The VRC Newsletter (September 24)

Compliance Won’t Stop Attacks. Proactive Programs Will.


Beyond the Checklist: The 90-Day Proactive Security Plan

Compliance proves controls exist. Proactive security proves they work.

Passing an audit is a snapshot. Attackers don’t run on your audit calendar. If you want to stay secure between audits, you need a short, focused plan that stabilizes basics, pressure-tests your defenses, and builds a cadence your team can sustain.

Reality Check (2025 Data)

This year’s HIPAA breach portal numbers tell the story:

  • 81% of breaches are Hacking/IT incidents

  • Most incidents hit network servers (59%) and email (27%)

  • ~33.9 million individuals affected year-to-date

These are the control surfaces to harden first.

This week, automotive giant Stellantis announced a major breach of data for North American customers after a third-party service provider’s platform was hacked. Stellantis reports it detected unauthorized access to the platform and immediately activated its incident response protocols. The incident shows how proactive compliance efforts and tested response plans can limit impact: Stellantis states that no financial or other sensitive personal information was exposed.

Day 0–30: Stabilize the Basics

Start with controls that reduce the most risk the fastest.

  • Identity: Enforce SSO + MFA on all admin, production, and third-party consoles. Remove dormant and shared accounts.

  • Logging: Ensure system, access, and email security logs are enabled, retained, and reviewable; capture admin actions.

  • Backups: Verify backup coverage and successful restores for critical systems and email. Document the last test date.

  • Email hardening: Tighten phishing filters, attachment policies, and external sender banners; enable user-reporting.

  • Server exposure: Patch internet-facing services, rotate keys, and confirm endpoint protection is healthy across servers.
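The identity step above (and the monthly access review later in this issue) comes down to three questions per privileged account: is MFA enforced, has it been used recently, and does one accountable person own it? The script below is an added illustration, not VanRein Compliance tooling or VRC1 functionality. The account export format, the `PRIVILEGED_SCOPES` set and the 90-day dormancy threshold are assumptions; map your IdP's export onto the `Account` fields and use the thresholds from your own policy.

```python
"""Privileged-account review over a constructed identity export (added example).

Produces the three finding lists the 0-30 day plan targets: privileged consoles
without MFA, dormant accounts, and shared accounts with no single owner.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Account:
    name: str
    scope: str                  # assumed values: "admin", "production", "vendor", "user"
    mfa_enforced: bool
    last_login: Optional[date]  # None = never logged in
    owner: Optional[str]        # None = no single accountable person (shared)


# Scopes treated as privileged consoles; assumption, adjust to your environment.
PRIVILEGED_SCOPES = {"admin", "production", "vendor"}


def review_accounts(accounts: List[Account], as_of: date,
                    dormant_days: int = 90) -> Dict[str, List[str]]:
    """Return sorted account names per finding type.

    no_mfa  : privileged-scope account without enforced MFA
    dormant : no login within dormant_days (or never logged in)
    shared  : no individual owner on record
    """
    cutoff = as_of - timedelta(days=dormant_days)
    findings: Dict[str, List[str]] = {"no_mfa": [], "dormant": [], "shared": []}
    for acct in accounts:
        if acct.scope in PRIVILEGED_SCOPES and not acct.mfa_enforced:
            findings["no_mfa"].append(acct.name)
        if acct.last_login is None or acct.last_login < cutoff:
            findings["dormant"].append(acct.name)
        if acct.owner is None:
            findings["shared"].append(acct.name)
    for key in findings:
        findings[key].sort()
    return findings


def review_summary(findings: Dict[str, List[str]]) -> List[str]:
    """One ticket-ready line per finding type, for the evidence folder."""
    labels = {"no_mfa": "Enforce MFA", "dormant": "Disable or remove",
              "shared": "Assign owner or remove"}
    return [f"{labels[k]}: {', '.join(v) if v else 'none'}" for k, v in findings.items()]


# Constructed sample export; dates are relative to a constructed review date.
AS_OF = date(2025, 9, 24)
SAMPLE_ACCOUNTS = [
    Account("alice", "admin", True, AS_OF - timedelta(days=3), "alice"),
    Account("bob", "production", False, AS_OF - timedelta(days=10), "bob"),
    Account("svc-backup", "production", True, AS_OF - timedelta(days=200), None),
    Account("vendor-portal", "vendor", False, None, "acme-support"),
    Account("ops-shared", "admin", True, AS_OF - timedelta(days=1), None),
    Account("carol", "user", False, AS_OF - timedelta(days=5), "carol"),
]

if __name__ == "__main__":
    for line in review_summary(review_accounts(SAMPLE_ACCOUNTS, AS_OF)):
        print(line)
```

Note that `carol` is a non-privileged user without MFA and is deliberately not flagged under `no_mfa`; the plan prioritizes admin, production and third-party consoles first, and widening `PRIVILEGED_SCOPES` is how you extend the review later.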

💡 VanRein Compliance partners with you to enforce SSO/MFA, enable and retain key logs, validate a live backup restore, harden email and internet-facing servers, and track policies in VRC1 so you can show progress immediately.

Days 31–60: Pressure-Test Your Defenses

Turn controls into muscle memory.

  • Tabletop exercise (ransomware/vendor compromise): Walk through containment, comms, restores, and notifications. Capture action items with owners and dates.

  • Phishing simulations + coaching: Run targeted campaigns, then coach teams; track improvement, not just click rates.

  • High-risk vendor attestations: Collect AI data-handling commitments (no training on your data, retention limits, region boundaries) and breach SLAs.

  • Incident playbooks: Finalize step-by-step runbooks for ransomware, email takeover, and vendor breach scenarios.

💡 VanRein Compliance facilitates tabletop exercises, helps you run targeted phishing simulations with coaching, and assists in drafting vendor AI/data-handling attestations with contract language (no-training, retention, region boundaries, breach SLAs).

Days 61–90: Prove and Sustain

Make your program visible and repeatable.

  • Evidence folder: Centralize current policies, screenshots, logs, training certs, tabletop notes, and vendor evidence.

  • Access recertification: Review privileged access for admins, service accounts, and vendors; remove or right-size entitlements.

  • Change hygiene: Track production changes with tickets, approvals, and rollbacks; sample for completeness each week.

  • Log reviews: Assign owners to review identity, endpoint, and email alerts; escalate anomalies with tickets.

💡 VanRein Compliance helps you assemble an audit-ready evidence folder in VRC1, run an admin access review, formalize change-management sampling, and set a log-review rhythm for leadership.

Framework Mapping

  • SOC 2: Access (CC6), monitoring (CC7), change management (CC8), vendor risk (CC9)

  • HIPAA Security Rule: Risk analysis, access controls, audit controls, integrity, transmission security

  • ISO 27001: Asset management, access control, logging/monitoring, supplier relationships, backup, change

  • NIST CSF 2.0: Govern → Identify → Protect → Detect → Respond → Recover

📬 Already a VRC client? We can bundle our services saving you money and time!

Bottom Line

Audits confirm you have controls. Proactive practice confirms they work when it counts. A focused 90-day plan—stabilize, test, prove—turns compliance from a point-in-time checkbox into a living security habit that withstands real attacks.

📞 Book a Proactive Defense Session
VanRein Compliance will run your tabletops, launch phishing drills, lock down vendor AI commitments, and stand up a cadence that keeps you secure between audits.


Make It a Habit: Security Cadence That Sticks

Security isn’t a project. It’s a calendar.

Audits happen once or twice a year. Attacks happen every day. The way you stay secure between audits is by giving security a predictable rhythm: the right reviews, at the right pace, owned by the right people. Here’s a cadence you can put on the calendar and actually keep.

Monthly: Keep the Pulse

Short, recurring tasks that prevent drift.

  • Risk register updates tied to real changes (new systems, vendors, data flows).

  • Access reviews for admins, service and break-glass accounts; kill dormant and shared creds.

  • AI hygiene checks: spot-check prompt/output logs, retention settings, and “no training” flags.

  • Vulnerability triage with SLA tracking; patch high/critical items first.

  • Telemetry sanity: review identity, endpoint, email, and server alerts; ticket anomalies.

  • Vendor watch: note incidents, subprocessor changes, and renewal deadlines.
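"Vulnerability triage with SLA tracking; patch high/critical items first" is easy to state and easy to lose track of once findings pile up. The script below is an added example, not a VRC tool: it takes a constructed list of findings, computes each one's remediation due date from a per-severity SLA table, and returns the monthly triage list with open and overdue items first, ordered critical to low. The `SLA_DAYS` values are assumptions; substitute the targets from your own vulnerability management policy.

```python
"""Monthly vulnerability triage with SLA tracking (added example).

Each finding gets a due date (discovered + SLA days for its severity) and a
status: open, overdue, fixed_in_sla, or fixed_late. The triage list puts
unresolved items first, highest severity first, earliest due date first.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Remediation SLA in days per severity. Constructed values; use your policy's.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
SEVERITY_RANK = {sev: i for i, sev in enumerate(SLA_DAYS)}  # critical = 0


@dataclass(frozen=True)
class Finding:
    id: str
    severity: str
    discovered: date
    fixed: Optional[date] = None   # None = still open


def due_date(f: Finding) -> date:
    return f.discovered + timedelta(days=SLA_DAYS[f.severity])


def status(f: Finding, as_of: date) -> str:
    due = due_date(f)
    if f.fixed is not None:
        return "fixed_in_sla" if f.fixed <= due else "fixed_late"
    return "overdue" if as_of > due else "open"


def triage(findings: List[Finding], as_of: date) -> List[Dict]:
    """Triage rows: unresolved first, then by severity rank, then by due date."""
    rows = []
    for f in findings:
        st = status(f, as_of)
        overdue_days = max(0, (as_of - due_date(f)).days) if f.fixed is None else 0
        rows.append({"id": f.id, "severity": f.severity, "due": due_date(f),
                     "status": st, "days_overdue": overdue_days})
    rows.sort(key=lambda r: (r["status"] not in ("open", "overdue"),
                             SEVERITY_RANK[r["severity"]], r["due"]))
    return rows


def overdue_ids(findings: List[Finding], as_of: date) -> List[str]:
    """Finding IDs past their SLA, in triage order; the list to escalate with tickets."""
    return [r["id"] for r in triage(findings, as_of) if r["status"] == "overdue"]


def sla_compliance(findings: List[Finding]) -> Optional[float]:
    """Fraction of closed findings fixed within SLA (None if nothing closed yet)."""
    closed = [f for f in findings if f.fixed is not None]
    if not closed:
        return None
    in_sla = sum(1 for f in closed if f.fixed <= due_date(f))
    return in_sla / len(closed)


# Constructed sample findings for a constructed review date.
AS_OF = date(2025, 9, 24)
SAMPLE_FINDINGS = [
    Finding("V-1", "critical", date(2025, 9, 10), fixed=date(2025, 9, 15)),
    Finding("V-2", "critical", date(2025, 9, 12)),
    Finding("V-3", "high", date(2025, 8, 1)),
    Finding("V-4", "high", date(2025, 9, 20)),
    Finding("V-5", "medium", date(2025, 5, 1), fixed=date(2025, 9, 1)),
    Finding("V-6", "low", date(2025, 9, 1)),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_FINDINGS, AS_OF):
        print(f"{row['id']:5} {row['severity']:9} due {row['due']} "
              f"{row['status']:13} overdue {row['days_overdue']}d")
    print("SLA compliance:", sla_compliance(SAMPLE_FINDINGS))
```

The `sla_compliance` figure is the number worth carrying into the quarterly evidence refresh and the leadership briefing: it shows whether the SLA is being met, not just whether findings are eventually closed.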

Quarterly: Test, Tidy, and Prove

Bigger motions that validate controls and update evidence.

  • Incident tabletop (rotate scenarios: ransomware, email takeover, vendor breach); publish action items.

  • Vendor confirmations: quarterly AI/data-handling attestations (no-training, retention, region), breach SLAs, and evidence refresh.

  • Evidence hygiene: tidy policies, logs, screenshots, and training certs; sample change tickets for completeness.

  • Backup & restore test with RPO/RTO measured and recorded.

  • External exposure check: scan attack surface and close easy wins.

Biannual: Raise the Bar

Deeper checks build resilience.

  • Enterprise phishing campaign plus targeted coaching; track improvement by team.

  • BCP/DR exercise: partial or full failover; document lessons and updates.

  • Pen test (annual for many orgs; biannual for high-risk apps) and remediation tracking.

  • Policy reset: refresh based on what changed in your stack and risk profile; log management approval.

  • Leadership briefing: control health, incidents, vendor posture, and risk trendlines for execs/board.

VRC Tools Make Cadence Effortless

  • VRC1 workspace for tasks, owners, due dates, evidence, and cadence calls.

  • Phishing simulator to help you measure and improve the human layer.

  • Tabletop playbooks for ransomware, email takeover, and vendor breach.

  • Vendor governance kit with AI clauses and quarterly attestation templates.

  • VRC Training Platform for compliance & security courses, plus a Group Management Dashboard so leaders can manage their teams more efficiently.


Bottom Line

Security maturity isn’t a pile of documents—it’s a reliable rhythm your team executes without drama. When you can show month-to-month activity, quarterly testing, and biannual resilience checks, you turn compliance from an event into an operating system. Customers, auditors, and leadership trust what you can prove any day of the year.

🧭 Get your Security Cadence in place.
VanRein Compliance will help you set the calendar, assign owners, and stand up the playbooks, drills, and dashboards that keep you secure between audits.
Book your Strategy Call Today.
