OFFER 1

Security Risk and Readiness Assessment (4-Week)

Optional Entry

WEEK ONE

ACTIONS

  • Conduct stakeholder interviews (C-Suite, department heads) to understand business priorities and risk tolerance

  • Review Cyber Insurance Policy for high-level coverage gaps, notification expectations, and compliance requirements

  • Meet with Managed Service Providers and/or IT Department to assess systems management practices and patching cadence

  • Meet with security systems service providers to assess security coverage and capabilities

  • Review Security Scorecard (pending firm project lead creating Security Scorecard account and claiming the domain)

Optional (Additional Cost)

  • Perform external vulnerability scan and / or penetration test - adds detailed External attack surface report with prioritized remediation timeline based on risk rating (critical / high / medium)

DELIVERABLES

  • External domain security assessment w/ actionable recommendations on improving client facing security posture

WEEK TWO

ACTIONS

  • Review existing security policies, procedures, and documentation for completeness

  • Assess identity and access management policies: privileged access, MFA adoption, password policies

  • Evaluate backup and disaster recovery capabilities (test frequency, offsite storage, RTO/RPO, rehydration concerns)

  • Review security awareness training program / review most recent phishing test results

  • Review Asset Inventory

DELIVERABLES

  • Policy Gap Analysis (CIS Controls or industry specific (OCGs)

WEEK THREE

ACTIONS

  • Review incident response plan

  • Assess vendor / third-party risk management processes

  • Evaluate data classification and protection controls (encryption, DLP, data retention)

  • Review compliance posture against applicable regulations (list to be provided by GC - ex. GDPR, HIPAA, SOC2 Type2, PCI-DSS, FTC Safeguards)

DELIVERABLES

  • incident response capability assessment

  • Third-party risk exposure assessment

  • Compliance gap assessment with remediation roadmap

WEEK THREE

ACTIONS

  • Synthesize findings into strategic security roadmap

  • Prioritize initiatives by risk reduction, cost, and business impact

  • Present findings to leadership with budget estimates for recommended improvements

  • Develop 12-month implementation timeline

DELIVERABLES

  • Security Risk and Exposure Assessment

  • Executive summary (board ready, 3-5 pages)

  • Detailed Technical Findings report (20–30 pages)

  • Immediate Risk Reduction Actions (0-90 days) (if this is a stand alone engagement)

    OR 90 day quick action plan (if moving to Phase Two)

  • Twelve month strategic security roadmap with budget range

  • Security maturity scorecard (baseline for future measurement)