The Deliverable

Four reports from one assessment.

Every engagement produces the same four documents, each written for a different reader: a board that has five minutes, the engineers who do the work, the people who answer to regulators, and the team that executes the plan. The samples below are drawn from a real assessment of a reference district — every district's own numbers will differ.

What You Receive

One assessment, four documents

The board read

Executive Summary

The risk picture, the posture score, the top critical findings, and the budget ask — in language a board understands.

For the board & superintendent
View sample
The working detail

Technical Detail

Every assessed area, control by control, scored on a 1–5 maturity scale — each finding with its assertion, the district's response, impact, and the fix.

For the IT & security team
View sample
The regulatory view

Compliance Crosswalk

A gap analysis mapping findings against FERPA, COPPA, CIPA, and state breach-notification law, with the evidence behind every status.

For counsel & compliance
View sample
The plan

Remediation Roadmap

A phased program that sequences every finding into prioritized stages, with maturity targets projected at each step.

For the team executing
View sample
Executive Summary

The board read, as written

How the executive summary reads — the risk, what it means, and the ask, with no jargon and no 40-page preamble.

Executive Summary · sampleCONFIDENTIAL · EXAMPLE
Bottom line

The district has essential protections in place but applies them unevenly — and the gaps that remain are the ones attackers actively look for. The summary names the critical exposures and where they concentrate, in plain terms a board can act on.

What it means

Left unaddressed, the critical tier translates into concrete exposure: operational disruption from ransomware or outage, student-data breach liability under FERPA and state law, incident and recovery costs, and erosion of community trust.

Recommended next steps

Approve the phased roadmap and fund the first (Foundations) phase, which closes the critical tier first. Assign an accountable owner for the program, then re-assess after the phase to confirm the exposure has been closed against the baseline.

Technical Detail

A finding, in full

This is the depth behind every line in the report. Each finding states the control as a standard, the district's measured response, the impact, and the fix — so the person doing the work doesn't need to ask a follow-up question.

IAM · Account Deprovisioning and Leaver ProcessEXAMPLE FINDING
The control (the standard)

Accounts and access are promptly revoked when employees, contractors, or vendors leave the organization — with automated or procedural controls ensuring no orphaned accounts remain active.

The district's response

The lack of an automated account deprovisioning process poses a significant risk, as former employees may retain access to sensitive systems and data. This gap can lead to unauthorized access, data breaches, and compliance issues.

Affected

All systems and applications with user accounts.

Recommended remediation

Implement an automated account deprovisioning process that integrates with HR systems to ensure timely removal of access for former employees.

Compliance Crosswalk

Mapped to the law that applies

Findings crosswalked against the student-data regulations K-12 districts answer to — FERPA, COPPA, CIPA, and state breach-notification law. Status is a gap analysis derived from the assessment, not a legal opinion.

RequirementCitationStatus
Annual notification of rightsFERPA · 34 CFR §99.7Gap
Right to inspect and review recordsFERPA · 34 CFR §99.10No gap found
Consent prior to disclosure of PIIFERPA · 34 CFR §99.30Gap
Legitimate educational interestFERPA · 34 CFR §99.31Gap
Recordkeeping of disclosuresFERPA · 34 CFR §99.32No gap found
Directory information & opt-outFERPA · 34 CFR §99.37Partial

A representative sample of rows. The full crosswalk maps every applicable requirement, with the linked finding evidence behind each status.

Remediation Roadmap

Every finding, sequenced

Findings don't land as a flat to-do list. They're sequenced into phases that build on each other — critical exposure first, then standardization, then optimization — with maturity targets projected along the way.

How the roadmap is structuredPHASED
Foundationsclose critical first
Standardizelift every area
Optimizemature & measure
PhaseFocus
FoundationsEstablish governance, incident response, and compliance foundations; close the critical findings before lower-severity work.
StandardizeStandardize controls across every assessed area and lift maturity toward a consistent floor.
OptimizeOptimize, measure, and mature the program to a defensible steady state.

The roadmap is delivered as a living document you can track against. Maturity projections are planning estimates, benchmarked against the national K-12 average — not a guarantee.

Get this set of reports for your district.

A few weeks from kickoff, you'll have four documents your engineers can act on, your counsel can rely on, and your board can fund — from one assessment.