Cybersecurity Risk Assessment & Strategy
Overall: 8.6/10 (AI: 8.6; no user ratings)
Submitted Jul 21. AI evaluated Jul 22.
Prompt
You are a cybersecurity consultant conducting a comprehensive security assessment and developing a security strategy for [ORGANIZATION].
Create a detailed cybersecurity analysis and implementation plan:
## Current Security Posture Assessment
**Asset Inventory & Classification:**
- Information assets: [Data classification, location, sensitivity, criticality]
- Technology assets: [Systems, applications, databases, network infrastructure]
- Physical assets: [Facilities, equipment, media, documentation]
- Human assets: [Personnel, contractors, third-party access]
- Asset criticality rating: [Critical, high, medium, low business impact]
**Threat Landscape Analysis:**
- External threats: [Cybercriminals, nation-states, hacktivists, competitors]
- Internal threats: [Malicious insiders, negligent employees, contractors]
- Threat vectors: [Email, web, network, physical, social engineering]
- Attack trends: [Current threat intelligence, industry-specific risks]
- Threat actor capabilities: [Sophistication, resources, motivations]
**Vulnerability Assessment:**
- Technical vulnerabilities: [Software flaws, misconfigurations, weak controls]
- Process vulnerabilities: [Policy gaps, procedure weaknesses, control failures]
- Physical vulnerabilities: [Access controls, environmental risks, theft]
- Human vulnerabilities: [Social engineering, training gaps, awareness]
- Supply chain vulnerabilities: [Vendor risks, third-party access, dependencies]
## Risk Analysis & Prioritization
**Risk Assessment Methodology:**
- Risk identification: [Threat-vulnerability pairs, risk scenarios]
- Risk analysis: [Probability assessment, impact evaluation, risk calculation]
- Risk evaluation: [Risk tolerance, acceptability criteria, treatment decisions]
- Risk monitoring: [Ongoing assessment, trend analysis, reporting]
**Top Security Risks:**
1. Data Breach Risk - External attackers and malicious insiders
2. Ransomware Risk - Cybercriminal groups and automated attacks
3. Supply Chain Risk - Vendor vulnerabilities and third-party access
4. Compliance Risk - Regulatory violations and audit failures
5. Insider Threat Risk - Privileged user abuse and data theft
**Risk Treatment Plans:**
- Risk avoidance: [Eliminate risk sources, discontinue activities]
- Risk mitigation: [Implement controls, reduce likelihood/impact]
- Risk transfer: [Insurance, contracts, outsourcing]
- Risk acceptance: [Documented acceptance, monitoring, contingency plans]
## Security Framework & Governance
**Security Governance Structure:**
- Executive oversight: [CISO, Security committee, board reporting]
- Security organization: [Team structure, roles, responsibilities]
- Policy framework: [Policies, standards, procedures, guidelines]
- Compliance management: [Regulatory requirements, audit management]
- Risk management integration: [Enterprise risk management alignment]
**Security Framework Adoption:**
- Framework selection: [NIST CSF, ISO 27001, CIS Controls, COBIT]
- Maturity assessment: [Current state evaluation, gap analysis]
- Implementation roadmap: [Framework adoption timeline, priorities]
- Continuous improvement: [Regular assessments, updates, optimization]
## Technical Security Controls
**Network Security:**
- Perimeter security: [Firewalls, IPS/IDS, web application firewalls]
- Network segmentation: [VLANs, micro-segmentation, zero trust architecture]
- Remote access: [VPN, multi-factor authentication, privileged access]
- Wireless security: [WPA3, network isolation, device management]
- Network monitoring: [Traffic analysis, anomaly detection, threat hunting]
**Endpoint Security:**
- Endpoint protection: [Antivirus, EDR, XDR solutions]
- Device management: [MDM, configuration management, patch management]
- Application control: [Whitelisting, behavioral analysis, sandboxing]
- Data loss prevention: [DLP tools, content inspection, policy enforcement]
- Mobile security: [BYOD policies, mobile app management, containerization]
**Identity & Access Management:**
- Identity governance: [User lifecycle, role management, access reviews]
- Authentication: [Multi-factor authentication, passwordless authentication]
- Authorization: [RBAC, ABAC, privilege escalation controls]
- Privileged access: [PAM solutions, just-in-time access, session monitoring]
- Single sign-on: [SSO implementation, federation, identity providers]
## Implementation Strategy & Roadmap
**Phase 1: Foundation (Months 1-6)**
- Risk assessment completion
- Security framework adoption
- Policy development and approval
- Basic security controls implementation
- Team establishment and training
**Phase 2: Core Controls (Months 7-12)**
- Technical controls deployment
- Identity and access management
- Security monitoring implementation
- Incident response capability
- Compliance program establishment
**Phase 3: Advanced Capabilities (Months 13-18)**
- Advanced threat detection
- Security automation and orchestration
- Threat intelligence integration
- Advanced training programs
- Continuous improvement processes
**Success Metrics & KPIs:**
- Risk reduction: [Risk score improvement, vulnerability reduction]
- Incident response: [Detection time, response time, recovery time]
- Compliance: [Audit results, violation reduction, certification status]
- Security awareness: [Training completion, phishing test results, incident reporting]
- Cost effectiveness: [ROI on security investments, cost per incident avoided]
Include specific control implementations, compliance requirements, and measurable security outcomes throughout the strategy.
AI Evaluation
- Claude 3 Haiku: 8.3/10
- GPT-4 Mini: 8.8/10