GRC Portfolio · Charlene LueQuee

Rainbow
Byte Bakery

Where every batch is a compliance opportunity.

7
GRC Projects
5
Frameworks
4
Departments
1
GRC Analyst
View All Projects ↓ GRC Program Overview ↓
Scroll
Who We Are
The Sweetest Tech Bakery
in the Business

Our Mission

To deliver joy-filled, artisan baked goods across Rainbow Land — from Color Castle to the Rainbowberry Fields and beyond — while upholding the highest standards of data privacy, vendor integrity, and operational security — because great compliance is the secret ingredient every growing company needs.

🍞
Production & Kitchen Ops
🛒
E-Commerce & Digital Sales
🚚
Supply Chain & Vendors
☁️
Cloud Infrastructure
🔐
GRC & Security
📊
Finance & Data Compliance

Our Story

Rainbow Byte Bakery started as a one-woman operation out of Rainbow Land — headquartered in Color Castle with a second facility in Rainbowberry Fields — Founder & CEO Delia Lightfoot baking rainbow-layered celebration cakes and selling them at local Color Market stalls. What started as a weekend side hustle in the meadows of Rainbow Land grew into a beloved regional brand with an e-commerce storefront, wholesale accounts with three grocery chains, and a 22-person team spread across two facilities.

Growth brought opportunity — and risk. Customer payment data now flows through cloud-hosted checkout systems. Flour and specialty ingredient vendors have access to procurement portals. A ransomware incident at a regional distributor in 2023 put the whole industry on edge. Suddenly, the bakery needed a real GRC program.

Enter Charlene, hired as Rainbow Byte Bakery's first Governance, Risk & Compliance Analyst, reporting to the CTO. Her mandate: build a compliance foundation from scratch, assess risk across the business, and make sure the bakery is as solid on the inside as the pastries look on the outside.

ISO 27001 NIST RMF SOC 2 ISO 31000 ISO 27035 NIST 800-53
Meet the GRC Analyst
Charlene's Role at
Rainbow Byte Bakery
👩🏾

Charlene LueQuee

GRC Analyst · Security & Compliance

As Rainbow Byte Bakery's first GRC hire, Charlene sits at the intersection of security, operations, and leadership. She works directly with the CTO, reports findings to the executive team, and collaborates across Kitchen Ops, E-Commerce, Supply Chain, and Cloud Infrastructure to identify risks before they become incidents. Her job is equal parts detective work, stakeholder communication, and policy writing — building a GRC program that scales with the business.

Reports To
CTO / Executive Team
Hire Type
First GRC Hire
Scope
7 Projects · 5 Frameworks

🏗️ Building from Zero

No compliance baseline existed. Charlene must establish a framework, assign control ownership, and measure gaps — all while the business keeps running.

🌐 Rapid Digital Growth

The e-commerce platform handles cardholder data with minimal security controls. A full risk register and cloud security review are overdue.

🤝 Vendor Sprawl

12 active vendors — from payment processors to flour suppliers — have various levels of system access with no formal assessment process in place.

👩‍💼 Cross-Team Buy-In

Leadership supports GRC in theory but hasn't seen the value in practice. Charlene must make compliance tangible, relatable, and non-disruptive for every team.

Frameworks Applied
NIST SP 800-53 NIST RMF ISO 27001 Annex A ISO 31000 ISO 27035 SOC 2 TSC CC1–CC9 NIST CSF 2.0
GRC Projects
Seven Real-World
Compliance Challenges

Each project below represents an actual challenge Charlene faced at Rainbow Byte Bakery — a growing company navigating compliance for the first time. Click any project to read the full analysis, resolution, and policy recommendations.

01
📋

Build a Mini Compliance Program

ISO 27001 / NIST 800-53

The bakery had no documented security controls. Charlene maps ISO 27001 Annex A controls to the business, identifies critical gaps in access management and data handling, assigns control owners, and produces a compliance summary for the executive team.

Framework Alignment Control Evaluation Documentation
ISO 27001 · NIST 800-53
02
⚠️

Create a Risk Register

ISO 31000 / NIST RMF

A breach at a competitor bakery triggers leadership concern. Charlene builds a full risk register with likelihood-impact scoring, a heat map, residual risk tracking, and a Risk Summary Report covering the top 3 business risks.

Risk Scoring Heat Map Reporting
ISO 31000 · NIST RMF
03
🤝

Third-Party Vendor Assessment

Vendor Risk Management

Rainbow Byte Bakery's payment processor — Sprinkle Pay — has never been formally assessed. Charlene designs a 25-question vendor questionnaire across 5 security domains and produces a scored Vendor Risk Scorecard.

Third-Party Risk Questionnaire Design Evidence Review
ISO 27001 A.15 · NIST SA-12
04
🚨

Incident Response Plan & Tabletop

ISO 27035 · IR Planning

A phishing email targets the bakery's Office Manager, nearly exposing payroll data. Charlene writes a complete IR plan and runs a tabletop simulation with the CTO and operations lead to test the response process.

IR Planning Tabletop Simulation Incident Report
ISO 27035 · NIST IR
05
☁️

SOC 2 Cloud Control Mapping

SOC 2 · AWS Free Tier

The bakery's e-commerce platform runs on AWS with MFA disabled and no audit logging. Charlene maps SOC 2 Trust Service Criteria CC1–CC9 to real cloud configurations and gathers mock audit evidence.

Control Mapping Cloud Security Audit Evidence
SOC 2 TSC · AWS
06
📊

Compliance Dashboard

Metrics & Reporting

Leadership asks "how are we doing on compliance?" and Charlene can't answer quickly. She builds an executive-facing compliance dashboard in Excel, tracking control coverage, risk status, and open remediation actions.

Data Visualization Metrics Tracking Excel · Notion
NIST CSF · GRC Reporting
07
🔍

Mock Internal Audit — Capstone

Audit Methodology

The capstone project: Charlene audits herself. She selects 10 controls from Projects 1–6, gathers supporting evidence, completes an Internal Audit Checklist, and writes a formal 2-page Audit Report identifying non-conformities and corrective actions.

Audit Methodology Evidence Review Corrective Actions
ISO 19011 · NIST CA
Why This Work Matters
GRC Program Overview

A high-level visual summary of the full GRC program built at Rainbow Byte Bakery — structured for executive and stakeholder presentation. This section answers: What was built? What risks were addressed? What value was delivered?

Executive Summary — Slide 1 of 4
Rainbow Byte Bakery GRC Program
NIST CSF 2.0 ISO 27001 SOC 2
7
GRC Projects
Compliance, Risk, Vendor, IR, Cloud, Dashboard, Audit
5
Frameworks
ISO 27001 · NIST RMF · ISO 31000 · SOC 2 · ISO 27035
25+
Deliverables
Policies, matrices, scorecards, reports, dashboards
0→1
Program Built
First GRC hire. No prior program. Built from scratch.
Framework Coverage — Slide 2 of 4
NIST CSF 2.0 Functions Addressed
🏛️
GOVERN
Policies, roles, risk appetite
P1, P6
🔍
IDENTIFY
Assets, risk register, vendors
P1, P2, P3
🛡️
PROTECT
Controls, MFA, encryption
P1, P5
👁️
DETECT
Monitoring, logging, alerts
P5, P7
🚨
RESPOND
IR plan, tabletop, comms
P4
🔄
RECOVER
Backup, DR, lessons learned
P4, P7

💡 Stakeholder note: A complete GRC program covers all six NIST CSF 2.0 functions. This portfolio addresses all six — demonstrating end-to-end security governance capability, not just point-in-time compliance.

Risk Posture Before & After — Slide 3 of 4
What Changed: Program Impact at a Glance
🔴 Before: GRC Program
No information security policy
No formal risk register
No vendor assessments (12 unvetted)
No incident response plan
MFA disabled on AWS accounts
No audit trail (CloudTrail off)
No compliance reporting to leadership
🟢 After: GRC Program
ISO 27001 control matrix + gap analysis
7-risk register with heat map + remediation
25-question vendor scorecard + tiering
Full IR plan + phishing tabletop exercise
MFA enabled + SOC 2 CC1–CC9 mapped
CloudTrail active in all regions
Executive dashboard with RAG status
ISO 27001 Control Implementation Progress
Access Control (A.9)75%
Cryptography (A.10)60%
Supplier Relations (A.15)40%
Incident Management (A.16)80%
Asset Management (A.8)25%
Security Policies (A.5)50%
Stakeholder Value Map — Slide 4 of 4
Leadership Priorities — And How This Program Delivers
🎯 What CISOs Look For
Can you build a control framework from nothing?
Do you understand risk scoring methodology?
Can you map controls to multiple frameworks?
Have you tested an IR plan under pressure?
This portfolio delivers: P1, P2, P4, P7
💼 What Compliance Teams Need
Evidence collection and audit readiness
Third-party risk management processes
Policy drafting and documentation skills
Ability to translate tech risk for business
This portfolio delivers: P1, P3, P5, P6
📋 What Program Sponsors Expect
Documented deliverables with measurable outcomes
Scenario-based thinking and applied problem solving
Clear communication across technical and business teams
Independent program development from zero
Demonstrated across: All 7 projects
Skills Demonstrated Across All 7 Projects
Risk Assessment & Scoring
Control Framework Mapping
Vendor Due Diligence
Incident Response Planning
Cloud Security (AWS/SOC 2)
Executive Reporting & Dashboards
Audit Methodology (ISO 19011)
Policy Documentation
Stakeholder Communication
Cross-Functional Collaboration

📌 This program was built independently, end-to-end, simulating real GRC analyst work — every deliverable produced by Charlene LueQuee as a demonstration of applied security governance capability.

For Other GRC Learners
Want to Build This Yourself?

This portfolio is based on a structured set of seven hands-on GRC projects originally outlined by Artem Polynko. If you're studying for a GRC analyst role or building your own portfolio, the original project framework is a fantastic starting point. Below you'll find the original project descriptions as a teaching resource — use them to guide your own work.

📚 Original Project Framework

The seven projects mirror the core responsibilities of a GRC Analyst role. Each produces a portfolio-ready deliverable: control matrices, risk registers, vendor scorecards, IR plans, cloud mappings, dashboards, and audit reports.

ISO 27001 NIST RMF SOC 2 ISO 31000 ISO 27035
💡 How Charlene Used It

Each project was adapted into a realistic business scenario set inside Rainbow Byte Bakery — a fictional growing company — so the deliverables feel like real GRC work rather than exercises.

The goal: demonstrate not just framework knowledge, but the ability to apply it to a real business context.

Jump to project: P1 P2 P3 P4 P5 P6 P7
← GRC Projects 01
📋

Build a Mini Compliance Program

Charlene's first mandate: map ISO 27001 Annex A controls to Rainbow Byte Bakery's operations, identify critical gaps, and produce a compliance summary the executive team can actually act on.

ISO 27001 NIST 800-53 Control Mapping Gap Analysis
1

High-Level Explanation

Rainbow Byte Bakery had no documented information security program. Customer payment data, employee records, and operational systems were operating without any formal controls, ownership, or oversight. Charlene's first task was to establish a compliance baseline using ISO 27001 Annex A as the primary framework, cross-referenced with NIST 800-53, to identify what controls existed (often informally), which were completely missing, and who should own each domain going forward. The output: a 1-page compliance summary suitable for leadership review and a foundation for every subsequent GRC project.

📄
📋 ISO 27001 Gap Analysis

Full control gap analysis with status, owners, coverage metrics, and a phased remediation roadmap across all Annex A domains assessed at Rainbow Byte Bakery.

Open Deliverable →

Program Scope Summary

This mini compliance program covers the systems, people, and processes that store, process, or transmit customer payment data, loyalty information, and key operational records for RainbowByte Bakery. The goal is to establish clear responsibilities, reduce security risk, and support future alignment with ISO 27001 and payment-industry expectations.

💻In Scope — Systems
AWS POS platform (EC2, RDS)
Loyalty app backend (Node.js, Lambda)
Sprinkle Pay payment integration
Google Workspace (email & Drive)
Employee devices (company-issued)
🏢In Scope — People & Physical
Color Castle HQ + Rainbowberry Fields
Bakery floor POS terminals
Store Manager, CTO, Office Manager
All staff handling orders or data
🚫Out of Scope
Marketing website (brochure only)
Social media accounts
Kitchen equipment (ovens, mixers)
CCTV (until linked to security ops)
📱BYOD Gap — Action Required
Device: Head Baker personal iPad
Not enrolled in MDM or device management
No company security controls applied
Risk: BYOD gap — decision required from COO
Options: Enroll in MDM or replace with company device
2

Control Mapping Breakdown

ISO 27001 Domain Control Status Owner Gap / Note
A.5 – PoliciesInformation Security PolicyMISSINGCTONo written policy exists
A.6 – OrganizationSegregation of DutiesPARTIALOffice MgrPayroll & admin access combined in one role
A.8 – Asset MgmtAsset InventoryMISSINGIT / CTONo hardware or data asset register
A.9 – Access ControlUser Access ManagementPARTIALCTOShared login credentials in use
A.10 – CryptographyEncryption PolicyMISSINGCTONo encryption standard defined
A.12 – OperationsBackup ProceduresPARTIALCTOBackups exist but untested
A.13 – CommunicationsNetwork SegmentationMISSINGCTOPOS and back-office on same network
A.15 – SupplierVendor Security ClausesMISSINGOperationsNo vendor contracts include security terms
A.16 – IncidentsIncident Reporting ProcessMISSINGGRC (Charlene)No formal process or escalation path
A.18 – ComplianceLegal & Regulatory ReviewIN PROGRESSGRC (Charlene)Initial review underway
3

NIST & GRC Linkage

This project establishes the GRC program foundation using two complementary frameworks:

ISO 27001 Annex A NIST 800-53 Rev 5 NIST CSF – Identify AC-1 Access Policy PL-1 Planning RA-1 Risk Assessment Policy

ISO 27001 provides the control library; NIST 800-53 provides the depth of implementation guidance. Together they ensure the compliance program is both internationally recognized and U.S. government-aligned — valuable when pursuing future customer contracts or certifications.

4

Steps Taken to Resolve

  • 1

    Stakeholder kick-off meeting — Charlene met with the CTO, Office Manager, and head of E-Commerce to explain the compliance initiative and assign domain ownership.

  • 2

    ISO 27001 Annex A walkthrough — All 114 controls reviewed and rated: Implemented, Partial, or Missing, based on interviews and system observation.

  • 3

    Gap analysis documented — Gaps prioritized by risk impact; high-priority gaps flagged for immediate remediation planning.

  • 4

    Control owners assigned — Each Annex A domain mapped to a named employee or role, establishing accountability.

  • 5

    1-page compliance summary produced — Executive-ready summary presented to leadership with a 90-day remediation roadmap.

5

Possible Flaws & How to Overcome Them

⚠️ Known Limitations

  • Self-assessed controls are subjective — Without an external auditor, gaps may be under-reported. Overcome by scheduling annual third-party reviews.
  • Control owners may resist ownership — Staff assigned controls may lack security training. Overcome with brief lunch-and-learn sessions and clear written responsibilities.
  • ISO 27001 is not the only relevant standard — Payment data may trigger PCI-DSS obligations not covered here. Charlene flagged this for Phase 2 scope.
  • Static snapshot problem — A one-time mapping becomes outdated. Overcome by scheduling quarterly control reviews and tying updates to change management.
6

Policies & Processes to Implement

📄 Information Security Policy

A top-level policy signed by the CEO defining the company's commitment to security, applicable to all employees and contractors.

🔑 Access Control Policy

Defines how access is provisioned, reviewed, and revoked. Eliminates shared credentials and enforces least-privilege principles.

📦 Asset Management Procedure

A living inventory of all hardware, software, and data assets with classification labels (Public, Internal, Confidential, Restricted).

📅 Annual Control Review Process

Formalizes the schedule for reassessing control status, updating owners, and reporting results to leadership quarterly.

📓 REFLECTION — PROJECT 01
Build a Mini Compliance Program
⏱️~12-18 hours

This was my foundation project — the one that forced me to think like a real GRC analyst before I had a framework to lean on. Getting the language right matters as much as getting the controls right. A compliance program is not a checklist; it is a communication tool between security and leadership.

🧠What I Learned
ISO 27001 Annex A is a starting framework, not a finish line — every control needs an owner and a why-it-matters-here statement
A gap analysis is most valuable when it surfaces business risk, not just technical deficiencies
Framing controls around real operations (POS, payment data, staff laptops) made stakeholder buy-in tangible
Scoping is a skill — deciding what's in vs. out requires understanding the business, not just the standard
Documentation discipline is the backbone of GRC — every decision needs to be traceable and explainable
💡Tips & Takeaways
TIPStart every compliance project by mapping your assets first — you can't protect what you haven't identified
TIPUse plain language in policy documents — if staff can't understand a control, they won't follow it
TIPA "partial" control is not a failure — it's an opportunity to show maturity growth over time
TIPGet one executive to champion each control domain — ownership makes follow-through real
🔁If I Did This Again / Next Steps
Formalize control owners and document acceptance of responsibility
Schedule the first quarterly review date before the program launches
Build a one-page executive summary translating technical gaps into business risk
Start the risk register (P2) immediately — the gap analysis feeds directly into it
Jump to project: P1 P2 P3 P4 P5 P6 P7
← GRC Projects 02
⚠️

Create a Risk Register for Rainbow Byte Bakery

After a competitor bakery's POS system was breached, leadership asked Charlene: "What are our biggest risks?" This project delivers a full risk register, heat map, and executive risk summary.

ISO 31000 NIST RMF Risk Scoring Heat Map
1

High-Level Explanation

A regional bakery chain experienced a point-of-sale breach that exposed 18,000 customer credit card numbers. Rainbow Byte Bakery's CTO forwarded the news article to Charlene with one question: "Could this happen to us?" The answer was: yes, possibly. Charlene was tasked with building the bakery's first formal risk register — identifying threats, scoring likelihood and impact, determining residual risk after existing controls, and presenting the top 3 risks to leadership in a concise Risk Summary Report.

📄
📊 Risk Register & Heat Map

Interactive 5x5 risk heat map with the full risk register — likelihood, impact, inherent scores, residual risk, and treatment recommendations for all identified risks.

Open Deliverable →

Risk Register Scope & Methodology

This risk register covers all information assets and business processes at RainbowByte Bakery that could expose the company to cybersecurity, financial, operational, or reputational harm. Using an ISO 31000-aligned likelihood-impact matrix, each risk is scored, treated, and tracked so leadership can prioritize remediation and demonstrate a proactive risk management posture.

🎯Risk Domains Covered
Cybersecurity & IT Systems
Payment & Financial Data
Third-Party / Vendor Risk
Physical & Operational Risk
Human Error & Insider Threat
📐Scoring Methodology
Likelihood scale: 1 (Rare) to 5 (Certain)
Impact scale: 1 (Minimal) to 5 (Critical)
Inherent score = Likelihood x Impact
Residual risk scored after existing controls
Critical 16+ / High 10-15 / Medium 5-9 / Low 1-4
🗺️Risk Heat Map Key
🔴 Critical (16-25) — Immediate action required
🟠 High (10-15) — Remediation plan required
🟡 Medium (5-9) — Monitor and schedule action
🟢 Low (1-4) — Accept and periodically review
🔧Risk Treatment Options
Mitigate — Implement controls to reduce exposure
Transfer — Insurance, contracts, or SLAs
Accept — Document, monitor, review regularly
Avoid — Discontinue the risk-creating activity
2

Risk Register Breakdown

Risk ID Risk Description Likelihood (1–5) Impact (1–5) Inherent Score Controls in Place Residual Risk
RR-001POS system compromise via unpatched software4520 – CriticalBasic firewall onlyHIGH
RR-002Phishing attack on staff email accounts5420 – CriticalNo MFA, no trainingHIGH
RR-003Ransomware via third-party vendor access3515 – HighNo vendor controlsHIGH
RR-004Accidental data disclosure by employee4312 – MediumInformal verbal policyMEDIUM
RR-005Cloud misconfiguration exposing customer data3412 – MediumDefault AWS settingsMEDIUM
RR-006Loss of backup data (untested backups)248 – MediumBackups exist, untestedMEDIUM
RR-007Physical theft of POS terminal or laptop236 – LowLock on front doorLOW
3

NIST & GRC Linkage

ISO 31000 Risk Mgmt NIST RMF Step 2 – Categorize NIST RMF Step 3 – Select RA-3 Risk Assessment PM-9 Risk Management Strategy

ISO 31000 provides the process-oriented risk management methodology (context → identification → analysis → evaluation → treatment). NIST RMF provides the federal-aligned categorization framework. Together they ensure the risk register is both business-friendly and auditor-ready.

4

Steps Taken to Resolve

  • 1

    Risk identification workshop — 90-minute session with CTO, Office Manager, and E-Commerce lead to brainstorm threats across each operational area.

  • 2

    5×5 likelihood-impact matrix applied — Each risk scored independently by Charlene and one department head; scores averaged for objectivity.

  • 3

    Existing controls documented — What was already in place (even informally) was captured to calculate residual risk.

  • 4

    Heat map visualized — Color-coded 5×5 matrix shared at the next leadership meeting, making risk immediately understandable to non-technical stakeholders.

  • 5

    Top 3 Risk Summary Report — RR-001, RR-002, and RR-003 written up with recommended treatment options: mitigate, transfer, accept, or avoid.

5

Possible Flaws & How to Overcome Them

⚠️ Known Limitations

  • Scoring is inherently subjective — Different people score the same risk differently. Overcome by using a consistent scoring rubric and involving two scorers per risk.
  • Risk register is a point-in-time document — New risks emerge constantly. Overcome by scheduling quarterly reviews and assigning a register owner.
  • Residual risk may be overestimated — Untested controls (like backups) shouldn't be credited at full value. Controls must be tested to count.
  • Leadership may focus only on "Critical" risks — Medium risks, if ignored, compound over time. Overcome with a tiered remediation timeline covering all risk levels.
6

Policies & Processes to Implement

📋 Risk Management Policy

Formal policy establishing the risk management framework, scoring methodology, risk appetite statement, and treatment options approved by leadership.

🔄 Quarterly Risk Review Process

Documented procedure for reviewing the risk register every 90 days, reassessing scores, and updating treatment status.

📣 Risk Escalation Procedure

Clear escalation path: who gets notified when a new critical risk is identified, and how fast a response decision must be made.

📊 Risk Reporting Template

Standardized 1-page Risk Summary Report template for leadership, updated each quarter and shared at board-level review meetings.

📓 REFLECTION — PROJECT 02
Create a Risk Register
⏱️~10-15 hours

Risk registers feel overwhelming until you build one — then they feel indispensable. The hardest part was scoring consistently and deciding what residual risk actually meant with immature controls. This project taught me that a risk register is a living argument you make to leadership about where to spend limited resources.

🧠What I Learned
Likelihood and impact scores mean nothing without a defined scale — agreeing on definitions before scoring is non-negotiable
Residual risk must account for how mature controls actually are, not how mature you wish they were
Risk heat maps are communication tools — a well-designed map makes a 30-second executive case better than a 10-page report
Risks cluster around people and access control — human error dominated the critical tier
ISO 31000's treatment options give a vocabulary for conversations that used to get stuck
💡Tips & Takeaways
TIPScore inherent risk first (before controls) so you can demonstrate the value controls actually provide
TIPAssign a risk owner, not just a risk — accountability is what separates a register from a parking lot
TIPRe-score every risk after a control change — a risk register that doesn't change is not being used
TIPWhen in doubt, rate higher — it's easier to justify downgrading a risk than explaining why you missed a critical one
🔁If I Did This Again / Next Steps
Set up a recurring review cadence — monthly for critical, quarterly for others
Integrate the risk register into the compliance dashboard (P6) as a live feed
Map each high/critical risk back to a specific ISO 27001 control for remediation tracking
Interview the CTO and Operations lead to surface risks I may have missed
Jump to project: P1 P2 P3 P4 P5 P6 P7
← GRC Projects 03
🤝

Third-Party Vendor Assessment

Rainbow Byte Bakery's payment processor "Sprinkle Pay" has full access to checkout transaction data. No one has ever asked them a single security question. Charlene changes that.

Vendor Risk Mgmt ISO 27001 A.15 NIST SA-12 Scorecard
1

High-Level Explanation

Rainbow Byte Bakery relies on 12 external vendors — from Sprinkle Pay (payment processing) and CloudDough (e-commerce hosting) to FrostFlour Co. (ingredient supplier with procurement portal access). None had ever been formally assessed for security practices. Charlene designed a 25-question Vendor Security Questionnaire spanning five risk domains and piloted it on Sprinkle Pay, the highest-risk vendor due to their direct access to payment data. The result: a scored Vendor Risk Scorecard and a formal vendor risk tiering system for ongoing management.

📋
Use the Live Vendor Security Questionnaire

The full 25-question Vendor Security Questionnaire used in this project is available as a standalone, interactive tool. Complete it for any vendor, see your score auto-calculate across all five NIST-aligned domains, and export a Vendor Risk Scorecard.

Open Vendor Assessment Tool →

Vendor Assessment Scope & Methodology

This vendor assessment covers all 12 active third-party vendors who have access to RainbowByte Bakery systems, data, or physical locations. Using a 25-question, five-domain questionnaire scored out of 100, each vendor is risk-tiered and tracked against ISO 27001 supplier controls and NIST supply chain guidance.

🏢Vendors Assessed
🔴 Sprinkle Pay — Tier 1 Critical (payment data)
🟠 CloudDough — Tier 1 High (e-commerce hosting)
🟡 FrostFlour Co. — Tier 2 Medium (procurement portal)
⬜ 9 additional vendors — Pending assessment
📋5 Assessment Domains
1. Governance & Policy (20 pts)
2. Access Control (20 pts)
3. Data Protection (20 pts)
4. Incident Response (20 pts)
5. Compliance & Legal (20 pts)
🏆Response Scoring
Yes — Control fully in place: 4 pts
Partial — In progress or incomplete: 2 pts
No — Control absent: 0 pts
N/A — Not applicable: Excluded from score
📊Risk Tier Thresholds
🟢 85-100 — Low Risk: Proceed with standard terms
🟡 65-84 — Medium Risk: Enhanced contract protections
🔴 40-64 — High Risk: Remediation plan required
⚫ 0-39 — Critical Risk: Escalate to leadership
2

Vendor Assessment Scorecard — Sprinkle Pay

Domain Max Score Score Received Rating Key Gaps Found
Governance & Policy2016GOODNo annual policy review documented
Access Control2012FAIRMFA not enforced for admin access
Data Protection2014FAIREncryption at rest not confirmed for all data stores
Incident Response2010POORNo documented notification SLA to customers
Compliance2018GOODPCI-DSS certified; SOC 2 report available on request
TOTAL10070MEDIUM RISKIR notification gap is highest priority concern
3

NIST & GRC Linkage

ISO 27001 A.15 – Supplier Relations NIST SA-12 Supply Chain Protection NIST SA-9 External Systems C-SCRM Framework

Third-party risk is one of the most underestimated areas in small business security. ISO 27001 Clause A.15 mandates that supplier agreements include security requirements. NIST SP 800-161 (C-SCRM) provides a supply chain risk management framework that scales to bakery-size organizations as much as enterprise ones.

4

Steps Taken to Resolve

  • 1

    Vendor inventory compiled — All 12 vendors catalogued with their access type, data touched, and initial risk tier (Critical, High, Medium, Low).

  • 2

    25-question questionnaire designed — Five domains, five questions each. Questions ranged from "Do you enforce MFA on privileged accounts?" to "What is your breach notification timeline?"

  • 3

    Questionnaire sent to Sprinkle Pay — Responses received within 10 business days; supplemented with review of their publicly available SOC 2 summary.

  • 4

    Scorecard calculated and reviewed — Scores entered into a weighted scoring matrix; findings reviewed with the CTO and Operations Director.

  • 5

    Remediation request issued — Charlene sent Sprinkle Pay a formal written request for their incident notification SLA and MFA enforcement timeline.

5

Possible Flaws & How to Overcome Them

⚠️ Known Limitations

  • Self-reported responses may be inaccurate — Vendors answer what they want to answer. Overcome by requesting supporting evidence (SOC 2 reports, pentest summaries, policy excerpts) alongside questionnaire responses.
  • Small vendors may not have formal security programs — A low score doesn't always mean a bad vendor. Overcome by weighting scores based on vendor access level and data sensitivity.
  • Assessments expire — A clean scorecard today doesn't guarantee clean practices next year. Overcome by establishing annual reassessment cycles for all Tier 1 vendors.
  • Contract leverage is limited for small buyers — Large vendors may refuse to add security clauses. Overcome by escalating to contract addenda at renewal, or identifying alternative vendors.
6

Policies & Processes to Implement

📝 Vendor Risk Management Policy

Requires all new vendors with system access to complete a security questionnaire before onboarding. Tier 1 vendors re-assessed annually.

📋 Vendor Contract Security Addendum

Standard security clauses to add to all vendor contracts: breach notification within 72 hours, right to audit, data deletion on contract end.

🗂️ Vendor Tier Classification System

Classifies vendors as Critical, High, Medium, or Low risk based on data access, system integration depth, and geographic location of data processing.

🔁 Annual Vendor Review Calendar

Scheduled review process ensuring all Tier 1 vendors are re-assessed annually and all others bi-annually, with results reported to the CTO.

📓 REFLECTION — PROJECT 03
Vendor Risk Assessment
⏱️~15-20 hours

Vendor risk is where most small businesses have their biggest blind spots. Sprinkle Pay handles actual cardholder data with no formal assessment ever having been done. Building a structured, repeatable questionnaire framework showed me that third-party risk management is fundamentally about trust — and trust needs to be earned with evidence, not assumed.

🧠What I Learned
Vendor risk is not just about security questionnaires — contract clauses, SLAs, and right-to-audit provisions are equally important
Tiering vendors by risk level lets you focus limited GRC resources where they matter most
A vendor's SOC 2 report doesn't mean they're secure for your use case — verify the controls that apply to your data
Most small vendors will cooperate with assessments if you frame it as a partnership, not an audit
Procurement and legal need to be involved in vendor risk — GRC cannot own this alone
💡Tips & Takeaways
TIPBuild the assessment questionnaire before you start — winging it produces inconsistent, incomparable results
TIPWeight your scoring domains by what matters most for your business
TIPRequest evidence, not just answers — a "yes" with no supporting document is a yellow flag
TIPStart with your highest-risk vendors first and work down
🔁If I Did This Again / Next Steps
Complete assessments for remaining 9 vendors using the same framework
Add vendor assessment renewal dates to a calendar — annual for Tier 1, biennial for Tier 2+
Negotiate right-to-audit clauses into new vendor contracts
Present vendor risk summary to the CTO alongside the risk register findings
Jump to project: P1 P2 P3 P4 P5 P6 P7
← GRC Projects 04
🚨

Incident Response Plan & Tabletop Exercise

A phishing email nearly gave an attacker access to Rainbow Byte Bakery's payroll system. The near-miss — originating from the Rainbowberry Fields location — revealed the bakery had no incident response plan whatsoever. Charlene fixes that — fast.

ISO 27035 NIST IR Controls Tabletop Exercise Phishing Scenario
1

High-Level Explanation

The bakery's Office Manager, Tamika, received a convincing phishing email purportedly from the payroll platform ButterBucks HR at the Color Castle headquarters. She clicked the link before realizing it was fake — fortunately catching herself before entering credentials. The CTO was shaken. Charlene recognized this wasn't just a close call; it was evidence that the bakery had no formal procedure for detecting, containing, or recovering from a cyberincident. She wrote a complete Incident Response Plan aligned to ISO 27035 and NIST guidelines, then ran a tabletop simulation with the CTO, Office Manager, and E-Commerce lead to test the plan before a real incident forced the issue.

📄
🚨 IR Tabletop Exercise Report

Complete incident timeline, gap findings, and corrective action plan from the phishing scenario tabletop exercise conducted with the Rainbow Byte Bakery leadership team.

Open Deliverable →

IR Plan Scope & Tabletop Scenario

This Incident Response Plan defines how RainbowByte Bakery will detect, contain, and recover from cybersecurity incidents — from a phishing attack on staff email to ransomware on the POS system. Structured across six ISO 27035-aligned phases with clearly assigned roles, the plan was stress-tested through a 90-minute tabletop exercise that revealed three critical process gaps now being addressed.

📄IR Plan Structure (ISO 27035)
1. Purpose & Scope
2. Roles & Responsibilities
3. Detection & Classification
4. Containment
5. Eradication & Recovery
6. Lessons Learned
🎭Tabletop Scenario
Attack type: Phishing via spoofed HR email
Entry: Staff entered credentials on fake portal
Target: Payroll system (ButterBucks HR)
Duration: 90-minute structured exercise
Result: 3 major process gaps identified
🚨Incident Severity Levels
🔴 P1 Critical — Active breach or ransomware
🟠 P2 High — Confirmed phishing or exposure
🟡 P3 Medium — Suspected incident or anomaly
🟢 P4 Low — Security alert or false positive
👥Key Response Roles
🔐 Charlene — IR Lead, GRC Analyst
💻 CTO — Technical Containment Lead
📋 Office Manager — Staff Communications
🏢 CEO / COO — Business and Legal Decisions
📍 Incident Response Plan Scope
IR Plan Structure
  • 1. Purpose & Scope
  • 2. Roles & Responsibilities
  • 3. Detection & Classification
  • 4. Containment
  • 5. Eradication & Recovery
  • 6. Lessons Learned
Tabletop Scenario
  • → Attack type: Phishing
  • → Entry: Staff click on fake HR email
  • → Target: Payroll system credentials
  • → Duration: 90-minute tabletop exercise
  • → 3 gaps identified in real-time
Incident Severity Levels
P1 Critical — Active breach/ransomware P2 High — Confirmed phishing/exposure P3 Medium — Suspected incident P4 Low — Security anomaly / alert
Key Contacts (Fictional)
  • 🔐 Charlene — IR Lead (GRC)
  • 💻 CTO — Technical Containment
  • 📋 Office Mgr — Communications
  • 🏢 CEO/COO — Business Decision
2

IR Plan Structure Breakdown

IR Phase Key Activities Responsible Party Timeframe
1. PreparationSecurity awareness training, IR toolkit setup, contact listsGRC (Charlene) + CTOOngoing
2. Detection & IdentificationAlert triage, initial classification, severity assessmentCTO + any staff memberWithin 1 hour
3. ContainmentIsolate affected system, disable accounts, block IPsCTOWithin 2 hours
4. EradicationRemove malware, patch vulnerability, re-image if neededCTO + external IT vendorWithin 24 hours
5. RecoveryRestore from backup, verify integrity, monitor for recurrenceCTOWithin 48 hours
6. Lessons LearnedPost-incident report, control updates, staff briefingGRC (Charlene)Within 7 days
3

NIST & GRC Linkage

ISO 27035 – IR Management NIST SP 800-61 Rev 2 IR-1 Incident Response Policy IR-4 Incident Handling IR-8 Incident Response Plan NIST CSF – Respond

ISO 27035 provides a five-stage incident management process that maps cleanly onto the bakery's operational capacity. NIST SP 800-61 Rev 2 provides detailed technical guidance for each phase and forms the basis of the IR Plan document template used.

4

Steps Taken to Resolve

  • 1

    Near-miss documented — Tamika's phishing encounter formally documented as a security incident (even without a breach) to establish incident recording precedent.

  • 2

    IR Plan drafted — 8-page plan written covering Purpose, Scope, Roles & Responsibilities, all six phases, escalation contacts, and communication templates.

  • 3

    Tabletop scenario designed — Phishing → credential theft → payroll access scenario built with decision points, inject cards, and timed phases.

  • 4

    Tabletop exercise run — 90-minute session with CTO, Office Manager, and E-Commerce lead. Three major process gaps identified in real time.

  • 5

    Formal Incident Report Template produced — Standardized report form for any future incidents: timeline, severity, systems affected, containment actions, root cause, and lessons learned.

5

Possible Flaws & How to Overcome Them

⚠️ Known Limitations

  • Tabletop findings don't guarantee real-world performance — Stress, confusion, and system unavailability in a real incident change behavior. Overcome with annual tabletop exercises and bi-annual phishing simulations.
  • Small team means role overlap — The CTO currently handles detection, containment, AND eradication. This creates a single point of failure. Overcome by cross-training one additional staff member as an IR backup.
  • Legal notification obligations not fully mapped — Depending on data type, breach notification to customers or state regulators may be required within 72 hours. A legal review of NC breach notification law is needed.
  • IR plan can become outdated quickly — Staff changes, new vendors, and new systems invalidate sections. Overcome with an annual IR plan review tied to the risk register refresh.
6

Policies & Processes to Implement

📄 Incident Response Policy

Formally defines what constitutes a security incident, mandatory reporting timelines for all staff, and the GRC team's authority to invoke the IR plan.

📞 Incident Escalation Matrix

One-page quick reference listing who to call, in what order, at each severity level — pinned in the office and distributed to all staff.

🎓 Annual Security Awareness Training

Mandatory phishing awareness training for all staff, with simulated phishing tests run quarterly to measure and improve detection rates.

📅 Annual IR Plan Review

IR plan reviewed and updated every 12 months or after any significant incident, system change, or staff transition affecting IR roles.

📓 REFLECTION — PROJECT 04
Incident Response Plan & Tabletop
⏱️~20-25 hours

Writing an IR plan is useful. Running a tabletop exercise against it is humbling. The 90-minute phishing scenario exposed three gaps that looked fine on paper — no escalation contact list, no criteria for when to involve law enforcement, and a communication chain that went silent after the first notification. The plan got rewritten after the exercise.

🧠What I Learned
An untested IR plan provides false confidence — the exercise is the most valuable part of this project
Role clarity breaks down under simulated pressure — people default to their day job, not their IR role
Notification timelines must be pre-defined, not decided in the moment
Evidence preservation is consistently overlooked — you need logs before you start containment
ISO 27035's five phases provide excellent structure, but real incidents don't follow phases neatly
💡Tips & Takeaways
TIPRun the tabletop before you finalize the plan, not after — you will always find gaps
TIPWrite the IR plan for the person who has never seen it before — assume they are reading it at 2am under stress
TIPKeep contact lists and decision trees as laminated one-pagers, not buried in a 40-page document
TIPInclude external contacts (legal counsel, cyber insurance, FBI IC3) in your IR toolkit from day one
🔁If I Did This Again / Next Steps
Schedule annual tabletop exercises and document findings each time
Distribute simplified IR quick-reference cards to all staff
Integrate the IR plan with vendor contracts — Tier 1 vendors should have contractual IR notification requirements
Test backup restoration (a step that was never done) as a separate exercise
Jump to project: P1 P2 P3 P4 P5 P6 P7
← GRC Projects 05
☁️

SOC 2 Controls Mapped to the Cloud Environment

The bakery's AWS environment had no MFA, no audit trails, and an S3 bucket with loose permissions. Charlene maps SOC 2 Trust Service Criteria to the real configuration — and collects evidence.

SOC 2 TSC AWS Free Tier CC1–CC9 Audit Evidence
1

High-Level Explanation

Rainbow Byte Bakery's e-commerce platform — built on AWS — processes customer orders, stores email addresses, and handles payment redirects through Sprinkle Pay. A prospective wholesale grocery partner requested a copy of the bakery's SOC 2 report before signing a supply agreement. The bakery had none. Charlene used the AWS Free Tier environment to map SOC 2 Trust Service Criteria CC1 through CC9 to the actual cloud configuration, identifying what was compliant, what was not, and gathering screenshots as mock audit evidence to lay the groundwork for a future formal SOC 2 audit engagement.

📄
☁️ SOC 2 Evidence Register

CC1–CC9 evidence register showing AWS controls, evidence collected, and readiness status for each Trust Service Criterion assessed in the cloud environment review.

Open Deliverable →

SOC 2 Assessment Scope

This SOC 2 cloud readiness assessment evaluates RainbowByte Bakery's AWS environment against all nine Trust Service Criteria Common Controls (CC1-CC9). By mapping each criterion to a specific AWS service, collecting evidence, and identifying critical gaps, Charlene built the foundation for a future SOC 2 audit engagement positioning the bakery to demonstrate trustworthiness to enterprise customers and partners.

☁️In-Scope AWS Services
IAM — Identity and access management
CloudTrail — Audit logging (all regions)
CloudWatch — Monitoring and alerting
S3 — Storage with encryption enforcement
RDS — Database and backup configuration
AWS Config — Change management tracking
📋SOC 2 Criteria Mapped (CC1-CC9)
CC1 Control Environment / CC2 Communication
CC3 Risk Assessment / CC4 Monitoring
CC5 Control Activities / CC6 Logical Access
CC7 System Operations / CC8 Change Mgmt
CC9 Risk Mitigation — Vendors
📁Evidence Collected
IAM MFA enforcement screenshot
CloudTrail log export (2 of 3 regions)
S3 bucket encryption policy export
Security Group rule configuration export
Sprinkle Pay SOC 2 Type I summary
🚫Critical Gaps Found
MFA disabled on all IAM accounts at start
CloudTrail off in 1 of 3 active regions
No CloudWatch alarms configured
No formal change management process
📍 SOC 2 Cloud Assessment Scope
In-Scope AWS Services
  • → IAM (identity & access)
  • → CloudTrail (audit logging)
  • → CloudWatch (monitoring)
  • → S3 (storage encryption)
  • → RDS (database)
  • → AWS Config (change mgmt)
SOC 2 Criteria Mapped
  • CC1 — Control Environment
  • CC2 — Communication
  • CC3 — Risk Assessment
  • CC4 — Monitoring Activities
  • CC5 — Control Activities
  • CC6 — Logical Access
  • CC7 — System Operations
  • CC8 — Change Management
  • CC9 — Risk Mitigation
Evidence Types Collected
  • → IAM MFA enforcement screenshot
  • → CloudTrail log export
  • → S3 bucket encryption policy
  • → Security Group rule export
  • → AWS Config rule dashboard
⚠️ Critical Gaps Found
  • ✗ MFA disabled on all IAM accounts
  • ✗ CloudTrail off in 1 of 3 regions
  • ✗ No CloudWatch alarms configured
  • ✗ No formal change management
2

SOC 2 Control Mapping Breakdown

SOC 2 Criteria Description AWS Control Status Evidence Collected
CC1 – Control EnvironmentPolicies & org structureIAM roles, org policiesPARTIALIAM policy screenshot
CC2 – CommunicationSecurity info communicatedSecurity Hub alertsMISSINGSecurity Hub not enabled
CC3 – Risk AssessmentRisk ID and analysisAWS Config rulesPARTIALConfig dashboard screenshot
CC4 – MonitoringOngoing monitoring activitiesCloudWatch alarmsMISSINGNo alarms configured
CC5 – Control ActivitiesControls to mitigate risksS3 bucket policies, SGsPARTIALS3 ACL + SG rule export
CC6 – Logical AccessAccess restrictionsIAM MFA, least privilegeFAILINGMFA disabled — screenshot
CC7 – System OpsSystem monitoring & backupCloudTrail + RDS backupsPARTIALCloudTrail enabled; RDS backup unconfirmed
CC8 – Change MgmtChange management controlsCodePipeline, CloudFormationMISSINGNo formal change process
CC9 – Risk MitigationRisk mitigation by vendorsSprinkle Pay SOC 2 reportGOODSprinkle Pay SOC 2 summary on file
3

NIST & GRC Linkage

SOC 2 Trust Service Criteria NIST 800-53 AC, AU, CM NIST CSF – Protect / Detect AWS Well-Architected Security Pillar AU-2 Audit Events

SOC 2 is the most common compliance certification requested by B2B SaaS and e-commerce companies. It aligns closely with NIST 800-53 access control and audit families. This mapping positions Rainbow Byte Bakery to engage a formal SOC 2 auditor within 12–18 months once remediations are complete.

4

Steps Taken to Resolve

  • 1

    AWS environment reviewed — Charlene walked through IAM, S3, CloudTrail, CloudWatch, and Config using the AWS Console to document the current state.

  • 2

    SOC 2 criteria mapped — Each of CC1–CC9 mapped to the specific AWS service or feature that satisfies it, and rated against actual configuration.

  • 3

    MFA enabled on all IAM accounts — Charlene enabled MFA for root and all admin IAM accounts immediately upon identifying this critical gap.

  • 4

    CloudTrail logging enabled — Audit trail logging activated across all regions; logs directed to a dedicated S3 bucket with restricted access.

  • 5

    Evidence package assembled — Screenshots, exported policies, and configuration outputs organized into a mock evidence binder by CC criterion.

5

Possible Flaws & How to Overcome Them

⚠️ Known Limitations

  • Screenshots are not audit-grade evidence — A real SOC 2 audit requires time-stamped, independently collected evidence. Overcome by using AWS Audit Manager to automate continuous evidence collection.
  • Free Tier environment may not reflect production — Configs in a sandbox may differ from the live environment. Overcome by running the same assessment against the production AWS account before any audit engagement.
  • CC8 (Change Management) requires process, not just tools — Enabling CodePipeline doesn't satisfy CC8 without a documented change management procedure. Overcome by writing a Change Management Policy.
  • SOC 2 requires 6–12 months of evidence collection — This mapping is a readiness assessment, not a certification path. Overcome by establishing an evidence collection calendar and engaging a certified auditor 12 months before any target certification date.
6

Policies & Processes to Implement

☁️ Cloud Security Configuration Standard

Documents the required security baseline for all AWS resources: MFA required, no public S3 buckets, CloudTrail always on, least-privilege IAM roles.

🔄 Change Management Policy

Defines how changes to cloud infrastructure are proposed, reviewed, approved, and documented — satisfying SOC 2 CC8 requirements.

📊 Continuous Monitoring Procedure

Uses AWS Security Hub + CloudWatch alarms to generate alerts for anomalous activity; reviewed weekly by the CTO.

📁 Evidence Collection Calendar

Monthly schedule of evidence collection activities across all CC criteria, building the 12-month evidence set required for a Type II SOC 2 audit.

📓 REFLECTION — PROJECT 05
SOC 2 Cloud Security Mapping
⏱️~18-25 hours

SOC 2 readiness is often described as a multi-year engagement, but this project showed that foundational work — identifying gaps, collecting evidence, and mapping controls to criteria — can be started quickly and independently. The discovery that MFA was disabled on all IAM accounts reinforced why this work matters.

🧠What I Learned
SOC 2 is a business enablement tool, not just a compliance checkbox — it opens doors with enterprise customers
The CC1-CC9 Common Criteria mirror how you would build a security program from scratch
AWS native tools (CloudTrail, Config, GuardDuty) do most of the heavy lifting — the work is configuration and documentation
Evidence collection is a discipline — a screenshot without a date and account ID is not audit-quality evidence
Gaps in cloud security are often configuration omissions — fast to find and fast to fix
💡Tips & Takeaways
TIPRun AWS Trusted Advisor and Security Hub before you start — they surface gaps faster than manual review
TIPOrganize evidence by criterion number from day one — re-organizing 200 screenshots after the fact is painful
TIPDocument your evidence collection methodology — auditors need to trust the process, not just the output
TIPMFA on IAM is non-negotiable — enable it before anything else and enforce it with an SCP
🔁If I Did This Again / Next Steps
Engage a SOC 2 readiness consultant to validate the self-assessment before a formal audit
Enable all CloudTrail regions and set up centralized log archiving immediately
Build CloudWatch alarms for the top 10 security events (root login, failed auth, policy changes)
Use this mapping as the basis for a continuous compliance tool like Drata or Vanta
Jump to project: P1 P2 P3 P4 P5 P6 P7
← GRC Projects 06
📊

Build a Compliance Dashboard

Leadership asks Charlene "how are we doing on compliance?" at every quarterly meeting. The answer was always a verbal summary. Now it's a live dashboard — and leadership can finally see the full picture.

GRC Reporting Excel Metrics Tracking NIST CSF
1

High-Level Explanation

After completing five projects, Charlene had a risk register, a vendor scorecard, a control matrix, and an IR plan — but no unified view that leadership could review at a glance. The bakery's quarterly board meeting was three weeks away and the CEO wanted a simple, visual answer to the question: "Are we secure and compliant?" Charlene built a compliance dashboard in Excel translating all prior project data into visual metrics: control implementation rates, open risk count by severity, remediation progress, and vendor risk status. The dashboard became the standing GRC report format for all future leadership reviews.

📊
📊 Live GRC Compliance Dashboard

An interactive, real-world GRC Command Center dashboard — control coverage charts, risk heat map, vendor scorecard, KPI/KRI monitoring, and remediation tracker. Styled after enterprise GRC reporting suites. Printable for board presentations.

Open Compliance Dashboard →

Dashboard Scope & Data Sources

The GRC Compliance Dashboard consolidates metrics from all five prior projects into a single executive view, enabling RainbowByte Bakery's leadership to track risk posture, control coverage, and vendor health at a glance. Built in Excel with color-coded KPIs and trend indicators, the dashboard transforms GRC work into a monthly reporting tool the CTO and board can act on.

📥Data Sources (Projects 1-5)
P1 — ISO 27001 control implementation %
P2 — Risk register open count by severity
P3 — Vendor risk scores (Tier 1 vendors)
P4 — IR plan status and open actions
P5 — SOC 2 criteria met vs. gaps
📊Key Metrics Tracked
Control coverage % (target: 80% by Q4)
Open Critical risks (target: 0)
Overdue remediation actions
Vendor risk scores vs. threshold
Security training completion rate
🖥️Dashboard Components
Control coverage donut/bar chart
Risk heat map summary (RAG status)
Open remediation action tracker
Vendor scorecard side-by-side view
30-day risk trend indicator
📅Audience & Reporting Cadence
CTO — monthly metrics update
Board / CEO — quarterly summary
GRC team — weekly tracking view
Annual comprehensive program report
2

Dashboard Metrics Breakdown

Metric Current Value Target Trend Source Project
ISO 27001 Controls Implemented38 / 114 (33%)80% by Q4📈 ImprovingProject 1
Open Critical Risks30⚠️ UnchangedProject 2
Open Medium Risks4≤2📈 DecreasingProject 2
Vendor Risk Score — Tier 170 / 100 (Sprinkle Pay)85+⚠️ Awaiting responseProject 3
IR Plan in Place✅ YesTested annually📈 CompleteProject 4
MFA Enabled (AWS)✅ Enabled100% accounts📈 ResolvedProject 5
SOC 2 Readiness Score4 / 9 CC criteria met9/9 before audit📈 ProgressingProject 5
Remediation Actions Open110⚠️ In progressAll
Security Awareness Training0% completed100% staff by Q3🔴 Not startedProject 4
3

NIST & GRC Linkage

NIST CSF – All Functions PM-6 Information Security Measures CA-7 Continuous Monitoring GRC Reporting Best Practice

NIST 800-53 PM-6 requires organizations to develop, monitor, and report on information security measures of performance. The compliance dashboard directly satisfies this control while also supporting the NIST CSF's continuous monitoring expectation across all five functions: Identify, Protect, Detect, Respond, and Recover.

4

Steps Taken to Resolve

  • 1

    Metrics inventory — All data outputs from Projects 1–5 catalogued to identify what could be tracked over time.

  • 2

    KPI framework defined — Each metric given a name, data source, target value, and owner — reviewed and approved by the CTO before dashboard build.

  • 3

    Excel dashboard built — Color-coded tables, conditional formatting, and simple bar/donut charts created for non-technical leadership consumption.

  • 4

    Presented to board — Dashboard shared at quarterly meeting; CTO approved it as the standing GRC report format going forward.

  • 5

    Update cadence established — Monthly data refresh process documented and assigned to Charlene; quarterly narrative summary added for board distribution.

5

Possible Flaws & How to Overcome Them

⚠️ Known Limitations

  • Manual Excel updates introduce error risk — A missed update or formula error can misrepresent compliance status to leadership. Overcome by migrating to a GRC tool (e.g., Drata, Vanta, or Notion) with automated integrations when budget allows.
  • Metrics can be gamed — Closing a risk as "accepted" rather than mitigated looks good on a dashboard but may mask real exposure. Overcome by requiring CTO sign-off on any "accept" disposition and tracking accepted risks separately.
  • Leading vs lagging indicators not separated — Many metrics (like "controls implemented") are lagging. Overcome by adding leading indicators such as "training completion rate" and "days since last phishing test."
  • Dashboard doesn't replace a GRC tool — As the company grows past 50 employees, Excel will become unmanageable. A GRC platform procurement plan should be included in the next-year budget proposal.
6

Policies & Processes to Implement

📊 GRC Reporting Policy

Formalizes the cadence, format, and distribution of compliance reports: monthly metrics update to CTO, quarterly summary to board, annual comprehensive report.

🎯 KPI Definition & Review Standard

Documents how GRC KPIs are defined, how targets are set, and the process for retiring outdated metrics and adding new ones as the program matures.

📋 Remediation Tracking Procedure

Every open risk or control gap has a documented remediation item with owner, due date, and status — reviewed monthly and escalated if past due.

🔧 GRC Tool Procurement Roadmap

Documented recommendation for migrating from Excel to a purpose-built GRC platform when headcount exceeds 30 or when a formal SOC 2 audit is initiated.

📓 REFLECTION — PROJECT 06
GRC Compliance Dashboard
⏱️~10-14 hours

The dashboard was the moment the GRC program became visible to leadership. Before it, five projects existed in five separate documents. After it, there was a single view showing control coverage, open risks, and vendor health side by side. The most important lesson: a GRC dashboard is only as good as the data feeding it.

🧠What I Learned
Dashboards for executives need fewer metrics, not more — three well-chosen KPIs beat fifteen cluttered ones
Color-coded RAG status is universally understood and reduces time to insight
A dashboard creates accountability — once leadership can see a metric, they start asking about it
Building the dashboard surfaced data quality issues in the underlying projects — a useful side effect
Trend lines matter more than point-in-time snapshots — show direction, not just current state
💡Tips & Takeaways
TIPDesign for your busiest stakeholder — if the CTO has 5 minutes, the dashboard needs to tell the story in 5 minutes
TIPLock in your data sources and update cadence before you build — stale data is worse than no dashboard
TIPInclude a "next action" on every metric — visibility without accountability is just reporting
TIPBuild in conditional formatting from day one — manually formatting Excel every month is not sustainable
🔁If I Did This Again / Next Steps
Automate data pulls from the risk register and control matrix where possible
Migrate from Excel to a purpose-built GRC tool (ServiceNow, LogicGate, or Drata) as the program matures
Present the first dashboard to the executive team and document their questions — those become future metrics
Add a compliance calendar view showing upcoming review dates, vendor renewals, and audit windows
Jump to project: P1 P2 P3 P4 P5 P6 P7
← GRC Projects 07
🔍

Conduct a Mock Internal Audit — Capstone

The final test: Charlene audits the GRC program she built. 10 controls selected, evidence gathered, non-conformities identified, and a formal 2-page Audit Report delivered to leadership.

ISO 19011 NIST CA-2 Audit Methodology Corrective Actions
1

High-Level Explanation

After completing six individual GRC projects, Charlene's final challenge was to step back and evaluate the entire program she'd built. The Mock Internal Audit is a structured self-assessment using ISO 19011 audit methodology — selecting 10 key controls from across Projects 1–6, gathering supporting evidence, completing a formal Internal Audit Checklist, and producing a 2-page Audit Report. The report identifies non-conformities (areas where stated controls don't match actual practice), presents corrective actions, and provides leadership with an honest assessment of where Rainbow Byte Bakery's GRC program stands today vs. where it needs to be.

📄
🔍 Internal Audit Report

Complete audit checklist for 10 selected controls — evidence reviewed, findings classified as conforming or non-conforming, and a prioritized corrective action plan.

Open Deliverable →

Internal Audit Scope & Methodology

This internal audit closes the loop on RainbowByte Bakery's first year of GRC work by independently testing 10 high-priority controls drawn from all six prior projects. Using ISO 19011 audit methodology, Charlene evaluated evidence, classified findings, and produced a corrective action plan — demonstrating the ability to identify gaps in her own program with the same rigor she would apply to an external audit.

🔍Audit Scope
10 controls selected from Projects 1-6
All in-scope systems and personnel
Period: Q1-Q3 GRC program activity
Methodology: ISO 19011 audit guidelines
Auditor: Charlene LueQuee (self-assessment)
📋Finding Classifications
Conforming — evidence matches control
Minor NC — gap with limited impact
Major NC — significant gap, escalate
📊Audit Results Summary
🟢 3 controls: Conforming
🟡 4 controls: Minor Non-Conformity
🔴 3 controls: Major Non-Conformity
Total corrective actions required: 7
🚨Top 3 Major Non-Conformities
Vendor assessments: only 1 of 12 complete
Security training: 0% completion rate
Backup restores: never tested
📍 Internal Audit Scope & Methodology
Audit Scope
  • → 10 controls from Projects 1–6
  • → All in-scope systems & people
  • → Period: Q1–Q3 GRC program
  • → ISO 19011 audit methodology
Finding Classifications
✓ Conforming — evidence matches ⚠ Minor NC — gap, low impact ✗ Major NC — significant gap
Audit Summary Results
  • 🟢 3 controls: Conforming
  • 🟡 4 controls: Minor NC
  • 🔴 3 controls: Major NC
  • → Total NCs requiring action: 7
Top 3 Major NCs
  • ✗ Vendor assessments incomplete (11/12)
  • ✗ Security awareness training 0%
  • ✗ Backup restores never tested
2

Audit Checklist — 10 Selected Controls

Control Framework Ref Evidence Gathered Finding Conformity
Information Security Policy exists and is signedISO 27001 A.5Policy document, CEO signaturePolicy drafted; not yet signed by CEOMINOR NC
MFA enabled for all privileged accountsISO 27001 A.9 / CC6AWS IAM MFA screenshotMFA enabled for admin accountsCONFORMING
Asset inventory maintained and currentISO 27001 A.8Asset register documentInventory exists but missing 3 vendor-managed devicesMINOR NC
Risk register reviewed in last 90 daysISO 31000 / PM-9Risk register with last-modified dateLast reviewed 94 days ago — 4 days overdueMINOR NC
Vendor assessment completed for Tier 1 vendorsISO 27001 A.15Sprinkle Pay scorecardSprinkle Pay assessed; 11 remaining vendors not yet assessedMAJOR NC
Incident Response Plan exists and has been testedISO 27035 / IR-8IR Plan doc, tabletop notesPlan exists; tabletop completed onceCONFORMING
CloudTrail logging enabled in all regionsSOC 2 CC7 / AU-2CloudTrail console screenshotCloudTrail enabled in 2 of 3 active regionsMINOR NC
Security awareness training completed by all staffISO 27001 A.7 / AT-2Training completion recordsTraining not yet initiated for any staff memberMAJOR NC
Backup testing completed in last 12 monthsISO 27001 A.12 / CP-9Backup test logsBackups exist; no test restore has ever been performedMAJOR NC
Compliance dashboard updated within 30 daysPM-6 / NIST CSFDashboard with last-updated dateDashboard last updated 18 days agoCONFORMING
3

NIST & GRC Linkage

ISO 19011 – Audit Guidelines NIST CA-2 Control Assessments NIST CA-5 Plan of Action NIST CA-7 Continuous Monitoring NIST CSF – Identify / Improve

ISO 19011 is the international standard for auditing management systems — it defines the principles of auditing, managing an audit program, and conducting and reporting audits. NIST CA-2 requires periodic control assessments to validate whether controls are effectively implemented. This project satisfies both, producing a formal audit record and a corrective action plan (analogous to a NIST Plan of Action and Milestones — POA&M).

4

Steps Taken to Resolve

  • 1

    Audit scope defined — 10 controls selected to span all six prior projects, prioritizing the highest-risk areas identified in the risk register.

  • 2

    Evidence gathered — Each control's evidence collected: screenshots, documents, timestamps, and system exports where applicable.

  • 3

    Audit checklist completed — Each control rated: Conforming, Minor Non-Conformity, or Major Non-Conformity, with objective evidence documented for each finding.

  • 4

    Non-conformities analyzed — 3 Major NCs (vendor assessments, security training, backup testing) and 4 Minor NCs identified with root cause analysis for each.

  • 5

    Audit Report written and submitted — Formal 2-page report presented to the CTO and CEO, including a prioritized corrective action plan with owners and due dates.

5

Possible Flaws & How to Overcome Them

⚠️ Known Limitations

  • Self-audits lack independence — Auditing your own work introduces bias. The same person who built the controls is also assessing them. Overcome by engaging an external assessor for the first formal audit cycle, even if only for 2–3 controls.
  • Sample of 10 controls is not comprehensive — With 114 ISO 27001 controls in scope, 10 is a starting point. Overcome by building an annual audit calendar that rotates through all controls over a 3-year audit cycle.
  • Corrective action follow-through is not guaranteed — An audit report is only as valuable as the action it drives. Overcome by assigning every corrective action a named owner, a due date, and a follow-up review date on the compliance calendar.
  • Major NCs in training and backups represent real risk — These aren't paperwork gaps — an untested backup or untrained staff member is a real exposure. Both should be escalated to the CTO as urgent remediation items regardless of audit formality.
6

Policies & Processes to Implement

📋 Internal Audit Policy

Establishes the annual internal audit program: scope selection criteria, independence requirements, evidence standards, report format, and corrective action follow-up timelines.

📌 Plan of Action & Milestones (POA&M)

Formal POA&M document tracking every open non-conformity with owner, root cause, remediation plan, target date, and current status — reviewed monthly.

💾 Backup Testing Procedure

Quarterly backup test restore procedure: defines which systems, who performs the test, what constitutes a successful restore, and where results are documented.

🎓 Security Awareness Training Program

Mandatory annual training for all staff covering phishing, data handling, access management, and incident reporting — with completion tracked in the compliance dashboard.

Jump to project: P1 P2 P3 P4 P5 P6 P7
Rainbow Byte Bakery · GRC Toolkit · Project 3

Vendor Security
Assessment Template

A 25-question, NIST-aligned vendor security questionnaire across five risk domains. Complete it for any vendor, auto-calculate your risk score, and generate a Vendor Risk Scorecard. Built for real-world use by GRC practitioners.

Made by Charlene
© 2026 Charlene LueQuee
All rights reserved
NIST SP 800-53 NIST SA-12 NIST SA-9 ISO 27001 A.15 C-SCRM 800-161 SOC 2 CC9

Scoring: Yes = 4 pts · Partial = 2 pts · No = 0 pts · N/A = excluded. Max 100 pts. Each domain worth 20 pts (5 questions × 4 pts).

🏢 Vendor Information

🏛️
Domain 1 — Governance & Policy
NIST SA-12 · ISO 27001 A.5 · A.6 · C-SCRM GV.OC
0
/ 20 pts
1
Does the vendor have a documented Information Security Policy that is reviewed and updated at least annually?
NIST SA-12(1) · ISO 27001 A.5.1 · GV.PO-01
Ask for the policy document or date of last review. Look for CEO/CISO signature and version control.
Evidence / Notes for Q1
2
Has the vendor assigned a named individual (e.g., CISO, Security Officer) responsible for information security governance?
NIST SA-12 · ISO 27001 A.6.1.1 · GV.RR-02
A named role or individual with documented security accountability. Ask for the title and reporting structure.
Evidence / Notes for Q2
3
Does the vendor conduct annual security risk assessments of their own systems and services?
NIST RA-3 · ISO 27001 Clause 6.1.2 · GV.RM-03
Request a summary of the most recent risk assessment or attestation. Formal methodology preferred (e.g., ISO 31000, NIST RMF).
Evidence / Notes for Q3
4
Does the vendor provide customers with a current SOC 2 Type II or ISO 27001 certification, or equivalent third-party attestation?
NIST SA-9(3) · SOC 2 CC9.2 · C-SCRM SR.03
Request the most recent audit report or certificate. Note expiration dates. A Type I report is partial credit; no report is a gap.
Evidence / Notes for Q4
5
Does the vendor have a formal employee security awareness training program that all staff complete at least annually?
NIST AT-2 · ISO 27001 A.7.2.2 · PR.AT-01
Ask about training topics (phishing, data handling), frequency, and whether completion is tracked and documented.
Evidence / Notes for Q5
🔑
Domain 2 — Access Control
NIST AC-2 · AC-3 · AC-17 · ISO 27001 A.9 · PR.AC
0
/ 20 pts
6
Does the vendor enforce Multi-Factor Authentication (MFA) for all privileged and administrative accounts?
NIST AC-17(2) · ISO 27001 A.9.4.2 · PR.AC-07
Privileged accounts include cloud console access, admin portals, and any account that can modify configurations or access customer data.
Evidence / Notes for Q6
7
Does the vendor follow a least-privilege access model, ensuring employees only have access to systems necessary for their role?
NIST AC-6 · ISO 27001 A.9.2.3 · PR.AC-04
Ask about access provisioning and de-provisioning processes. Role-based access control (RBAC) is a good indicator of maturity.
Evidence / Notes for Q7
8
Does the vendor conduct quarterly (or more frequent) access reviews and promptly revoke access for terminated employees?
NIST AC-2(3) · ISO 27001 A.9.2.6 · PR.AC-01
Orphaned accounts (former employees with active access) are a top-10 risk. Ask for the average time to revoke access after termination.
Evidence / Notes for Q8
9
Does the vendor restrict remote access to production systems through a VPN or Zero Trust network architecture?
NIST AC-17 · ISO 27001 A.9.4.2 · PR.AC-05
Direct internet-facing admin access without a VPN or Zero Trust gateway is a significant risk indicator, especially for cloud environments.
Evidence / Notes for Q9
10
Does the vendor maintain an audit log of privileged access and review logs for anomalous activity at least monthly?
NIST AU-2 · AU-6 · ISO 27001 A.12.4 · DE.AE-03
Ask whether logs are retained for at least 12 months (90 days minimum) and reviewed by a human or automated alerting system.
Evidence / Notes for Q10
🛡️
Domain 3 — Data Protection
NIST SC-28 · SC-8 · ISO 27001 A.10 · A.18 · PR.DS
0
/ 20 pts
11
Does the vendor encrypt all customer data at rest using industry-standard encryption (AES-256 or equivalent)?
NIST SC-28 · ISO 27001 A.10.1.1 · PR.DS-01
Request the encryption standard in use for databases, storage buckets, and backup files. KMS-managed keys are a strong indicator.
Evidence / Notes for Q11
12
Does the vendor encrypt all data in transit using TLS 1.2 or higher for all API endpoints and customer-facing connections?
NIST SC-8 · ISO 27001 A.10.1.1 · PR.DS-02
Older TLS versions (1.0, 1.1) are deprecated. Ask for a scan confirmation or SSL Labs report showing TLS 1.2+ enforcement.
Evidence / Notes for Q12
13
Does the vendor have a documented data retention and deletion policy, and can they confirm secure deletion of customer data upon contract termination?
NIST MP-6 · ISO 27001 A.8.3.2 · PR.DS-03
Ask for the specific retention periods per data type and whether secure deletion (e.g., DoD 5220.22-M or cryptographic erasure) is used.
Evidence / Notes for Q13
14
Does the vendor conduct regular vulnerability assessments and/or penetration testing of their systems (at least annually)?
NIST RA-5 · CA-8 · ISO 27001 A.12.6.1 · ID.RA-01
Request the date and scope of the most recent penetration test. An executive summary or attestation letter from the testing firm is acceptable.
Evidence / Notes for Q14
15
Does the vendor limit sub-processor access to customer data and maintain a list of approved sub-processors available on request?
NIST SA-12 · ISO 27001 A.15.1 · C-SCRM SR.05
Fourth-party risk: sub-processors can introduce vulnerabilities your direct vendor controls don't cover. GDPR and many contracts require this disclosure.
Evidence / Notes for Q15
🚨
Domain 4 — Incident Response
NIST IR-4 · IR-6 · IR-8 · ISO 27035 · RS.CO · RC.CO
0
/ 20 pts
16
Does the vendor have a documented Incident Response Plan that has been tested (e.g., tabletop exercise) within the last 12 months?
NIST IR-8 · CP-4 · ISO 27035-1 · RS.RP-01
An untested IR plan is essentially no IR plan. Ask for the test date, type (tabletop vs. simulation), and whether findings were documented.
Evidence / Notes for Q16
17
Does the vendor commit to notifying customers of a security incident or breach within 72 hours of discovery (or per contractual SLA)?
NIST IR-6 · ISO 27035 · RS.CO-03
72 hours is the GDPR standard; many organizations use this as a baseline. Ask for the contractual SLA and escalation contact. Verbal commitments don't count.
Evidence / Notes for Q17
18
Does the vendor have a Business Continuity / Disaster Recovery plan, and is the Recovery Time Objective (RTO) and Recovery Point Objective (RPO) documented?
NIST CP-2 · CP-7 · ISO 27001 A.17 · RC.RP-01
For critical vendors (payment, hosting), ask for the specific RTO/RPO commitments and when the DR plan was last tested with a successful recovery.
Evidence / Notes for Q18
19
Has the vendor experienced a reportable data breach in the last three years, and if so, can they describe the incident and corrective actions taken?
NIST IR-4(1) · ISO 27035 · RS.AN-05
A past breach is not automatically disqualifying. What matters is the response: were customers notified promptly? Were root causes addressed? Was the fix verified?
Evidence / Notes for Q19
20
Does the vendor have a named Security Operations or monitoring function that provides 24/7 alerting for security events affecting customer data?
NIST IR-4 · SI-4 · ISO 27001 A.12.4 · DE.CM-01
This can be an internal SOC, a managed SOC provider, or a documented after-hours escalation procedure. "We check logs when we think of it" is a gap.
Evidence / Notes for Q20
📜
Domain 5 — Compliance & Legal
NIST CA-2 · PL-4 · ISO 27001 A.18 · GV.PO · GV.RM
0
/ 20 pts
21
Does the vendor comply with all applicable data privacy regulations (e.g., GDPR, CCPA, HIPAA) relevant to the data they process on your behalf?
NIST PM-20 · PT-1 · ISO 27001 A.18.1 · GV.PO-02
Ask for a Data Processing Agreement (DPA) for EU data subjects or a CCPA addendum for California residents. The absence of these documents for applicable vendors is a gap.
Evidence / Notes for Q21
22
Does the vendor's contract include security obligations (e.g., breach notification, data handling, audit rights, indemnification for security failures)?
NIST SA-12(7) · ISO 27001 A.15.1.2 · GV.SC-06
Without contractual security terms, you have limited recourse if the vendor causes a breach. A right-to-audit clause is especially important for critical vendors.
Evidence / Notes for Q22
23
Does the vendor have a documented process for managing and disclosing vulnerabilities (a Vulnerability Disclosure Policy or Bug Bounty program)?
NIST RA-5(11) · ISO 27001 A.12.6 · ID.RA-01
A VDP or bug bounty program demonstrates security maturity and a willingness to accept external scrutiny. Check for a security.txt file or a public VDP page.
Evidence / Notes for Q23
24
Does the vendor perform background screening on employees who will access your data or systems?
NIST PS-3 · ISO 27001 A.7.1.1 · PR.AT-02
Ask whether background checks are conducted pre-hire and/or periodically, what they cover (criminal, financial, reference), and whether contractors are included.
Evidence / Notes for Q24
25
Is the vendor willing to complete annual security questionnaires and provide updated compliance evidence as your organization's risk program requires?
NIST SA-9(5) · ISO 27001 A.15.2 · GV.SC-09
A vendor that refuses to participate in your ongoing risk management program is a red flag. Document this response and escalate to legal if needed for critical vendors.
Evidence / Notes for Q25
0
/ 100 pts total
Risk Tier
0
Gov
0
Access
0
Data
0
IR
0
Comply
Rainbow Byte Bakery
GRC Vendor Assessment Template
Made by Charlene LueQuee · © 2026 All rights reserved
← Back to GRC Portfolio
⚠️ Disclaimer

This template was created by Charlene LueQuee for GRC portfolio and educational purposes. The Rainbow Byte Bakery scenario is entirely fictional. This questionnaire is a demonstration tool and is not a substitute for professional legal, security, or compliance advice. All NIST and ISO framework references are for educational illustration only. Adapt for real-world use with qualified professional guidance.

Jump to project: P1 P2 P3 P4 P5 P6 P7
Jump to: P1 · Compliance P2 · Risk Register P3 · Vendors P4 · IR Plan P5 · SOC 2 Cloud P6 · Dashboard P7 · Audit 📋 Gap Analysis
📋

ISO 27001 Gap Analysis

Rainbow Byte Bakery · Annex A Control Assessment · Prepared by Charlene LueQuee, GRC Analyst

ISO 27001 Annex A NIST 800-53 Control Evaluation
8
Missing
4
Partial
0
Implemented
0%
Coverage
Overall Control Coverage 0% implemented
🔴 Critical gaps require immediate action 🟠 Partial controls need completion 🟢 Implemented controls confirmed
ISO 27001 Annex A — Full Gap Analysis
RefDomainControlStatusOwnerGap / FindingPriority
A.5Security PoliciesInformation Security PolicyMISSINGCTONo written policy existsCRITICAL
A.6Org of InfoSecSegregation of DutiesPARTIALOffice MgrPayroll and admin access combined in one roleHIGH
A.8Asset ManagementAsset InventoryMISSINGIT / CTONo hardware or data asset registerCRITICAL
A.9Access ControlUser Access ManagementPARTIALCTOShared login credentials in use across staffHIGH
A.9Access ControlMFA on Cloud AccountsMISSINGCTOMFA not enabled on AWS or Google WorkspaceCRITICAL
A.10CryptographyEncryption PolicyMISSINGCTONo encryption standard definedCRITICAL
A.12OperationsBackup ProceduresPARTIALCTOBackups exist but never testedHIGH
A.12OperationsPatch ManagementPARTIALCTONo formal patch schedule in placeMEDIUM
A.13CommunicationsNetwork SegmentationMISSINGCTOPOS and back-office on same flat networkCRITICAL
A.15SupplierVendor Security ClausesMISSINGOperationsNo vendor contracts include security termsCRITICAL
A.16IncidentsIncident Reporting ProcessMISSINGGRCNo formal process or escalation path definedCRITICAL
A.7HR SecuritySecurity Awareness TrainingMISSINGHR / GRCNo training program — staff unaware of phishing riskCRITICAL
A.18ComplianceLegal and Regulatory ReviewIN PROGRESSGRCReview underway — PCI-DSS obligations to be mappedMEDIUM
Remediation Roadmap
Phase 1 · 0–30 Days
  • → Draft Information Security Policy
  • → Enable MFA on all cloud accounts
  • → Create asset inventory register
  • → Define encryption standards
Phase 2 · 30–90 Days
  • → Add vendor security contract clauses
  • → Implement network segmentation
  • → Write incident response procedure
  • → Conduct quarterly access reviews
Phase 3 · 90+ Days
  • → Test and validate backup procedures
  • → Complete legal and regulatory review
  • → Schedule annual control review cycle
  • → Pursue ISO 27001 certification path
Rainbow Byte Bakery · ISO 27001 Gap Analysis · © 2026 Charlene LueQuee
Jump to project: P1 P2 P3 P4 P5 P6 P7
Jump to: P1 · Compliance P2 · Risk Register P3 · Vendors P4 · IR Plan P5 · SOC 2 Cloud P6 · Dashboard P7 · Audit 📊 Risk Heat Map
📊

Risk Register & Heat Map

Rainbow Byte Bakery · ISO 31000 / NIST RMF Risk Assessment · Prepared by Charlene LueQuee, GRC Analyst

ISO 31000 NIST RMF Risk Scoring
5×5 Likelihood / Impact Heat Map
← LIKELIHOOD · IMPACT →
1
Minimal
2
Minor
3
Moderate
4
Significant
5
Critical
5 · Certain
5
10
15
20
25
4 · Likely
4
8
12
16
20
3 · Possible
3
6
9
12
15
2 · Unlikely
2
4
6
8
10
1 · Rare
1
2
3
4
5
🔴 Critical ≥16🟠 High 10–15🟡 Medium 5–9🟢 Low 1–4■ Outlined cells = active risks
Risk Register
IDRiskLIScoreControls in PlaceResidualTreatment
RR-001POS compromise via unpatched software4520Basic firewall onlyHIGHMitigate
RR-002Phishing attack on staff email accounts5420No MFA, no trainingHIGHMitigate
RR-003Ransomware via third-party vendor access3515No vendor controlsHIGHMitigate + Transfer
RR-004Accidental data disclosure by employee4312Informal verbal policyMEDMitigate
RR-005Cloud misconfiguration exposing customer data3412Default AWS settingsMEDMitigate
RR-006Loss of backup data (untested backups)248Backups exist; untestedMEDMitigate
RR-007Physical theft of POS terminal or laptop236Lock on front doorLOWAccept + Monitor
Rainbow Byte Bakery · Risk Register and Heat Map · © 2026 Charlene LueQuee
Jump to project: P1 P2 P3 P4 P5 P6 P7
Jump to: P1 · Compliance P2 · Risk Register P3 · Vendors P4 · IR Plan P5 · SOC 2 Cloud P6 · Dashboard P7 · Audit 🚨 IR Tabletop
🚨

Incident Response Tabletop Report

Scenario: Phishing to Credential Theft to Payroll Access Attempt · Rainbow Byte Bakery · Prepared by Charlene LueQuee, GRC Analyst

ISO 27035 NIST SP 800-61 Rev 2 Severity: P2 HIGH
Q2 #1
Exercise Date
Phishing
Incident Type
3 Major
Gaps Found
Incident Timeline
07:00
Phishing Email Received
Office Manager Tamika receives an email appearing to be from ButterBucks HR requesting credential re-verification. Subject line: 'Urgent: Payroll portal security update required.'
07:14
Link Clicked
Tamika clicks the embedded link and is directed to a convincing fake login page. She enters her Google Workspace credentials before noticing the URL is incorrect.
07:19
Self-Reported to GRC
Tamika immediately messages Charlene via Slack: 'I think I just fell for a phishing email — I entered my password.'
07:22
Detection Confirmed — P2 Classified
Charlene confirms phishing. Google Workspace admin shows no active attacker session yet. Incident classified P2 High.
07:25
Containment — Password Reset + Session Revoked
CTO resets Tamika's password and revokes all active sessions. MFA enforcement initiated on the account immediately.
07:35
Scope Investigation — No Exfiltration Found
Charlene reviews Google Workspace audit logs for data access or mail forwarding rules. No evidence of exfiltration confirmed.
08:00
Leadership Notified — Near Miss Contained
CTO and COO briefed via Slack. Incident classified near miss — contained. Store opening proceeds as planned.
GAP #1
No Escalation Path Documented
Charlene had to improvise all communications with no defined notification chain. Finding: IR Plan must define exact escalation path within 15 minutes of detection.
GAP #2
MFA Was Not Proactively Enforced
Containment required emergency account reset. Finding: MFA must be enforced before an incident occurs, not as a reactive response.
GAP #3
No Vendor Security Contacts on File
Charlene could not confirm whether the attacker accessed payroll. Finding: All Tier 1 vendors need a documented 24-hr security contact.
Close
Lessons Learned Session Completed
90-minute debrief with CTO, Tamika, and Charlene. Three major and two minor corrective actions assigned with owners and due dates.
Corrective Action Plan
FindingSeverityCorrective ActionOwnerDue
No escalation path definedMAJORWrite and publish IR escalation matrix to all staffCharlene7 days
MFA not enforced proactivelyMAJOREnable MFA across all Google Workspace and AWS accountsCTO48 hours
No vendor security contacts on fileMAJORCollect security contacts for all Tier 1 vendorsCharlene14 days
No phishing awareness trainingMINORSchedule quarterly phishing training for all staffCharlene + HR30 days
Audit log alerts not configuredMINOREnable Google Workspace alerts for suspicious loginsCTO7 days
Rainbow Byte Bakery · IR Tabletop Report · © 2026 Charlene LueQuee
Jump to project: P1 P2 P3 P4 P5 P6 P7
Jump to: P1 · Compliance P2 · Risk Register P3 · Vendors P4 · IR Plan P5 · SOC 2 Cloud P6 · Dashboard P7 · Audit ☁️ SOC 2 Evidence
☁️

SOC 2 Evidence Register

Rainbow Byte Bakery · Trust Service Criteria CC1–CC9 · AWS Environment · Prepared by Charlene LueQuee, GRC Analyst

SOC 2 TSC AWS CC1–CC9
4
CC Criteria Met
3
Partial
2
Gap / Missing
SOC 2 CC1–CC9 Evidence Register
CriterionDescriptionAWS ControlEvidence CollectedStatus
CC1Control EnvironmentIAM roles, org policiesIAM policy screenshot; org chartPARTIAL
CC2Communication and InformationSecurity Hub, alertingNot enabled — Security Hub absentMISSING
CC3Risk AssessmentAWS Config rulesConfig dashboard screenshotPARTIAL
CC4Monitoring ActivitiesCloudWatch alarmsNo alarms configuredMISSING
CC5Control ActivitiesS3 bucket policies, Security GroupsS3 ACL and SG rule export on fileMET
CC6Logical Access ControlsIAM MFA enforcementMFA enabled on all admin accountsMET
CC7System OperationsCloudTrail + RDS backupsCloudTrail log export; RDS backup confirmedMET
CC8Change ManagementCodePipeline, CloudFormationNo formal change management processPARTIAL
CC9Risk Mitigation — VendorsVendor SOC 2 reportsSprinkle Pay SOC 2 summary on fileMET
Rainbow Byte Bakery · SOC 2 Evidence Register · © 2026 Charlene LueQuee
Jump to project: P1 P2 P3 P4 P5 P6 P7
🌈 Rainbow Byte Bakery — GRC Command Center
GRC REPORTING DASHBOARD · CHARLENE LUEQUEE, GRC ANALYST · © 2026
ISO 27001 NIST CSF 2.0 SOC 2
Business UnitAll FrameworkAll Risk CategoryAll Vendor TierAll Last Updated: Q3 2026 · Next Review: Q4 2026
① Overall GRC Score
72
IMPROVING
Risk Level: Medium
Open Issues: 11
Control Health: 68%
GRC Score Trend
② Compliance Status
Control Status by Framework
ISO 27001
55%
NIST CSF
60%
SOC 2
44%
ISO 31000
70%
● Compliant 55% ● Partial 25% ● Gap 20%
③ Enterprise Risk
Top Risk Events
POS Ransomware High
Phishing Risk High
Cloud Miscfg Med
Vendor Access Med
3
High
4
Medium
0
Low
④ Control Performance
Control Domain Coverage
Access Control
75%
Incident Mgmt
80%
Cryptography
60%
Asset Mgmt
25%
Supplier Rels
40%
⑤ Issues & Incidents
3
Open Critical
4
In Progress
2
Overdue
5
Closed
Incident aging
0–7 days30%
8–30 days40%
31–60 days30%
⑥ KPI / KRI Monitoring
MetricTypeStatusTrend
MFA AdoptionKPIOn Track
Training CompleteKPIBreached
Vendor Score AvgKRIBelow Target
Backup Test RateKRIBreached
Patch ComplianceKPIPartial
2
Breached
2
Below Target
1
On Track
⑦ Vendor Risk Scorecard
Tier 1 Vendor Scores (out of 100)
Sprinkle Pay
70
CloudDough
58
FrostFlour Co.
N/A
⚠ 10 vendors not yet assessed
Remediation: Complete all Tier 1 assessments within 60 days
85+ Low 65–84 Med <65 High
⑧ Audit & NC Tracker
3
Conform
4
Minor NC
3
Major NC
Top Major NCs
Vendor assessments incomplete
Security training: 0% complete
Backup restores never tested
Next Audit: Q4 2026 · Auditor: Charlene
⑨ Remediation Tracker
11 Open Actions
ActionOwnerDueStatus
Enable MFA all accountsCTOOverdueCritical
Vendor assessments (×11)Charlene60dIn Progress
Security awareness trainingHR+GRC30dNot Started
Test backup restoreCTO14dScheduled
IR escalation matrixCharleneDoneComplete
CloudTrail all regionsCTODoneComplete
⑩ Risk Trend Analysis
Risk Exposure Trend (Residual)
Jan Feb Mar Apr May Jun Jul
— High — Medium — Low
Overall Trend Summary
4
Improving
2
Stable
1
Worsening
⑪ SOC 2 Readiness
40%
4 of 9 CC Met
CC5 · CC6 · CC7 · CC9
fully implemented
Gap areas
CC2 — Security Hub missing
CC4 — No CloudWatch alarms
CC8 — Change mgmt partial
Target: SOC 2 Type I ready Q2 2027
Rainbow Byte Bakery GRC Command Center · Prepared by Charlene LueQuee · © 2026 · For internal and stakeholder use
Jump to project: P1 P2 P3 P4 P5 P6 P7 · Audit
← Back to Project 7
🔍

Rainbow Byte Bakery — Internal Audit Report

GRC Program Self-Assessment · Capstone Audit · ISO 19011 Methodology · Prepared by Charlene LueQuee, GRC Analyst · Q3 2026

ISO 19011 NIST CA-2 NIST CA-5 POA&M 3 Major NC Found
PAGE 1

Audit Overview & Scope

Audit Type
Internal Self-Audit
Audit Period
Q1–Q3 2026
Auditor
Charlene LueQuee
Standard
ISO 19011 · NIST CA-2
3
Conforming
4
Minor NC
3
Major NC
10
Controls Audited
Audit Scope Statement

This internal audit covers the Rainbow Byte Bakery GRC program as built across Projects 1–6. Ten (10) controls were selected based on risk priority and coverage of all five NIST CSF functions (Govern, Identify, Protect, Detect, Respond). Evidence was gathered through system screenshots, document review, and staff interviews. Findings are classified per ISO 19011 as Conforming, Minor Non-Conformity, or Major Non-Conformity. All Major NCs require a corrective action with a named owner and due date. This report serves as the capstone deliverable for the Rainbow Byte Bakery GRC Portfolio.

Internal Audit Checklist — 10 Selected Controls
Ref Control Framework Evidence Required Evidence Found Finding Severity
C-01 Information Security Policy — signed by CEO ISO 27001 A.5.1 Signed policy doc with CEO signature and date Policy drafted and reviewed — CEO signature pending Policy exists but lacks formal executive endorsement MINOR NC
C-02 MFA enabled on all privileged cloud accounts ISO 27001 A.9 · SOC 2 CC6 AWS IAM MFA status screenshot; Google Admin report MFA confirmed active on all 6 admin accounts in both platforms Control fully implemented and verified CONFORMING
C-03 Asset inventory maintained and current ISO 27001 A.8.1 Asset register with last-modified date; all devices listed Register exists — 3 vendor-managed devices missing from inventory Partial coverage — vendor device gap creates blind spot MINOR NC
C-04 Risk register reviewed within 90 days ISO 31000 · NIST PM-9 Risk register with date stamp; review record or sign-off Register exists — last formal review was 94 days ago (4 days overdue) Minor procedural lapse — review cycle not consistently maintained MINOR NC
C-05 Vendor assessments complete for all Tier 1 vendors ISO 27001 A.15 · NIST SA-12 Completed vendor scorecards for all 12 vendors Only Sprinkle Pay assessed — 11 of 12 vendors have no formal assessment Significant third-party risk exposure — most vendors unvetted MAJOR NC
C-06 IR Plan exists and has been tabletop-tested within 12 months ISO 27035 · NIST IR-8 IR Plan document; tabletop exercise record with date IR Plan v1.0 in place; tabletop completed Q2 2026 with documented findings Control fully implemented — corrective actions from tabletop being tracked CONFORMING
C-07 CloudTrail audit logging active in all active AWS regions SOC 2 CC7 · NIST AU-2 CloudTrail console status showing all regions active CloudTrail active in us-east-1 and us-west-2; missing in ap-southeast-1 Partial — audit gap in APAC region creates log blind spot MINOR NC
C-08 Security awareness training completed by all staff ISO 27001 A.7.2.2 · NIST AT-2 Training completion records showing all 22 staff certified No training program initiated — 0 of 22 staff have received any security training Critical gap — entire workforce lacks baseline security awareness MAJOR NC
C-09 Backup restore test completed within last 12 months ISO 27001 A.12.3 · NIST CP-9 Test restore log showing successful recovery exercise with date Automated backups confirmed active — no restore test has ever been performed Untested backups cannot be relied upon for recovery — unverified control MAJOR NC
C-10 Compliance dashboard updated within last 30 days NIST PM-6 · CSF Improve Dashboard export with last-updated timestamp GRC Command Center dashboard updated 18 days ago — within the 30-day window Control fully operational and within required cadence CONFORMING
PAGE 2

Findings Report & Corrective Action Plan (POA&M)

Major Non-Conformities — Requiring Immediate Action
MAJOR NC — C-05 Vendor Assessments Incomplete
Root CauseThe vendor assessment process was built for this portfolio but only Sprinkle Pay was assessed before the audit period. 11 additional vendors with system access remain unvetted.
Business ImpactUnassessed vendors represent unknown risk vectors. A breach via any unvetted vendor cannot be detected or contained using current controls.
Corrective ActionComplete the 25-question vendor security questionnaire for all 11 remaining vendors. Tier 1 vendors within 30 days; Tier 2 within 60 days.
Owner & Due DateCharlene LueQuee · 60 days from audit date
MAJOR NC — C-08 Security Awareness Training: 0% Completion
Root CauseNo security training program has been initiated since Charlene joined. The phishing near-miss in Q2 demonstrated the gap but no formal program was launched.
Business ImpactAll 22 staff members are vulnerable to social engineering attacks. The Tamika phishing incident would likely have succeeded without her self-awareness.
Corrective ActionLaunch mandatory security awareness training for all staff within 30 days. Include phishing recognition, data handling, password hygiene, and incident reporting.
Owner & Due DateCharlene LueQuee + HR · 30 days from audit date
MAJOR NC — C-09 Backup Restore Testing: Never Performed
Root CauseAutomated backups were configured but treated as "done." No one tested whether backups could actually be restored. Documentation quality issue: backup control was marked Implemented without validation.
Business ImpactIn a ransomware event, the bakery could lose all POS and customer data despite believing they had backups. This is a documented NIST CP-9 control failure.
Corrective ActionPerform a full test restore of the RDS POS database and loyalty app data within 14 days. Document results and schedule quarterly restore tests going forward.
Owner & Due DateCTO · 14 days from audit date
Minor Non-Conformities — Action Required
C-01 · Policy Signature Pending
Information Security Policy exists but CEO has not formally signed. Action: Obtain signature within 7 days. Owner: Charlene. Due: 7 days.
C-03 · Asset Inventory Gap
Three vendor-managed devices not in the asset register. Action: Contact vendors to obtain device identifiers; update register. Owner: IT/CTO. Due: 21 days.
C-04 · Risk Register Review Overdue
94 days since last review — 4 days past the 90-day requirement. Action: Review immediately and set calendar reminders for quarterly cadence. Owner: Charlene. Due: Immediate.
C-07 · CloudTrail Region Gap
CloudTrail not enabled in ap-southeast-1. Action: Enable CloudTrail in all active regions via AWS Console. Owner: CTO. Due: 48 hours.
Audit Conclusion

Rainbow Byte Bakery's GRC program, built across seven structured projects, demonstrates meaningful progress from a zero-baseline. Three critical controls — MFA enforcement, CloudTrail logging, and incident response — are operating as documented. However, three Major Non-Conformities represent real business risk that must be remediated within the specified timeframes.

The GRC program is assessed as DEVELOPING — foundational controls are in place but the program requires systematic vendor assessment, a formal training program, and verified backup procedures before it can be classified as OPERATIONAL. A follow-up review is recommended within 90 days to verify corrective action completion.

Rainbow Byte Bakery · Internal Audit Report · ISO 19011 · © 2026 Charlene LueQuee · GRC Analyst
📓 REFLECTION — PROJECT 07
Internal Audit & Capstone Report
⏱️~20-30 hours

Auditing your own program is one of the most professionally honest things a GRC analyst can do. Three major non-conformities in a program you designed is not a failure — it is evidence of intellectual integrity and a mature audit mindset. This capstone forced me to see my work as an external auditor would see it.

🧠What I Learned
Internal audit is not about finding blame — it is about finding systemic gaps before an external auditor or a breach does
ISO 19011 provides a rigorous, globally recognized audit methodology that makes findings defensible and comparable
Writing corrective action plans requires specificity about root cause, not just symptoms
Auditing your own work requires active effort to suppress confirmation bias — the temptation to rationalize is real
The capstone report demonstrated I can produce the same type of deliverable a Big 4 consultant would produce
💡Tips & Takeaways
TIPAudit against the documented control, not what you know the intention was — if it isn't written down, it doesn't count
TIPGrade yourself harder than you think an external auditor would — if you're unsure, it's a minor NC at minimum
TIPNumber your findings consistently — a Finding ID makes corrective actions trackable across reviews
TIPAlways close the loop — every corrective action needs an owner, a due date, and a verification method
🔁If I Did This Again / Next Steps
Present the audit report to leadership and get formal sign-off on the corrective action plan
Schedule follow-up verification for all 7 corrective actions within 90 days
Use this report as the basis for Year 2 GRC program planning — let the findings set the roadmap
Share this portfolio with hiring managers as evidence of real applied GRC capability across the full lifecycle