Back To Case Studies

Case Study

Cyber Risk & Data Protection Assessment of a Cloud-Based Financial Management Platform

Blackwood Enterprises conducted an independent Security Readiness Assessment for a cloud-based financial management platform that stores, processes and enables the sharing of sensitive personal, household and business financial information.

The engagement was designed to evaluate how the platform’s security controls, user-access model, information-sharing features and supporting operational practices contributed to the protection of financial records and the preservation of user trust. The assessment considered not only technical controls, but also the interaction between people, processes and technology across common user workflows.

The review identified identity security as the platform’s primary area of risk concentration. Because a single user account could provide access to several financial profiles and categories of sensitive information, account compromise had the potential to create significant privacy, financial and reputational consequences.

Additional opportunities were identified in access governance, account recovery, audit visibility, shared-access management, financial-record protection and user security awareness.

The platform demonstrated several foundational security practices, including authenticated access, logical separation of financial profiles, user-controlled sharing and centralized information management. No critical control deficiencies were identified within the scope of the engagement.

The platform’s overall security maturity was assessed as Developing. Existing practices provided a functional foundation, but further formalization, automation and oversight would help the organization reduce exposure, improve operational resilience and strengthen customer confidence as the platform continued to grow.

The recommended direction was to prioritize stronger identity protection and recovery controls, followed by improved access governance, monitoring, record integrity and user-facing security practices.

Client Overview and Business Context

The client operates a cloud-based financial management platform used by individuals, families and small businesses to organize, analyze, store and share financial information through a centralized application.

The platform supports activities such as personal financial management, household financial tracking, small-business bookkeeping, receipt and document storage, financial reporting and collaboration with accountants, advisers, family members and other authorized users.

Users may maintain several financial profiles within one account environment. A single account could therefore contain personal financial information, household records, tax-related documentation and business financial data.

This operating model creates meaningful customer value by making information easier to organize and manage. It also creates a concentration-of-value risk. If one account is compromised, several categories of sensitive information may be exposed simultaneously.

Security was therefore important not only as a technical requirement, but also as a business requirement connected to customer trust, platform adoption, operational continuity and long-term growth.

Engagement Objective

The objective of the engagement was to identify realistic security and data-protection risks arising from the platform’s functionality, user behaviour and operational workflows.

The assessment was intended to:

Evaluate how effectively existing controls protected sensitive financial information.

Identify areas where platform features or user practices could contribute to unauthorized access, excessive permissions, information exposure, loss of data integrity or delayed detection of suspicious activity.

Assess the platform’s current level of security maturity.

Connect security findings to operational, financial and customer-trust considerations.

Provide practical and prioritized recommendations that could support continued platform growth.

The engagement was advisory in nature. It was not designed to provide formal certification, regulatory assurance or a guarantee that a security incident could not occur.

Scope and Methodology

Assessment Approach

Blackwood evaluated the platform across three connected dimensions:

People: How users, collaborators and administrators interacted with accounts, financial information, sharing permissions and recovery processes.

Process: How access was granted, reviewed, maintained and removed, and how records, permissions and security-related activities were governed.

Technology: How authentication, profile separation, information sharing, account recovery, logging and record-management capabilities supported the protection of sensitive information.

The assessment included:

  • Functional review of relevant platform capabilities

  • User-workflow analysis

  • Access-control and permission review

  • Information-sharing assessment

  • High-level data-flow analysis

  • Threat-scenario modelling

  • Qualitative risk analysis

  • Review of account-recovery dependencies

  • Evaluation of financial-record protection

  • Security-control mapping against recognized practices

  • Development of prioritized recommendations

The assessment was informed by generally accepted principles reflected in the NIST Cybersecurity Framework, CIS Critical Security Controls and ISO/IEC 27001 information-security management practices.

These frameworks were used as reference points rather than as formal audit or certification criteria.

Engagement Limitations

The engagement did not include:

  • Penetration testing

  • Vulnerability scanning

  • Source-code review

  • Detailed cloud-configuration assessment

  • Infrastructure-security testing

  • Formal compliance auditing

  • Legal or regulatory opinions

  • Certification against a security standard

  • Continuous security monitoring

  • Incident-response services

Findings were based on the platform functionality, information and workflows available during the engagement.

Key Information and Business Areas Reviewed

The platform stored or processed several categories of information with varying levels of sensitivity.

Information or business area

Sensitivity

Potential business impact if exposed or disrupted

User profile information

Moderate

Privacy concerns, customer support demand and reputational impact

Financial account information

High

Financial fraud, privacy exposure and loss of customer confidence

Receipts and invoices

High

Disclosure of financial activity and commercial information

Tax-related documents

High

Identity theft, fraud and legal or financial consequences

Business financial records

High

Operational disruption, reputational harm and strategic exposure

Financial reports and analytics

High

Inaccurate decisions, privacy concerns and financial exposure

Sharing and collaboration records

Moderate

Unauthorized disclosure and uncertainty regarding current access

Account-recovery processes

High

Unauthorized access through compromise of an external dependency

User permissions

High

Excessive or outdated access to sensitive financial information

Record integrity and recovery

High

Loss, modification or corruption of information relied upon by users

The presence of several high-sensitivity information categories increased the potential impact of account compromise and made identity security, access governance and record integrity particularly important.

Observed Strengths and Existing Controls

The assessment identified several positive practices that provided a foundation for continued security improvement.

Control area

Observed strength

Authentication

Users were required to authenticate before accessing account information

Profile separation

Personal, household and business profiles were logically separated within the platform

Information sharing

Users maintained direct control over collaboration and sharing relationships

Centralized information management

Financial records were maintained within a centralized platform environment

User visibility

Users could review financial activity and reporting information

Cloud-based architecture

Centralized hosting supported consistent platform management and control implementation

Customer control

Users retained meaningful control over the information and profiles they chose to share

Existing security foundation

No critical control deficiencies were identified within the assessment scope

These controls demonstrated that the platform was not beginning from an unmanaged security position. The principal opportunity was to make existing practices more consistent, visible and resilient as platform usage and data sensitivity increased.

Current-State and Maturity Assessment

Blackwood used the following maturity scale:

Maturity level

Description

Initial

Practices are informal, reactive or inconsistently applied

Developing

Foundational controls exist, but implementation and oversight remain partly manual

Defined

Practices are documented, repeatable and consistently assigned

Managed

Performance is measured, reviewed and actively governed

Optimized

Controls are continuously improved through automation, evidence and measured outcomes

Overall Maturity Rating: Developing

The platform demonstrated foundational controls in authentication, profile separation, user-managed sharing and centralized data management.

However, several important practices depended on individual user decisions or manual administration. Access reviews, permission expiration, recovery assurance, audit visibility and record-integrity protections had not yet reached a consistently defined or managed state.

The Developing rating did not indicate that the platform lacked security controls. It indicated that the next stage of maturity would require stronger governance, clearer ownership, improved monitoring and more systematic control operation.

Domain-Level Assessment

Control domain

Current state

Recommended direction

Authentication security

Password-based access with opportunities for stronger protection

Broader multi-factor authentication and risk-based login controls

Access governance

Permissions largely managed by individual users

Periodic reviews, clearer roles and automated governance

Information sharing

Manual sharing relationships

Time-limited, role-based and more visible access

Audit visibility

Limited historical access and sharing visibility

Comprehensive activity reporting and meaningful notifications

Account recovery

Material dependency on the user’s email account

Stronger identity verification and multi-factor recovery controls

Data integrity

Standard record-management capabilities

Version history, recovery capabilities and monitoring of important changes

Security communication

Security practices not always visible to users

Clearer communication, education and trust-supporting controls

Executive Business Risk Summary

Priority

Business risk

Potential operational impact

Rating

1

Account compromise affecting several financial profiles

Exposure of personal, household and business information through one authentication boundary

High

2

Unauthorized modification or deletion of financial records

Inaccurate reporting, recovery effort and loss of confidence in platform data

Medium-High

3

Access remaining active beyond legitimate need

Former collaborators or advisers retaining unnecessary access

Medium

4

Limited visibility into account and sharing activity

Delayed identification of unauthorized or inappropriate access

Medium

5

Recovery processes dependent on external email security

Platform access obtained through compromise of the user’s email account

Medium

6

Security incidents reducing customer confidence

User attrition, increased support demand and slower platform adoption

Medium

Risk-Rating Methodology

Findings were rated using qualitative analysis based on:

  • Likelihood of the scenario occurring

  • Sensitivity of the affected information

  • Potential financial, operational, privacy and reputational impact

  • Common user-behaviour patterns

  • Strength of existing controls

  • Remaining exposure after existing controls were considered

Likelihood Scale

Rating

Definition

Low

An uncommon scenario requiring significant effort or unusual conditions

Medium

A plausible scenario observed in comparable technology environments

High

A common attack path or operational failure pattern frequently observed in practice

Impact Scale

Rating

Definition

Low

Limited operational, financial or privacy consequences

Medium

Noticeable business, customer, financial or privacy consequences

High

Significant financial, legal, operational, privacy or reputational consequences

A risk rating represented the assessment of the remaining exposure within the defined engagement scope. It was not a prediction that the scenario would occur.

Detailed Findings

Priority 1: Strengthen Identity Security

Business Context

The platform allowed users to consolidate several categories of sensitive financial information within one account environment.

This simplified financial management for users, but it also increased the value of each account to a potential attacker.

Observation

A successful account compromise could provide access to personal, household and business financial profiles through one authentication boundary.

Existing Controls

The platform required account authentication and maintained logical separation between financial profiles.

These controls reduced casual or unauthorized access but did not eliminate the risks associated with password reuse, phishing, credential theft or compromise of recovery channels.

Illustrative Scenario

A user reuses a password that was previously exposed through an unrelated third-party data breach. An attacker attempts the same credentials against the platform and successfully authenticates.

The attacker may then access or export sensitive records across several financial profiles associated with the account.

Business Impact

Potential consequences could include:

  • Exposure of personal and business financial information

  • Disclosure of tax-related documents

  • Increased fraud or identity-theft risk

  • Customer support and investigation costs

  • Reduced confidence in the platform

  • Reputational and commercial consequences

Remaining Gap

Password-based authentication may not provide sufficient protection where credentials have been stolen, reused or obtained through phishing.

The concentration of several financial profiles under one account increases the impact of a successful compromise.

Risk Statement

Unauthorized account access could expose several categories of sensitive financial information simultaneously.

Rating

Likelihood: High
Impact: High
Overall rating: High

Recommendations

Increase the adoption of multi-factor authentication across the user base.

Consider requiring stronger authentication for high-risk actions, such as changing recovery information, exporting sensitive records or modifying important sharing relationships.

Introduce monitoring for suspicious login patterns, unusual devices, abnormal locations or repeated authentication failures.

Review authentication controls regularly as the platform’s user base and information sensitivity grow.

Strengthen account-recovery verification so that recovery processes do not weaken the protection provided by normal authentication.

Expected Business Benefit

Stronger identity controls would reduce the likelihood of unauthorized access while supporting user confidence in the platform’s ability to protect consolidated financial information.

Priority 2: Improve Financial-Record Protection and Recoverability

Business Context

Users rely on the platform’s financial records for budgeting, bookkeeping, tax preparation, reporting and business decisions.

The value of the platform therefore depends not only on confidentiality, but also on the integrity and availability of those records.

Observation

An attacker or unauthorized user who gained account access could potentially modify or delete information that users rely upon.

Existing Controls

The platform provided centralized document and record management, together with user-controlled permissions.

These practices created a useful foundation for consistent record handling.

Illustrative Scenario

An unauthorized individual gains access to an account and modifies or deletes financial information.

The account owner does not immediately identify the changes and later relies on incomplete or inaccurate records for reporting, tax preparation or operational decisions.

Business Impact

Potential consequences could include:

  • Inaccurate financial reporting

  • Lost or corrupted records

  • Business disruption

  • Increased recovery and support effort

  • Reduced confidence in platform information

  • Customer dissatisfaction or attrition

Remaining Gap

Existing controls may not provide sufficient visibility into material changes or an efficient method of restoring records after unauthorized modification or deletion.

Risk Statement

Unauthorized access, modification or deletion could affect the reliability of financial records used for important personal and business activities.

Rating

Likelihood: Medium
Impact: High
Overall rating: Medium-High

Recommendations

Introduce or expand version history for important financial records and documents.

Develop recovery capabilities that allow authorized users or administrators to restore information after accidental or unauthorized changes.

Increase visibility into material record modifications.

Consider notifications or review controls for high-impact changes.

Review access permissions regularly for users with the ability to modify or delete important information.

Expected Business Benefit

Improved record integrity and recoverability would help protect the reliability of the platform’s information, reduce recovery effort and support continued customer trust.

Priority 3: Formalize Shared-Access Governance

Business Context

The platform allowed users to share financial information with accountants, advisers, contractors, family members and other collaborators.

This functionality supported valuable business and household workflows, but created an ongoing need to manage who retained access and for how long.

Observation

Sharing permissions were managed manually, and no automated expiration or periodic review process was observed.

Existing Controls

Users had direct control over sharing relationships and could determine which individuals received access.

Illustrative Scenario

A contractor, accountant or adviser receives access for a temporary purpose. The relationship or engagement later ends, but the user does not remove the permission.

The external party continues to have access to financial information beyond the period of legitimate need.

Business Impact

Potential consequences could include:

  • Unauthorized access by former collaborators

  • Excessive permission accumulation

  • Privacy concerns

  • Uncertainty regarding who can access sensitive information

  • Increased support and incident-management requirements

Remaining Gap

Manual permission management creates a risk that access will remain active because users forget to remove it or cannot easily review all current sharing relationships.

Risk Statement

Access may remain active beyond legitimate business or personal need, increasing the likelihood of inappropriate information exposure.

Rating

Likelihood: Medium
Impact: Medium
Overall rating: Medium

Recommendations

Introduce optional or mandatory expiration dates for temporary sharing relationships.

Provide periodic reminders encouraging users to review active access.

Support clearer role-based permissions so that collaborators receive only the access required for their purpose.

Offer read-only access where editing capability is unnecessary.

Make active sharing relationships easy to review from a central location.

Consider distinguishing permanent relationships from temporary or engagement-based access.

Expected Business Benefit

Stronger sharing governance would reduce permission creep, improve customer control and make collaboration safer without removing the convenience that users value.

Priority 4: Expand Audit Visibility and Security Monitoring

Business Context

Users need sufficient visibility to understand who can access their financial information and whether important account activity has occurred.

Visibility also affects how quickly suspicious or inappropriate access can be identified and addressed.

Observation

Historical access activity, sharing changes and other significant account events were not fully visible to users.

Existing Controls

The platform provided standard account-management and reporting capabilities.

Illustrative Scenario

An external collaborator retains access for several months longer than intended. The access is not actively reviewed, and the account owner receives no meaningful reminder or indication that the relationship remains active.

The continued exposure is not identified until a later review or unrelated event.

Business Impact

Potential consequences could include:

  • Longer exposure periods

  • Delayed investigation of suspicious activity

  • Reduced ability to answer customer questions

  • Increased support burden

  • Lower confidence in the platform’s oversight capabilities

Remaining Gap

Limited historical visibility may prevent users and administrators from identifying unusual access, outdated sharing relationships or important account changes promptly.

Risk Statement

Insufficient monitoring and audit visibility could delay the identification of unauthorized, inappropriate or unexpected activity.

Rating

Likelihood: Medium
Impact: Medium
Overall rating: Medium

Recommendations

Expand audit logging for significant account, access, sharing and record-management events.

Provide users with accessible account-activity and access-history information.

Notify users when important changes occur, including new sharing relationships, recovery changes or logins from unusual environments.

Highlight active external access and relationships that have not been reviewed recently.

Develop a practical review process for security-relevant activity.

Expected Business Benefit

Improved visibility would support earlier detection, more efficient customer support and stronger confidence that users remain informed about access to their financial information.

Priority 5: Strengthen Account-Recovery Assurance

Business Context

Account recovery is necessary when a user loses access to credentials or authentication factors.

However, a recovery process can become an alternative route into an account if it depends too heavily on another system that has already been compromised.

Observation

Account recovery appeared to depend materially on access to the user’s email account.

Existing Controls

Recovery messages and verification were delivered through the user’s registered email address.

Illustrative Scenario

An attacker compromises a user’s email account through phishing or password reuse.

The attacker initiates a platform password reset, intercepts the recovery message and gains access without directly defeating the platform’s normal authentication controls.

Business Impact

Potential consequences could include:

  • Unauthorized access to several financial profiles

  • Exposure of sensitive documents

  • Fraud or identity-theft risk

  • Customer support and investigation costs

  • Reduced trust in the platform’s account-protection practices

Remaining Gap

Email-based recovery creates a security dependency on an external account that the platform does not control.

Risk Statement

Compromise of a user’s email account could enable unauthorized platform access through the recovery process.

Rating

Likelihood: Medium
Impact: Medium
Overall rating: Medium

Recommendations

Introduce additional identity-verification steps for sensitive recovery events.

Require multi-factor verification where possible during account recovery.

Provide clear notifications when recovery information is changed or a recovery process is initiated.

Apply additional review to recovery attempts exhibiting unusual characteristics.

Educate users about the importance of protecting the email accounts associated with the platform.

Review recovery workflows periodically to ensure that they do not provide a weaker path than standard authentication.

Expected Business Benefit

More resilient recovery controls would reduce the likelihood that attackers could bypass normal authentication while still allowing legitimate users to regain access.

Priority 6: Make Security Practices More Visible to Users

Business Context

The platform’s value depended partly on customers trusting it with increasingly sensitive financial information over time.

Users may not be able to evaluate the platform’s underlying technical controls directly. Their confidence is therefore influenced by the security features, communications and operating practices they can see.

Observation

The platform had foundational security capabilities, but opportunities existed to communicate security practices and user responsibilities more clearly.

Existing Controls

The platform centralized financial information, allowed users to manage sharing relationships and maintained logical separation between financial profiles.

Illustrative Scenario

A security incident affects a limited number of accounts. Public discussion or incomplete information creates broader concern among existing and prospective users.

Even where the direct technical impact is contained, uncertainty about the platform’s practices contributes to increased support requests, lower adoption or customer attrition.

Business Impact

Potential consequences could include:

  • Reduced user confidence

  • Slower customer acquisition

  • Increased support demand

  • Reputational harm

  • User attrition

  • Greater scrutiny from partners or stakeholders

Remaining Gap

Security improvements that are not visible or understandable to users may provide less trust value than controls supported by clear communication and user education.

Risk Statement

A security event or perceived weakness could reduce customer confidence even where the direct operational impact is limited.

Rating

Likelihood: Medium
Impact: Medium
Overall rating: Medium

Recommendations

Communicate relevant security practices in plain language.

Make important protective features visible and understandable to users.

Provide practical guidance on strong authentication, phishing awareness and secure sharing.

Explain user responsibilities without shifting accountability away from the platform.

Develop a clear process for communicating material security events and improvements.

Continue investing in controls that strengthen both actual protection and customer confidence.

Expected Business Benefit

Clearer security communication would help users make better decisions, increase adoption of protective features and reinforce the platform’s reputation as a trusted financial-information environment.

Prioritized Improvement Roadmap

Immediate Priorities: 0–3 Months

1. Increase Multi-Factor Authentication Adoption

Improve user awareness of multi-factor authentication and reduce friction in the enrolment process.

Evaluate whether stronger authentication should be required for sensitive actions or higher-risk account conditions.

Business value: Reduces the likelihood that stolen or reused passwords will result in account compromise.

2. Strengthen Account-Recovery Verification

Review the recovery process for excessive dependency on email-based verification.

Introduce additional checks for high-risk recovery events and notify users when recovery information or credentials are changed.

Business value: Reduces the likelihood that compromise of an external email account will lead to platform access.

3. Review Protection of Financial Records

Determine which records and actions are most important to preserve.

Evaluate version history, restoration capability and monitoring for significant modifications or deletions.

Business value: Protects the reliability of information used for reporting, bookkeeping and financial decisions.

4. Improve User Security Guidance

Provide practical guidance concerning password reuse, phishing, email-account protection and safe information sharing.

Business value: Helps reduce avoidable security incidents caused by common user behaviours.

5. Evaluate Suspicious-Login Monitoring

Define meaningful indicators of unusual account access and determine which events should trigger review, additional verification or user notification.

Business value: Supports earlier identification of account-compromise attempts.

Medium-Term Priorities: 3–6 Months

1. Establish Access-Review Workflows

Provide users with a clear and centralized way to review current sharing relationships and permissions.

Introduce periodic review reminders.

Business value: Reduces outdated access and strengthens customer control.

2. Introduce Permission-Expiration Options

Allow temporary access to expire automatically after a defined period.

Business value: Reduces the likelihood that collaborators will retain access after the original purpose has ended.

3. Expand Role-Based Permissions

Differentiate between viewing, editing, exporting and administrative access where practical.

Business value: Ensures collaborators receive only the capabilities required for their role.

4. Improve Sharing Visibility

Make active sharing relationships prominent and understandable.

Highlight relationships that are old, inactive or have not been reviewed recently.

Business value: Helps users make informed access decisions and reduces hidden exposure.

5. Develop Read-Only Collaboration Models

Provide safer collaboration options for accountants, advisers and other users who do not require modification rights.

Business value: Preserves collaboration while reducing the potential impact of unnecessary access.

Long-Term Priorities: 6–12 Months

1. Expand Audit Logging

Capture security-relevant events involving authentication, recovery, sharing, permissions and important record changes.

Business value: Improves investigation capability, accountability and operational oversight.

2. Provide Account-Activity Reporting

Allow users to review meaningful historical access and account activity without presenting excessive technical detail.

Business value: Increases transparency and helps users identify unexpected activity.

3. Mature Security Governance

Assign clear ownership for identity security, access governance, recovery controls, monitoring and user communication.

Document review frequencies, decision rights and escalation processes.

Business value: Converts individual security features into a coordinated operating system.

4. Enhance Data-Integrity Controls

Develop stronger versioning, restoration and high-impact-change monitoring capabilities.

Business value: Supports the continued reliability of information used for important financial activities.

5. Formalize Trust-Supporting Practices

Develop a consistent approach to security communications, customer education, incident transparency and the presentation of protective controls.

Business value: Strengthens user confidence and supports long-term platform adoption.

Recommended 90-Day Operating Focus

Although the complete roadmap extended over 12 months, the first 90 days should focus on the controls most likely to reduce material exposure quickly.

The recommended sequence was:

  1. Strengthen authentication and recovery controls.

  2. Improve protection and recoverability of important financial records.

  3. Introduce greater visibility into account access and sharing.

  4. Establish ownership and measures for the priority improvements.

  5. Reassess remaining risk after the initial controls are implemented.

This sequence would address the most significant risk concentration first while creating a practical foundation for broader governance and monitoring improvements.

Client Perspective

The following section is a paraphrased summary of the client’s reported experience and should be approved before external publication.

The client identified Blackwood’s focus on everyday platform usage as one of the engagement’s most valuable elements. The assessment considered how security risks could emerge through normal user behaviour, access-sharing practices and account-management workflows rather than treating security as a purely technical issue.

The engagement provided improved visibility into shared-access governance, user permissions, account-recovery dependencies and oversight of sensitive financial information.

The client also valued the independent review of existing controls and the practical nature of the recommendations. The assessment helped connect security considerations to broader priorities, including customer confidence, operational resilience and responsible platform growth.

Conclusion

The assessment identified identity security as the platform’s most significant area of risk concentration because one account could provide access to several categories of sensitive financial information.

Financial-record protection, shared-access governance, audit visibility, account recovery and visible security practices were also identified as important areas for improvement.

The platform demonstrated meaningful foundational controls, and no critical deficiencies were identified within the scope of the engagement. Its overall maturity was assessed as Developing, reflecting the presence of functional security practices that would benefit from greater consistency, automation, visibility and governance.

The recommended improvements were intended to strengthen the platform without introducing unnecessary operational complexity. Priority was placed on identity and recovery controls, followed by access governance, monitoring, record integrity and customer-facing security practices.

Implementing these recommendations would help reduce exposure to unauthorized access, excessive permissions, undetected activity and loss of record integrity. It would also support broader business objectives by strengthening operational resilience, customer trust and the platform’s ability to grow responsibly.

Engagement Summary

Category

Summary

Engagement type

Security Readiness Assessment

Client environment

Cloud-based financial management platform

Primary objective

Evaluate security, governance and operational controls affecting sensitive financial information

Business focus

Customer trust, operational resilience and responsible growth

Primary areas reviewed

Identity security, access governance, data protection, account recovery, information sharing, audit visibility and record integrity

Assessment approach

People, process and technology review

Referenced practices

NIST Cybersecurity Framework, CIS Critical Security Controls and ISO/IEC 27001 principles

Overall maturity

Developing

Highest-priority finding

Identity security and account-compromise concentration

Recommended direction

Strengthen authentication and recovery first, followed by governance, visibility and record-integrity controls

Important exclusions

No penetration testing, vulnerability scanning, source-code review, infrastructure assessment, formal audit or certification