OFFER 1
Optional Entry
WEEK ONE
ACTIONS
Conduct stakeholder interviews (C-Suite, department heads) to understand business priorities and risk tolerance
Review Cyber Insurance Policy for high-level coverage gaps, notification expectations, and compliance requirements
Meet with Managed Service Providers and/or IT Department to assess systems management practices and patching cadence
Meet with security systems service providers to assess security coverage and capabilities
Review Security Scorecard (pending firm project lead creating Security Scorecard account and claiming the domain)
Optional (Additional Cost)
Perform external vulnerability scan and / or penetration test - adds detailed External attack surface report with prioritized remediation timeline based on risk rating (critical / high / medium)
DELIVERABLES
External domain security assessment w/ actionable recommendations on improving client facing security posture
WEEK TWO
ACTIONS
Review existing security policies, procedures, and documentation for completeness
Assess identity and access management policies: privileged access, MFA adoption, password policies
Evaluate backup and disaster recovery capabilities (test frequency, offsite storage, RTO/RPO, rehydration concerns)
Review security awareness training program / review most recent phishing test results
Review Asset Inventory
DELIVERABLES
Policy Gap Analysis (CIS Controls or industry specific (OCGs)
WEEK THREE
ACTIONS
Review incident response plan
Assess vendor / third-party risk management processes
Evaluate data classification and protection controls (encryption, DLP, data retention)
Review compliance posture against applicable regulations (list to be provided by GC - ex. GDPR, HIPAA, SOC2 Type2, PCI-DSS, FTC Safeguards)
DELIVERABLES
incident response capability assessment
Third-party risk exposure assessment
Compliance gap assessment with remediation roadmap
WEEK THREE
ACTIONS
Synthesize findings into strategic security roadmap
Prioritize initiatives by risk reduction, cost, and business impact
Present findings to leadership with budget estimates for recommended improvements
Develop 12-month implementation timeline
DELIVERABLES
Security Risk and Exposure Assessment
Executive summary (board ready, 3-5 pages)
Detailed Technical Findings report (20–30 pages)
Immediate Risk Reduction Actions (0-90 days) (if this is a stand alone engagement)
OR 90 day quick action plan (if moving to Phase Two)
Twelve month strategic security roadmap with budget range
Security maturity scorecard (baseline for future measurement)