US Navy Veteran transitioning to cybersecurity. Background in digital marketing with 16+ years of experience, now applying my strategic and analytical skills to cloud security challenges.
Business: Small IT services company with 25 employees
Services: Managed IT services and custom software development
Revenue: $2.5 million annually
Infrastructure: Cloud-based systems, on-premise file server, employee laptops, VPN, public website

| Category | Risk Count | Highest Rating |
|---|---|---|
| Data Protection | 2 | Extreme |
| Endpoint Security | 1 | High |
| Access Control | 2 | Medium |
| Business Continuity | 1 | High |
| Third-Party Risk | 1 | High |

| Status | Count |
|---|---|
| Not Started | 2 |
| Planning Phase | 3 |
| In Progress | 2 |
| Completed | 0 |

Risk ID: CS-001
Risk: Unauthorized access to client data stored on company servers or cloud systems
Assets Affected: File server, cloud storage, employee devices with client data
Likelihood: Possible (clients' sensitive data makes the company a target)
Severity: Intolerable (could result in major reputational damage and legal liability)
Existing Controls: Basic firewall, standard antivirus, password policy
Effectiveness: Partially Effective
Risk Owner: IT Director
Action Owner: Security Administrator
Implementation Date: Within 60 days
Review Date: Quarterly
Status: Planning Phase

Risk ID: CS-002
Risk: Systems encrypted by ransomware, resulting in business disruption and potential data loss
Assets Affected: File server, employee workstations, business systems
Likelihood: Probable (small IT companies are common targets)
Severity: Undesirable (could cause significant downtime)
Existing Controls: Basic antivirus, inconsistent backups
Effectiveness: Ineffective
Risk Owner: IT Director
Action Owner: Systems Administrator
Implementation Date: Within 30 days
Review Date: Monthly
Status: Not Started

Risk ID: CS-003
Risk: Unauthorized access to company systems via compromised remote access solutions
Assets Affected: VPN, remote desktop services, cloud applications
Likelihood: Possible
Severity: Tolerable
Existing Controls: Basic VPN with password authentication
Effectiveness: Partially Effective
Risk Owner: IT Manager
Action Owner: Network Administrator
Implementation Date: Within 45 days
Review Date: Quarterly
Status: Planning Phase

Risk ID: CS-004
Risk: Data breach or service disruption due to a security incident at a third-party vendor
Assets Affected: Cloud services, vendor-hosted applications, shared data
Likelihood: Possible
Severity: Undesirable
Existing Controls: Basic vendor contracts with minimal security requirements
Effectiveness: Ineffective
Risk Owner: Operations Director
Action Owner: Procurement Manager
Implementation Date: Within 90 days
Review Date: Bi-annually
Status: Not Started

| LOW (0) | MEDIUM (1) | HIGH (2) | EXTREME (3) |
|---|---|---|---|
| ACCEPTABLE: OK TO PROCEED | ALARP: TAKE MITIGATION EFFORTS | GENERALLY UNACCEPTABLE: SEEK SUPPORT | INTOLERABLE: PLACE EVENT ON HOLD |

| LIKELIHOOD vs SEVERITY | ACCEPTABLE | TOLERABLE | UNDESIRABLE | INTOLERABLE |
|---|---|---|---|---|
| IMPROBABLE (Risk is unlikely to occur) | LOW (1) | LOW (4) | MEDIUM (6) | HIGH (10) |
| POSSIBLE (Risk will likely occur) | LOW (2) | MEDIUM (5) CS-003 | HIGH (8) CS-004 | EXTREME (11) CS-001 |
| PROBABLE (Risk will occur) | MEDIUM (3) | HIGH (7) | HIGH (9) CS-002 | EXTREME (12) |

The company's risks are distributed across the matrix as shown above. The following action items address the risks that require immediate attention:

| Priority | Action Item | Risk ID | Owner | Due Date | Status |
|---|---|---|---|---|---|
| 1 | Implement comprehensive backup solution with offline copies | CS-002 | Systems Administrator | May 11, 2025 | Not Started |
| 2 | Deploy advanced endpoint protection on all devices | CS-002 | Systems Administrator | May 11, 2025 | Not Started |
| 3 | Implement encryption for all client data at rest and in transit | CS-001 | Security Administrator | June 10, 2025 | Planning |
| 4 | Establish strict access controls with least privilege principle | CS-001 | Security Administrator | June 10, 2025 | Planning |
| 5 | Implement multi-factor authentication for all remote access | CS-003 | Network Administrator | May 26, 2025 | Planning |
| 6 | Conduct phishing awareness training for all staff | CS-002 | Security Administrator | May 11, 2025 | Not Started |
| 7 | Develop vendor security assessment process | CS-004 | Procurement Manager | July 10, 2025 | Not Started |
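Rating the register's four entries with the matrix above, as an added example rather than part of the original assessment: the risk IDs, matrix cells and legend responses are taken from the page, while the `Effective` label and the tie-break ordering of control effectiveness are assumptions.

```python
from collections import Counter
from dataclasses import dataclass

SEVERITIES = ["Acceptable", "Tolerable", "Undesirable", "Intolerable"]
# One (score, rating) cell per likelihood row, in SEVERITIES column order. Both are
# kept because the rating is not a threshold on the score: 4 (Improbable/Tolerable)
# is Low while 3 (Probable/Acceptable) is Medium.
MATRIX = {
    "Improbable": [(1, "Low"), (4, "Low"), (6, "Medium"), (10, "High")],
    "Possible": [(2, "Low"), (5, "Medium"), (8, "High"), (11, "Extreme")],
    "Probable": [(3, "Medium"), (7, "High"), (9, "High"), (12, "Extreme")],
}
# Response each rating band calls for, from the legend above.
RESPONSE = {
    "Low": "Acceptable: OK to proceed",
    "Medium": "ALARP: take mitigation efforts",
    "High": "Generally unacceptable: seek support",
    "Extreme": "Intolerable: place event on hold",
}
# Assumed ranking of control-effectiveness labels, weakest first (tie-breaks only).
CONTROL_STRENGTH = {"Ineffective": 0, "Partially Effective": 1, "Effective": 2}

def rate(likelihood: str, severity: str) -> tuple[int, str]:
    """Return (score, rating) for one matrix cell; an unknown label raises."""
    return MATRIX[likelihood][SEVERITIES.index(severity)]

@dataclass(frozen=True)
class Risk:
    risk_id: str
    likelihood: str
    severity: str
    controls: str  # effectiveness of existing controls

# The four register entries above.
REGISTER = [
    Risk("CS-001", "Possible", "Intolerable", "Partially Effective"),
    Risk("CS-002", "Probable", "Undesirable", "Ineffective"),
    Risk("CS-003", "Possible", "Tolerable", "Partially Effective"),
    Risk("CS-004", "Possible", "Undesirable", "Ineffective"),
]

def prioritise(register: list[Risk]) -> list[str]:
    """Risk IDs by matrix score, highest first; weaker controls rank earlier on ties."""
    key = lambda r: (-rate(r.likelihood, r.severity)[0], CONTROL_STRENGTH[r.controls])
    return [r.risk_id for r in sorted(register, key=key)]

def summary(register: list[Risk]) -> dict[str, int]:
    """Number of risks per rating band, the figures behind a summary table."""
    return dict(Counter(rate(r.likelihood, r.severity)[1] for r in register))
```

Running `prioritise(REGISTER)` reproduces the order in the action plan (CS-001 first, then CS-002, CS-004, CS-003), and `RESPONSE[rate(...)[1]]` gives the legend's required response for any cell.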

| Resource | Cost Estimate | Timeline | Risk Addressed |
|---|---|---|---|
| Backup solution | $5,000 | 2 weeks to implement | CS-002 |
| Advanced Endpoint Protection | $4,000 annually | 1 week to deploy | CS-002 |
| Encryption solution | $7,500 | 3 weeks to implement | CS-001 |
| Multi-factor authentication | $2,500 annually | 1 week to configure | CS-003 |
| Security awareness training | $1,500 annually | 1 day per quarter | CS-002 |
| Staff time for implementation | 160 hours (approximate) | Spread over 90 days | All risks |

| Timeframe | Actions |
|---|---|
| Immediate (1-2 weeks) | Begin backup solution implementation; start endpoint protection deployment |
| Short-term (30 days) | Complete ransomware protection measures; conduct initial phishing awareness training; start MFA implementation |
| Medium-term (60 days) | Complete encryption implementation; finish access control improvements; complete MFA rollout |
| Long-term (90 days) | Implement vendor security assessment process; update vendor contracts; begin ongoing security reviews |