Back To Case Studies
Case Study
Cybersecurity Foundations Assessment for a Growing Manufacturing Company
Blackwood Enterprises conducted a cybersecurity foundations assessment for a growing manufacturing company seeking greater visibility into the security risks emerging across its expanding technology environment.
The organization supported commercial and residential customers and increasingly relied on cloud platforms, enterprise business systems, third-party vendors, digital workflows, and externally accessible customer and employee services. These technologies supported collaboration, service delivery and continued growth, but the governance practices surrounding them had not matured at the same pace.
Leadership wanted an independent view of the company’s current cybersecurity position and a practical improvement plan aligned with normal business operations.
The assessment reviewed identity and access management, administrative privileges, vendor accountability, customer-data visibility, security documentation, employee account lifecycle practices and externally visible digital assets.
The review found that the organization’s principal cybersecurity challenge was not a single isolated technical weakness. Risk had accumulated through several connected conditions:
Access was not consistently reviewed after it was granted.
Some reviewed accounts held broader administrative privileges than their operational responsibilities required.
Responsibility for several important vendors was not clearly documented.
Customer information was distributed across systems without one maintained view of its locations and movement.
Important processes depended on institutional knowledge.
Publicly visible digital assets were not managed through one centralized inventory.
Onboarding, role changes and offboarding were handled inconsistently across departments.
The most urgent improvement areas were recurring access governance and the control of administrative privileges. These issues received the highest rating because inappropriate or excessive access could materially increase the impact of credential compromise, phishing, employee error or unauthorized activity.
The organization’s overall cybersecurity maturity was assessed as Developing. Foundational controls and capable operational practices were present, but several security activities remained informal, inconsistently documented or dependent on individual employees.
A Defined level of maturity was considered a reasonable 12-month target if leadership assigned clear ownership, implemented the priority recommendations and established recurring review processes.
The engagement gave leadership a clearer and more connected view of cybersecurity risk across people, processes, technology and third-party relationships. It also provided a sequenced roadmap for improving governance without requiring a large compliance initiative or disrupting normal operations.
Note:
This case study has been anonymized to protect client confidentiality. Identifying details have been removed or generalized while preserving the engagement’s scope, methodology and assessment conclusions.

Client Overview and Business Context
The client is a mid-sized manufacturing organization serving commercial and residential markets.
Its daily operations depend on a combination of:
Microsoft 365
Cloud-based document and storage platforms
Enterprise resource planning systems
Accounting and financial systems
Project-management tools
Third-party service providers
Customer-facing portals
Employee-facing portals
External websites, domains and online services
These systems support customer communication, financial management, project delivery, workforce collaboration, document storage and business administration.
As the organization grew, its technology environment became more complex. Additional employees required access, more vendors supported operations and customer information was distributed across a wider range of systems.
Many security decisions were handled effectively through normal operational judgment. However, the organization lacked one consistent governance layer covering access, ownership, vendors, customer data, documentation and externally accessible assets.
Leadership recognized that practices appropriate for an earlier stage of growth would need to become more structured as the business continued to scale.
Cybersecurity was therefore considered not only a technical concern, but also an operating requirement connected to:
Business continuity
Customer confidence
Employee productivity
Financial protection
Vendor reliability
Operational accountability
Responsible growth
Business Challenge
The organization had adopted modern technology and maintained meaningful operational discipline, but cybersecurity governance had not been formalized consistently across the business.
The central challenge was:
Foundational controls existed, but leadership did not have one reliable operating view of who had access, who owned important systems and vendors, where customer information was located or which public-facing assets required ongoing oversight.
Several conditions contributed to this challenge.
User access was generally managed by business and technology teams, but recurring access reviews were not consistently documented. Permissions could therefore remain in place after an employee’s responsibilities changed.
Some reviewed accounts retained administrative privileges beyond their normal operational requirements. This increased the potential impact of a compromised account or accidental change.
Vendor relationships supported important business functions, but internal responsibility for several critical vendors was not formally assigned.
Customer information was managed across multiple platforms without one maintained map showing the principal storage locations, transfers and responsible owners.
Some important security and employee-lifecycle practices depended on knowledge held by experienced personnel rather than documented procedures.
Publicly discoverable domains, portals and other digital assets were not tracked through a centralized inventory.
Onboarding, internal transfers and employee departures were handled differently across departments, creating inconsistency in how access was granted, changed and removed.
These were not separate or unrelated deficiencies. They were connected symptoms of an organization whose operating and technology complexity had grown faster than its formal security-governance practices.
Engagement Objective
The engagement was designed to provide leadership with a practical and business-focused understanding of the organization’s cybersecurity position.
The primary objectives were to:
Evaluate current cybersecurity governance practices.
Review how user access was granted, maintained and reviewed.
Assess the use and justification of administrative privileges.
Improve visibility into important vendor relationships and dependencies.
Examine how customer information was stored and handled across systems.
Evaluate the maturity of security procedures and supporting documentation.
Review onboarding, role-change and offboarding practices.
Identify publicly visible digital assets associated with the organization.
Prioritize the most important areas for near-term improvement.
Develop a practical roadmap for progressing from Developing toward Defined maturity.
The engagement was intended to help leadership determine where limited time and resources should be directed first.
It was not designed to provide formal certification, penetration-test assurance or a guarantee that a security incident could not occur.
Scope and Methodology
Assessment Approach
Blackwood evaluated the organization across three connected dimensions.
People
The review considered:
Who approved access
Who used administrative privileges
Who owned important systems and vendors
How responsibilities were communicated
How access changed when employees joined, transferred or left
Where important security knowledge was concentrated
Process
The review considered:
Access-request and approval practices
Recurring access reviews
Administrative privilege governance
Vendor ownership and oversight
Customer-data handling
Employee account lifecycle procedures
Security documentation
External asset tracking
Escalation and accountability practices
Technology
The review considered the major platforms and digital services supporting business operations, including:
Productivity and collaboration platforms
Cloud-storage services
Enterprise resource planning systems
Accounting platforms
Project-management tools
Customer and employee portals
Third-party applications
Administrative accounts
Domains and other externally visible assets
Assessment Activities
The engagement included:
Leadership interviews
Technical and operational walkthroughs
Review of available policies and procedures
Identity and access-management review
Administrative account and privilege review
Vendor inventory and ownership review
Customer-data handling and flow review
Account lifecycle process review
Asset inventory review
Passive review of publicly available information
Identification of associated external domains, portals and services
Qualitative maturity analysis
Development of prioritized findings
Preparation of an executive improvement roadmap
The external visibility work relied on publicly available information and passive observation. No attempt was made to exploit, alter or gain unauthorized access to any identified system.
Scope Limitations
The engagement focused on governance, visibility, accountability and foundational security practices.
It did not include:
Active penetration testing
Vulnerability exploitation
Password attacks
Credential testing
Phishing simulations
Social engineering
Active testing of production systems
Source-code review
Detailed cloud-configuration auditing
Malware analysis
Formal regulatory or compliance auditing
Legal or privacy opinions
Certification against a security standard
Continuous security monitoring
Incident-response services
The presence of a publicly visible asset did not mean that the asset was vulnerable.
Similarly, the absence of a finding did not guarantee that an undiscovered technical weakness did not exist.
The assessment conclusions were limited to the information, systems, processes and observations available within the engagement scope.
Key Business Areas Reviewed
Business area | Assessment focus | Business relevance |
Identity management | User accounts, permissions and access decisions | Helps ensure access reflects current responsibilities and business need |
Administrative access | Elevated accounts and privileged permissions | Reduces the potential impact of credential theft, misuse or error |
System ownership | Accountability for important technology platforms | Supports maintenance, access review, escalation and decision-making |
Vendor governance | Ownership and oversight of third-party relationships | Improves accountability for external dependencies |
Customer-data visibility | Principal locations, systems, transfers and owners | Supports incident response, privacy oversight and customer confidence |
Security documentation | Procedures, standards and operational records | Reduces dependence on individual employees |
External asset visibility | Domains, portals and other internet-accessible services | Helps the company maintain, review and retire public assets responsibly |
Account lifecycle | Onboarding, internal transfers and offboarding | Helps access change consistently with employment status and role |
Governance and reporting | Ownership, review frequency and leadership visibility | Converts security activity into a repeatable operating process |
Operational resilience | Technology dependencies and continuity considerations | Supports continued service during disruption |
Observed Strengths and Existing Practices
The assessment identified several positive characteristics that provided a strong foundation for improvement.
Area | Observed strength |
Leadership engagement | Leadership actively participated and demonstrated a clear interest in improving cybersecurity governance |
Modern technology adoption | The organization used scalable cloud and business platforms supporting collaboration and growth |
Operational discipline | Strong ownership and accountability were already present across many non-security business processes |
Security awareness | Employees demonstrated awareness of common threats such as phishing and account compromise |
Continuity awareness | Management understood the importance of protecting operations and customer information |
Existing controls | Basic identity, account and technology-management practices were already in place |
Practical decision-making | The organization sought proportionate improvements rather than security activity for its own sake |
Improvement readiness | Stakeholders were willing to review privileges, clarify ownership and formalize procedures |
The organization was not starting from an unmanaged or wholly reactive position.
In particular, the company’s existing operational culture created a valuable foundation. Leadership and employees were already familiar with concepts such as ownership, process consistency, quality and continuity.
The opportunity was to extend that same discipline into cybersecurity governance.
Current-State and Maturity Assessment
Blackwood used the following maturity model to describe the organization’s current state and recommended direction.
Maturity level | Description |
Initial | Practices are informal, reactive or highly dependent on individual employees |
Developing | Foundational controls exist, but execution, ownership or documentation remains inconsistent |
Defined | Responsibilities, procedures, inventories and review cycles are documented and consistently applied |
Managed | Control performance is measured, reported and governed through recurring oversight |
Optimized | Practices are continuously improved using evidence, automation and measured performance |
Overall Current-State Rating: Developing
The organization had implemented foundational security practices and demonstrated a capable operating culture.
However, several important activities lacked one or more of the following:
Clearly documented ownership
Consistent procedures
Recurring review
Centralized visibility
Evidence of completion
Organization-wide application
The organization therefore aligned most closely with the Developing level.
Recommended 12-Month Target: Defined
A Defined level was considered a reasonable 12-month target if leadership:
Assigned owners for critical systems, vendors and security processes
Reduced and governed administrative access
Introduced recurring access reviews
Standardized employee account lifecycle procedures
Documented customer-data locations and responsibilities
Established an external asset inventory
Implemented document ownership and review cycles
Created recurring leadership reporting
Reaching the target would depend on implementing and sustaining the recommended controls. The assessment itself did not move the company automatically to Defined maturity.
Long-Term Direction: Managed
After Defined practices were established, the organization could begin moving toward Managed maturity by:
Measuring whether access reviews were completed on time
Tracking the number of privileged accounts
Monitoring unresolved ownership gaps
Reporting overdue vendor reviews
Measuring completion of lifecycle controls
Reviewing external asset changes
Reporting progress and exceptions to leadership
Domain-Level Current-State Assessment
Domain | Current state | Recommended direction |
Access governance | Developing | Documented and recurring access certification |
Administrative privilege management | Developing | Least-privilege model with separate privileged accounts and review |
System ownership | Developing | Assigned ownership across critical systems |
Vendor governance | Developing | Central inventory, accountable owners and recurring review |
Customer-data visibility | Developing | Maintained data-location and flow documentation |
Security documentation | Developing | Controlled procedures with owners and review dates |
External asset visibility | Early Developing | Central inventory and periodic passive review |
Account lifecycle | Developing | One standardized process across departments |
Cybersecurity reporting | Initial–Developing | Recurring measures and executive oversight |
Finding and Priority Methodology
Findings were evaluated using qualitative analysis based on:
Sensitivity of the access, system or information involved
Potential operational consequence
Potential effect on customer information
Level of authority associated with the condition
Dependence on manual or informal practices
Existing control effectiveness
Likelihood of permissions or assets becoming outdated
Effect on business continuity and accountability
Practical urgency of the recommended action
Rating Scale
Rating | Definition |
High | The issue could materially increase the likelihood or impact of unauthorized access, operational disruption or loss of control |
Medium | The issue could create inconsistent operations, unnecessary exposure or reduced visibility and should be addressed through a planned improvement cycle |
Low | The issue presents limited immediate consequence and may be addressed through normal maturity improvement |
Priority Scale
Priority | Expected response |
Immediate | Begin corrective action within 0–3 months |
Near-Term | Address within 3–6 months |
Medium-Term | Address within 6–12 months |
Ongoing | Maintain through recurring review and governance |
Ratings represented the relative importance of each condition within the engagement scope. They were not predictions that an incident would occur.
Executive Findings Summary
ID | Finding area | Description | Rating | Priority |
F-01 | Access governance | Existing user access was not consistently reviewed and formally recertified | High | Immediate |
F-02 | Administrative privileges | Some reviewed accounts held elevated permissions beyond normal operational requirements | High | Immediate |
F-03 | Vendor ownership | Responsibility for several important vendors was not clearly documented | Medium | Near-Term |
F-04 | Customer-data visibility | Customer information was distributed across systems without one maintained map | Medium | Near-Term |
F-05 | Security documentation | Important procedures depended on institutional knowledge | Medium | Near-Term |
F-06 | External asset visibility | Publicly visible digital assets were not maintained through one central inventory | Medium | Medium-Term |
F-07 | Account lifecycle | Onboarding, internal transfers and offboarding varied across departments | Medium | Near-Term |
Detailed Findings
F-01: Establish Recurring Access Governance
Business Context
Employees require access to different systems and information based on their roles.
As responsibilities change, existing permissions should be reviewed to confirm that they remain appropriate. Without recurring review, access can accumulate over time even when each original approval was reasonable.
Observation
Formal and recurring access reviews were not consistently documented across the systems examined during the engagement.
Existing Practices
Access decisions were generally managed by business or technology teams.
Managers and system administrators understood the need to control access, but there was no consistently applied process for periodically confirming whether current permissions remained appropriate.
Illustrative Scenario
An employee changes roles and no longer requires access to a financial, operational or customer-information system.
The access is not removed because the employee remains with the company and no recurring review is scheduled.
Months later, the unnecessary permission remains active. If the employee’s credentials are compromised, the account provides access to information or functionality unrelated to the employee’s current duties.
Remaining Gap
Initial access approval did not always include a defined future review date.
The organization therefore could not consistently demonstrate that access remained aligned with current roles and business need.
Risk Statement
The absence of recurring access reviews could allow outdated or excessive permissions to remain active.
Business Impact
Potential consequences could include:
Employees retaining unnecessary access
Increased exposure following credential compromise
Greater difficulty investigating inappropriate activity
Reduced confidence in internal access controls
Inconsistent treatment of access across departments
Difficulty demonstrating appropriate governance to customers, insurers or other stakeholders
Rating and Priority
Rating: High
Priority: Immediate
Recommendations
Establish recurring access reviews for important systems.
Begin with:
Administrative accounts
Financial systems
Customer-information repositories
Microsoft 365 administrative roles
Enterprise resource planning systems
Cloud-storage platforms
Customer and employee portals
Assign an accountable system owner for each review.
Require the owner or appropriate manager to confirm that each user’s access remains justified.
Document:
Reviewer
Review date
Users examined
Access retained
Access changed
Access removed
Exceptions
Next review date
Use a quarterly review cycle for privileged or high-risk systems and a proportionate schedule for lower-risk platforms.
Include contractors, temporary users and external service providers where applicable.
Expected Business Benefit
Recurring access reviews would reduce privilege accumulation, improve accountability and give leadership greater confidence that permissions remain aligned with current responsibilities.
F-02: Reduce and Control Administrative Privileges
Business Context
Administrative accounts can change configurations, create users, modify permissions and affect important business systems.
Because these accounts hold greater authority, unnecessary administrative access can significantly increase the consequences of phishing, credential theft, misuse or accidental error.
Observation
Several reviewed accounts retained elevated privileges beyond what appeared necessary for their normal operational responsibilities.
Existing Practices
Administrative access was controlled to some degree, and elevated permissions were generally associated with employees supporting business or technology operations.
The primary issue was not uncontrolled access to every system. It was that administrative privileges had not been consistently reassessed against current responsibilities.
Illustrative Scenario
An employee uses the same account for everyday email, web browsing and administrative activities.
The employee is targeted through a phishing message and unknowingly enters credentials into a fraudulent login page.
Because the account retains administrative authority, successful compromise could allow the attacker to create additional accounts, alter configurations, access sensitive information or interfere with business systems.
Remaining Gap
The organization lacked a consistently documented process for:
Justifying elevated access
Separating privileged accounts from everyday accounts
Reviewing administrative permissions
Removing privileges that were no longer required
Recording approved exceptions
Risk Statement
Excessive or insufficiently governed administrative access could increase the impact of credential compromise, misuse or error.
Business Impact
Potential consequences could include:
Unauthorized changes to important systems
Exposure of customer or business information
Business disruption
Increased recovery effort
Greater incident impact
Reduced accountability for sensitive changes
Difficulty confirming appropriate privilege control
Rating and Priority
Rating: High
Priority: Immediate
Recommendations
Identify all administrative and privileged accounts across the reviewed environment.
For each account:
Confirm the current owner.
Document the business justification.
Remove privileges that are no longer required.
Separate standard and administrative accounts where practical.
Require multi-factor authentication.
Prohibit unnecessary shared administrative accounts.
Review activity and permissions periodically.
Establish an approval process for new privileged access.
Document exceptions where technical limitations prevent the preferred control.
Apply the principle of least privilege, under which users receive only the authority required for their responsibilities.
Review privileged access quarterly and after material role changes.
Expected Business Benefit
Reducing unnecessary administrative access would lower the potential impact of credential theft or accidental change while improving accountability for sensitive activity.
F-03: Assign Clear Ownership for Critical Vendors
Business Context
The organization relied on third-party platforms and service providers for important operational functions.
Each significant vendor relationship should have an internal owner responsible for understanding the business purpose, coordinating decisions and ensuring that relevant access, contract and operational issues are addressed.
Observation
Several important vendor relationships did not have clearly documented internal ownership.
Existing Practices
Business teams maintained vendor relationships and worked with providers when operational needs arose.
However, accountability was not always captured in one central record.
Illustrative Scenario
A critical vendor announces a material service change, security incident or contract requirement.
Several departments use the service, but no employee has clearly documented responsibility for coordinating the response.
Decision-making is delayed while leadership determines who owns the relationship, which systems depend on it and what actions are required.
Remaining Gap
Vendor use was known operationally, but ownership, criticality and accountability were not consistently documented.
Risk Statement
Unclear vendor ownership could delay decisions, weaken oversight and create uncertainty during incidents, contract changes or access reviews.
Business Impact
Potential consequences could include:
Delayed response to vendor incidents
Missed renewal or contract requirements
Inconsistent access oversight
Unclear responsibility for customer-data handling
Dependence on informal employee knowledge
Reduced visibility into external operational dependencies
Rating and Priority
Rating: Medium
Priority: Near-Term
Recommendations
Maintain a centralized vendor inventory.
For each important vendor, record:
Vendor name
Business purpose
Internal owner
Supporting department
Systems or processes supported
Customer or business information involved
Administrative users
Contract or renewal information
Criticality
Escalation contact
Review date
Assign both a primary owner and a backup where appropriate.
Define the responsibilities of the vendor owner, including:
Coordinating renewals
Reviewing significant service changes
Confirming access
Maintaining contact information
Escalating incidents
Supporting customer or insurance questions
Prioritize vendors that support critical operations or handle sensitive information.
Expected Business Benefit
Clear vendor ownership would improve accountability, accelerate decisions and strengthen the organization’s oversight of important external dependencies.
F-04: Document Customer-Data Locations and Responsibilities
Business Context
Customer information was handled across several business systems.
Leadership needs sufficient visibility to understand where important information is stored, which vendors support it and who is responsible for each repository.
This visibility supports security, incident response, privacy decisions and customer confidence.
Observation
Customer information existed across multiple platforms without one maintained record showing the principal locations, transfers and owners.
Existing Practices
Employees understood how customer information was used within their areas of responsibility.
The information was being managed operationally, but no centralized view combined the relevant systems and ownership information.
Illustrative Scenario
A suspected account compromise affects one business platform.
Leadership needs to determine:
What customer information was stored there
Whether the information was copied elsewhere
Which vendor supported the platform
Who owned the system
Which customers might be affected
Without a maintained data map, the organization must reconstruct the answers through interviews during an already time-sensitive event.
Remaining Gap
Knowledge of customer-data handling was distributed across employees and systems rather than maintained through an approved central record.
Risk Statement
Limited customer-data visibility could delay incident response, complicate oversight and reduce confidence in decisions concerning retention, vendors and access.
Business Impact
Potential consequences could include:
Slower incident investigation
Difficulty identifying affected information
Inconsistent customer responses
Reduced visibility into vendor involvement
Greater dependence on particular employees
Difficulty managing retention or deletion requirements
Less effective prioritization of system protections
Rating and Priority
Rating: Medium
Priority: Near-Term
Recommendations
Develop and maintain a high-level customer-data map.
For each major repository or platform, document:
Information category
Collection source
Storage location
Business purpose
Internal owner
Vendor involvement
Principal users or departments
Transfer or integration relationships
Retention responsibility
Criticality
Link the data map to the system and vendor inventories.
Assign an owner responsible for approving updates.
Review the map when new systems, integrations or vendors are introduced.
Use the maintained record to support incident response, customer questions and technology decisions.
Expected Business Benefit
Improved customer-data visibility would support faster incident decisions, clearer accountability and stronger oversight of systems and vendors handling customer information.
F-05: Convert Institutional Knowledge Into Controlled Procedures
Business Context
Experienced employees often develop effective ways of performing important tasks.
As an organization grows, however, relying primarily on memory and informal instruction can create inconsistency, especially during staff turnover, leave, role changes or periods of high workload.
Observation
Several important security and account-management activities relied substantially on undocumented knowledge held by experienced personnel.
Existing Practices
Employees had practical knowledge of how work should be performed and generally understood their responsibilities.
The gap was that the organization did not always maintain approved, accessible and current procedures.
Illustrative Scenario
An employee responsible for offboarding, vendor administration or access approval is unavailable.
Another employee must complete the task but cannot locate a current procedure describing:
Which systems must be reviewed
Who must approve the action
What evidence should be retained
How exceptions should be handled
The process is completed based on judgment, but an important step is missed.
Remaining Gap
Critical practices could be performed differently depending on the employee involved.
The organization also lacked a consistent method for assigning document ownership and review dates.
Risk Statement
Dependence on institutional knowledge could reduce operating consistency and create continuity gaps during employee or organizational change.
Business Impact
Potential consequences could include:
Missed access or security steps
Inconsistent execution across departments
Slower onboarding or offboarding
Greater dependence on experienced employees
Increased disruption during turnover or absence
Difficulty confirming how controls operate
Repeated effort to recreate procedures
Rating and Priority
Rating: Medium
Priority: Near-Term
Recommendations
Document the highest-priority security and lifecycle procedures first.
Initial procedures should include:
User onboarding
Internal role changes
Employee offboarding
Administrative access approval
Access review
Vendor onboarding and ownership
External asset registration
Security incident escalation
For each procedure, record:
Purpose
Scope
Responsible owner
Required approvals
Steps
Evidence to retain
Exceptions
Review frequency
Last review date
Next review date
Store current procedures in a central location accessible to the appropriate employees.
Archive outdated versions.
Review documents after material changes to systems, vendors or organizational responsibilities.
Expected Business Benefit
Controlled procedures would improve consistency, reduce dependence on individual employees and support continuity as the organization continues to grow.
F-06: Establish Visibility Into Externally Accessible Assets
Business Context
Organizations often operate multiple domains, websites, portals and online services.
Over time, assets may be introduced for projects, vendors, campaigns or operational purposes. If ownership and status are not tracked, assets can remain publicly visible after their original purpose has changed or ended.
Observation
The passive external review identified multiple publicly visible digital assets associated with the organization, but no centralized inventory was available showing ownership, purpose and current status.
Existing Practices
The organization maintained its principal websites and business portals.
The gap concerned consolidated visibility across the broader collection of associated domains and internet-accessible services.
Illustrative Scenario
A public portal or subdomain was created for a previous project or vendor relationship.
The service remains externally accessible, but the employee who originally managed it has changed roles or left.
When a relevant vulnerability is announced, the company cannot quickly determine whether the asset remains active, who owns it or whether action is required.
Remaining Gap
The organization did not maintain one approved record of:
External asset
Business purpose
Owner
Hosting or vendor relationship
Current status
Required review date
Retirement decision
The assessment did not establish that the identified assets were vulnerable. The concern was that untracked assets are more difficult to maintain and retire responsibly.
Risk Statement
Insufficient external asset visibility could make publicly accessible services more difficult to govern, maintain and decommission.
Business Impact
Potential consequences could include:
Forgotten or outdated services remaining online
Delayed response to relevant vulnerabilities
Unclear responsibility for public portals
Increased phishing or impersonation opportunities
Continued costs for unused services
Slower investigation of suspicious external activity
Reduced confidence in the completeness of asset oversight
Rating and Priority
Rating: Medium
Priority: Medium-Term
Recommendations
Create and maintain a centralized external asset inventory.
Record:
Domain or service
Business purpose
Owner
Technical contact
Hosting provider or vendor
Authentication requirement
Current status
Renewal date
Criticality
Last review date
Planned retirement date, where applicable
Require new public assets to be registered before launch.
Perform periodic passive external reviews to identify unexpected or unrecorded assets.
Review assets after organizational changes, vendor transitions and major projects.
Retire or redirect services that are no longer required.
Monitor important domain registrations and renewals.
Expected Business Benefit
A maintained external asset inventory would improve accountability, support faster vulnerability response and reduce the risk associated with forgotten or unmanaged public services.
F-07: Standardize Account Lifecycle Controls
Business Context
Employee access changes throughout the employment lifecycle.
New employees need timely access to perform their jobs. Employees changing roles may need different permissions. Departing employees require prompt removal of access.
A consistent process supports both productivity and security.
Observation
User provisioning, role-change and deprovisioning practices varied across departments.
Existing Practices
Departments had methods for onboarding and offboarding employees.
Managers, administrators and business teams understood their responsibilities, but the sequence, documentation and confirmation steps were not standardized across the organization.
Illustrative Scenario
An employee transfers from one department to another.
New access is granted for the new role, but previous permissions are not reviewed because the employee remains active in the organization.
The account gradually accumulates access across multiple departments.
Remaining Gap
The organization lacked one lifecycle process covering:
New hires
Contractors
Temporary staff
Internal transfers
Extended leave
Departures
System or vendor ownership reassignment
Risk Statement
Inconsistent account lifecycle processes could result in delayed access removal, excessive permissions or incomplete ownership transitions.
Business Impact
Potential consequences could include:
Employees retaining access from previous roles
Delayed removal of departing-user access
Inconsistent onboarding
Greater administrative effort
Missed reassignment of system or vendor ownership
Reduced visibility into who approved access
Difficulty demonstrating reliable lifecycle control
Rating and Priority
Rating: Medium
Priority: Near-Term
Recommendations
Develop one organization-wide account lifecycle process.
The process should define:
Request initiation
Required approvals
Standard role access
Privileged-access approval
Completion responsibility
Required timeframes
Evidence retention
Exception handling
Ownership reassignment
Final confirmation
Use standardized checklists for:
New employees
Contractors
Internal transfers
Departures
Connect the lifecycle process to the system, vendor and access inventories.
Require explicit review of existing access during internal transfers.
For departures, confirm that access has been addressed across:
Microsoft 365
Financial systems
Enterprise resource planning systems
Project-management tools
Cloud storage
Administrative accounts
Customer and employee portals
Vendor platforms
Shared credentials, where any remain
Expected Business Benefit
A consistent lifecycle process would improve onboarding efficiency, reduce outdated access and make responsibilities clearer across departments.
Engagement Outputs
The engagement produced a structured assessment of the organization’s current cybersecurity foundation.
Principal outputs included:
Executive cybersecurity maturity assessment
Current-state governance analysis
Identity and access-management observations
Administrative privilege findings
Vendor ownership and accountability observations
Customer-data visibility findings
Security-documentation assessment
Account lifecycle assessment
Passive external asset observations
Prioritized findings register
12-month improvement roadmap
Recommended 90-day operating focus
Executive discussion of priorities and implementation sequence
The engagement identified and prioritized improvement opportunities.
It did not represent completion of the recommended implementation work.
Documented Engagement Outcomes
By the conclusion of the assessment:
Leadership had a clearer view of how cybersecurity risks were accumulating across access, privileges, vendors, customer data, documentation and external assets.
The organization’s current maturity had been assessed using a defined model.
The highest-priority issues had been separated from longer-term maturity improvements.
Access governance and administrative privilege management had been identified as the most urgent areas for action.
Leadership had an independent view of vendor accountability and customer-data visibility concerns.
Public asset visibility had been evaluated through a passive external review.
The organization had a sequenced roadmap for progressing from Developing toward Defined maturity.
Cybersecurity recommendations had been connected to operational resilience, customer information, business continuity and accountability.
The engagement did not measure a quantified reduction in cybersecurity risk because implementation and ongoing operation of the recommendations were outside the assessment outcome.
The principal value was improved visibility, prioritization and a practical direction for action.
Prioritized Improvement Roadmap
Immediate Priorities: 0–3 Months
Priority action | Recommended activity | Business value |
Review administrative privileges | Identify elevated accounts and remove permissions that are not operationally required | Reduces the potential impact of credential compromise or error |
Enforce privileged multi-factor authentication | Require stronger authentication for administrative access wherever supported | Makes stolen passwords less likely to result in sensitive access |
Separate everyday and privileged accounts | Use distinct accounts for normal work and administrative tasks where practical | Reduces exposure of administrative credentials |
Assign critical system owners | Record accountability for important systems and platforms | Improves decisions, access reviews and escalation |
Assign critical vendor owners | Identify accountable internal owners for important third parties | Strengthens vendor oversight and incident coordination |
Launch recurring access reviews | Begin with privileged, financial and customer-information systems | Identifies outdated access before it accumulates |
Document lifecycle procedures | Establish standard onboarding, transfer and offboarding steps | Reduces inconsistent access changes |
Assign roadmap ownership | Identify the executive and operational owners responsible for implementation | Prevents recommendations from remaining unactioned |
Medium-Term Priorities: 3–6 Months
Priority action | Recommended activity | Business value |
Complete vendor ownership records | Document owners, purpose, criticality and data involvement for important vendors | Improves accountability and renewal decisions |
Develop customer-data maps | Record principal customer-information locations, transfers and owners | Supports incident response and customer trust |
Formalize privileged-access reviews | Establish recurring review, approval and exception processes | Sustains the reduction of excessive privileges |
Centralize security procedures | Maintain controlled documentation with owners and review dates | Reduces dependence on institutional knowledge |
Standardize account lifecycle processes | Apply one process across departments | Improves productivity and access consistency |
Classify important systems | Rank systems based on operational importance, access sensitivity and customer information | Supports proportionate oversight |
Establish evidence retention | Keep evidence of reviews, approvals and lifecycle completion | Improves accountability and future assurance |
Review security awareness needs | Focus training on phishing, credential protection and administrative access | Reinforces the controls most relevant to identified risks |
Long-Term Priorities: 6–12 Months
Priority action | Recommended activity | Business value |
Establish external asset management | Maintain a current inventory of public domains, portals and online services | Reduces the risk of forgotten or unmanaged assets |
Conduct periodic passive reviews | Reassess the organization’s publicly visible environment | Identifies unexpected changes and unrecorded services |
Mature vendor-risk governance | Classify and review vendors based on criticality and information access | Focuses oversight on material dependencies |
Develop cybersecurity measures | Track access reviews, privileged accounts, ownership gaps and overdue actions | Gives leadership evidence of progress |
Establish recurring executive reporting | Report priorities, exceptions and unresolved risks | Creates sustained governance visibility |
Conduct an incident-response exercise | Test leadership and operational coordination through a realistic scenario | Improves readiness before a disruption |
Reassess maturity | Evaluate progress from Developing toward Defined | Confirms whether procedures are operating consistently |
Review assurance requirements | Consider formal frameworks only where customer, insurance or business value justifies them | Avoids unnecessary compliance activity |
Recommended 90-Day Operating Focus
The first 90 days should concentrate on the actions most likely to reduce material exposure and establish clear accountability.
Recommended Sequence
1. Confirm Privileged Access
Create a complete list of reviewed administrative and elevated accounts.
Confirm the owner, purpose and business justification for each one.
2. Remove Unnecessary Privileges
Reduce permissions that are no longer required and separate normal and administrative accounts where practical.
3. Enforce Strong Authentication
Require multi-factor authentication for remaining privileged accounts wherever supported.
Document any exception.
4. Assign System and Vendor Owners
Establish clear accountability for the systems and vendors supporting critical business operations.
5. Begin Recurring Access Reviews
Start with the highest-risk systems and record all decisions and changes.
6. Standardize Employee Lifecycle Processes
Implement one onboarding, internal-transfer and offboarding procedure across departments.
7. Assign Implementation Responsibility
Designate an executive sponsor and operational owners for each roadmap workstream.
8. Conduct a 90-Day Review
Evaluate:
Privileged access removed
Multi-factor authentication coverage
Ownership assignments completed
Access reviews performed
Lifecycle procedures adopted
Outstanding exceptions
Resources required for the next phase
This sequence would address the most urgent access concerns while creating the governance foundation needed for the remaining roadmap.
Client Perspective
Leadership valued the assessment’s ability to bring several cybersecurity concerns into one connected and prioritized view.
The engagement helped clarify that the company’s principal challenge was not one isolated technical defect. Instead, risk had accumulated through a combination of access, administrative privileges, vendor relationships, customer-data visibility, employee lifecycle practices and external assets.
Particularly valuable aspects included:
Clear prioritization of immediate and longer-term improvements
Independent validation of leadership’s existing concerns
Better visibility into access-management risk
Greater understanding of vendor dependencies
Improved awareness of where customer information was handled
Identification of gaps in public asset visibility
A practical roadmap aligned with business operations
A maturity target that leadership could use to guide the next 12 months
This section summarizes the value reported through the engagement context. It should not be presented as a direct client quotation unless the client approves specific wording.
Conclusion
The Cybersecurity Foundations Assessment found that the organization’s most significant challenge was not one technical weakness.
The greater concern was the accumulation of risk caused by inconsistent governance, incomplete ownership and limited visibility across a growing operating environment.
The two highest-priority findings involved recurring access governance and administrative privilege management. Without structured review, employees could retain access beyond current need, while excessive administrative authority could increase the impact of phishing, credential compromise or human error.
Additional improvement areas involved:
Vendor ownership
Customer-data visibility
Security documentation
Externally accessible asset tracking
Employee account lifecycle controls
The organization also demonstrated meaningful strengths. Leadership was engaged, employees understood common security concerns and the company already maintained a disciplined operational culture.
These strengths provided a credible foundation for improvement.
The organization’s overall maturity was assessed as Developing. A Defined level was considered achievable within 12 months if ownership was assigned, priority controls were implemented and recurring review processes became part of normal operations.
The recommended roadmap was designed to be practical and proportionate. It did not require the organization to begin with a large certification program or introduce unnecessary complexity.
Instead, it focused first on:
Reducing excessive access
Protecting privileged accounts
Establishing ownership
Standardizing lifecycle controls
Improving visibility
Creating evidence of recurring governance
Implementing these actions would help the organization reduce preventable cybersecurity exposure while strengthening business continuity, operational accountability and customer confidence.
The long-term objective was not simply to create more security documentation. It was to establish a repeatable cybersecurity operating model that could mature alongside the business.
Engagement Summary
Category | Summary |
Public case-study title | Strengthening Cybersecurity Governance and Operational Resilience for a Growing Manufacturer |
Engagement type | Cybersecurity Foundations Assessment |
Client environment | Mid-sized manufacturing organization serving commercial and residential markets |
Primary business concern | Cybersecurity governance had not matured at the same pace as operational and technology growth |
Primary areas reviewed | Identity, access, administrative privileges, vendors, customer data, documentation, external assets and account lifecycle |
Assessment approach | Leadership interviews, walkthroughs, documentation review, operational analysis and passive external visibility review |
Overall maturity | Developing |
Recommended 12-month target | Defined, conditional on implementation and recurring operation |
Highest-rated findings | Access governance and administrative privileges |
Other priority areas | Vendor ownership, customer-data visibility, documentation, external assets and account lifecycle |
Principal output | Prioritized cybersecurity improvement roadmap |
Principal engagement value | Improved leadership visibility, prioritization and implementation direction |
Important exclusions | No penetration testing, exploitation, social engineering, certification or continuous monitoring |
