InsightTrack-GRC
Client logo
CSCPBC — HIPAA Risk Assessment
DG
Navigation
Dashboard
All findings 15
Update finding
Progress report
Contact Securance
Engagement
CSCPBC · HIPAA Security Assessment 2026
May 2026 – May 2027 · 16 findings
11 months remaining
Primary framework
HIPAA Security Rule
3 safeguards · 42 specs
6% overall remediated
Supporting frameworks
NIST CSF 2.0 — crosswalk
CIS Controls v8.1 — crosswalk
Remediation dashboard
Children’s Services Council of Palm Beach County
ENGAGEMENT
· Primary: HIPAA Security Rule
· Supporting: NIST CSF 2.0 CIS v8.1
Lead: Debra Gotlib  ·  Report: May 26, 2026
Total findings
16
Open
15
action needed
In progress
0
Remediated
1
6% complete
Risk accepted
0
3 urgent or critical findings require immediate action — unencrypted HBDS web traffic (no SSL), VPN users holding local admin on production servers, and ePHI not encrypted at rest.
Progress by HIPAA safeguard
Administrative
8%
Physical
100%
Technical
3%
Forward-looking
0%
Finding severity breakdown
Urgent (Level 5)1
Critical (Level 4)2
High (Level 3)6
Medium (Level 2)5
Low / advisory2
Top open findings
Ref.FindingSeverityControlAction
AA-5a
Unencrypted HBDS web traffic — no SSL on any IIS site
Urgent§164.312(e)(1)
AA-5b
VPN users hold local admin on HBDS production servers
Critical§164.312(a)(1)
HIPAA-6
ePHI at rest not encrypted — HBDS and SQL Server 2017
Critical§164.312(a)(2)(iv)
AA-2
Policy library — document control gaps, 7 missing policies
High§164.308(a)(1)
All findings
CSCPBC · HIPAA Risk Assessment 2026 · 16 findings
Ref.FindingSeverityControlStatusEvidenceUpdatedAction
AA-5a
Unencrypted HBDS web traffic
Technical · HBDS
Urgent§164.312(e)(1)OpenNone
AA-5b
VPN users hold local admin
Technical · HBDS
Critical§164.312(a)(1)OpenNone
HIPAA-6
ePHI at rest not encrypted
Technical · Encryption
Critical§164.312(a)(2)(iv)OpenNone
AA-2
Policy library — 7 missing policies
Administrative · Policy
High§164.308(a)(1)OpenNone
AA-6
SAMIS — passwords in HTTP, EOL jQuery
Technical · Third-party
High§164.312(e)(1)In progress1 fileJun 2
AA-7
Network share permissions — reviewed, appropriate
Physical · Network
Low§164.312(a)(1)CompliantN/AMay 26
Page 1 of 3 · 16 findings
All findings › AA-5a
1 of 16
Report: CSCPBC HIPAA Security Assessment 2026 Report date: May 26, 2026 Engagement: HIPAA Security Assessment 2026 Primary: HIPAA Security Rule
Finding AA-5a · Assessment Activities — HBDS Security
Unencrypted web traffic on all HBDS IIS sites — no SSL certificates installed
Urgent§164.312(e)(1)§164.312(e)(2)(ii)Technical safeguard
Report Fields — from Securance assessment
Statement of fact
All five IIS sites on both HBDS web servers (CSCOSCWEB1 and CSCEOCWEB1), including econsents.hbpbc.org and mobile.hbpbc.org, are bound to HTTP on port 80 with no SSL certificates installed. Web traffic carrying ePHI and electronic consent data is transmitted in cleartext.
Potential risk
Unencrypted external web endpoints handling consent and clinical data expose ePHI to interception. This is a direct violation of §164.312(e)(1) and creates a substantial likelihood of unauthorized access to ePHI.
Recommendation
Deploy SSL/TLS certificates on all five IIS sites and enforce HTTPS with HSTS. Coordinate with Palm Beach County IT to prioritize econsents.hbpbc.org and mobile.hbpbc.org. Verify no port 80 bindings remain after remediation.
Management response
Management agrees with this finding. The IT team will coordinate with Palm Beach County to procure and install SSL certificates on all affected IIS sites within 30 days.
Remediation Roadmap — Securance consultant (only present when engagement includes a Remediation Roadmap)
Specific remediation tasks
  • Procure SSL/TLS certificates for all five IIS site domains
  • Install and bind certificates on CSCOSCWEB1 and CSCEOCWEB1
  • Enforce HTTPS with HSTS headers. Redirect all port 80 traffic to 443.
  • Verify econsents.hbpbc.org and mobile.hbpbc.org are prioritized
  • Confirm no port 80 bindings remain post-implementation
Resource required: Palm Beach County IT + Securance
LOE: 8 days
Estimated cost: $2,400 (cert procurement + implementation)
Target completion: 06/30/2026
Dependencies: None
Roadmap status: In Progress
Also addressed by: NIST CSF PR.DS-02 — Equivalent CIS v8.1 CIS 9.2 — Partial CMMC SC.3.177 — Related
Person responsible for remediating this finding. Free text — enter name and title.
Update remediation status
Remediation notes
Evidence files
Drag files here or click to upload — screenshots, tickets, policies accepted
Not yet updated · Delivered May 26, 2026
Activity log
SC
Securance Consulting — finding published to engagement portal
May 26, 2026 · Risk: Urgent (Level 5)
No client updates yet.
Progress report
Point-in-time remediation snapshot · Generated on demand
Total findings
16
Open
15
94% unaddressed
Remediated
1
6% complete
Days elapsed
6
of 365-day window
By safeguard
Administrative (8)
8%
Physical (1)
100%
Technical (5)
0%
Forward-looking (2)
0%
Timeline
StartMay 26, 2026
EndMay 26, 2027
Days remaining359
Lead consultantDebra Gotlib
Contact Securance
Reach your engagement team directly
Your engagement team
DG
Debra Gotlib
Engagement Lead
debra.gotlib@securanceconsulting.com
ML
Michelle LeWay
Consultant
michelle.leway@securanceconsulting.com
Send a message
Subject
Message
Views
Multi-year plan
Risk by score
Risk by category
Participants
Excluded items
Engagement
City of Glendale
IT Risk Assessment
Final · April 30, 2026
Risk summary
High (35–44)8
Medium (31–34)16
Low (23–30)15
39 total technologies
Multi-year IT audit plan
City of Glendale · 39 auditable technologies · 5-year rolling plan · April 30, 2026
Total technologies
39
High risk
8
score 35–44
Medium risk
16
score 31–34
Low risk
15
score 23–30
Year 1 recommendation: Motorola PremierOne (44), Firewall/Router/Switch (41), ISE/SolarWinds/Panorama (41), and MUNIS (37) are the highest-priority Year 1 audits.
Multi-year audit schedule
1Y1 2Y2 3Y3 4Y4 5Y5
#CategoryTechnology / ProcessScoreY1Y2Y3Y4Y5
1Enterprise AppMotorola PremierOne44
1
2Infra AppFirewall, Router, Switch41
2
3Infra AppISE, SolarWinds, Panorama41
2
4Enterprise AppMUNIS37
3
5Enterprise AppNorthStar36
1
6Enterprise AppPaymentus35
2
7IT ProcessVendor Management35
3
8Infra AppActive Directory / Entra ID35
1
9Enterprise AppCustomer Connect 634
2
10IT ProcessUser Provisioning34
1
Showing 10 of 39
IT risk by score
City of Glendale · 39 technologies ranked by composite risk score
#CategoryTechnology / ProcessDepartmentScoreRisk level
1Enterprise AppMotorola PremierOnePublic Safety44High
2Infra AppFirewall, Router, SwitchIT41High
3Infra AppISE, SolarWinds, PanoramaIT41High
4Enterprise AppMUNISFinance / HR37High
5Enterprise AppNorthStarWater Services36High
6Enterprise AppPaymentusBudget & Finance35High
7IT ProcessVendor ManagementIT35High
8Infra AppActive Directory / Entra IDIT35High
9Enterprise AppCustomer Connect 6Budget & Finance34Medium
10Enterprise AppiNovahBudget & Finance34Medium
Showing 10 of 39 · View all 39 →
IT risk by category
City of Glendale · 39 technologies grouped by type
Enterprise apps 11 items
Motorola PremierOne44
MUNIS37
NorthStar36
Paymentus35
Customer Connect 634
iNovah34
SmartGov34
UKG33
Allkiosk31
TeleStaff31
IT processes 17 items
Vendor Management35
User Provisioning34
Incident Management33
IT Governance33
Patch Management33
IT Asset Management32
Software Licensing32
Change Management31
Disaster Recovery31
Security Incident Mgmt31
Infra apps 11 items
Firewall, Router, Switch41
ISE, SolarWinds, Panorama41
Active Directory / Entra ID35
VMware Clusters33
VoIP33
File Server30
Database Security29
Email Server (Cloud)29
OS Security27
Zerto23
Risk assessment participants
City of Glendale · 22 stakeholders interviewed · April 2026
NameTitleDepartment
Steve MartinChief Information OfficerInformation Technology
Jake DevrosEnterprise Cybersecurity ManagerInformation Technology
Arlene ChemelloDeputy Chief Information OfficerInformation Technology
Brad GreshamDeputy Chief Information OfficerInformation Technology
Levi GibsonBudget and Finance DirectorBudget and Finance
Anne SullivanHR SupervisorHuman Resources
Loretta HadlockPolice Communications ManagerPublic Safety
Michaelanne AcreePolice Technical Services AdministratorPublic Safety
Showing 8 of 22 · View all →
Excluded from scope
Items considered but excluded from this assessment cycle with documented rationale
Technology Vendor INI — Third-Party Staff Access
INI vendor presence reduced to a single staff member following discontinuation of the modern data platform initiative under the new CIO. Third-party access risk has substantially diminished and is no longer suitable for inclusion in the current cycle.
Unsanctioned IT Tool and Web Application Development
New CIO has halted all unsanctioned development and adopted a formal “buy versus build” philosophy. The risk of ungoverned development no longer exists in its prior form.
City Has Outgrown MUNIS
Represents a valid strategic technology risk but does not present a discrete, assessable control gap for the current cycle. An ERP replacement review is better suited as a future audit topic once a formal initiative is initiated.
Clariti Permitting Software Implementation
City terminated its contract with Clariti following material misrepresentation of the solution’s capabilities. Affected departments have reverted to previously used technologies. Immediate risk has been resolved.
Monitors
Overview
Credential leakage 51
Malicious IPs & domains 34
Domain squatting 7
Alerts & notifications 3
Monitoring
City of Durham
durhamnc.gov
Active since Jan 2025
● Monitoring active
Scan status
Last scan
Jun 1, 2026 · 02:14 AM
Frequency
Continuous
⚠ New exposure
3 accounts · Jun 1, 2026
Dark web monitoring
City of Durham · durhamnc.gov · Last scan: Jun 1, 2026
Credential exposures
51
new this month
Malicious IPs
34
flagged / blocked
Domain squats
7
detected
Mentions cleared
98
past 30 days
New credential leak detected: j.daniel@durhamnc.gov, j.holder@durhamnc.gov, l.williams@durhamnc.gov found in a breach dataset posted June 1, 2026. LummaC2 infostealer artifacts identified. Immediate password reset recommended.
Credential leakage
12 exposed accounts found
j.daniel@durhamnc.gov
Jun 1 · LummaC2
New
j.holder@durhamnc.gov
Jun 1 · RedLine
New
l.williams@durhamnc.gov
Jun 1 · Rhadamanthys
New
svu@durhamnc.gov
May 14 · Password hash
Reviewing
e.brusher@durhamnc.gov
Apr 28 · Reset confirmed
Cleared
View all 12 →
Malicious IPs & domains
34 flagged sources this month
opentableministry.org
14 phishing attempts
High
185.234.219.14
C2 beacon · Blocked
Critical
45.155.205.233
Ransomware C2 infra
High
91.108.56.130
Tor exit node · Flagged
Medium
concretestructureau.com
9 phishing attempts
High
View all 34 →
Domain squatting
7 lookalike domains detected
durham-nc.org
Active phishing clone
Urgent
durhamnc-portal.com
Data collection page
Action
durhamnc-gov.com
Registered May 30 · Parked
Monitor
cityofdurhamnc.com
Redirect
Review
durhamnc.net
Expired
Cleared
View all 7 →
Credential leakage
City of Durham · durhamnc.gov · 12 exposed accounts detected
Active infostealer activity detected. LummaC2, RedLine, and Rhadamanthys malware families identified with exfiltration timestamps as recent as February 24, 2026. Immediate password resets recommended for all flagged accounts.
Email addressSystems exposedMalware familyDetectedStatus
j.daniel@durhamnc.govsvu@durhamnc.gov, records.fcgov.comLummaC2Jun 1, 2026New
j.holder@durhamnc.govengage.fcgov.com, self-service-portalRedLineJun 1, 2026New
l.williams@durhamnc.govsalestax.fcgov.com, accela-acaRhadamanthysJun 1, 2026New
svu@durhamnc.govsecure.fcgov.com — password hashLummaC2May 14, 2026Reviewing
e.brusher@durhamnc.govamos.fcgov.comRedLineApr 28, 2026Reset confirmed
Showing 5 of 12 exposures · View all 12 →
Malicious IPs & domains
City of Durham · 34 flagged sources · Barracuda integration active
Top fraud-sending domains
opentableministry.org
14 phishing attempts · Top sender this month
High
concretestructureau.com
9 phishing attempts · 2nd highest volume
High
mailnotify-durhamnc.com
4 attempts · Domain impersonation
Critical
secure-durham-login.net
2 attempts · Credential phishing
Critical
noreply-city-durham.org
1 attempt · BEC impersonation
Medium
Flagged IP addresses
185.234.219.14
C2 beacon attempt · Blocked · Jun 1
Critical
45.155.205.233
Known ransomware C2 infrastructure
High
194.26.192.180
Credential harvesting · Blocked
High
91.108.56.130
Tor exit node · Flagged
Medium
37.120.247.39
Brute force · 47 attempts vs. Portal
Medium
Top impersonated senders — June 2026
L. Williams
×7 impersonated
High risk
L. Smith
×3 impersonated
Medium
E. Vinella-Brusher
×1 impersonated
Low
Domain squatting
City of Durham · 7 lookalike domains detected · Continuous monitoring active
DomainDescriptionRegisteredContentRiskAction
durham-nc.orgLogin page clone of durhamnc.gov — active phishingApr 8, 2026PhishingUrgent
durhamnc-portal.comEmployee portal mimick — data collection form activeMay 15, 2026ActiveUrgent
durhamnc-gov.comRegistered May 30 · No content yet · ParkedMay 30, 2026ParkedMedium
cityofdurhamnc.comRegistered Apr 12 · Redirects to commercial siteApr 12, 2026RedirectMedium
durhamnc-it.netIT dept lookalike · No content · Recently registeredMay 22, 2026No contentMedium
durhamnc.netOld registration · Domain expiredExpiredExpiredCleared
city-durham-nc.orgTyposquat · Registrar contacted · InvestigatingJun 1, 2026InvestigatingMedium
Alerts & notifications
City of Durham · 3 active alerts requiring attention
Critical · Credential exposure
New breach dataset — 3 durhamnc.gov accounts
NewJun 1, 2026
j.daniel@durhamnc.gov, j.holder@durhamnc.gov, and l.williams@durhamnc.gov found in a breach dataset posted to a dark web forum. LummaC2 infostealer artifacts identified. Exfiltration likely occurred within the past 72 hours. Immediate password resets and session termination recommended.
Critical · Domain squatting
Active phishing site: durham-nc.org
NewMay 31, 2026
durham-nc.org is serving a login page clone of durhamnc.gov and actively collecting credentials. Registered April 8. Takedown request should be filed immediately with the registrar (GoDaddy) and optionally with CISA and FBI IC3.
High · C2 traffic blocked
C2 beacon blocked — 185.234.219.14
Under reviewJun 1, 2026
Command-and-control beacon from 185.234.219.14 blocked at the perimeter firewall. IP is associated with known ransomware infrastructure. No lateral movement detected. Recommend reviewing endpoint logs on the originating workstation to confirm no prior compromise.
Views
Executive brief
Annual schedule
Projects & deliverables 9
Security tool metrics
Monthly briefs
Engagement
City of Fort Collins
Paul Ashe, vCISO
CISSP · CISA · CPA
Jan 2026 – Dec 2026
● Active engagement
vCISO executive brief — April 2026
City of Fort Collins · Prepared for Richard Barbee (Director TS) & Dewayne Kendal (CTO)
Strong April: 3,085 healthy endpoints, 0 infected, 699 phishing attempts blocked, 0 high alerts outstanding, 415 of 444 tickets closed, network downtime 0%.
Healthy endpoints
3,085
0 infected · 0 unmitigated
Phishing blocked
699
Barracuda · this month
High alerts open
0
all 233 remediated
Project progress — 2026
Ext. network & firewall
IRP review & playbooks
Dark web report
DMARC memo
FortiGate & AI policy
BEAD grant program
75%
Endpoint security review
40%
NIST CSF gap analysis
H2
CJIS assessment
H2
Recent activity
Kali365 phishing kit advisory issued
May 28, 2026
IRP Playbooks v1.1 — updated & delivered
May 27, 2026
DMARC memo v1.0 — delivered to IT mgmt
May 13, 2026
BEAD Connexion cybersecurity plan v1.0
May 13, 2026
FortiGate & AI policy memo — delivered
May 3, 2026
Endpoint security review — in progress
May 3, 2026 · Client assistance request sent
Annual project schedule — 2026
City of Fort Collins vCISO program · January through December 2026
Completed In progress Planned Ongoing Click any item to update its status
Project
Jan
Feb
Mar
Apr
May
Jun
Jul
Aug
Sep
Oct
Nov
Dec
Bi-weekly status call
Incident support
vCISO onboarding
✓ Done
External network pen test
✓ Done
Firewall configuration review
✓ Done
IRP review, RACI, playbooks
✓ Done
Endpoint security review
Active
IT policy & procedures review
Planned
NIST CSF gap analysis
Planned
CJIS assessment
Planned
Tabletop exercise
Planned
NERC CIP assessment
Planned
Projects & deliverables
City of Fort Collins · 9 project types · Download any deliverable directly
Assessment · Completed Mar 2026
External network & firewall assessment
CompletedCheckPoint firewall · 2 routers · Pen test
External network vulnerability assessment and penetration test of the City’s internet-facing environment, combined with a CheckPoint firewall configuration and ruleset review. Fieldwork covered CSCOSCWEB1, two internet routers (inetrtr1, inetrtr2), and the CheckPoint firewall object base. Used network footprinting, automated scanning, and manual enumeration.
2026 Ft Collins vCISO Report_v1.pdf
3.6 MB · Final report
_CheckPoint_Firewall_Analysis.xlsx
117 KB · Firewall analysis workbook
Threat Intel · Completed Mar 2026
Dark web exposure & ransomware precursor assessment
Completedfcgov.com · CyberTIQ TSRS
CyberTIQ identified significant credential exposure tied to fcgov.com systems, including confirmed infostealer malware artifacts (LummaC2, RedLine, Rhadamanthys) with exfiltration timestamps as recent as February 24, 2026. 44 internal users exposed across Accela, AMOS, Engage, Records, and SalesTax portals. Classified as elevated, time-sensitive risk.
DarkwebReport.docx
20 KB · Exposure report
CyberTIQ Threat Sensing Risk Score.docx
27 KB · TSRS summary
Policy & Procedures · Completed May 2026
Incident response plan review, RACI & playbooks
CompletedIT-02.03-PROC · CJIS addendum · 6 playbooks
Reviewed IT-02.03-PROC IRP (last revised Dec 2022). Plan is structurally sound but overdue, missing Colorado PDPA and CIRCIA notification timelines, no ransomware payment decision guidance. Updated IRP with tracked changes, CJIS addendum, and v1.1 playbooks covering ransomware, malware, compromised credential, malicious email, DDoS, and data breach.
2026 Fort Collins IRP Review Memo_v1.0.pdf
83 KB · Review memo
City of Fort Collins IRP Playbooks_vsc1.1.pdf
4.0 MB · Updated playbooks
Advisory Memo · Completed May 2026
FortiGate capabilities & AI threat mitigation strategy
CompletedFortiGate NGFW · AI governance · DLP
Evaluated FortiGate NGFW as the network enforcement layer for an AI governance strategy. Covered application control for ChatGPT, Copilot, Gemini, Claude, Perplexity; SSL/TLS deep inspection; DLP for data leakage prevention. Addressed shadow AI, prompt-driven exfiltration, and inbound AI-generated threats.
2026 Fort Collins Fortigate and AI_v1.0.pdf
93 KB · FortiGate memo
vCISO AI Policy Review.pdf
80 KB · AI policy review
Advisory Memo · Completed May 2026
DKIM & DMARC policy recommendations
Completedp=none → p=quarantine · Cisco Email Security
Assessed the City’s proposed change from DMARC p=none to p=quarantine enforcement. Confirmed as the correct next step. Provided staged rollout guidance using the pct= tag (25% → 100% over 4–8 weeks), Cisco Email Security quarantine digest configuration, and IT approval-before-release design to prevent BEC self-release.
2026 Fort Collins DMARC Memo_v1.0.docx
55 KB · DMARC memo
Grant Compliance · In progress
BEAD grant program — Connexion cybersecurity compliance
In progressCISA CPG · Cybersecurity plan · SCRM plan
Supporting Connexion (City broadband utility) with BEAD program cybersecurity compliance deliverables. Completed CISA CPG gap assessment, cybersecurity plan v1.0, and SCRM plan aligned to NIST SP 800-161 and BEAD NOFO requirements. High-level RMF overview presented to IT leadership.
2026_Connexion_Cybersecurity_Plan_v1_0.docx
515 KB · Cybersecurity plan
Assessment · In progress
Endpoint security review
In progress1 week · Client assistance request pending
Review of the City’s endpoint security posture across all managed devices. Client assistance request issued May 3, 2026 to gather endpoint inventory, EDR configuration details, patching cadence data, and agent health statistics. Awaiting client response before fieldwork can proceed.
2026 Endpoint Client Assistance Request.xlsx
11 KB · Information request
Incident Advisory · Completed May 2026
Kali365 phishing kit — advisory response
CompletedThreat advisory · Mitigation guidance
Advisory regarding the Kali365 phishing kit targeting Microsoft 365. Documented session cookie hijacking and MFA bypass via adversary-in-the-middle proxy. Recommended detection and response actions for the City’s email security stack and identity protection controls.
Kali365 Phishing Kit Email Response.pdf
97 KB · Advisory
Assessment · Planned H2 2026
NIST CSF 2.0 gap analysis
Planned4 weeks · Jul–Aug 2026
Full NIST CSF 2.0 gap assessment covering Govern, Identify, Protect, Detect, Respond, and Recover. Will produce a gap assessment report with scored findings, priority remediation recommendations, and input for the cybersecurity program and roadmap deliverable.
Documents will appear here when the project begins
Security tool metrics
City of Fort Collins · April 2026 · Updated monthly
April summary: 3,085 healthy endpoints, 0 infections, 233 SIEM alerts all remediated, 699 phishing attempts blocked, network downtime 0%.
Abacode (SIEM / MDR)
24/7/365 network monitoring and response
High alerts1 → Remediated
Medium alerts3 → Remediated
Low alerts229 → All cleared
Total remediated233 / 233
Pending0
SentinelOne (EDR)
Endpoint detection and response
Total endpoints3,085
Healthy3,085
Infected0
Threats found33
Unmitigated0
Barracuda (Email Security)
Phishing protection and SPAM filtering
Phishing blocked699
Top fraud domainopentableministry.org
Top targetJ. Daniel (SVU)
Top impersonatedL. Williams (×7)
Malwarebytes
Threat and malware protection
Quarantined282
Affected endpoints34
Detections cleaned283
Remaining threats0
PortalGuard (SSPR)
Self-service password reset
Successful logins231
Failed logins330
Password changes330
Self-service usage50
Service Desk (Cyber tickets)
Internal cybersecurity ticket tracking
Total tickets444
Closed415
Pending29
Network downtime0%
ProofPoint security awareness training
No data to report for April 2026. Cybersecurity training LMS is transitioning to Open Sesame. Metrics will resume once migration is complete.
Monthly executive briefs
City of Fort Collins · Prepared monthly for IT Director and CTO
May 2026
IRP playbooks v1.1, DMARC memo, FortiGate AI memo, BEAD Connexion plan, Kali365 advisory delivered
In progress
April 2026
Prepared for R. Barbee & D. Kendal · 3,085 healthy endpoints, 699 phishing blocked, 0 high alerts, 444 tickets
Delivered
March 2026
External network assessment and firewall review completed · Pen test report and CheckPoint findings delivered
Delivered
February 2026
Dark web report delivered · CyberTIQ TSRS assessment · 44 internal user credentials exposed
Delivered
January 2026
vCISO onboarding completed · Annual project schedule established · Bi-weekly status calls initiated
Delivered
Views
All documents
Upload document
Box.com
Oakland University
/Karen's Clients/Oakland University
● Synced 2h ago
Documents uploaded to your Box folder appear here automatically. You can also upload directly to the portal.
Documents
All documents — Box.com folder sync active · Last synced 2 hours ago
Box.com folder is connected and syncing. Documents you upload to your Box folder appear here automatically. You can also upload directly from this page.
File nameTypeSizeDateSource
2026_Oakland_HIPAA_Risk_Assessment_v1.0.pdf
PDF3.6 MBJun 1, 2026Box.com
AI_Governance_Policy_Draft_v2.docx
DOCX145 KBMay 28, 2026Box.com
Vendor_Questionnaire_Completed_Blackbaud.xlsx
XLSX87 KBMay 15, 2026Box.com
Network_Diagram_Current_State.pdf
PDF1.2 MBApr 30, 2026Uploaded here
Showing 4 of 11 documents
Upload document
Files uploaded here are synced back to your Box.com folder automatically
Upload files
Drag files here or click to browse
Any format accepted · Max 100MB per file · Files sync to Box.com automatically
Optional note
Client management
New client setup
All clients
Framework library
Loaded frameworks
Control crosswalk
Upload framework
Platform
Settings
Audit log
⚠ Admin only
This section is not visible to any client user.
New client setup
Provision a new InsightTrack-GRC client account · Securance admin only
Completing this form provisions the client account, creates their Box.com folder, and sends a welcome email with login instructions to all provisioned contacts.
Organization information
Example: Set up "State of Colorado" as State-Level Org. Then set up "Colorado Broadband Office" as a Direct Client linked to it. The state user sees an aggregate read-only view; each agency manages their portal independently.
portal.securanceconsulting.com/cscpbc
Link to a State-Level Org for aggregate read-only reporting to state users
Portal contacts Up to 6 users · each gets their own login
Primary
2 of 6 contacts added
Securance engagement team
All consultants assigned here have equal access to this engagement. No designated lead.
Module access & configuration
Remediation
Finding tracking, evidence, framework mapping
Framework assignment *
Securance selects — populated from Framework Library. Client cannot change. Select one Primary (the assessment framework) and any Supporting frameworks for crosswalk alignment.
Primary framework * The framework the assessment was conducted against
Supporting frameworks For crosswalk alignment — select all that apply
NIST CSF 2.0 CIS v8.1 + expand categories below to add more
🛡 Cybersecurity (9 frameworks)
🟥 Healthcare (6 frameworks)
💲 Finance / Payment (11 frameworks)
⚒ Defense / Government (6 frameworks)
⚙ OT / ICS (5 frameworks)
🔒 Privacy (5 frameworks)
☁ Cloud / General IT / Governance (9 frameworks)
51 frameworks available · sourced from Framework Library · expand categories to browse. Selected frameworks appear as tags above.
Access period
months from report delivery
vCISO
Schedule, deliverables, briefs, questionnaires
Start date
End date
Monthly brief distribution list
Auto-emailed when brief is published. Defaults to all client admins.
IT Audit Plan
Multi-year risk assessment & audit schedule
Dark Web
Credential leakage, IPs, domains, alerts
Box.com integration
If blank, a new folder is created under the Securance shared drive
Internal notes (not visible to client)
All clients
9 active client accounts
Client Modules Lead Users Status
CSCPBC
Children's Services Council of PBC
RemvCISOD. Gotlib3 usersActive
City of Fort Collins
Fort Collins, CO
vCISOP. Ashe4 usersActive
City of Durham
Durham, NC
RemDWJ. Bruggeman2 usersActive
City of Glendale
Glendale, AZ
IT AuditJ. Bruggeman5 usersActive
Oakland University
Rochester, MI
RemC. Bunn2 usersExpiring 90d
Framework library
Loaded frameworks available for client engagement assignment
Frameworks loaded
51
Total controls
447
Cross-mappings
636
Active client frameworks
6
Framework Version Controls Categories Status
HIPAA Security Rule
45 CFR Part 164 Subpart C
202454AdministrativePhysicalTechnicalActive
HIPAA Privacy Rule
45 CFR Part 164 Subpart E
202418Privacy practicesDisclosureActive
NIST CSF 2.0
Cybersecurity Framework
2.0106GovernIdentifyProtectDetectRespondRecoverActive
CIS Controls v8
Center for Internet Security
v8153IG1 BasicIG2 FoundationalIG3 OrganizationalActive
HITRUST CSF
Common Security Framework v11.2
v11.2156Information protectionRisk managementActive
GLBA Safeguards Rule
16 CFR Part 314
202321AdministrativeTechnicalActive
PCI DSS v4.0
PCI Security Standards Council
4.051Access ControlAudit LoggingActive
CMMC Level 2
U.S. Department of Defense
2.015Access ControlConfiguration MgmtActive
NY DFS Part 500
NY Dept of Financial Services
202311GovernanceIncident ResponseActive
NERC CIP
North American Electric Reliability Corp.
Current13OT / ICSPhysical SecurityActive
AWIA 2018
EPA / DHS — Water infrastructure
201811OT / ICSBusiness ContinuityActive
NIST SP 800-171 Rev 3
NIST — CUI protection / CMMC basis
Rev 313Access ControlEncryptionActive
FedRAMP
GSA — Federal cloud authorization
Rev 510CloudFederalActive
Showing 13 of 51 frameworks  ·  Filter or search to narrow results
Control crosswalk
Shows how controls across different frameworks map to the same underlying requirement — authored by Securance consultants
The crosswalk is AI-generated and consultant-reviewed. When a new framework is imported: (1) export all controls from the portal, (2) upload to your AI platform with the crosswalk prompt, (3) paste the AI output into the Crosswalk Import sheet of the import template, (4) have a Securance consultant review Medium/Low confidence rows, (5) upload the reviewed sheet here. Manual mappings can also be added individually using Add mapping.
Topic filter:
Primary — NIST CSF 2.0
RS.MA-01
Incident response plan is established, communicated, and maintained.
Mapped equivalents in other frameworks
HIPAA Security§164.308(a)(6)Security incident procedures — required implementation specEquivalent
HITRUST CSF09.abReporting information security events and weaknessesEquivalent
CIS Controls v817.1Designate personnel to manage incident handlingPartial
GLBA§314.4(h)Develop and implement incident response planEquivalent
Coverage
4/8
frameworks
Primary — NIST CSF 2.0
RS.CO-02
Incidents are reported to appropriate authorities and stakeholders.
Mapped equivalents in other frameworks
HIPAA Breach§164.404–408Breach notification to individuals, HHS, and mediaEquivalent
HITECH§13402Notification in case of breach of unsecured PHIEquivalent
CIS Controls v817.6Contain and isolate incidents; notify stakeholdersPartial
Coverage
3/8
frameworks
Upload / import framework
Add a new compliance framework to the library
How it works: Upload the InsightTrack-GRC Framework Import Template (.xlsx) for the new framework. The system creates one control record per row from the Framework Controls sheet. After import, follow the 5-step AI crosswalk process shown to the right to generate and upload mappings.
1 — Upload file
Drop file here or click to browse
Accepts: .xlsx  ·  .csv  ·  .json (OSCAL)
Required columns (XLSX / CSV): Control ID, Title, Control Text, Category
Optional columns: Subcategory, Baseline, Implementation Guidance
↓ Download import template (.xlsx)
2 — Framework metadata
Max 12 chars — used in control pills
Example of how controls are cited in reports
3 — After import: generate and upload the crosswalk
Once the framework is imported, generate AI-assisted crosswalk mappings to all other loaded frameworks, review them, and upload. Then publish.
1
Export all controls from the portal (JSON/CSV) via Control crosswalk → Export crosswalk XLSX
2
Upload to AI platform (Claude, GPT-4, etc.) with the crosswalk prompt: “For each new control, find equivalent, partial, or related controls in all other frameworks. Return source framework, source control ID, target framework, target control ID, mapping type, confidence, and rationale.”
3
Paste AI output into the Crosswalk Import sheet of the import template. A Securance consultant reviews all Medium/Low confidence rows before upload.
4
Upload the reviewed Crosswalk Import sheet using the Upload crosswalk XLSX button on the Control crosswalk tab. Mappings are stored with Equivalent Partial Related type badges.
5
Publish the framework — it becomes available for client setup and finding assignment.
Validation rules
Control ID column must be present and non-empty for every row
No duplicate Control IDs within the same framework
Title and Control Text columns required
Maximum 10MB file size
Imported framework saved as Draft until manually published
Unrecognized columns are ignored (no error)
Platform settings
Global InsightTrack-GRC configuration
Platform settings — coming soon.
Audit log
All platform actions — INSERT-only, 7-year retention
Audit log viewer — coming soon.