Readiness Process
Sprint Timeline
The engagement follows structured phases, each building on the outputs of the previous one.
1. Intake (2–6 days)
- NDA and stakeholder map
- Document request
- Scoping interviews
- System boundary and private information inventory draft

2. Assessment (9 days)
- Administrative, technical, and physical safeguards evaluation
- Small business provision determination
- Control walkthroughs
- Evidence sampling

3. Outputs (9 days)
- Safeguards matrix and gap register
- Policy and document backlog
- Evidence calendar
- Executive readout and remediation roadmap

4. Follow-on (variable)
- Remediation implementation
- Annual program updates and service provider monitoring
Phase Details
1. Intake & Scoping (Week 1)
We start by understanding your data practices, existing safeguards, and service provider relationships.
- NY resident data inventory — identify all computerized data containing private information of New York residents that your organization owns or licenses, and where it is stored and processed
- Current safeguards documentation — assess existing administrative, technical, and physical safeguards already in place
- Service provider mapping — catalog all vendors and service providers with access to private information
- Breach notification procedure review — evaluate existing incident response and breach notification capabilities
2. Assessment (Weeks 2–3)
We evaluate your current safeguards posture against SHIELD Act requirements.
- Administrative safeguards evaluation — review coordinator designation, risk identification, employee training, and service provider contracts
- Technical safeguards assessment — assess network/software risks, data processing protections, attack detection, and control testing
- Physical safeguards review — evaluate information storage risks, intrusion detection, unauthorized access protection, and data disposal
- Small business provision determination — assess whether your organization meets the statute's small business thresholds, which allow safeguards scaled to the size and complexity of the business, the nature and scope of its activities, and the sensitivity of the information it handles
3. Outputs (Weeks 3–4)
We deliver the artifacts that define your path to SHIELD Act compliance.
- Data security program documentation — comprehensive documentation of your administrative, technical, and physical safeguards
- Risk assessment report — documented assessment of internal and external risks to the security of private information
- Service provider contract requirements — template language and checklist for vendor agreements requiring appropriate safeguards
- Breach notification procedure templates — step-by-step procedures for breach detection, assessment, notification of affected New York residents, and notification of the Attorney General, the Department of State, and the Division of State Police
4. Follow-on (Ongoing)
After the readiness sprint, maintaining compliance requires ongoing attention to your data security program.
- Annual program updates — adjust the data security program in light of business changes, new threats, and evolving circumstances
- Employee training program — regular training on data security practices and procedures for all employees
- Service provider monitoring — ongoing assessment of service provider safeguard compliance and contract adherence
Sprint Deliverables
Every readiness sprint produces these minimum deliverables:
Private information inventory
Risk assessment report
Data security program documentation
Administrative safeguards assessment
Technical safeguards assessment
Physical safeguards assessment
Breach notification procedures
Remediation roadmap
Start Your Readiness Sprint
Most companies complete the readiness sprint in 3–4 weeks. The result is a clear, actionable plan to achieve NY SHIELD Act compliance.
Get in Touch