Executive Summary
The risk picture, the posture score, the top critical findings, and the budget ask — in language a board understands.
Every engagement produces the same four documents, each written for a different reader: a board that has five minutes, the engineers who do the work, the people who answer to regulators, and the team that executes the plan. The samples below are drawn from a real assessment of a reference district — every district's own numbers will differ.
The risk picture, the posture score, the top critical findings, and the budget ask — in language a board understands.
Every assessed area, control by control, scored on a 1–5 maturity scale — each finding with its assertion, the district's response, impact, and the fix.
A gap analysis mapping findings against FERPA, COPPA, CIPA, and state breach-notification law, with the evidence behind every status.
A phased program that sequences every finding into prioritized stages, with maturity targets projected at each step.
How the executive summary reads — the risk, what it means, and the ask, with no jargon and no 40-page preamble.
The district has essential protections in place but applies them unevenly — and the gaps that remain are the ones attackers actively look for. The summary names the critical exposures and where they concentrate, in plain terms a board can act on.
Left unaddressed, the critical tier translates into concrete exposure: operational disruption from ransomware or outage, student-data breach liability under FERPA and state law, incident and recovery costs, and erosion of community trust.
Approve the phased roadmap and fund the first (Foundations) phase, which closes the critical tier first. Assign an accountable owner for the program, then re-assess after the phase to confirm the exposure has been closed against the baseline.
This is the depth behind every line in the report. Each finding states the control as a standard, the district's measured response, the impact, and the fix — so the person doing the work doesn't need to ask a follow-up question.
Accounts and access are promptly revoked when employees, contractors, or vendors leave the organization — with automated or procedural controls ensuring no orphaned accounts remain active.
The lack of an automated account deprovisioning process poses a significant risk, as former employees may retain access to sensitive systems and data. This gap can lead to unauthorized access, data breaches, and compliance issues.
All systems and applications with user accounts.
Implement an automated account deprovisioning process that integrates with HR systems to ensure timely removal of access for former employees.
Findings crosswalked against the student-data regulations K-12 districts answer to — FERPA, COPPA, CIPA, and state breach-notification law. Status is a gap analysis derived from the assessment, not a legal opinion.
| Requirement | Citation | Status |
|---|---|---|
| Annual notification of rights | FERPA · 34 CFR §99.7 | Gap |
| Right to inspect and review records | FERPA · 34 CFR §99.10 | No gap found |
| Consent prior to disclosure of PII | FERPA · 34 CFR §99.30 | Gap |
| Legitimate educational interest | FERPA · 34 CFR §99.31 | Gap |
| Recordkeeping of disclosures | FERPA · 34 CFR §99.32 | No gap found |
| Directory information & opt-out | FERPA · 34 CFR §99.37 | Partial |
A representative sample of rows. The full crosswalk maps every applicable requirement, with the linked finding evidence behind each status.
Findings don't land as a flat to-do list. They're sequenced into phases that build on each other — critical exposure first, then standardization, then optimization — with maturity targets projected along the way.
| Phase | Focus |
|---|---|
| Foundations | Establish governance, incident response, and compliance foundations; close the critical findings before lower-severity work. |
| Standardize | Standardize controls across every assessed area and lift maturity toward a consistent floor. |
| Optimize | Optimize, measure, and mature the program to a defensible steady state. |
The roadmap is delivered as a living document you can track against. Maturity projections are planning estimates, benchmarked against the national K-12 average — not a guarantee.
A few weeks from kickoff, you'll have four documents your engineers can act on, your counsel can rely on, and your board can fund — from one assessment.