Company Products
VoltronMessenger
Primary revenue source: secure electronic messaging for hospitals and clinics. Handles PHI messages routed between customers and providers.
VoltronPay
Web portal for payments & billing; interacts with credit card processors and handles payment flows in production.
VoltronConnect
Directory of doctors/clinics: personal info, addresses, certifications, and services. Providers update profiles.
Assets
- Hardware — Production servers, laptops, mobile devices
- Software — Messaging service, payment portal, directory app
- Information — PHI, billing data, provider records
Threats & Vulnerabilities
Top Threats (ranked)
- Internet threats (external attacks) — Score: 100
- Loss of customers or sensitive info — Score: 80
- Insider threats — Score: 64
- Loss of data — Score: 50
- Regulatory changes — Score: 10
Vulnerabilities by product
- VoltronMessenger: plaintext/weak encryption, missing patches, weak access controls
- VoltronPay: no IDS, missing AV, weak patching, weak authentication
- VoltronConnect: directory traversal, weak auth, insufficient access control
- Cross-cutting: weak authentication/authorization is the highest common vulnerability
Information Sources
Document reviews, interviews, system logs, SWOT analysis, vendor dependencies, prior assessments.
Compliance & Regulations
- Written policies & standards
- Designate compliance officers & committees
- Employee education & training
- Anonymous reporting channels & whistleblower protection
- Corrective actions & monitoring
- Internal audits & continuous monitoring
- Incident response & corrective actions
Risk Mitigation & Action Plan
Loss of company data (physical)
Secure server rooms with badge/biometric access. Action within 1 month. Controls: physical & technical.
Lost/stolen assets
Backups, full-disk encryption, strong auth, biometric options. Action: immediate. Controls: technical.
Production outages / DR
Multi-site redundancy across three DCs, regular DR testing. Action: within 1 week for DR prioritization.
Internet threats / patching
Robust patch management, IDS/IPS, vulnerability scanning via Tenable/Nessus. Action: immediate.
Insider threats
Least privilege, monitoring, DLP, alerts (Snort/IDS), sanctions. Action: within 1 week.
Regulatory changes
Governance committee to review and update policies. Action: within 6 months for policy-level changes.
Cost-Benefit (Qualitative)
Backups, biometrics, redundancy and monitoring reduce operational risk and increase detection — qualitative benefits justify the controls even when precise ROI is not calculated.
Business Impact Analysis & BCP
Critical Systems
- Production servers — most critical
- HTTPS websites & apps — critical
- Corporate laptops & devices — least critical
Impact Categories
Severe (> $1M) — production servers; Moderate (~ $550k) — web apps; Minimal (~ $75k) — laptops/devices
Recovery Objectives & Table
| System Resource | MTD | RTO | RPO |
|---|---|---|---|
| Production servers | 15 hours | 24 hours | 12 hours |
| HTTPS websites & applications | 30 hours | 35 hours | 12 hours |
| Corporate laptops & mobile devices | 50 hours | 90 hours | 12 hours |
Recovery Priority
- Production servers — RTO 24h
- HTTPS websites & apps — RTO 35h
- Corporate laptops & devices — RTO 90h