Specifications include, but are not limited to: A. Provide a written Executive Summary report that: 1. Includes a high-level overview of the assessment objective and scope. 2. Identifies control weaknesses and gaps that may be rated high or moderate. 3. Identifies threats, internal and external vulnerabilities, and potential impacts and likelihoods of events that may take place due to the identified control weaknesses and gaps. 4. Include recommendations to mitigate or reduce the identified control weaknesses and gaps. 5. Risk rank the control weaknesses and gaps to allow HU to prioritize efforts to mitigate or reduce these weaknesses and gaps. B. Provide a detailed report that includes the: 1. Current and Target Profile for each subcategory of the NIST CSF and Privacy Framework. 2. Testing exceptions from the external and internal vulnerability scans. C. Include recommendations for a dashboard summary for board reporting specific to HU. D. Prepare and deliver an executive-level presentation of the assessment to the IT Steering Committee E. Provide the following as Information Sharing: 1. Sample PSPs or suggestions for improvement of PSPs where issues were noted. 2. Reviewing current data classifications and providing recommendations for improvement 3. Best practices for email encryption requirements and sample PSPs 4. Best practices for HU and vendor cybersecurity insurance requirements
