Back To Case Studies

Case Study

Cybersecurity Foundations Assessment for a Growing Manufacturing Company

Blackwood Enterprises conducted a cybersecurity foundations assessment for a growing manufacturing company seeking greater visibility into the security risks emerging across its expanding technology environment.

The organization supported commercial and residential customers and increasingly relied on cloud platforms, enterprise business systems, third-party vendors, digital workflows, and externally accessible customer and employee services. These technologies supported collaboration, service delivery and continued growth, but the governance practices surrounding them had not matured at the same pace.

Leadership wanted an independent view of the company’s current cybersecurity position and a practical improvement plan aligned with normal business operations.

The assessment reviewed identity and access management, administrative privileges, vendor accountability, customer-data visibility, security documentation, employee account lifecycle practices and externally visible digital assets.

The review found that the organization’s principal cybersecurity challenge was not a single isolated technical weakness. Risk had accumulated through several connected conditions:

  • Access was not consistently reviewed after it was granted.

  • Some reviewed accounts held broader administrative privileges than their operational responsibilities required.

  • Responsibility for several important vendors was not clearly documented.

  • Customer information was distributed across systems without one maintained view of its locations and movement.

  • Important processes depended on institutional knowledge.

  • Publicly visible digital assets were not managed through one centralized inventory.

  • Onboarding, role changes and offboarding were handled inconsistently across departments.

The most urgent improvement areas were recurring access governance and the control of administrative privileges. These issues received the highest rating because inappropriate or excessive access could materially increase the impact of credential compromise, phishing, employee error or unauthorized activity.

The organization’s overall cybersecurity maturity was assessed as Developing. Foundational controls and capable operational practices were present, but several security activities remained informal, inconsistently documented or dependent on individual employees.

A Defined level of maturity was considered a reasonable 12-month target if leadership assigned clear ownership, implemented the priority recommendations and established recurring review processes.

The engagement gave leadership a clearer and more connected view of cybersecurity risk across people, processes, technology and third-party relationships. It also provided a sequenced roadmap for improving governance without requiring a large compliance initiative or disrupting normal operations.

Note:

This case study has been anonymized to protect client confidentiality. Identifying details have been removed or generalized while preserving the engagement’s scope, methodology and assessment conclusions.

Client Overview and Business Context

The client is a mid-sized manufacturing organization serving commercial and residential markets.

Its daily operations depend on a combination of:

  • Microsoft 365

  • Cloud-based document and storage platforms

  • Enterprise resource planning systems

  • Accounting and financial systems

  • Project-management tools

  • Third-party service providers

  • Customer-facing portals

  • Employee-facing portals

  • External websites, domains and online services

These systems support customer communication, financial management, project delivery, workforce collaboration, document storage and business administration.

As the organization grew, its technology environment became more complex. Additional employees required access, more vendors supported operations and customer information was distributed across a wider range of systems.

Many security decisions were handled effectively through normal operational judgment. However, the organization lacked one consistent governance layer covering access, ownership, vendors, customer data, documentation and externally accessible assets.

Leadership recognized that practices appropriate for an earlier stage of growth would need to become more structured as the business continued to scale.

Cybersecurity was therefore considered not only a technical concern, but also an operating requirement connected to:

  • Business continuity

  • Customer confidence

  • Employee productivity

  • Financial protection

  • Vendor reliability

  • Operational accountability

  • Responsible growth

Business Challenge

The organization had adopted modern technology and maintained meaningful operational discipline, but cybersecurity governance had not been formalized consistently across the business.

The central challenge was:

Foundational controls existed, but leadership did not have one reliable operating view of who had access, who owned important systems and vendors, where customer information was located or which public-facing assets required ongoing oversight.

Several conditions contributed to this challenge.

User access was generally managed by business and technology teams, but recurring access reviews were not consistently documented. Permissions could therefore remain in place after an employee’s responsibilities changed.

Some reviewed accounts retained administrative privileges beyond their normal operational requirements. This increased the potential impact of a compromised account or accidental change.

Vendor relationships supported important business functions, but internal responsibility for several critical vendors was not formally assigned.

Customer information was managed across multiple platforms without one maintained map showing the principal storage locations, transfers and responsible owners.

Some important security and employee-lifecycle practices depended on knowledge held by experienced personnel rather than documented procedures.

Publicly discoverable domains, portals and other digital assets were not tracked through a centralized inventory.

Onboarding, internal transfers and employee departures were handled differently across departments, creating inconsistency in how access was granted, changed and removed.

These were not separate or unrelated deficiencies. They were connected symptoms of an organization whose operating and technology complexity had grown faster than its formal security-governance practices.

Engagement Objective

The engagement was designed to provide leadership with a practical and business-focused understanding of the organization’s cybersecurity position.

The primary objectives were to:

  • Evaluate current cybersecurity governance practices.

  • Review how user access was granted, maintained and reviewed.

  • Assess the use and justification of administrative privileges.

  • Improve visibility into important vendor relationships and dependencies.

  • Examine how customer information was stored and handled across systems.

  • Evaluate the maturity of security procedures and supporting documentation.

  • Review onboarding, role-change and offboarding practices.

  • Identify publicly visible digital assets associated with the organization.

  • Prioritize the most important areas for near-term improvement.

  • Develop a practical roadmap for progressing from Developing toward Defined maturity.

The engagement was intended to help leadership determine where limited time and resources should be directed first.

It was not designed to provide formal certification, penetration-test assurance or a guarantee that a security incident could not occur.

Scope and Methodology

Assessment Approach

Blackwood evaluated the organization across three connected dimensions.

People

The review considered:

  • Who approved access

  • Who used administrative privileges

  • Who owned important systems and vendors

  • How responsibilities were communicated

  • How access changed when employees joined, transferred or left

  • Where important security knowledge was concentrated

Process

The review considered:

  • Access-request and approval practices

  • Recurring access reviews

  • Administrative privilege governance

  • Vendor ownership and oversight

  • Customer-data handling

  • Employee account lifecycle procedures

  • Security documentation

  • External asset tracking

  • Escalation and accountability practices

Technology

The review considered the major platforms and digital services supporting business operations, including:

  • Productivity and collaboration platforms

  • Cloud-storage services

  • Enterprise resource planning systems

  • Accounting platforms

  • Project-management tools

  • Customer and employee portals

  • Third-party applications

  • Administrative accounts

  • Domains and other externally visible assets

Assessment Activities

The engagement included:

  • Leadership interviews

  • Technical and operational walkthroughs

  • Review of available policies and procedures

  • Identity and access-management review

  • Administrative account and privilege review

  • Vendor inventory and ownership review

  • Customer-data handling and flow review

  • Account lifecycle process review

  • Asset inventory review

  • Passive review of publicly available information

  • Identification of associated external domains, portals and services

  • Qualitative maturity analysis

  • Development of prioritized findings

  • Preparation of an executive improvement roadmap

The external visibility work relied on publicly available information and passive observation. No attempt was made to exploit, alter or gain unauthorized access to any identified system.

Scope Limitations

The engagement focused on governance, visibility, accountability and foundational security practices.

It did not include:

  • Active penetration testing

  • Vulnerability exploitation

  • Password attacks

  • Credential testing

  • Phishing simulations

  • Social engineering

  • Active testing of production systems

  • Source-code review

  • Detailed cloud-configuration auditing

  • Malware analysis

  • Formal regulatory or compliance auditing

  • Legal or privacy opinions

  • Certification against a security standard

  • Continuous security monitoring

  • Incident-response services

The presence of a publicly visible asset did not mean that the asset was vulnerable.

Similarly, the absence of a finding did not guarantee that an undiscovered technical weakness did not exist.

The assessment conclusions were limited to the information, systems, processes and observations available within the engagement scope.

Key Business Areas Reviewed

Business area

Assessment focus

Business relevance

Identity management

User accounts, permissions and access decisions

Helps ensure access reflects current responsibilities and business need

Administrative access

Elevated accounts and privileged permissions

Reduces the potential impact of credential theft, misuse or error

System ownership

Accountability for important technology platforms

Supports maintenance, access review, escalation and decision-making

Vendor governance

Ownership and oversight of third-party relationships

Improves accountability for external dependencies

Customer-data visibility

Principal locations, systems, transfers and owners

Supports incident response, privacy oversight and customer confidence

Security documentation

Procedures, standards and operational records

Reduces dependence on individual employees

External asset visibility

Domains, portals and other internet-accessible services

Helps the company maintain, review and retire public assets responsibly

Account lifecycle

Onboarding, internal transfers and offboarding

Helps access change consistently with employment status and role

Governance and reporting

Ownership, review frequency and leadership visibility

Converts security activity into a repeatable operating process

Operational resilience

Technology dependencies and continuity considerations

Supports continued service during disruption

Observed Strengths and Existing Practices

The assessment identified several positive characteristics that provided a strong foundation for improvement.

Area

Observed strength

Leadership engagement

Leadership actively participated and demonstrated a clear interest in improving cybersecurity governance

Modern technology adoption

The organization used scalable cloud and business platforms supporting collaboration and growth

Operational discipline

Strong ownership and accountability were already present across many non-security business processes

Security awareness

Employees demonstrated awareness of common threats such as phishing and account compromise

Continuity awareness

Management understood the importance of protecting operations and customer information

Existing controls

Basic identity, account and technology-management practices were already in place

Practical decision-making

The organization sought proportionate improvements rather than security activity for its own sake

Improvement readiness

Stakeholders were willing to review privileges, clarify ownership and formalize procedures

The organization was not starting from an unmanaged or wholly reactive position.

In particular, the company’s existing operational culture created a valuable foundation. Leadership and employees were already familiar with concepts such as ownership, process consistency, quality and continuity.

The opportunity was to extend that same discipline into cybersecurity governance.

Current-State and Maturity Assessment

Blackwood used the following maturity model to describe the organization’s current state and recommended direction.

Maturity level

Description

Initial

Practices are informal, reactive or highly dependent on individual employees

Developing

Foundational controls exist, but execution, ownership or documentation remains inconsistent

Defined

Responsibilities, procedures, inventories and review cycles are documented and consistently applied

Managed

Control performance is measured, reported and governed through recurring oversight

Optimized

Practices are continuously improved using evidence, automation and measured performance

Overall Current-State Rating: Developing

The organization had implemented foundational security practices and demonstrated a capable operating culture.

However, several important activities lacked one or more of the following:

  • Clearly documented ownership

  • Consistent procedures

  • Recurring review

  • Centralized visibility

  • Evidence of completion

  • Organization-wide application

The organization therefore aligned most closely with the Developing level.

Recommended 12-Month Target: Defined

A Defined level was considered a reasonable 12-month target if leadership:

  • Assigned owners for critical systems, vendors and security processes

  • Reduced and governed administrative access

  • Introduced recurring access reviews

  • Standardized employee account lifecycle procedures

  • Documented customer-data locations and responsibilities

  • Established an external asset inventory

  • Implemented document ownership and review cycles

  • Created recurring leadership reporting

Reaching the target would depend on implementing and sustaining the recommended controls. The assessment itself did not move the company automatically to Defined maturity.

Long-Term Direction: Managed

After Defined practices were established, the organization could begin moving toward Managed maturity by:

  • Measuring whether access reviews were completed on time

  • Tracking the number of privileged accounts

  • Monitoring unresolved ownership gaps

  • Reporting overdue vendor reviews

  • Measuring completion of lifecycle controls

  • Reviewing external asset changes

  • Reporting progress and exceptions to leadership

Domain-Level Current-State Assessment

Domain

Current state

Recommended direction

Access governance

Developing

Documented and recurring access certification

Administrative privilege management

Developing

Least-privilege model with separate privileged accounts and review

System ownership

Developing

Assigned ownership across critical systems

Vendor governance

Developing

Central inventory, accountable owners and recurring review

Customer-data visibility

Developing

Maintained data-location and flow documentation

Security documentation

Developing

Controlled procedures with owners and review dates

External asset visibility

Early Developing

Central inventory and periodic passive review

Account lifecycle

Developing

One standardized process across departments

Cybersecurity reporting

Initial–Developing

Recurring measures and executive oversight

Finding and Priority Methodology

Findings were evaluated using qualitative analysis based on:

  • Sensitivity of the access, system or information involved

  • Potential operational consequence

  • Potential effect on customer information

  • Level of authority associated with the condition

  • Dependence on manual or informal practices

  • Existing control effectiveness

  • Likelihood of permissions or assets becoming outdated

  • Effect on business continuity and accountability

  • Practical urgency of the recommended action

Rating Scale

Rating

Definition

High

The issue could materially increase the likelihood or impact of unauthorized access, operational disruption or loss of control

Medium

The issue could create inconsistent operations, unnecessary exposure or reduced visibility and should be addressed through a planned improvement cycle

Low

The issue presents limited immediate consequence and may be addressed through normal maturity improvement

Priority Scale

Priority

Expected response

Immediate

Begin corrective action within 0–3 months

Near-Term

Address within 3–6 months

Medium-Term

Address within 6–12 months

Ongoing

Maintain through recurring review and governance

Ratings represented the relative importance of each condition within the engagement scope. They were not predictions that an incident would occur.

Executive Findings Summary

ID

Finding area

Description

Rating

Priority

F-01

Access governance

Existing user access was not consistently reviewed and formally recertified

High

Immediate

F-02

Administrative privileges

Some reviewed accounts held elevated permissions beyond normal operational requirements

High

Immediate

F-03

Vendor ownership

Responsibility for several important vendors was not clearly documented

Medium

Near-Term

F-04

Customer-data visibility

Customer information was distributed across systems without one maintained map

Medium

Near-Term

F-05

Security documentation

Important procedures depended on institutional knowledge

Medium

Near-Term

F-06

External asset visibility

Publicly visible digital assets were not maintained through one central inventory

Medium

Medium-Term

F-07

Account lifecycle

Onboarding, internal transfers and offboarding varied across departments

Medium

Near-Term

Detailed Findings

F-01: Establish Recurring Access Governance

Business Context

Employees require access to different systems and information based on their roles.

As responsibilities change, existing permissions should be reviewed to confirm that they remain appropriate. Without recurring review, access can accumulate over time even when each original approval was reasonable.

Observation

Formal and recurring access reviews were not consistently documented across the systems examined during the engagement.

Existing Practices

Access decisions were generally managed by business or technology teams.

Managers and system administrators understood the need to control access, but there was no consistently applied process for periodically confirming whether current permissions remained appropriate.

Illustrative Scenario

An employee changes roles and no longer requires access to a financial, operational or customer-information system.

The access is not removed because the employee remains with the company and no recurring review is scheduled.

Months later, the unnecessary permission remains active. If the employee’s credentials are compromised, the account provides access to information or functionality unrelated to the employee’s current duties.

Remaining Gap

Initial access approval did not always include a defined future review date.

The organization therefore could not consistently demonstrate that access remained aligned with current roles and business need.

Risk Statement

The absence of recurring access reviews could allow outdated or excessive permissions to remain active.

Business Impact

Potential consequences could include:

  • Employees retaining unnecessary access

  • Increased exposure following credential compromise

  • Greater difficulty investigating inappropriate activity

  • Reduced confidence in internal access controls

  • Inconsistent treatment of access across departments

  • Difficulty demonstrating appropriate governance to customers, insurers or other stakeholders

Rating and Priority

Rating: High
Priority: Immediate

Recommendations

Establish recurring access reviews for important systems.

Begin with:

  • Administrative accounts

  • Financial systems

  • Customer-information repositories

  • Microsoft 365 administrative roles

  • Enterprise resource planning systems

  • Cloud-storage platforms

  • Customer and employee portals

Assign an accountable system owner for each review.

Require the owner or appropriate manager to confirm that each user’s access remains justified.

Document:

  • Reviewer

  • Review date

  • Users examined

  • Access retained

  • Access changed

  • Access removed

  • Exceptions

  • Next review date

Use a quarterly review cycle for privileged or high-risk systems and a proportionate schedule for lower-risk platforms.

Include contractors, temporary users and external service providers where applicable.

Expected Business Benefit

Recurring access reviews would reduce privilege accumulation, improve accountability and give leadership greater confidence that permissions remain aligned with current responsibilities.

F-02: Reduce and Control Administrative Privileges

Business Context

Administrative accounts can change configurations, create users, modify permissions and affect important business systems.

Because these accounts hold greater authority, unnecessary administrative access can significantly increase the consequences of phishing, credential theft, misuse or accidental error.

Observation

Several reviewed accounts retained elevated privileges beyond what appeared necessary for their normal operational responsibilities.

Existing Practices

Administrative access was controlled to some degree, and elevated permissions were generally associated with employees supporting business or technology operations.

The primary issue was not uncontrolled access to every system. It was that administrative privileges had not been consistently reassessed against current responsibilities.

Illustrative Scenario

An employee uses the same account for everyday email, web browsing and administrative activities.

The employee is targeted through a phishing message and unknowingly enters credentials into a fraudulent login page.

Because the account retains administrative authority, successful compromise could allow the attacker to create additional accounts, alter configurations, access sensitive information or interfere with business systems.

Remaining Gap

The organization lacked a consistently documented process for:

  • Justifying elevated access

  • Separating privileged accounts from everyday accounts

  • Reviewing administrative permissions

  • Removing privileges that were no longer required

  • Recording approved exceptions

Risk Statement

Excessive or insufficiently governed administrative access could increase the impact of credential compromise, misuse or error.

Business Impact

Potential consequences could include:

  • Unauthorized changes to important systems

  • Exposure of customer or business information

  • Business disruption

  • Increased recovery effort

  • Greater incident impact

  • Reduced accountability for sensitive changes

  • Difficulty confirming appropriate privilege control

Rating and Priority

Rating: High
Priority: Immediate

Recommendations

Identify all administrative and privileged accounts across the reviewed environment.

For each account:

  • Confirm the current owner.

  • Document the business justification.

  • Remove privileges that are no longer required.

  • Separate standard and administrative accounts where practical.

  • Require multi-factor authentication.

  • Prohibit unnecessary shared administrative accounts.

  • Review activity and permissions periodically.

  • Establish an approval process for new privileged access.

  • Document exceptions where technical limitations prevent the preferred control.

Apply the principle of least privilege, under which users receive only the authority required for their responsibilities.

Review privileged access quarterly and after material role changes.

Expected Business Benefit

Reducing unnecessary administrative access would lower the potential impact of credential theft or accidental change while improving accountability for sensitive activity.

F-03: Assign Clear Ownership for Critical Vendors

Business Context

The organization relied on third-party platforms and service providers for important operational functions.

Each significant vendor relationship should have an internal owner responsible for understanding the business purpose, coordinating decisions and ensuring that relevant access, contract and operational issues are addressed.

Observation

Several important vendor relationships did not have clearly documented internal ownership.

Existing Practices

Business teams maintained vendor relationships and worked with providers when operational needs arose.

However, accountability was not always captured in one central record.

Illustrative Scenario

A critical vendor announces a material service change, security incident or contract requirement.

Several departments use the service, but no employee has clearly documented responsibility for coordinating the response.

Decision-making is delayed while leadership determines who owns the relationship, which systems depend on it and what actions are required.

Remaining Gap

Vendor use was known operationally, but ownership, criticality and accountability were not consistently documented.

Risk Statement

Unclear vendor ownership could delay decisions, weaken oversight and create uncertainty during incidents, contract changes or access reviews.

Business Impact

Potential consequences could include:

  • Delayed response to vendor incidents

  • Missed renewal or contract requirements

  • Inconsistent access oversight

  • Unclear responsibility for customer-data handling

  • Dependence on informal employee knowledge

  • Reduced visibility into external operational dependencies

Rating and Priority

Rating: Medium
Priority: Near-Term

Recommendations

Maintain a centralized vendor inventory.

For each important vendor, record:

  • Vendor name

  • Business purpose

  • Internal owner

  • Supporting department

  • Systems or processes supported

  • Customer or business information involved

  • Administrative users

  • Contract or renewal information

  • Criticality

  • Escalation contact

  • Review date

Assign both a primary owner and a backup where appropriate.

Define the responsibilities of the vendor owner, including:

  • Coordinating renewals

  • Reviewing significant service changes

  • Confirming access

  • Maintaining contact information

  • Escalating incidents

  • Supporting customer or insurance questions

Prioritize vendors that support critical operations or handle sensitive information.

Expected Business Benefit

Clear vendor ownership would improve accountability, accelerate decisions and strengthen the organization’s oversight of important external dependencies.

F-04: Document Customer-Data Locations and Responsibilities

Business Context

Customer information was handled across several business systems.

Leadership needs sufficient visibility to understand where important information is stored, which vendors support it and who is responsible for each repository.

This visibility supports security, incident response, privacy decisions and customer confidence.

Observation

Customer information existed across multiple platforms without one maintained record showing the principal locations, transfers and owners.

Existing Practices

Employees understood how customer information was used within their areas of responsibility.

The information was being managed operationally, but no centralized view combined the relevant systems and ownership information.

Illustrative Scenario

A suspected account compromise affects one business platform.

Leadership needs to determine:

  • What customer information was stored there

  • Whether the information was copied elsewhere

  • Which vendor supported the platform

  • Who owned the system

  • Which customers might be affected

Without a maintained data map, the organization must reconstruct the answers through interviews during an already time-sensitive event.

Remaining Gap

Knowledge of customer-data handling was distributed across employees and systems rather than maintained through an approved central record.

Risk Statement

Limited customer-data visibility could delay incident response, complicate oversight and reduce confidence in decisions concerning retention, vendors and access.

Business Impact

Potential consequences could include:

  • Slower incident investigation

  • Difficulty identifying affected information

  • Inconsistent customer responses

  • Reduced visibility into vendor involvement

  • Greater dependence on particular employees

  • Difficulty managing retention or deletion requirements

  • Less effective prioritization of system protections

Rating and Priority

Rating: Medium
Priority: Near-Term

Recommendations

Develop and maintain a high-level customer-data map.

For each major repository or platform, document:

  • Information category

  • Collection source

  • Storage location

  • Business purpose

  • Internal owner

  • Vendor involvement

  • Principal users or departments

  • Transfer or integration relationships

  • Retention responsibility

  • Criticality

Link the data map to the system and vendor inventories.

Assign an owner responsible for approving updates.

Review the map when new systems, integrations or vendors are introduced.

Use the maintained record to support incident response, customer questions and technology decisions.

Expected Business Benefit

Improved customer-data visibility would support faster incident decisions, clearer accountability and stronger oversight of systems and vendors handling customer information.

F-05: Convert Institutional Knowledge Into Controlled Procedures

Business Context

Experienced employees often develop effective ways of performing important tasks.

As an organization grows, however, relying primarily on memory and informal instruction can create inconsistency, especially during staff turnover, leave, role changes or periods of high workload.

Observation

Several important security and account-management activities relied substantially on undocumented knowledge held by experienced personnel.

Existing Practices

Employees had practical knowledge of how work should be performed and generally understood their responsibilities.

The gap was that the organization did not always maintain approved, accessible and current procedures.

Illustrative Scenario

An employee responsible for offboarding, vendor administration or access approval is unavailable.

Another employee must complete the task but cannot locate a current procedure describing:

  • Which systems must be reviewed

  • Who must approve the action

  • What evidence should be retained

  • How exceptions should be handled

The process is completed based on judgment, but an important step is missed.

Remaining Gap

Critical practices could be performed differently depending on the employee involved.

The organization also lacked a consistent method for assigning document ownership and review dates.

Risk Statement

Dependence on institutional knowledge could reduce operating consistency and create continuity gaps during employee or organizational change.

Business Impact

Potential consequences could include:

  • Missed access or security steps

  • Inconsistent execution across departments

  • Slower onboarding or offboarding

  • Greater dependence on experienced employees

  • Increased disruption during turnover or absence

  • Difficulty confirming how controls operate

  • Repeated effort to recreate procedures

Rating and Priority

Rating: Medium
Priority: Near-Term

Recommendations

Document the highest-priority security and lifecycle procedures first.

Initial procedures should include:

  • User onboarding

  • Internal role changes

  • Employee offboarding

  • Administrative access approval

  • Access review

  • Vendor onboarding and ownership

  • External asset registration

  • Security incident escalation

For each procedure, record:

  • Purpose

  • Scope

  • Responsible owner

  • Required approvals

  • Steps

  • Evidence to retain

  • Exceptions

  • Review frequency

  • Last review date

  • Next review date

Store current procedures in a central location accessible to the appropriate employees.

Archive outdated versions.

Review documents after material changes to systems, vendors or organizational responsibilities.

Expected Business Benefit

Controlled procedures would improve consistency, reduce dependence on individual employees and support continuity as the organization continues to grow.

F-06: Establish Visibility Into Externally Accessible Assets

Business Context

Organizations often operate multiple domains, websites, portals and online services.

Over time, assets may be introduced for projects, vendors, campaigns or operational purposes. If ownership and status are not tracked, assets can remain publicly visible after their original purpose has changed or ended.

Observation

The passive external review identified multiple publicly visible digital assets associated with the organization, but no centralized inventory was available showing ownership, purpose and current status.

Existing Practices

The organization maintained its principal websites and business portals.

The gap concerned consolidated visibility across the broader collection of associated domains and internet-accessible services.

Illustrative Scenario

A public portal or subdomain was created for a previous project or vendor relationship.

The service remains externally accessible, but the employee who originally managed it has changed roles or left.

When a relevant vulnerability is announced, the company cannot quickly determine whether the asset remains active, who owns it or whether action is required.

Remaining Gap

The organization did not maintain one approved record of:

  • External asset

  • Business purpose

  • Owner

  • Hosting or vendor relationship

  • Current status

  • Required review date

  • Retirement decision

The assessment did not establish that the identified assets were vulnerable. The concern was that untracked assets are more difficult to maintain and retire responsibly.

Risk Statement

Insufficient external asset visibility could make publicly accessible services more difficult to govern, maintain and decommission.

Business Impact

Potential consequences could include:

  • Forgotten or outdated services remaining online

  • Delayed response to relevant vulnerabilities

  • Unclear responsibility for public portals

  • Increased phishing or impersonation opportunities

  • Continued costs for unused services

  • Slower investigation of suspicious external activity

  • Reduced confidence in the completeness of asset oversight

Rating and Priority

Rating: Medium
Priority: Medium-Term

Recommendations

Create and maintain a centralized external asset inventory.

Record:

  • Domain or service

  • Business purpose

  • Owner

  • Technical contact

  • Hosting provider or vendor

  • Authentication requirement

  • Current status

  • Renewal date

  • Criticality

  • Last review date

  • Planned retirement date, where applicable

Require new public assets to be registered before launch.

Perform periodic passive external reviews to identify unexpected or unrecorded assets.

Review assets after organizational changes, vendor transitions and major projects.

Retire or redirect services that are no longer required.

Monitor important domain registrations and renewals.

Expected Business Benefit

A maintained external asset inventory would improve accountability, support faster vulnerability response and reduce the risk associated with forgotten or unmanaged public services.

F-07: Standardize Account Lifecycle Controls

Business Context

Employee access changes throughout the employment lifecycle.

New employees need timely access to perform their jobs. Employees changing roles may need different permissions. Departing employees require prompt removal of access.

A consistent process supports both productivity and security.

Observation

User provisioning, role-change and deprovisioning practices varied across departments.

Existing Practices

Departments had methods for onboarding and offboarding employees.

Managers, administrators and business teams understood their responsibilities, but the sequence, documentation and confirmation steps were not standardized across the organization.

Illustrative Scenario

An employee transfers from one department to another.

New access is granted for the new role, but previous permissions are not reviewed because the employee remains active in the organization.

The account gradually accumulates access across multiple departments.

Remaining Gap

The organization lacked one lifecycle process covering:

  • New hires

  • Contractors

  • Temporary staff

  • Internal transfers

  • Extended leave

  • Departures

  • System or vendor ownership reassignment

Risk Statement

Inconsistent account lifecycle processes could result in delayed access removal, excessive permissions or incomplete ownership transitions.

Business Impact

Potential consequences could include:

  • Employees retaining access from previous roles

  • Delayed removal of departing-user access

  • Inconsistent onboarding

  • Greater administrative effort

  • Missed reassignment of system or vendor ownership

  • Reduced visibility into who approved access

  • Difficulty demonstrating reliable lifecycle control

Rating and Priority

Rating: Medium
Priority: Near-Term

Recommendations

Develop one organization-wide account lifecycle process.

The process should define:

  • Request initiation

  • Required approvals

  • Standard role access

  • Privileged-access approval

  • Completion responsibility

  • Required timeframes

  • Evidence retention

  • Exception handling

  • Ownership reassignment

  • Final confirmation

Use standardized checklists for:

  • New employees

  • Contractors

  • Internal transfers

  • Departures

Connect the lifecycle process to the system, vendor and access inventories.

Require explicit review of existing access during internal transfers.

For departures, confirm that access has been addressed across:

  • Microsoft 365

  • Financial systems

  • Enterprise resource planning systems

  • Project-management tools

  • Cloud storage

  • Administrative accounts

  • Customer and employee portals

  • Vendor platforms

  • Shared credentials, where any remain

Expected Business Benefit

A consistent lifecycle process would improve onboarding efficiency, reduce outdated access and make responsibilities clearer across departments.

Engagement Outputs

The engagement produced a structured assessment of the organization’s current cybersecurity foundation.

Principal outputs included:

  • Executive cybersecurity maturity assessment

  • Current-state governance analysis

  • Identity and access-management observations

  • Administrative privilege findings

  • Vendor ownership and accountability observations

  • Customer-data visibility findings

  • Security-documentation assessment

  • Account lifecycle assessment

  • Passive external asset observations

  • Prioritized findings register

  • 12-month improvement roadmap

  • Recommended 90-day operating focus

  • Executive discussion of priorities and implementation sequence

The engagement identified and prioritized improvement opportunities.

It did not represent completion of the recommended implementation work.

Documented Engagement Outcomes

By the conclusion of the assessment:

  • Leadership had a clearer view of how cybersecurity risks were accumulating across access, privileges, vendors, customer data, documentation and external assets.

  • The organization’s current maturity had been assessed using a defined model.

  • The highest-priority issues had been separated from longer-term maturity improvements.

  • Access governance and administrative privilege management had been identified as the most urgent areas for action.

  • Leadership had an independent view of vendor accountability and customer-data visibility concerns.

  • Public asset visibility had been evaluated through a passive external review.

  • The organization had a sequenced roadmap for progressing from Developing toward Defined maturity.

  • Cybersecurity recommendations had been connected to operational resilience, customer information, business continuity and accountability.

The engagement did not measure a quantified reduction in cybersecurity risk because implementation and ongoing operation of the recommendations were outside the assessment outcome.

The principal value was improved visibility, prioritization and a practical direction for action.

Prioritized Improvement Roadmap

Immediate Priorities: 0–3 Months

Priority action

Recommended activity

Business value

Review administrative privileges

Identify elevated accounts and remove permissions that are not operationally required

Reduces the potential impact of credential compromise or error

Enforce privileged multi-factor authentication

Require stronger authentication for administrative access wherever supported

Makes stolen passwords less likely to result in sensitive access

Separate everyday and privileged accounts

Use distinct accounts for normal work and administrative tasks where practical

Reduces exposure of administrative credentials

Assign critical system owners

Record accountability for important systems and platforms

Improves decisions, access reviews and escalation

Assign critical vendor owners

Identify accountable internal owners for important third parties

Strengthens vendor oversight and incident coordination

Launch recurring access reviews

Begin with privileged, financial and customer-information systems

Identifies outdated access before it accumulates

Document lifecycle procedures

Establish standard onboarding, transfer and offboarding steps

Reduces inconsistent access changes

Assign roadmap ownership

Identify the executive and operational owners responsible for implementation

Prevents recommendations from remaining unactioned

Medium-Term Priorities: 3–6 Months

Priority action

Recommended activity

Business value

Complete vendor ownership records

Document owners, purpose, criticality and data involvement for important vendors

Improves accountability and renewal decisions

Develop customer-data maps

Record principal customer-information locations, transfers and owners

Supports incident response and customer trust

Formalize privileged-access reviews

Establish recurring review, approval and exception processes

Sustains the reduction of excessive privileges

Centralize security procedures

Maintain controlled documentation with owners and review dates

Reduces dependence on institutional knowledge

Standardize account lifecycle processes

Apply one process across departments

Improves productivity and access consistency

Classify important systems

Rank systems based on operational importance, access sensitivity and customer information

Supports proportionate oversight

Establish evidence retention

Keep evidence of reviews, approvals and lifecycle completion

Improves accountability and future assurance

Review security awareness needs

Focus training on phishing, credential protection and administrative access

Reinforces the controls most relevant to identified risks

Long-Term Priorities: 6–12 Months

Priority action

Recommended activity

Business value

Establish external asset management

Maintain a current inventory of public domains, portals and online services

Reduces the risk of forgotten or unmanaged assets

Conduct periodic passive reviews

Reassess the organization’s publicly visible environment

Identifies unexpected changes and unrecorded services

Mature vendor-risk governance

Classify and review vendors based on criticality and information access

Focuses oversight on material dependencies

Develop cybersecurity measures

Track access reviews, privileged accounts, ownership gaps and overdue actions

Gives leadership evidence of progress

Establish recurring executive reporting

Report priorities, exceptions and unresolved risks

Creates sustained governance visibility

Conduct an incident-response exercise

Test leadership and operational coordination through a realistic scenario

Improves readiness before a disruption

Reassess maturity

Evaluate progress from Developing toward Defined

Confirms whether procedures are operating consistently

Review assurance requirements

Consider formal frameworks only where customer, insurance or business value justifies them

Avoids unnecessary compliance activity

Recommended 90-Day Operating Focus

The first 90 days should concentrate on the actions most likely to reduce material exposure and establish clear accountability.

Recommended Sequence

1. Confirm Privileged Access

Create a complete list of reviewed administrative and elevated accounts.

Confirm the owner, purpose and business justification for each one.

2. Remove Unnecessary Privileges

Reduce permissions that are no longer required and separate normal and administrative accounts where practical.

3. Enforce Strong Authentication

Require multi-factor authentication for remaining privileged accounts wherever supported.

Document any exception.

4. Assign System and Vendor Owners

Establish clear accountability for the systems and vendors supporting critical business operations.

5. Begin Recurring Access Reviews

Start with the highest-risk systems and record all decisions and changes.

6. Standardize Employee Lifecycle Processes

Implement one onboarding, internal-transfer and offboarding procedure across departments.

7. Assign Implementation Responsibility

Designate an executive sponsor and operational owners for each roadmap workstream.

8. Conduct a 90-Day Review

Evaluate:

  • Privileged access removed

  • Multi-factor authentication coverage

  • Ownership assignments completed

  • Access reviews performed

  • Lifecycle procedures adopted

  • Outstanding exceptions

  • Resources required for the next phase

This sequence would address the most urgent access concerns while creating the governance foundation needed for the remaining roadmap.

Client Perspective

Leadership valued the assessment’s ability to bring several cybersecurity concerns into one connected and prioritized view.

The engagement helped clarify that the company’s principal challenge was not one isolated technical defect. Instead, risk had accumulated through a combination of access, administrative privileges, vendor relationships, customer-data visibility, employee lifecycle practices and external assets.

Particularly valuable aspects included:

  • Clear prioritization of immediate and longer-term improvements

  • Independent validation of leadership’s existing concerns

  • Better visibility into access-management risk

  • Greater understanding of vendor dependencies

  • Improved awareness of where customer information was handled

  • Identification of gaps in public asset visibility

  • A practical roadmap aligned with business operations

  • A maturity target that leadership could use to guide the next 12 months

This section summarizes the value reported through the engagement context. It should not be presented as a direct client quotation unless the client approves specific wording.

Conclusion

The Cybersecurity Foundations Assessment found that the organization’s most significant challenge was not one technical weakness.

The greater concern was the accumulation of risk caused by inconsistent governance, incomplete ownership and limited visibility across a growing operating environment.

The two highest-priority findings involved recurring access governance and administrative privilege management. Without structured review, employees could retain access beyond current need, while excessive administrative authority could increase the impact of phishing, credential compromise or human error.

Additional improvement areas involved:

  • Vendor ownership

  • Customer-data visibility

  • Security documentation

  • Externally accessible asset tracking

  • Employee account lifecycle controls

The organization also demonstrated meaningful strengths. Leadership was engaged, employees understood common security concerns and the company already maintained a disciplined operational culture.

These strengths provided a credible foundation for improvement.

The organization’s overall maturity was assessed as Developing. A Defined level was considered achievable within 12 months if ownership was assigned, priority controls were implemented and recurring review processes became part of normal operations.

The recommended roadmap was designed to be practical and proportionate. It did not require the organization to begin with a large certification program or introduce unnecessary complexity.

Instead, it focused first on:

  • Reducing excessive access

  • Protecting privileged accounts

  • Establishing ownership

  • Standardizing lifecycle controls

  • Improving visibility

  • Creating evidence of recurring governance

Implementing these actions would help the organization reduce preventable cybersecurity exposure while strengthening business continuity, operational accountability and customer confidence.

The long-term objective was not simply to create more security documentation. It was to establish a repeatable cybersecurity operating model that could mature alongside the business.

Engagement Summary

Category

Summary

Public case-study title

Strengthening Cybersecurity Governance and Operational Resilience for a Growing Manufacturer

Engagement type

Cybersecurity Foundations Assessment

Client environment

Mid-sized manufacturing organization serving commercial and residential markets

Primary business concern

Cybersecurity governance had not matured at the same pace as operational and technology growth

Primary areas reviewed

Identity, access, administrative privileges, vendors, customer data, documentation, external assets and account lifecycle

Assessment approach

Leadership interviews, walkthroughs, documentation review, operational analysis and passive external visibility review

Overall maturity

Developing

Recommended 12-month target

Defined, conditional on implementation and recurring operation

Highest-rated findings

Access governance and administrative privileges

Other priority areas

Vendor ownership, customer-data visibility, documentation, external assets and account lifecycle

Principal output

Prioritized cybersecurity improvement roadmap

Principal engagement value

Improved leadership visibility, prioritization and implementation direction

Important exclusions

No penetration testing, exploitation, social engineering, certification or continuous monitoring