TechHealth Solutions, Inc.

Cybersecurity Board Report

Reporting Period: Q3 2024 (July 1 - September 30, 2024)
Report Date: November 15, 2024
Presented by: Maria Chen, CISO
Classification: Board Confidential

Prepared for Board of Directors Meeting | November 2024

Executive Summary

Q3 2024 Security Posture & Material Risks

Overall Security Posture: TechHealth demonstrates a mature and improving security posture appropriate for a growth-stage healthcare SaaS company. We have 2 critical material risks requiring board attention, strong operational metrics exceeding industry benchmarks, and 7 strategic security projects aligned with business growth objectives.

Material Risks Requiring Board Attention

20 MindCare Acquisition Security Integration

Impact: $2-5M breach exposure, SOC 2 delay risk, HIPAA violation potential

Status: 25% complete, recovery plan in place

18 Vulnerability Management SLA Non-Compliance

Impact: 32% of high-severity vulnerabilities exceed 30-day SLA

Status: Staffing remediation approved (+2 FTE)

Key Performance Highlights

Risk Exposure Reduction

↓ 58%

YoY Improvement

Mean Time to Detect

12 min

120x faster than industry

Phishing Failure Rate

11%

39% improvement YoY

Strategic Projects Status

Project	Status	Completion	Business Impact
SOC 2 Type II Certification	On Track	69%	Unblocks $12.3M ARR
MindCare Security Integration	At Risk	25%	$2-5M risk reduction
FedRAMP Moderate Authorization	On Track	35%	Opens $25M+ federal market

1

Risk Heat Map

Material Risks Positioned by Likelihood & Impact

Risk Appetite Threshold: Board-approved limit = Risk Score >15 (requiring board visibility)
Risk Scoring: Likelihood (1-5) × Impact (1-5) = Risk Score (1-25)
Current Status: 2 risks out of appetite, 8 risks within appetite (monitored)

LIKELIHOOD	Low Impact			Vulnerability SLA Score: 18 🔄 Reduce	MindCare Integration Score: 20 🔄 Reduce
Very High (5)
High (4)		Phishing Score: 12 ↓ Trend	Vendor Risk Score: 15 ↔ Stable
Medium (3)	BYOD Score: 9 🔄 Reduce
Low (2)
	Low (2)	Med (3)	High (4)	V.High (5)	Critical (5)
	IMPACT (Financial + Reputational + Regulatory)

Risk Management Strategy Legend

Strategy	Application	Risk Count
🔄 Reduce	Implement controls to lower likelihood or impact	6 risks
✓ Accept	Risk within appetite with documented justification	2 risks
↔ Transfer	Cyber insurance coverage + vendor contract clauses	1 risk
⊘ Avoid	Exit activity entirely to eliminate risk	1 risk

2

Top Risk #1: MindCare Acquisition Security Integration

Risk Score: 20 (Likelihood: 4 × Impact: 5) | Out of Appetite

Why This Matters to the Board: The MindCare acquisition (closed June 2024, $8.5M) added 47,000 patient records but brought significant security gaps. Unresolved vulnerabilities could result in $2-5M breach exposure, delay SOC 2 certification (blocking $12.3M ARR), and create HIPAA violation risk.

Risk Description

Root Cause: MindCare's legacy infrastructure was not included in pre-acquisition security diligence. Post-acquisition scanning revealed 8 high-priority security gaps including unencrypted backups, missing MFA, excessive admin access, and legacy identity systems.

Business Context: This is our first acquisition. Integration timeline was aggressive (90 days) to hit Q3 revenue targets. Security integration now on critical path for SOC 2 audit completion (Jan 2025 deadline).

Current State (25% Complete)

✓ Network segmentation complete
✓ EDR deployed to all endpoints
⚠ Identity migration 40% complete
✗ Backup encryption pending (critical)
✗ MFA deployment at 35% (target: 95%)
✗ Access review incomplete

Target State (Q2 2025)

Full identity consolidation into Okta
AES-256 encryption on all backups
95% MFA adoption (MindCare users)
Zero standing admin access (PAM)
Quarterly access reviews established
SOC 2 scope inclusion validated

Risk Management Strategy

Primary Strategy: Reduction - Accelerate remediation with dedicated project team, consulting support ($180K), and executive oversight (CISO + CTO co-ownership)

Secondary Strategy: Acceptance (Interim) - Documented interim risk acceptance for 6 months with compensating controls: network segmentation isolates MindCare environment, enhanced monitoring for MindCare systems (SIEM alerts), weekly executive risk review meetings

Key Metrics & Progress Tracking

Metric	Current	Target	Deadline
Integration Completion	25%	100%	Q2 2025
Identity Migration	40%	100%	Q1 2025
MFA Adoption (MindCare Users)	35%	95%	Dec 2024
Backup Encryption	0%	100%	Dec 2024 (critical)
High-Severity Vulnerabilities	23 open	0 open	Q1 2025

Recovery Plan

Resource Addition: +1 Senior Security Engineer dedicated to MindCare integration (approved, starts Dec 2024)
Consulting Support: Engaged Deloitte for identity migration acceleration ($180K, 8-week engagement)
Timeline Adjustment: Extended target from Q4 2024 → Q2 2025 (realistic vs. overpromising)
Executive Oversight: Weekly CISO + CTO review meetings with board escalation path

3

Top Risk #2: Vulnerability Management SLA Non-Compliance

Risk Score: 18 (Likelihood: 4 × Impact: 4.5) | Out of Appetite

Why This Matters to the Board: TechHealth's vulnerability remediation is falling behind policy SLAs: 32% of high-severity vulnerabilities exceed the 30-day deadline. This increases exploitation risk, creates SOC 2 audit exposure, and could trigger customer contract compliance clauses requiring 95% SLA compliance.

Risk Description

Root Cause: Vulnerability volume increased 47% YoY (company growth + MindCare acquisition) but SecOps team remained flat at 4 FTE. Current workload: 280 vulnerabilities/month vs. 190 last year. Team capacity: 200 vulnerabilities/month at quality standards.

Business Impact: SOC 2 Type II audit requires 90% SLA compliance (currently at 68% for high-severity). Audit failure delays certification, blocking $12.3M ARR in delayed enterprise deals. 15 customer contracts have "95% vulnerability remediation within 30 days" clauses.

Current Performance vs. Policy

Severity	Policy SLA	Current Performance	Compliance Rate	Status
Critical	7 days	6.2 days avg	94%	Meeting SLA
High	30 days	42 days avg	68%	Non-Compliant
Medium	90 days	78 days avg	89%	At Risk

Trend Analysis (Past 12 Months)

Key Observations: Declining trend from 88% (Jan 2024) to 68% (Sep 2024). Volume increased 47% YoY (MindCare acquisition added 47 assets in June). Team capacity unchanged at 4 FTE. Without intervention, forecast shows continued decline to 62% by Dec 2024.

SOC 2 Impact: Type II audit requires ≥90% compliance. Current 68% creates audit risk and delays $12.3M ARR in enterprise deals.

Risk Management Strategy

Primary Strategy: Reduction

Staffing: +2 FTE Security Engineers (approved, hiring in progress, Jan 2025 start)
Automation: Deploy ServiceNow vulnerability workflow (reduces manual triage by 40%)
Prioritization: New risk-based scoring (CVSS + exploitability + asset criticality)

Secondary Strategy: Acceptance (Interim)

Documented: Board-approved interim acceptance (3 months) with compensating controls
Controls: Network segmentation limits blast radius, EDR detects exploitation attempts, penetration testing validates controls

Recovery Timeline & Expected Outcomes

Dec 2024: ServiceNow automation deployed → +40% triage efficiency

Jan 2025: +2 FTE Engineers start → +50% remediation capacity

Feb 2025: Backlog cleared → 80% SLA compliance achieved

Mar 2025: Sustained performance → 90%+ SLA compliance (SOC 2 requirement met)

4

Top Risk #3: Vendor Risk Management - Assessment Overdue

Risk Score: 15 (Likelihood: 3 × Impact: 5) | At Appetite Threshold

Why This Matters to the Board: TechHealth relies on 72 third-party vendors with data access. Policy requires annual security assessments, but 8 critical vendors (11%) are overdue for reassessment (12-18 months past due). This creates unknown exposure, SOC 2 audit finding risk, and potential HIPAA violation if vendor breach occurs.

Risk Description

Root Cause: Vendor risk program matured in 2023, establishing annual assessment requirement. Resource constraint: 1 FTE Third-Party Risk Manager for 72 vendors = 6 assessments/month required. MindCare acquisition added 12 new vendors (not budgeted), creating backlog.

Business Context: Healthcare SaaS operates in interconnected vendor ecosystem. 68% of healthcare breaches involve third parties (IBM). Regulatory scrutiny increasing: OCR HIPAA enforcement now includes vendor oversight failures.

Vendor Assessment Status

Vendor Category	Total Vendors	Current	Overdue	Risk Level
Critical (PHI Access)	18	10	8	High Risk
High (System Access)	24	22	2	Medium Risk
Medium (Limited Access)	30	30	0	Low Risk
TOTAL	72	62	10 (14%)

Critical Overdue Vendors (Partial List)

Vendor	Service	Data Access	Last Assessment	Overdue
CloudHealth Analytics	Data warehouse	Full PHI	May 2023	18 months
MediComm Systems	SMS notifications	Limited PHI	Aug 2023	15 months
DataSync Pro	Integration platform	Full PHI	Jun 2023	17 months

Risk Management Strategy

Primary Strategy: Reduction - Accelerate assessments with temporary contractor support, deploy automated vendor risk platform (SecurityScorecard continuous monitoring reduces annual assessment burden by 60%)

Secondary Strategy: Transfer - Cyber insurance covers third-party breach ($15M coverage includes vendor incidents), contract addendum requires vendors maintain cyber insurance + indemnification clauses

Tertiary Strategy: Acceptance (Interim) - Documented risk acceptance for 6-month catch-up period with compensating controls: quarterly vendor SOC 2 reports reviewed, network segmentation limits vendor access, enhanced logging/monitoring for vendor API calls

Remediation Plan

Immediate (Nov-Dec 2024): Complete 8 critical vendor reassessments (contractor support + internal overtime)
Short-Term (Q1 2025): Deploy SecurityScorecard continuous monitoring platform ($45K annual)
Medium-Term (Q2 2025): Clear remaining 2 overdue vendors, establish sustainable cadence
Long-Term (Q3 2025): Hire dedicated Vendor Risk Analyst (+1 FTE, budget approved for FY25)

5

Security Operations Metrics

Controllable Performance Indicators | Q3 2024

Vulnerability SLA Compliance

Critical Vulnerabilities

94%

7-day SLA compliance

Performance: 94% vs. 90% policy target
Trend: Stable (92% Q2 → 94% Q3)
Benchmark: 94% vs 85% industry avg (9% better)

High Vulnerabilities

68%

30-day SLA compliance

Performance: 68% vs. 90% policy target (22% gap)
Trend: Declining (88% Jan → 68% Sep)
Action: +2 FTE approved, Jan 2025 start

Phishing Resilience

Phishing Failure Rate

11%

↓ 39% improvement YoY

Phishing Reporting Rate

22%

↑ 5.5x increase YoY

Industry Benchmark

14%

We're 21% better

Why This Matters: Phishing is #1 attack vector in healthcare (73% of breaches per Verizon DBIR). Our 11% failure rate is 21% better than industry average (14%), demonstrating mature security awareness program.

Reporting Rate Context: 22% of employees now report suspicious emails (up from 4% in Jan 2024). Higher reporting = better threat intelligence and faster response.

Multi-Factor Authentication (MFA) Adoption

Corporate Users

98%

MFA Enabled

Target: 95% (exceeded by 3%)
Trend: 94% Q2 → 98% Q3
Remaining 2%: Contractors (BYOD project in progress)

BYOD Users

82%

MFA Enabled

Target: 95% (13% gap)
Trend: 76% Q2 → 82% Q3 (improving)
Action: BYOD MDM project (Q1 2025 completion)

6

Incident Response & Resilience Metrics

Detection, Response, and Recovery Performance

Mean Time to Detect (MTTD) & Mean Time to Respond (MTTR)

MTTD

12 min

120x faster than industry

MTTR

45 min

96x faster than industry

Industry Average

24 hrs / 3 days

MTTD / MTTR

Why This Matters: Speed of detection and response is the #1 factor in limiting breach impact. TechHealth's MTTD (12 minutes) and MTTR (45 minutes) are world-class, demonstrating mature SOC capabilities, effective tooling (SIEM + EDR + NDR), and practiced incident response procedures.

Incident Volume & Classification (Q3 2024)

Severity	Q3 Incidents	Avg MTTD	Avg MTTR	Trend vs Q2
Critical	0	N/A	N/A	Stable (0 in Q2)
High	2	8 min	32 min	↓ (4 in Q2)
Medium	12	15 min	58 min	↑ (9 in Q2)
Low	47	18 min	92 min	↑ (38 in Q2)

Incident Volume Context: Medium/Low incident increase reflects expanded monitoring (MindCare acquisition added 47 assets). Higher detection = more alerts, but no critical/high severity increase = effective threat management.

Notable Q3 Incidents: 2 high-severity incidents were phishing attempts with credential compromise. Both detected within 8 minutes (Okta anomaly detection), contained within 32 minutes (account disabled, password reset forced). Zero data exfiltration in either case.

Backup & Disaster Recovery

Backup Success Rate

99.8%

Q3 2024

Target: 99.5% (exceeded)
Failed Backups: 3 of 1,440 daily backups
RTO (Recovery Time Objective): 4 hours
RPO (Recovery Point Objective): 15 minutes

DR Test Results

Last: 6 mo ago

Overdue (policy: quarterly)

Last Test: April 2024 (successful)
Status: Q3 test delayed (MindCare integration priority)
Action: Q4 test scheduled (Dec 2024)
Risk: Medium (backups validated, recovery untested)

7

Security Projects & Remediation Plans

Strategic Initiatives Aligned with Business Objectives

Active Security Projects (Board-Level Visibility)

#	Project Name	Owner	Status	Completion	Target Date	Business Impact
1	SOC 2 Type II Certification	M. Chen	On Track	69%	Jan 2025	Unblocks $12.3M ARR in delayed deals
2	MindCare Security Integration	M. Chen / D. Park	At Risk	25%	Q2 2025	$2-5M breach risk reduction
3	BYOD Mobile Device Management	M. Chen	Behind	45%	Q1 2025 (was Q4 2024)	18% MFA gap closure, BYOD risk reduction
4	FedRAMP Moderate Authorization	M. Chen / J. Mitchell	On Track	35%	Q3 2025	Opens $25M+ federal market opportunity
5	Zero Trust Network Architecture	D. Park	On Track	78%	Dec 2024	Reduces lateral movement risk by 80%
6	Security Awareness Program Expansion	M. Chen	On Track	85%	Q4 2024	Target: <10% phishing failure rate
7	Vendor Risk Management Platform	M. Chen	On Track	60%	Q1 2025	60% reduction in assessment workload

Project Portfolio Summary

Total Active Projects

7

Board-level visibility

On Track / At Risk / Behind

5 / 1 / 1

71% on track

Total Budget

$2.8M

FY24-FY25

Projects Behind Schedule - Root Cause & Recovery

Behind Schedule BYOD Mobile Device Management (MDM)

Original Target: Q4 2024 | Revised Target: Q1 2025 (3-month delay)

Root Cause:

Technical Complexity: MobileIron integration with Okta took 6 weeks vs. planned 3 weeks (iOS certificate issues)
User Resistance: 22% of BYOD users concerned about privacy (company visibility into personal devices)
Resource Conflict: Security engineer allocated to MindCare integration (higher priority)

Recovery Plan:

Technical: iOS certificate issues resolved (Nov 2024), Android deployment on track
Change Management: Privacy FAQ published, "personal container" explained (company can't access personal apps/data)
Resource: Dedicated PM assigned (was shared resource), contractor support for enrollment wave (Dec-Jan)
Phased Rollout: Phase 1: Executives (Dec), Phase 2: Sales (Jan), Phase 3: All staff (Feb)

Business Impact: 3-month delay is acceptable. MFA gap (18% non-compliant) mitigated by compensating controls (network segmentation, enhanced monitoring). Zero security incidents attributed to BYOD devices in Q3.

8

Featured Projects: Resource Requirements & Risk Reduction

Detailed Breakdown of Top 3 Strategic Initiatives

Project #1: SOC 2 Type II Certification (69% Complete)

Business Driver: $12.3M ARR delayed in enterprise pipeline. 87% of healthcare enterprise RFPs require SOC 2 Type II. Certification unblocks 14 delayed deals (avg $880K ARR each).

Timeline: Audit Phase 1 (readiness): Aug-Oct 2024 (complete). Audit Phase 2 (3-month observation): Oct 2024-Jan 2025 (in progress). Audit Phase 3 (report): Jan 2025. Certificate issuance: Feb 2025.

Status: On Track | All 64 controls implemented and tested. 3-month observation period showing consistent compliance. Expected audit pass: 95% confidence.

Resource Category	Details	Cost
People	0.5 FTE CISO, 1.0 FTE Compliance Manager, 0.3 FTE Internal Audit	$180K (loaded labor)
Technology	Vanta compliance automation platform (annual license)	$24K
Consulting	Deloitte Type II audit + advisory (gap remediation support)	$125K
TOTAL INVESTMENT		$329K

Expected Risk Reduction: Audit findings resolved (8 medium findings closed), control environment maturity increased from ad-hoc to documented/repeatable, annual SOC 2 re-certification process established (ongoing compliance vs. point-in-time).

Project #2: MindCare Security Integration (25% Complete)

Business Driver: $8.5M acquisition (June 2024) added 47,000 patient records and $6M ARR, but inherited security debt. Unresolved gaps create $2-5M breach exposure and risk SOC 2 certification timeline.

Timeline: Discovery (Jul-Aug 2024): Complete. Remediation Phase 1 (network/endpoint): Sep-Dec 2024. Phase 2 (identity/access): Jan-Mar 2025. Phase 3 (validation): Apr-May 2025. Target completion: Q2 2025.

Status: At Risk | Behind schedule (planned 50%, actual 25%). Root cause: underestimated technical complexity + resource constraints. Recovery plan: +1 FTE, Deloitte consulting, extended timeline (realistic vs. aggressive).

Resource Category	Details	Cost
People	1.0 FTE Senior Security Engineer (new hire, Dec start), 0.5 FTE CISO, 0.3 FTE CTO	$220K (annual loaded)
Technology	PrivGuard PAM licenses (MindCare admins), MobileIron MDM expansion, backup encryption (Veeam)	$85K
Consulting	Deloitte identity migration (8-week engagement), penetration testing (post-integration validation)	$180K
TOTAL INVESTMENT		$485K

Expected Risk Reduction: Risk Score 20 → 6 (70% reduction). MindCare environment brought to TechHealth security standards: full identity consolidation (single sign-on), zero standing admin access (PAM), 95% MFA adoption, AES-256 backup encryption, quarterly access reviews.

Project #3: FedRAMP Moderate Authorization (35% Complete)

Business Driver: Federal healthcare market opportunity ($25M+ pipeline: VA, HHS, DoD). FedRAMP Moderate required for federal agencies. First mover advantage: only 3 of 12 competitors are FedRAMP authorized.

Timeline: Readiness assessment: Jul-Sep 2024 (complete). Remediation: Oct 2024-Mar 2025. 3PAO assessment: Apr-Jun 2025. Authorization: Q3 2025. 18-month total timeline (started Jul 2024).

Status: On Track | 127 of 325 controls implemented (35%). Aggressive but achievable timeline. Weekly PMO steering, CEO co-sponsorship (strategic priority).

Resource Category	Details	Cost
People	1.0 FTE Compliance Manager (dedicated), 0.5 FTE CISO, 0.5 FTE CTO, 0.3 FTE each: DevOps, Network, Security (5 FTE total)	$520K (18 months loaded)
Technology	GovCloud migration (AWS), continuous monitoring tools (Splunk federal), encryption/key mgmt (AWS KMS Federal)	$380K
Consulting	Coalfire (3PAO assessment), compliance automation (Tugboat Logic), gap remediation advisory	$450K
TOTAL INVESTMENT		$1.35M

Expected Business Impact: FedRAMP authorization opens federal healthcare market ($25M+ 3-year pipeline identified). ROI: $1.35M investment → $25M+ revenue opportunity = 1,750% ROI. Strategic moat: FedRAMP takes 18-24 months (first mover advantage).

9

Impact & ROI Achieved

Business Value from Security Investments (Past 12 Months)

Security Investment ROI

PAM Implementation: $2.1M Net Value (1,350% ROI)

Phishing Resilience: $702K Annual Value (1,463% ROI)

SOC 2 Certification: $12.3M ARR Unlocked (9,840% ROI)*

*Upon completion (Jan 2025). One-time $125K investment enables $12.3M recurring revenue.

Risk Reduction Achieved

Critical Risks Closed (Past 12 Months):
✅ Standing Privileged Access (PAM implementation)
✅ Unencrypted Backups (AES-256 encryption)
✅ Legacy System EOL (Oracle upgrade)

High Risks Reduced:
• Phishing/Credential Theft: Score 20 → 12 (40% reduction)
• Insider Threat (Privileged Access): Score 20 → 8 (60% reduction)

Total Risk Exposure Reduction

↓ 58%

Year-over-Year

Compliance Certifications

Certification	Status	Business Value
HIPAA	Certified	Enables healthcare market (required)
PCI DSS Level 2	Certified	Enables payment processing
HITRUST CSF	Certified	15% pricing premium capability
SOC 2 Type II	69% (Jan 2025)	Unblocks $12.3M ARR
FedRAMP	In Progress	$25M+ federal opportunity

Market Access: Each certification opens new market segments. SOC 2 required by 87% of enterprise customers. FedRAMP opens federal healthcare ($25M+ pipeline).

Key Efficiency Gains

PAM Session Duration

95%

↓ Reduction (4.2h → 23min)

Phishing Reporting

5.5x

↑ Increase (4% → 22%)

Admin Time Savings

380 hrs/mo

= 2.4 FTE recovered

10

Board Decision Required

Cyber Insurance Renewal & Coverage Increase

Current Situation: Existing policy ($5M coverage, $385K annual premium) expires March 31, 2025. Proposed increase to $15M coverage with 3-year commitment requires board approval (exceeds CFO's $50K variance authority + material contract + risk appetite confirmation).

Context Driving This Decision: Company growth ($48M → $68M ARR, +42% YoY), MindCare acquisition (+47K patient records), HIPAA breach fines increased 40%, market hardening (cyber insurance +25% industry-wide), favorable claims history (0 claims past 3 years).

Options & Recommendation

Option	Coverage	Annual Premium	3-Yr Cost	Risk Level
1. Maintain Status Quo	$5M	$455K (+18%)	$1.73M*	HIGH RISK $3-10M uncovered loss potential
2. Standard Increase ⭐ RECOMMENDED	$15M	$510K (+32%)	$1.53M (saves $203K)	LOW RISK Adequate for 99th percentile breach
3. Premium Coverage	$25M	$685K (+78%)	$2.06M	VERY LOW RISK Exceeds likely max loss by 2x

*Projected market rate increases if renewing annually without multi-year commitment

Management Recommendation: Option 2 ($15M Coverage)

✅ Rationale:
• Coverage Adequacy: $15M = 22% of ARR (industry best practice: 15-25% for SaaS healthcare)
• Cost Efficiency: 3-year commitment saves $203K vs. annual renewals (locks in rate before 2026 market hardening)
• Risk Transfer: Covers 99th percentile breach cost ($8-12M) with headroom
• Peer Benchmarking: 6 of 8 comparable healthcare SaaS companies carry $10-20M coverage
• Regulatory Alignment: Satisfies SEC expectations for material risk transfer (adequate given company size)

Risk Implications of Each Option

Option	Residual Risk	Regulatory Risk	Financing Risk
Option 1 ($5M)	$3-10M uncovered loss in major breach	SEC may view as inadequate	Could impair Series B raise ($30M target)
Option 2 ($15M)	$0-500K (only extreme tail event)	Meets SEC expectations	No impact; appropriate for investors
Option 3 ($25M)	Negligible ($0 realistic scenarios)	Exceeds requirements	$175K annual opportunity cost (1.0 FTE)

BOARD APPROVAL REQUESTED:

☐ Approve 3-year cyber insurance contract with Coalition Inc.

☐ Authorize $510K annual spend (FY25-FY27)

☐ Confirm $15M coverage limit aligns with board risk appetite

11

Methodology & Scope

Report Transparency, Data Sources, and Changes Log

Risk Assessment Framework

Framework Used: CIS Controls v8 (18 controls) as foundational assessment structure
Scoring Model: Likelihood (1-5) × Impact (1-5) = Risk Score (1-25)
Risk Appetite Threshold: Board-approved limit = Risk Score >15 (material risks requiring board visibility)
Assessment Frequency: Quarterly formal assessment, monthly monitoring of material risks
Validation: All risk scores reviewed by CISO + CFO, approved by CEO before board presentation

In Scope

✅ TechHealth corporate infrastructure (on-prem + AWS)
✅ TechHealth SaaS application (prod, staging, dev)
✅ MindCare acquired infrastructure (post-acquisition)
✅ Employee endpoints (corporate-issued + BYOD under MDM)
✅ Third-party vendors with data access (72 vendors)
✅ Security projects >$50K budget or board-approved

Out of Scope

❌ Pre-acquisition MindCare security posture
❌ Personal devices without MDM enrollment (est. 8%)
❌ Operational IT metrics (uptime, performance)
❌ Projects <$50K budget
❌ Vendors with no data access

Reporting Period

Metrics Period: Q3 2024 (July 1 - September 30, 2024)
Trend Data: 12-month lookback (October 2023 - September 2024)
Project Status: As of report date (November 15, 2024)
Audit Findings: FY24 Annual Audit (completed September 2024) + Q3 Continuous Monitoring
Industry Benchmarks: 2024 data (Verizon DBIR 2024 published June 2024)

Changes from Q2 2024 Report

Element	Q2 2024	Q3 2024	Reason for Change
Report Length	18 slides	12 slides	Board feedback: "too long, focus on material risks only"
Metrics Reported	23 metrics	9 metrics	Eliminated operational metrics, kept board-relevant only
Risk Universe	24 risks	10 risks	Applied materiality threshold (Risk Score >15), removed low risks
Additions	—	MindCare risk, SOC 2 progress, ROI slide	New material risk, board-requested visibility, value proof

Key Assumptions & Limitations

Risk Impact Valuations: Based on IBM Cost of Data Breach average ($9.48M for healthcare); TechHealth-specific impact may differ
Shadow IT: Estimated 5-8% of applications not in asset inventory (risk: unknown exposure)
Third-Party Risk: Vendor assessments rely on self-reported data (annual validation only)
Incident Data: MTTD/MTTR based on detected incidents (unknown incidents excluded by definition)
ROI Calculations: Based on modeled risk reduction (actual breach costs may vary)

Board Governance: Report Owner: Maria Chen, CISO (maria.chen@techhealth.com) | Report Reviewers: David Park (CFO), James Mitchell (CEO) | Board Review: Audit Committee (primary), Full Board (quarterly)

12

Appendix A: CIS Controls v8 Implementation Summary

Comprehensive Security Framework Assessment

Control Maturity Score: 78% (14 of 18 controls fully or substantially implemented)
Framework: CIS Controls v8 (Center for Internet Security) - Industry-recognized cybersecurity framework

#	CIS Control	Status	Gap	Business Impact
1	Inventory & Control of Enterprise Assets	Partial	Contractor devices not tracked	Medium - Unknown exposure
2	Inventory & Control of Software Assets	Full	None	Low - Complete visibility
3	Data Protection	Partial	MindCare backups unencrypted	High - HIPAA violation risk
4	Secure Configuration	Full	None	Low - SOC 2 compliant
5	Account Management	Partial	BYOD MFA gaps (18%)	Medium - Credential theft risk
6	Access Control Management	Partial	MindCare legacy groups not reviewed	Medium - Excessive permissions
7	Continuous Vulnerability Management	Needs Improvement	SLA non-compliance (32%)	High - Exploitation risk
8	Audit Log Management	Full	None	Low - 100% coverage
9	Email & Web Browser Protections	Full	None	Low - Strong phishing defense
10	Malware Defenses	Full	None	Low - EDR deployed
11	Data Recovery	Partial	DR test 6 months overdue	Medium - Recovery uncertainty
12	Network Infrastructure Management	Full	None	Low - Segmentation complete
13	Network Monitoring & Defense	Full	None	Low - NDR deployed
14	Security Awareness Training	Full	None	Low - 11% phishing rate
15	Service Provider Management	Partial	8 vendors overdue reassessment	Medium - Third-party risk
16	Application Software Security	Partial	Legacy apps not in SDLC	Medium - Unvetted code
17	Incident Response Management	Full	None	Low - Proven MTTD/MTTR
18	Penetration Testing	Full	None	Low - Annual + post-acquisition

Note: Full control details, safeguard implementation, and evidence available upon request from CISO.

Appendix A

Appendix B: Glossary & Acronyms

Technical Terms Defined for Board Accessibility

APT	Advanced Persistent Threat - Sophisticated, long-term cyberattack by well-funded adversaries (e.g., nation-state threat actors targeting healthcare IP)
BYOD	Bring Your Own Device - Policy allowing employees to use personal devices for work (e.g., BYOD MDM project to secure personal smartphones)
CIS Controls	Industry-standard cybersecurity framework with 18 controls (TechHealth assessment shows 78% control maturity)
EDR	Endpoint Detection & Response - Security tool that monitors endpoints for threats (CrowdStrike EDR deployed on 100% of endpoints)
FedRAMP	Federal Risk Authorization Management Program - US government cloud security certification (in progress - opens $25M+ federal market)
HIPAA	Health Insurance Portability & Accountability Act - US healthcare privacy law (required for all TechHealth operations)
MDM	Mobile Device Management - Software managing mobile devices for security (MobileIron MDM for BYOD project)
MFA	Multi-Factor Authentication - Login requiring 2+ verification methods (82% MFA adoption, target: 95%)
MTTD	Mean Time to Detect - Average time to detect security incident (12 minutes - 120x faster than industry avg of 24 hours)
MTTR	Mean Time to Respond - Average time to contain security incident (45 minutes - 96x faster than industry avg of 3 days)
PAM	Privileged Access Management - Controls for high-privilege admin accounts (PrivGuard PAM reduced session duration 95%: 4.2h → 23min)
Phishing	Fraudulent emails designed to steal credentials (failure rate: 18% → 11% = 39% improvement YoY)
Risk Appetite	Maximum risk the board is willing to accept (board-approved threshold: Risk Score >15)
Risk Score	Quantified risk level calculated as Likelihood (1-5) × Impact (1-5), where Impact = financial loss + reputational damage + regulatory penalty
SOC 2	Service Organization Control 2 - Security audit for service providers (Type II cert unblocks $12.3M ARR in delayed enterprise deals)
Vulnerability SLA	Policy timeframe for patching vulnerabilities (Critical: 7 days, High: 30 days, Medium: 90 days)
Zero Trust	Security model: "never trust, always verify" - TechHealth approach combines network segmentation + MFA + PAM

Appendix B