1Asset and baseline review
This capability covers identification of business-critical systems, ownership, risk categories, current controls, exposed services, and configuration maturity. Activities include stakeholder interviews, asset mapping, access review, and baseline checklist preparation. Client inputs include system lists, admin contacts, vendor details, and access policies. Deliverables include an asset register, baseline summary, and review notes. Technology involvement depends on systems in scope. The business value is better prioritization. Exclusions include full forensic investigation unless separately scoped.
Inputs
System inventory, owners, access methods
Deliverables
Baseline register and risk summary
2Identity and access controls
This capability reviews users, roles, multi-factor authentication, dormant accounts, shared accounts, vendor access, privileged accounts, and approval workflows. Activities include permission review, access cleanup recommendations, MFA enforcement planning, and secure credential-sharing guidance. Client inputs include user lists, role definitions, HR changes, and vendor access requirements. The business value is reduced account-related exposure. Dependencies include client approval before removing or changing access.
Technology
Identity providers, admin consoles, SSO, password managers
Exclusions
Employment policy and legal advice
3Cloud, server, and endpoint hardening
This capability covers hosting, cloud accounts, servers, storage, network rules, backup settings, logging, update visibility, and endpoint policies. Activities include baseline checks, exposure review, configuration recommendations, and approved remediation support. Client inputs include platform access, maintenance windows, backup expectations, and business-critical service definitions. The business value is improved stability and reduced misconfiguration risk. Dependencies include vendor limitations and change-control approvals.
Deliverables
Configuration checklist and change log
Quality control
Rollback notes and post-change validation
4Website and application hardening
This capability focuses on CMS settings, ecommerce plugins, application configuration, security headers, secrets handling, dependency visibility, repository access, deployment workflows, and basic application exposure. Activities include configuration review, issue prioritization, developer coordination, and validation. Client inputs include hosting details, repository access, staging environments, and release constraints. The business value is improved customer-facing system protection. This is not a substitute for a full penetration test unless separately arranged.
Platforms
CMS, ecommerce, SaaS, custom apps
Dependencies
Developer access, staging, release approvals
5Documentation and reporting
This capability turns security work into usable business records. Activities include remediation trackers, evidence logs, leadership summaries, exception registers, operating checklists, and ongoing review reports. Client inputs include reporting preferences, internal ownership, and audience needs. Deliverables may support audits, leadership review, vendor management, and handover continuity. The business value is clearer governance and repeatability. Exclusions include statutory audit certification or legal compliance opinions.
Outputs
Evidence register, issue tracker, management report
Business value
Better decisions and continuity