Owner: CISO  ·  Reviewed: Quarterly  ·  Frameworks: SOC 2 Type II, ISO 27001

What this is

This page is the single calendar view of every recurring, triggered, or SLA-driven activity referenced in Neuroscale’s policies and procedures. It is built for:
  • The CISO, to see every commitment in one place and assign owners + due dates.
  • Auditors, to map a control to the cadence and the evidence location.
  • Program leads (Engineering, CHRO, Legal, IT), to see what their team owes the program over the next quarter.
Each row links back to the source policy section so you can read the full requirement in context. Owner names follow the docs verbatim — where the policy says “the CISO” or “CHRO,” that’s what appears here. v1.0 of the policy set was approved on May 8, 2026. The first-due cadence dates below still need to be scheduled into the calendar; remaining placeholders are tracked in Finalization Tasks → Section 6.

Upcoming highlights

Schedule these before the audit window opens:
  • SOC 2 Type I (point-in-time) — observation date May 8, 2026. Auditor: Prescient Assurance (engaged via Vanta). Type I report delivered in the quarter following observation; bridges the gap until the Type II window closes.
  • SOC 2 Type II observation period — August 1, 2026 – August 1, 2027. Auditor: Prescient Assurance. Fieldwork begins in August 2027; report delivered in the subsequent quarter.
  • Quarterly access review — next due August 8, 2026 (Q3), then November 8, 2026, then quarterly thereafter. Owned by the CISO. Covers user, admin, and service accounts.
  • Annual penetration test — first cycle due by May 8, 2027, and after any major architectural change. Vendor selection still open per Finalization Tasks → Tooling.
  • Annual policy re-acknowledgement — first cycle due May 8, 2027 (one year after v1.0 effective date). Every employee and contractor re-acknowledges all 24 policies (22 in /policies/ + 2 in /legal/) in Vanta.
  • Annual BC/DR test including backup-restore — first cycle due by May 8, 2027.
  • Annual incident-response tabletop / IR plan test — first cycle due by May 8, 2027.

Annual

| Activity | Cadence / Trigger | Owner | Source | Evidence |
|---|---|---|---|---|
| Policy review (every policy) | Annual | Policy owner (the CISO for security policies) | How to use these docs → Reviewing & updating policies | Version-history row updated; PR in this repo |
| Policy re-acknowledgement (all employees + contractors) | Annual | CHRO + Vanta | HR Security → Information security awareness, education & training; Acceptable Use → Acknowledgement | Vanta acknowledgement records |
| Security-awareness training | Annual (and at hire) | CHRO via Vanta | HR Security → Information security awareness, education & training | Vanta training-completion report |
| Secure-development / OWASP training (engineers) | Annual | the CISO + Engineering | Secure Development → Developer training; Secure Coding → Common-vulnerability training | Training vendor completion records (Vanta) |
| BC/DR test including backup-restore test | Annual | the CISO | Business Continuity → Policy; Operations Security → Information backup | BC/DR test report; restore-test ticket in Linear |
| Incident-response tabletop / IR plan test | Annual | the CISO | Incident Response → Additional requirements | Tabletop minutes and findings; SharePoint evidence library |
| Penetration test (applications + production network) | Annual (and after major changes) | the CISO + Engineering | Operations Security → Technical vulnerability management; Vulnerability Management → Sources of findings | Pen-test report; remediation tickets |
| Network-security assessment (incl. major-change review) | Annual | the CISO + Engineering | Operations Security → Systems security assessment & requirements | Assessment report |
| Production network-config / firewall rule review | Annual | Engineering | Operations Security → Configuration & hardening; Configuration & Hardening → Network standards | Network-config review ticket; IaC PR diff |
| Risk assessment (formal) | Annual | the CISO | Risk Management → Practical application; Risk Management → 4. Maintain | Vanta risk register snapshot; risk-assessment report |
| Risk reporting to executive leadership | At least annual | the CISO | Roles & Responsibilities → CISO | Board / executive deck; meeting minutes |
| Cloud-service-agreement review (high-risk providers) | Annual | the CISO + CFO | Third-Party Management → Service selection & usage scope | Vendor file in Vanta; signed agreement on file |
| Vendor re-review (Tier-High) | Annual | the CISO + CFO | Vendor Risk Assessment → Process | Re-review record in Vanta vendor inventory |
| Vendor re-review (Tier-Medium) | Every 2 years (biennial) | the CISO + CFO | Vendor Risk Assessment → Process | Re-review record in Vanta vendor inventory |
| Supplier service-delivery / performance review | Annual | the CISO + CFO | Third-Party Management → Monitoring & review | Supplier review record |
| Annual performance review (incl. policy & Code-of-Conduct adherence) | Annual | CHRO + managers | HR Security → Competence & performance assessment | HRIS performance record |
| Data-retention requirements review | Annual | the CISO + data owners | Data Management → Annual review; Data Retention Matrix | Updated retention matrix; PR in this repo |
| Internal retention & disposal procedure review | Annual | Engineering | Data Retention Matrix → Internal retention & disposal | Procedure-review ticket |
| Legal-hold review with counsel | Annual | General Counsel | Data Management → Legal holds | Legal-hold tracker |
| Long-lived API key rotation | Annual (or on personnel change) | Engineering | Secrets Management → Rotation | Vault audit-device rotation log |
| AWS shared-responsibility / controls inventory review | Annual | the CISO + Engineering | Configuration & Hardening → Cloud provider | Vanta controls inventory |

Quarterly

| Activity | Cadence / Trigger | Owner | Source | Evidence |
|---|---|---|---|---|
| User-account access review | Quarterly | the CISO | Access Control → Access reviews; Access Reviews → Cadence | Signed-off review document in SharePoint evidence library |
| Privileged / admin-account access review | Quarterly | the CISO | Access Reviews → Cadence | Signed-off review document in SharePoint evidence library |
| Service-account access review | Quarterly | the CISO | Access Reviews → Cadence | Signed-off review document in SharePoint evidence library |
| Kubernetes RBAC review | Quarterly | Engineering | Configuration & Hardening → Orchestration security | RBAC review ticket |
| Vulnerability scan — public-facing production systems | Quarterly (at least) | the CISO + Engineering | Operations Security → Technical vulnerability management; Vulnerability Management → Sources of findings | Detectify scan report; tickets for findings |
| Risk-register review | Quarterly | the CISO | Compliance Frameworks → How controls are tested; Risk Management → Risk response, treatment, and tracking | Vanta risk register |
| Vulnerability remediation status report to leadership | Quarterly | the CISO | Vulnerability Management → Tracking | Leadership deck / Linear vulnerabilities board |

Monthly

No strictly monthly cadences are defined in the current policy set. The closest cadences below monthly are continuous (daily/weekly) and the closest above are quarterly. If a monthly review is added (e.g., monthly endpoint-compliance dashboard review), record it here.

| Activity | Cadence / Trigger | Owner | Source | Evidence |
|---|---|---|---|---|
| None defined | | | | |

Continuous

| Activity | Cadence / Trigger | Owner | Source | Evidence |
|---|---|---|---|---|
| Backups of in-scope systems | Daily | Engineering | Operations Security → Information backup | AWS Backup job history |
| Cross-region backup replication | Continuous | Engineering | Operations Security → Information backup | AWS replication metrics |
| Production logging — auth, CRUD, security-settings, admin access | Continuous | Engineering | Operations Security → Logging & monitoring; Logging & Monitoring → What we log | Better Stack / CloudWatch / S3 Object Lock bucket |
| Log retention — Security & audit logs | 90 days hot / 13 months total | Engineering + CISO | Operations Security → Log retention tiers | Better Stack + S3 (Object Lock) |
| Log retention — Application logs | 30 days hot / 90 days total | Engineering | Operations Security → Log retention tiers | Better Stack retention config |
| Log retention — Database / data-access logs | 90 days hot / 13 months total | Engineering | Operations Security → Log retention tiers | RDS / CloudWatch / S3 |
| Log retention — Infra & change logs | 90 days hot / 2 years total | Engineering | Operations Security → Log retention tiers | GitHub / CloudTrail / S3 |
| Anti-malware / EDR (Rippling) on endpoints | Continuous; auto-updates | IT (the CISO) | Operations Security → Protection from malware | Rippling console |
| Email threat detection (Material) | Continuous | the CISO | Operations Security → Protection from malware | Material console |
| Web filtering / secure DNS | Continuous | the CISO | Operations Security → Web filtering | Rippling config |
| File integrity monitoring / IDS | Continuous | Engineering | Operations Security → File integrity monitoring & intrusion detection | FIM/IDS alerts |
| Threat-intelligence collection & analysis | Continuous | the CISO | Operations Security → Threat intelligence | Internal intel notes; Slack #security |
| Vanta continuous-control monitoring | Daily | the CISO | Compliance Frameworks → How controls are tested | Vanta dashboard |
| Mobile-device lock after inactivity | After 5 minutes | All employees / contractors | Information Security → Mobile device policy; Data Management → Confidential data | Rippling compliance report |
| Full-disk encryption on all laptops / mobiles | Continuous | IT (the CISO) | Cryptography → Operational requirements | Rippling / FileVault / BitLocker reports |
| Clear-screen / clear-desk | Continuous | All employees | Information Security → Clear screen, clear desk | Manager observation; periodic walk-through |
| Static / dependency / secret scanning on every PR | Continuous (per PR) | Engineering | Secure Development → Application vulnerability management; Secure Coding → Tooling | GitHub checks; Semgrep / Snyk / gitleaks reports |
| Container scanning | Continuous (per build) | Engineering | Secure Coding → Tooling | Trivy / Snyk Container reports |
| Code review on every PR (≥1 approval, non-author) | Continuous (per PR) | Engineering | Code Review → Requirements | GitHub PR record |
| Vulnerability triage status review | Weekly | the CISO + Engineering | Vulnerability Management → Tracking | Linear “Vulnerabilities” board |
| Clock synchronization (NTP) | Continuous | Engineering | Operations Security → Clock synchronization; Logging & Monitoring → Clock synchronization | AWS Time Sync configuration |
| Privileged-action logging | Continuous | Engineering | Access Control → Privileged access | S3 Object Lock audit-log bucket |

Triggered

| Activity | Cadence / Trigger | Owner | Source | Evidence |
|---|---|---|---|---|
| Background check (Checkr) | At hire | CHRO | HR Security → Screening; Onboarding → Before day 1 | Checkr report on file |
| Signed offer / IP / NDA / Code-of-Conduct acknowledgement | At hire | CHRO | HR Security → Terms & conditions of employment; Onboarding → Before day 1 | Signed agreements in HRIS |
| Security-awareness training (initial) | At hire | CHRO via Vanta | HR Security → Information security awareness, education & training; Onboarding → Within first week | Vanta training record |
| Policy acknowledgement (all 24 policies: 22 in /policies/ + 2 in /legal/) | At hire | New hire via Vanta | Onboarding → Within first week | Vanta acknowledgement record |
| Identity + standard access bundle provisioned | At hire (after HR onboarding completes) | IT (the CISO) | Access Control → Provisioning; Access Management → Provisioning | Linear “Access” tickets |
| MFA enrollment | At hire | New hire + IT | Onboarding → Day 1 | IdP MFA-enrollment status |
| Role-specific access onboarding (e.g., production access training) | Within 30 days of hire | Manager + IT | Onboarding → Within first 30 days | Linear onboarding ticket |
| Access review on role change | Triggered (promotion / demotion / transfer) | the CISO | Access Control → Access reviews; Access Reviews → Cadence | Access-change ticket; signed-off review |
| Access modification on role change | Triggered (promotion / demotion / transfer) | Manager + system owner + IT | Access Management → Change requests | Linear access-change ticket |
| Privileged-access elevation approval | Triggered (per request) | the CISO or system owner | Access Management → Change requests | Approval recorded in ticket |
| Offboarding workflow (disable IdP, revoke sessions, remove groups, revoke prod access, rotate shared secrets, suspend email, collect device, file evidence) | At termination | CHRO + IT + Security | Offboarding → Checklist (IT / Security); HR Security → Termination process | Offboarding ticket + signed return form |
| Asset return at termination | At termination | Departing user + IT | Asset Management → Return of assets; Offboarding → Devices | Return form; Rippling disposition record |
| Lost / stolen device report | On loss | Reporter → IT / Security | Asset Management → Loss or theft of assets; Information Security → Mobile device policy | Helpdesk ticket; security-incident ticket if applicable |
| Security-event / incident report | Immediately on discovery | Reporter → security@neuroscale.ai | Information Security → Security incident reporting; Incident Response → Reporting | Linear “Security Incidents” project |
| Incident response activation (P0/P1) | On verified incident | Incident Manager (the CISO or CTO) | Incident Response → Escalation; Incident Response → Incident response process | Incident ticket; war-room channel; RCA |
| Root-cause analysis | After every verified P0 incident | Incident Manager | Incident Response → Documentation | RCA in Linear incident ticket |
| Emergency change retrospective review | Within 24 hours of emergency change | Engineering on-call + the CISO if security-related | Operations Security → Change management; Change Management → Emergency change | Retrospective PR or ticket |
| Vendor risk assessment | Before sharing Confidential data / granting prod access / signing contract | the CISO + CFO | Vendor Risk Assessment → When to run an assessment; Third-Party Management → Third-party risk management | Tiering + due-diligence packet in Vanta |
| Secret rotation on compromise | Immediate (treat as P0 / P1) | Engineering + Security | Secrets Management → On compromise | Incident ticket; Vault audit-device rotation log |
| Customer-data deletion | Triggered by contract termination | CTO / Engineering | Data Management → Data & device disposal; Data Retention Matrix → Customer accounts | Deletion job log; ticket reference |
| Disposal of devices / media holding Confidential data | Triggered by EOL / damage | IT (the CISO) | Asset Management → Asset disposal & re-use; Data Retention Matrix → Devices | Wipe record or Certificate of Destruction (COD) |
| BC/DR plan activation | On office unavailability or major regional event | the CISO + executive staff | Business Continuity → Plan activation | Activation log; comms timeline |

SLA-driven

| Activity | SLA | Owner | Source | Evidence |
|---|---|---|---|---|
| Access termination (offboarding) | Within 24 business hours of separation; immediate for involuntary / high-privilege | CHRO + IT | Access Control → Removal & adjustment; Offboarding → SLAs; Access Management → Deprovisioning | Offboarding ticket timestamps |
| Access-review remediation execution | Within 5 business days of sign-off | IT (the CISO) | Access Reviews → Process | Access-change ticket close-out time |
| Records of permission / privilege changes | Retained at least 1 year | IT (the CISO) | Access Control → Provisioning; Access Reviews → Records | Access-change ticket history |
| Offboarding evidence retention | At least 1 year | CHRO + IT | Offboarding → Records | SharePoint evidence library |
| COD (Certificate of Destruction) retention | 1 year | IT | Data Retention Matrix → Devices; Offboarding → Devices | COD on file |
| Vulnerability remediation — Critical | 7 days | Engineering | Operations Security → Technical vulnerability management; Vulnerability Management → Remediation SLAs | Linear vulnerability ticket |
| Vulnerability remediation — High | 30 days | Engineering | Vulnerability Management → Remediation SLAs | Linear vulnerability ticket |
| Vulnerability remediation — Medium | 60 days | Engineering | Vulnerability Management → Remediation SLAs | Linear vulnerability ticket |
| Vulnerability remediation — Low | 90 days | Engineering | Vulnerability Management → Remediation SLAs | Linear vulnerability ticket |
| Application vulnerability patching | Within 90 days of discovery | Engineering | Secure Development → Application vulnerability management | Patch ticket / deploy record |
| P0 alert acknowledge | 5 minutes | Engineering on-call | Logging & Monitoring → Alerting | Better Stack timeline |
| P0 begin remediation | 15 minutes | Engineering on-call | Logging & Monitoring → Alerting | Better Stack timeline |
| P1 alert acknowledge / begin remediation | 15 min / 1 hr | Engineering on-call | Logging & Monitoring → Alerting | Better Stack timeline |
| Mobile device lock after inactivity | After 5 minutes | All employees / contractors | Information Security → Mobile device policy; Data Management → Confidential data | Rippling compliance report |
| Password length / lockout | 12 chars (8 only as a fallback floor where a system cannot be configured higher); lock after 6 failed attempts | IT | Access Control → Password policy | IdP / SSO config |
| Web certificate max expiration | Up to 1 year | Engineering | Cryptography → Recommended cryptographic key usage | ACM cert inventory |
| Symmetric data-at-rest key max expiration | 1 year | Engineering | Cryptography → Recommended cryptographic key usage | KMS rotation config |
| Customer-data deletion after contract termination | Within 60 days of termination | CTO / Engineering | Records Retention Schedule → Customer data; Data Retention Matrix → Customer accounts | Deletion job log |
| Log retention (hot — security/audit) | 90 days | Engineering | Operations Security → Log retention tiers; Logging & Monitoring → Retention | Better Stack retention config; S3 Object Lock |
| Log retention (hot — application) | 30 days | Engineering | Operations Security → Log retention tiers | Better Stack retention config |
| Security-policy archive retention | 1 year after archive | the CISO | Data Retention Matrix | SharePoint policy archive |
| Breach notification — external | Without undue delay per contracts and law | CEO + General Counsel | Incident Response → External communications and breach reporting | Breach-notice records (Legal) |
| Whistleblower investigation records retention | 7 years from disposition (longer with legal hold) | General Counsel | Whistleblower → Records | Legal investigations file |

Audit-evidence map

For SOC 2 / ISO 27001 evidence collection, this is where each control’s artifact should live. When in doubt, drop it in Vanta and the SharePoint evidence library — auditors check both.

| Evidence type | Primary location | Secondary / supporting |
|---|---|---|
| Policy acknowledgement records | Vanta | |
| Security-awareness + secure-dev training records | Vanta | |
| Access-review sign-offs | SharePoint evidence library | Linear access-change tickets |
| Access-change tickets / approvals | Linear (“Access” team queue) | SharePoint |
| Onboarding completion | Linear (CHRO onboarding workflow) | Vanta (training, ack) |
| Offboarding completion (deprovisioning + device return + COD) | Linear (CHRO offboarding workflow) | SharePoint evidence library |
| Background-check reports | Checkr | HRIS |
| Asset inventory | Vanta + Rippling | |
| Risk register & risk-assessment report | Vanta risk register | SharePoint |
| Vendor due-diligence packets + re-reviews | Vanta vendor inventory | SharePoint |
| Incident tickets, RCAs, post-mortems | Linear (“Security Incidents” project) | Slack #security-incidents |
| Pen-test, vulnerability-scan, network-assessment reports | SharePoint evidence library | Linear “Vulnerabilities” board for findings |
| Vulnerability tickets + remediation status | Linear “Vulnerabilities” board | GitHub PRs |
| Change-management records (PRs, deploys, retros) | GitHub | Linear |
| Code-review approvals | GitHub | |
| CI security-scan results (SAST, SCA, secrets, container) | GitHub Advanced Security + Snyk + gitleaks + Trivy | |
| Production logs (auth, CRUD, security settings, admin access) | Better Stack (app), CloudWatch (infra), S3 Object Lock (audit) | |
| On-call response times | Better Stack | |
| Backup job history + restore-test results | AWS Backup | Linear restore-test ticket |
| BC/DR test minutes / IR tabletop minutes | SharePoint evidence library | |
| Endpoint compliance (FDE, MDM, lock timeout, EDR) | Rippling | Vanta |
| Email threat-detection events | Material console | |
| Secrets storage + rotation logs | HashiCorp Vault (audit device → Better Stack + AWS S3 Object Lock) | Dashlane (dev) |
| Whistleblower / ethics reports + investigations | Legal investigations file | Anonymous service vendor (todo) |
| Legal-hold tracker | SharePoint Legal folder — Legal-Hold register (GC owner) | |
| Breach-notification records | Legal investigations file | |

How this calendar is maintained

  • Quarterly review by the CISO. Stale rows are corrected; new rows are added for any policy changes since the last review.
  • PR coupling. Any change to a policy or procedure that adds, removes, or retimes a recurring activity must update this page in the same PR. The reviewer rejects the PR if this page is out of sync.
  • First-due dates are filled in when the v1.0 policy set takes effect — see Finalization Tasks → Effective dates.
  • Source of truth for cadence is always the linked policy / procedure. If this page disagrees with a policy, the policy wins and this page is corrected.
Anchors on this page are derived from heading text in the linked file (Mintlify lowercases and replaces spaces / non-alphanum with hyphens). Mintlify’s broken-link checker does not validate fragments — verify anchors manually when changing a referenced heading.
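Because the broken-link checker skips fragments, a stale "Policy → Heading" reference on this page goes unnoticed until an auditor clicks it. The script below is an added example (not part of the original page or the Neuroscale repo) that derives anchors from heading text using the rule described above and reports every fragment link that no longer matches a heading. The slug rule (lowercase, collapse runs of non-alphanumerics to one hyphen, trim hyphens) is an assumption that follows the page's description; Mintlify's real slugger may differ on edge cases such as non-ASCII letters. The sample policy files and calendar rows are constructed for the demo.

```python
"""Check that fragment links on the calendar page resolve to real headings.

Added example, not Neuroscale's own tooling.  Assumptions (labelled):
  * Anchor rule approximates Mintlify: lowercase, replace each run of
    non-alphanumeric characters with a single hyphen, strip edge hyphens.
  * Links are plain markdown links of the form [text](/path#fragment).
"""
import re
from typing import Dict, List, Set, Tuple

# ATX headings ("## Title"), allowing optional trailing hashes.
HEADING_RE = re.compile(r"^\s{0,3}#{1,6}\s+(.+?)\s*#*\s*$", re.MULTILINE)
# Markdown links that carry a fragment: captures (path, fragment).
LINK_RE = re.compile(r"\[[^\]]*\]\(([^)#\s]+)#([^)\s]+)\)")


def slugify(heading: str) -> str:
    """Derive an anchor from heading text (assumed Mintlify-style rule)."""
    return re.sub(r"[^a-z0-9]+", "-", heading.lower()).strip("-")


def headings_to_anchors(markdown: str) -> Set[str]:
    """Every anchor a markdown document exposes via its headings."""
    return {slugify(text) for text in HEADING_RE.findall(markdown)}


def find_fragment_links(markdown: str) -> List[Tuple[str, str]]:
    """All (path, fragment) pairs referenced by links in `markdown`."""
    return LINK_RE.findall(markdown)


def broken_anchors(page: str, docs: Dict[str, str]) -> List[Tuple[str, str]]:
    """(path, fragment) pairs in `page` that match no heading in docs[path].

    A link whose path is absent from `docs` is reported too: the checker
    cannot prove it resolves, and a missing file is also a broken reference.
    """
    anchors = {path: headings_to_anchors(body) for path, body in docs.items()}
    return [
        (path, fragment)
        for path, fragment in find_fragment_links(page)
        if fragment not in anchors.get(path, set())
    ]


# Constructed sample policy files standing in for files in the repo.
SAMPLE_DOCS: Dict[str, str] = {
    "/policies/hr-security": (
        "# HR Security\n"
        "## Screening\n"
        "## Information security awareness, education & training\n"
        "## Competence & performance assessment\n"
    ),
    "/policies/access-reviews": (
        "# Access Reviews\n"
        "## Cadence\n"
        "## Process\n"
        "## Records\n"
    ),
}

# Constructed calendar rows: two links resolve, the third points at a heading
# that no longer exists (as happens when a referenced heading is renamed).
SAMPLE_PAGE = (
    "| Security-awareness training | Annual | CHRO via Vanta | "
    "[HR Security → Information security awareness, education & training]"
    "(/policies/hr-security#information-security-awareness-education-training) |\n"
    "| User-account access review | Quarterly | the CISO | "
    "[Access Reviews → Cadence](/policies/access-reviews#cadence) |\n"
    "| Access-review remediation | 5 business days | IT | "
    "[Access Reviews → Remediation](/policies/access-reviews#remediation) |\n"
)


def report(page: str, docs: Dict[str, str]) -> List[str]:
    """Human-readable lines, one per broken link, for a CI log or PR comment."""
    return [f"broken anchor: {path}#{frag}" for path, frag in broken_anchors(page, docs)]


if __name__ == "__main__":
    for line in report(SAMPLE_PAGE, SAMPLE_DOCS) or ["all fragment links resolve"]:
        print(line)
```

Run it in the same PR that renames a heading (reading the real files instead of the constructed samples) and fail the check when `broken_anchors` returns anything; that gives the PR-coupling rule above an automated backstop for the one case the built-in checker misses.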

Version history

| Version | Date | Description | Author | Approved by |
|---|---|---|---|---|
| 1.0 | May 8, 2026 | Initial version | Cameron Wolfe | Ishan Jadhwani |