assessment must be done periodically. | Upload the evidence file showing that the risk assessment has been done. |
Endpoint Security:
The following workflow checks are assigned for managing the endpoint security compliance requirement:
| Workflow Check | Description | Evidence Details |
| --- | --- | --- |
| Staff device OS is up-to-date | The staff device must run on the latest Operating System (OS). | Upload a screen capture of the system view showing the device's OS version. |
| Staff Device management | The staff device configuration must meet the organization’s device management policy. | Upload a screen capture of the device configuration showing that the device management policy is enforced. |
| Staff Devices should have Data Leakage Protection running | Data loss prevention (DLP) is a process for protecting enterprise data from loss or malicious compromise. Endpoint DLP tools are used to meet the compliance requirement. | Upload a screen capture of the system view showing the DLP tool implementation on the system. |
| Staff devices should have Web filtering enabled | Web filtering software is installed on the staff devices. Web filtering software restricts access to certain websites from the staff device to manage the device's security. | Upload a screen capture of the system view showing the web filtering software implementation. |
| Staff devices inventory should be maintained | The organization must maintain an inventory list of staff devices. | Upload the evidence file showing the inventory list of staff devices. |
| Staff devices should have Anti-Malware Detection and Prevention enabled | All critical staff devices must run an anti-malware detection and prevention solution. | Upload a screen capture of the system view showing the anti-malware detection and prevention solution implementation on all critical staff devices. |
| Staff devices should have their storage encrypted | All critical staff devices must have encrypted storage. | Upload a screen capture of the critical staff devices showing that the storage is encrypted. |
Vulnerabilities:
The following workflow checks are assigned to manage vulnerability-related compliance requirements:
| Workflow Check | Description | Evidence Details |
| --- | --- | --- |
| Vulnerability scanning is done periodically | The vulnerability scan must be done for the codebase periodically to ensure safety from external attacks. | Upload the evidence file that shows the performed vulnerability scan and identifies the following points: identified vulnerabilities; vulnerability severity; discovery date; current status; resolution date. |
| External ASV Scan | The organization must periodically perform a vulnerability scan via an external vendor that is an Approved Scanning Vendor (ASV) approved by the Payment Card Industry Security Standards Council (PCI SSC). | Upload a screen capture or scan report showing the current vulnerability status of the system. |
| Network Scan | The organization must perform a network scan periodically or whenever any significant change in the network system occurs. | Upload a screen capture or scan report showing the current network scan results for the network system. |
| External Libraries (Dependency) should be scanned for vulnerabilities | The organization must implement technical measures to identify updates for applications that use third-party or open-source libraries by leveraging global threat intelligence about threat signatures and vulnerability databases. It should also consider implementing automated and recurring processes so that human errors can be avoided. | Upload the screenshot or latest scan report showing the vulnerabilities identified in the codebase since the last evidence upload. The evidence should mention the severity of the vulnerability, the discovery date, the current status, and the date of resolution. |
| Application code should be scanned for vulnerabilities | Application code must be scanned periodically for the presence of vulnerabilities. | Upload the screenshot or latest scan report showing the vulnerabilities identified in the application since the last evidence upload. The evidence should mention the severity of the vulnerability, the discovery date, the current status, and the date of resolution. |
| Network components should be scanned for vulnerabilities | Vulnerabilities in a physical environment also apply in a virtual environment. Configuration flaws or vulnerabilities in servers, firewalls, or networks expose them to exploitation. Defense-in-depth techniques should be leveraged for physical, logical, administrative, and similar controls. | Upload the screenshot or latest scan report showing the vulnerabilities identified in the infrastructure assets or network since the last evidence upload. The evidence should mention the severity of the vulnerability, the discovery date, the current status, and the date of resolution. |
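Every scan-related row above (vulnerability scanning, dependency scanning, application code scanning, network component scanning) asks for the same evidence fields: the vulnerability, its severity, the discovery date, the current status and the resolution date, limited to what was found since the last evidence upload. The following is an added example written for this article, not Sprinto's code or any scanner's export format: it assumes the scan has been exported to a CSV with those five columns, refuses a report that lacks any of them, flags rows that would not satisfy the evidence requirement (for instance a resolved finding with no resolution date), and reduces the report to the delta since the previous upload. The sample report is constructed.

```python
import csv
import io
from collections import Counter
from datetime import date
from typing import Dict, List

# Assumed export layout: one finding per row, these five columns (the fields the check asks for).
REQUIRED_COLUMNS = ("vulnerability", "severity", "discovery_date", "status", "resolution_date")
SEVERITIES = ("critical", "high", "medium", "low")

# Constructed sample scan export (not real scanner output).
SAMPLE_REPORT = """\
vulnerability,severity,discovery_date,status,resolution_date
Outdated TLS configuration on api-gateway,high,2024-02-01,resolved,2024-02-10
Vulnerable dependency: lodash 4.17.15,critical,2024-02-12,open,
Missing HTTP security headers on www,low,2024-02-12,resolved,
Unused open port 8080 on build-runner,medium,2024-02-20,open,
"""


def parse_report(text: str) -> List[Dict[str, str]]:
    """Parse a CSV scan export; refuse one that lacks a required evidence column."""
    reader = csv.DictReader(io.StringIO(text))
    missing = [c for c in REQUIRED_COLUMNS if c not in (reader.fieldnames or [])]
    if missing:
        raise ValueError(f"report is missing required columns: {missing}")
    return list(reader)


def validate_rows(rows: List[Dict[str, str]]) -> List[str]:
    """Flag rows that would not satisfy the evidence requirement for the check."""
    problems = []
    for line_no, r in enumerate(rows, start=2):          # line 1 is the header
        status = r["status"].lower()
        if r["severity"].lower() not in SEVERITIES:
            problems.append(f"line {line_no}: unknown severity {r['severity']!r}")
        if not r["discovery_date"]:
            problems.append(f"line {line_no}: discovery date missing")
        if status == "resolved" and not r["resolution_date"]:
            problems.append(f"line {line_no}: marked resolved but has no resolution date")
        if status == "open" and r["resolution_date"]:
            problems.append(f"line {line_no}: marked open but carries a resolution date")
    return problems


def found_since(rows: List[Dict[str, str]], last_upload: date) -> List[Dict[str, str]]:
    """Findings discovered after the previous evidence upload: the delta the check asks for."""
    return [r for r in rows if date.fromisoformat(r["discovery_date"]) > last_upload]


def summarize(rows: List[Dict[str, str]]) -> Dict[str, object]:
    """Counts a reviewer would expect to see alongside the raw report."""
    by_severity = Counter(r["severity"].lower() for r in rows)
    open_count = sum(1 for r in rows if r["status"].lower() == "open")
    return {"total": len(rows), "open": open_count, "resolved": len(rows) - open_count,
            "by_severity": dict(by_severity)}


if __name__ == "__main__":
    rows = parse_report(SAMPLE_REPORT)
    for p in validate_rows(rows):
        print("evidence problem:", p)
    print(summarize(found_since(rows, date(2024, 2, 10))))
```

On the constructed sample, validation flags line 4 (resolved with no resolution date), and the delta since a 2024-02-10 upload contains three findings, two of them still open, which is what the uploaded evidence would need to show.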
Vendors:
The following workflow check is assigned for the vendor management related compliance requirement:
| Workflow Check | Description | Evidence Details |
| --- | --- | --- |
| Vendor Risk Assessment | A vendor risk assessment assesses an organization’s vendor risk profile based on the services and tools it uses. The risk assessment must be done periodically. | Upload the evidence file showing that the vendor risk assessment has been done. |
Code Repos:
| Workflow Check | Description | Evidence Details |
| --- | --- | --- |
| Peer Review of All Planned Application Code Changes | All code changes pushed to code repositories hosting production code must be peer-reviewed before deployment. | Upload the evidence file showing the peer review for each pushed code change and the reviewer details. Refer to the template to fill in the necessary details and upload it as evidence. |
| List of Code Repositories | Organizations must maintain a list of the code repositories that directly contribute to the production side of the product or service. | Upload the evidence file showing the list of code repositories. Refer to the template to fill in the necessary details and upload it as evidence. |
| Deployment Notifications | Code deployment notifications must be enabled. The assigned stakeholder must be notified of each code change deployment. | Upload a screen capture of the system view showing that the deployment notification setting is configured. |
Others:
| Workflow Check | Description | Evidence Details |
| --- | --- | --- |
| Legal, statutory, regulatory and contractual requirements should be reviewed | All relevant legislative, statutory, regulatory, and contractual requirements, and the organization’s approach to meeting them, must be explicitly identified, documented, and kept up to date. | Organizations should identify all legislation applicable to them to meet the requirements for their type of business. If the organization conducts business in other countries, your legal counsel should consider compliance in all relevant countries. Refer to the template to fill in the necessary details and upload it as evidence. |
| PCI DSS Compliance management charter | Senior management must establish cardholder data protection and a PCI DSS compliance program covering the following points: overall accountability for maintaining PCI DSS compliance; creating a PCI DSS compliance program charter and communicating it to executive management. | Upload the PCI Management Charter. Refer to the template to fill in the necessary details and upload it as evidence. |
| Information Security Management System Scope | Define the Information Security Management System (ISMS) scope. The ISMS scope must be reviewed and updated periodically. | Download a copy of the template, fill in the necessary details, and upload it as evidence against the workflow check. |
| Information Security Management System Manual | An Information Security Management System (ISMS) manual explains how the organization’s controls are implemented to comply with the security framework ISO 27001. | Download a copy of the template, fill in the necessary details, and upload it as evidence against the workflow check. |