Executive Compliance Report

A board-ready snapshot of cybersecurity posture, risk concentration, and remediation roadmap.

Confidential — Internal Use

Cybersecurity & Compliance Posture Report

Prepared for CloudCart Retail · June 17, 2026

Score

/ 100

Company: CloudCart Retail
Industry: E-commerce / Retail
Employees: 75
Security Maturity: Developing
Compliance Goal: Achieve SOC 2 Type II readiness and align with NIST CSF 2.0
Security Owner: Jordan Reyes, Director of IT & Security
Data Types: Customer PII, payment card data (PCI), order history, employee HR records
Business Systems: Shopify Plus, AWS, Okta, Google Workspace, Slack, NetSuite, Stripe

Overall Score

38%

Total Risks

Critical + High

Missing Evidence

ID	Risk	NIST	Score	Rating	Owner
R-002	No periodic access reviews	Protect	16	Critical	Marcus Lee
R-007	No vendor risk management process	Govern	16	Critical	Marcus Lee
R-009	Logs not centrally reviewed	Detect	16	Critical	Sam Okafor
R-001	MFA not enforced on critical systems	Protect	15	High	Priya Shah
R-004	Backups not tested via restore	Recover	15	High	Sam Okafor

Critical
No periodic access reviews
Stale or excessive access leads to privilege creep and insider risk.
Critical
No vendor risk management process
Unvetted vendors may introduce supply chain and data exposure risk.
Critical
Logs not centrally reviewed
Without log review, malicious activity may go undetected for months. (Control state unverified.)
High
MFA not enforced on critical systems
Lack of MFA exposes accounts to credential-based attacks and account takeover.
High
Backups not tested via restore
Untested backups may fail during a real incident, prolonging downtime.

Govern25%

Identify33%

Protect64%

Detect0%

Respond0%

Recover0%

Evidence	Control Area	Owner	Status
Quarterly access review report	Access Management	Marcus Lee	Missing
Security awareness training completion report	Awareness & Training	Sam Okafor	Requested
Backup restore test results	Resilience	Jordan Reyes	Missing
Incident response plan	Incident Response	Jordan Reyes	Missing
Vendor assessment form	Third-Party Risk	Elena Volkov	Requested
SIEM detection coverage	Logging & Monitoring	Priya Shah	Missing

Priority	Action	Owner	Due
Critical	Implement quarterly access review process owned by IT with manager attestation.	Marcus Lee	2026-07-31
Critical	Establish vendor intake questionnaire and annual review cycle.	Marcus Lee	2026-09-04
Critical	Centralize logs in SIEM (Datadog/Splunk) with detection rules.	Sam Okafor	2026-09-18
High	Enforce MFA via Okta for all SaaS apps and AWS root/admin accounts.	Priya Shah	2026-07-24
High	Automate joiner/mover/leaver workflow between HRIS and Okta.	Elena Volkov	2026-08-07
High	Draft IR plan; run a tabletop exercise quarterly.	Jordan Reyes	2026-08-21
High	Deploy KnowBe4 training with quarterly phishing simulations.	Priya Shah	2026-08-28
High	Deploy Kandji + AWS Config aggregator; reconcile monthly.	Priya Shah	2026-10-02
Medium	Adopt SOC 2 policy pack; assign owners; review annually.	Jordan Reyes	2026-09-25

Address all 3 critical risk(s) within 30 days, starting with identity and access controls (MFA enforcement, privileged access review).
Formally accept, treat, or transfer the 8 high-rated risk(s) and document treatment plans with owners and target dates.
Close the audit evidence gap (6 missing/requested items) by assigning collection owners and weekly cadence reviews.
Prioritize maturity uplift in weak NIST functions: Govern, Identify, Detect, Respond, Recover. Adopt a roadmap with 30/60/90-day milestones.
Operationalize quarterly access reviews and annual incident response tabletop exercises to sustain compliance posture.
Implement a vendor risk management program with intake assessments and annual review cadence to address third-party exposure.
Centralize logging in a SIEM with documented detection rules and assign on-call ownership to satisfy NIST Detect requirements.