Readiness Process
Sprint Timeline
The engagement follows structured phases, each building on the outputs of the previous one.
1. Intake (2–6 days)
- NDA & stakeholder map
- Document request
- Scoping interviews
- System boundary draft
2. Assessment (9 days)
- TSC selection
- Type 1/Type 2 recommendation
- Control walkthroughs
- Evidence sampling
3. Outputs (9 days)
- Controls matrix & gap register
- Policy/document backlog
- Evidence calendar
- Executive readout & roadmap
4. Follow-on (variable)
- Remediation implementation
- Type 2 observation period
Phase Details
1. Intake & Scoping (Week 1)
We start by understanding your institution, systems, and current security posture.
- FTC jurisdiction confirmation — verify that your institution falls under the Safeguards Rule’s scope
- Current security program review — assess existing policies, procedures, and technical controls
- Qualified individual identification — evaluate current designation or identify candidates for the qualified individual role
- Customer information inventory — catalog all systems, applications, and processes that handle customer information
2. Assessment (Weeks 2–3)
We evaluate your current security posture against the amended Safeguards Rule requirements.
- Risk assessment methodology review — evaluate whether your risk assessment meets the rule’s written assessment requirements
- Technical controls evaluation — assess encryption, secure development, change management, and monitoring capabilities
- Access control and MFA audit — review authentication mechanisms and access controls for customer information systems
- Incident response plan review — evaluate response procedures, roles, and communication protocols against rule requirements
3. Outputs (Weeks 3–4)
We deliver the artifacts that define your path to Safeguards Rule compliance.
- Written information security program — comprehensive WISP document meeting all rule requirements
- Risk assessment documentation — written risk assessment with identified threats, evaluation criteria, and mitigation plans
- Technical controls gap register — every control gap ranked by risk with owners and remediation timelines
- Board reporting framework — template and process for the qualified individual’s annual report to the board
4. Follow-on (Ongoing)
After the readiness sprint, continued support ensures sustained compliance.
- Annual risk assessment updates — periodic reassessment as threats, systems, and business operations evolve
- Penetration testing program — design and oversight of annual penetration testing or continuous monitoring with vulnerability assessments
- Continuous monitoring implementation — ongoing security program monitoring and board reporting support
Sprint Deliverables
Every readiness sprint produces these minimum deliverables:
- Written information security program (WISP)
- Risk assessment documentation
- Technical controls gap register
- Access control and MFA assessment
- Incident response plan
- Vendor management program design
- Board reporting framework
- Remediation roadmap
Start Your Readiness Sprint
Most institutions complete the readiness sprint in 3–4 weeks. The result is a clear, actionable plan to achieve Safeguards Rule compliance.