The Compliance Dungeon

🧙‍♀️ Field Notes of a Compliance Adventurer
Scroll Entry #17 – The Dungeon So Far
I’ve ventured deep into the Compliance Dungeon, torch in one hand, risk register in the other.
What began in the quiet Courtyard of Curiosity with minor quests and warm-up scrolls has grown into a full-blown campaign. Each level deeper reveals more shadowy frameworks, ancient policies, and forgotten artifacts buried beneath years of technical debt and neglect.
My journey so far:
🧾 Adventurer: Anonymous User
🪙 XP Earned: 275
🧰 Current Title: Level 2 – Scroll Scribe
I’ve mapped the terrain using our XP Tracker, with every completed quest granting me new abilities, roles, and protections for the realm. My path is tracked by dungeon level, with each layer holding its own secrets and threats.
🗺️ Dungeon Progress Overview (one bar per dungeon level, top to bottom):
🔹🔹⬜⬜⬜⬜⬜⬜⬜⬜
🔹🔹🔹🔹⬜⬜⬜⬜⬜⬜
🔹🔹🔹⬜⬜⬜⬜⬜⬜⬜
🔹🔹🔹🔹🟦⬜⬜⬜⬜⬜
⬜⬜⬜⬜⬜⬜⬜⬜⬜⬜
⬜⬜⬜⬜⬜⬜⬜⬜⬜⬜
Below lies the Master Quest Log — a living grimoire of every known challenge, from foundational scroll-crafting to mighty audits. Each quest includes your Assigned Class, Control Area, XP Value, and Framework Tags — so you always know what part of the realm you’re reinforcing.
The dungeon is long. The dragons are many. But this scroll will tell the tale of a practitioner who did not falter.
Let the record show: compliance is no longer a checklist… it is a quest. 🗡️📜🔥

XP Dashboard

Progress Bar: 🔹🔹⬜⬜⬜⬜⬜⬜⬜⬜
Rank: Level 2 – Scroll Scribe
Total XP Earned: 275
% Completion: 21%
Quest Log

Columns: Status, Quest Name, Description, Dungeon Level, Assigned Class, Control Area, Framework Tags, Assigned To, Completion Date, Complete?, Quest Type, XP Earned, XP Value. Only Quest Name, Description, Complete?, XP Earned and XP Value carry values in the entries below.

Quest Name: Send a Fun Security Reminder to Your Team
Description: Share a meme or tip about phishing, MFA, or passwords in Slack/email.
Complete?: Complete ✅ | XP Earned: 0 | XP Value: 10

Quest Name: Update Your Own Passwords
Description: Walk the talk—rotate your own creds in a secure password manager.
Complete?: Complete ✅ | XP Earned: 0 | XP Value: 10

Quest Name: Review One Outdated Policy
Description: Pick any dusty doc, review it for accuracy, and mark it for future updates.
Complete?: Complete ✅ | XP Earned: 0 | XP Value: 15

Quest Name: Watch a 10-Minute Security Training Video
Description: Stay sharp—watch something relevant from YouTube or a vendor library.
Complete?: Complete ✅ | XP Earned: 0 | XP Value: 10

Quest Name: Log in to Your SIEM or Dashboard (Just to Check)
Description: Visibility matters. Even a casual look helps keep the village safe.
Complete?: Complete ✅ | XP Earned: 0 | XP Value: 10

Quest Name: Identify a Shadow IT Tool
Description: Find something your team is using that isn’t in your asset inventory.
Complete?: Complete ✅ | XP Earned: 0 | XP Value: 15

Quest Name: Add Two New Risks to Your Risk Register
Description: Think creatively: what’s a risk no one’s thought of yet?
Complete?: Complete ✅ | XP Earned: 0 | XP Value: 20

Quest Name: Share an Awareness Resource Internally
Description: Post a checklist, blog or infographic that helps others get smarter.
Complete?: Complete ✅ | XP Earned: 0 | XP Value: 15

Quest Name: Host a “Lightning Talk” on a Security Topic
Description: 10-minute meeting or huddle. Get nerdy, be helpful.
Complete?: Complete ✅ | XP Earned: 0 | XP Value: 25

Quest Name: Create a Personal Security Cheatsheet
Description: Draft a 1-pager with your own security best practices, bookmarks, or tools.
Complete?: Complete ✅ | XP Earned: 0 | XP Value: 30

Quest Name: Clean Up an Old Shared Drive Folder
Description: Delete/archive that dusty directory no one touches but everyone fears.
Complete?: Complete ✅ | XP Earned: 0 | XP Value: 10

Quest Name: Review MFA Settings for Your Main Accounts
Description: Log into key accounts and verify that MFA is enabled and functioning.
Complete?: Complete ✅ | XP Earned: 0 | XP Value: 20

Quest Name: Test Restoring a File from Backup
Description: Grab a file from backup and walk through the restore process to confirm it's usable.
Complete?: 🎉 DONE! 🎉 | XP Earned: 10 | XP Value: 10

Quest Name: Draft a “Security 101” doc for new hires
Description: Write a simple internal doc or Notion page with onboarding security basics.
Complete?: 🎉 DONE! 🎉 | XP Earned: 45 | XP Value: 45

Quest Name: Draft Acceptable Use Policy
Description: Define the boundaries of technology use across the kingdom. From coffee shop Wi-Fi to forbidden torrent magic, lay the law of the land.
Complete?: 🎉 DONE! 🎉 | XP Earned: 30 | XP Value: 30

Quest Name: Publish Password & Authentication Policy
Description: Craft a sacred scroll that binds all users to secure credentials. Bonus points if it slays the ancient beast known as “Password123.”
Complete?: 🎉 DONE! 🎉 | XP Earned: 30 | XP Value: 30

Quest Name: Create a Security Policy Approval Process
Description: Document the path every new policy must follow to gain the royal seal of approval. Who reviews it? Who signs it? Where is it stored? Without this process, your scrolls of power may never become official doctrine. Establish the ritual.
Complete?: Complete ✅ | XP Earned: 0 | XP Value: 10

Quest Name: Create Remote Work & BYOD Policy
Description: Establish the rules for mages and merchants working from afar, including what personal artifacts (devices) may access the realm.
Complete?: Complete ✅ | XP Earned: 0 | XP Value: 25

Quest Name: Document Data Classification & Handling Policy
Description: Identify the kingdom’s crown jewels—and specify how they're to be guarded, handled, and never left in unlocked carriages (or USBs).
Complete?: Complete ✅ | XP Earned: 0 | XP Value: 40

Quest Name: Define Roles & Responsibilities (RACI) for Security
Description: Clarify who defends what part of the realm. Define the sentinels, scribes, and spellcasters responsible for each control domain.
Complete?: Complete ✅ | XP Earned: 0 | XP Value: 25

Quest Name: Conduct Asset Inventory (Hardware & Software)
Description: Map all magical items and cursed relics (aka devices and applications) under your domain. If it connects, it gets cataloged.
Complete?: Complete ✅ | XP Earned: 0 | XP Value: 40

Quest Name: Draft Data Classification Policy
Description: Define the types of data that flow through your kingdom—public, internal, confidential, restricted—and how each should be handled, protected, and enchanted. This quest ensures every scroll, crystal, and magical message receives the correct level of protection across the realm.
Complete?: Complete ✅ | XP Earned: 0 | XP Value: 15

Quest Name: Create Risk Register with Top 10 Risks
Description: Chronicle the most fearsome threats facing the realm—from phishing banshees to shadow IT spirits—and assign them risk ratings.
Complete?: Complete ✅ | XP Earned: 0 | XP Value: 50

Quest Name: Review Vendor Data Processing Agreement (DPA)
Description: Examine the DPA terms for privacy, security, and compliance obligations. Identify any gaps in vendor alignment with your control environment.
Complete?: Complete ✅ | XP Earned: 0 | XP Value: 10

Quest Name: Run First Risk Assessment Workshop
Description: Gather the Council of Stakeholders to assess and align on top risks. May require coffee and charisma modifiers.
Complete?: Complete ✅ | XP Earned: 0 | XP Value: 60

Quest Name: Tag Crown Jewels (Critical Data/Systems)
Description: Identify the realm’s most precious data vaults and enchanted systems. These require the strongest wards and attention.
Complete?: 🎉 DONE! 🎉 | XP Earned: 30 | XP Value: 30

Quest Name: Define Risk Appetite & Scoring Methodology
Description: Determine how much peril the kingdom is willing to tolerate before raising shields. Standardize how risk is scored across domains.
Complete?: 🎉 DONE! 🎉 | XP Earned: 40 | XP Value: 40

Quest Name: Implement MFA for All Admin Accounts
Description: Enchant all administrative accounts with multi-factor defenses. The stronger the spell, the harder it is for invaders to breach.
Complete?: 🎉 DONE! 🎉 | XP Earned: 50 | XP Value: 50

Quest Name: Review User Roles & Permissions (RBAC)
Description: Ensure each adventurer has only the powers they need. Too much access, and they may accidentally unleash data dragons.
Complete?: 🎉 DONE! 🎉 | XP Earned: 40 | XP Value: 40

Quest Name: Create Access Control Policy
Description: Define the sacred rules of access—who can enter which chamber, and what they may do within. No “Open All Doors” spell allowed.
Complete?: Complete ✅ | XP Earned: 0 | XP Value: 30

Quest Name: Establish Account Termination Process
Description: Build a ritual for revoking access when heroes leave the party (aka employee offboarding). Prevent ghost accounts from lingering.
Complete?: Complete ✅ | XP Earned: 0 | XP Value: 25

Quest Name: Review Privileged Accounts & Add Alerts
Description: Audit the kingdom’s highest-powered accounts and place magical tripwires to detect suspicious activity in real time.
Complete?: Complete ✅ | XP Earned: 0 | XP Value: 45

Quest Name: Write Incident Response Plan
Description: Forge a battle plan for digital war. Who fights, who speaks, and what scrolls must be summoned when an attack strikes.
Complete?: Complete ✅ | XP Earned: 0 | XP Value: 70

Quest Name: Set Up IR Communication Matrix
Description: Define how and to whom alerts are sent during an incident. Build a comms tree worthy of a royal decree.
Complete?: Complete ✅ | XP Earned: 0 | XP Value: 30

Quest Name: Conduct Tabletop Exercise (Simulated Attack)
Description: Simulate a breach scenario. Practice what the team would do if the firewall fell and monsters got in. No actual screaming necessary.
Complete?: Complete ✅ | XP Earned: 0 | XP Value: 80

Quest Name: Document Lessons Learned Playbook
Description: After every battle, there are lessons. Document them, share them, and feed them to the lore library so others may be wiser.
Complete?: Complete ✅ | XP Earned: 0 | XP Value: 40

Quest Name: Write Business Continuity Plan
Description: Craft a sacred scroll outlining how your organization will survive major disruptions—be it dragon fire (natural disaster), warlocks of outage (downtime), or data storms (cyberattacks). The plan should define critical systems, RTOs/RPOs, team responsibilities, and recovery procedures. This is the cornerstone of true operational resilience.
Complete?: Complete ✅ | XP Earned: 0 | XP Value: 20

Quest Name: Review Backup and Recovery Procedures
Description: Summon your system recovery mages and examine the runes they’ve carved into your backup rituals. Is your data being preserved regularly? Can you restore it when calamity strikes? Identify gaps and improvements in your backup strategy—and test your power with a recovery drill.
Complete?: Complete ✅ | XP Earned: 0 | XP Value: 15

Quest Name: Prepare Evidence Folder for SOC2 or ISO 27001
Description: Gather your enchanted scrolls, annotated diagrams, and control artifacts into one mighty archive—ready to present to the Auditor Dragon.
Complete?: Complete ✅ | XP Earned: 0 | XP Value: 100

Quest Name: Map Controls to ISO 27001 Annex A
Description: Review existing security controls and formally map them to ISO/IEC 27001 Annex A requirements. Note any deltas for corrective action planning.
Complete?: Complete ✅ | XP Earned: 0 | XP Value: 75

Quest Name: Document Framework Control Mappings
Description: Chart a crosswalk between your security controls and the major frameworks (SOC 2, ISO 27001, NIST CSF, CIS). This master document proves your kingdom’s alignment and serves as the ultimate spellbook when fending off auditor dragons. Clarity here brings victory.
Complete?: Complete ✅ | XP Earned: 0 | XP Value: 25
