Managed Protection
24/7 monitoring, endpoint protection, firewalls, email security, phishing defense.
Incident Response & Recovery
Breach containment, forensic investigation, system restoration.
vCISO & Consulting
(Virt. Chief Information Security Officer)
Policy development, governance, and executive reporting
Security Assessments
Know your risks. Protect what matters. Prove you’re compliant.
See Your True Security Posture – Before an Attacker Does
Small and mid-sized businesses across Manitoba are relying on cloud apps, remote work, and always-on connectivity. That also means more places for attackers to get in—and more ways an incident can impact your revenue, reputation, and customers.
Our Security Assessments give you a clear, prioritized view of your cyber risk across people, process, and technology. They’re the foundation of Prairie Cyber Security’s end-to-end approach—from assessment to protection to recovery.
You’ll get a practical roadmap, not a shelf-ware report—so you know exactly what to fix first, what can wait, and how to budget for improvements over time.
What’s Included in a Security Assessment
We structure every assessment around four core pillars:
1. Asset Protection
You can’t protect what you don’t know you have.
We start by mapping the assets that keep your business running:
- Systems & infrastructure – Servers, workstations, laptops, network devices, Wi-Fi, and remote access.
- Cloud & SaaS – Microsoft 365, Google Workspace, industry apps, backup platforms, and any other hosted tools your teams rely on.
- Data & records – Customer information, employee data, financial records, intellectual property, and (where applicable) personal health information.
- Business services – Key processes like payroll, billing, production systems, and line-of-business applications.
From there, we:
- Classify data based on sensitivity and business impact (what would really hurt if it was stolen, changed, or unavailable).
- Review current protections—backups, encryption, access controls, MFA, device security, and physical safeguards.
- Identify single points of failure and high-value targets that attackers would likely focus on.
Deliverable: A clear asset register and protection profile, showing what you have, where it lives, who can access it, and how well it’s currently defended.
2. Risk Audits
Next, we examine where real-world threats intersect with your assets.
Using proven frameworks—such as the NIST Cybersecurity Framework, widely adopted by small and medium-sized businesses for managing cyber risk, and aligned best practices like CIS Controls—we:
- Identify likely threats: ransomware, phishing, business email compromise, insider misuse, data loss, and service outages.
- Assess vulnerabilities in your environment (configuration weaknesses, missing patches, poor password hygiene, insecure remote access, etc.).
- Evaluate the likelihood and impact of different attack scenarios based on how your business actually operates.
- Consider non-technical risks: third-party vendors, manual processes, lack of documentation, or over-reliance on key individuals.
Where appropriate, we reference Canadian SMB guidance, including the Canadian Centre for Cyber Security’s baseline controls for small and medium organizations, to keep recommendations realistic and proportional for Prairie businesses.
Deliverable: A risk register that clearly ranks your top risks (High / Medium / Low) with plain-language explanations and business impact—not just technical jargon.
3. Gap Analysis
A risk picture is useful—but the real value comes from knowing where you fall short of accepted best practices and what to do about it.
Our gap analysis compares your current security controls against:
- Common SMB-appropriate frameworks (NIST CSF, CIS Controls “essential hygiene”).
- Baseline expectations from cyber insurers, auditors, and enterprise customers.
- Operational needs unique to your industry and the Prairie market.
We look at both:
- Technical gaps – Endpoint protection, email security, logging and monitoring, network segmentation, backup strategy, patching, identity and MFA, device hardening.
- Process & people gaps – Policies, procedures, incident response plans, onboarding/offboarding, vendor management, and staff awareness.
Each gap is:
- Rated by risk (how much it exposes your business).
- Mapped to practical fixes (technical changes, simple process improvements, or training).
- Sequenced into a roadmap so you can tackle “quick wins” fast and plan for larger initiatives over time.
Deliverable: A Gap Analysis & Remediation Plan—a prioritized list of improvements with effort estimates, dependencies, and suggested timelines (e.g., 0–3 months, 3–12 months, 12+ months).
4. Compliance Reviews
Even if you’re not chasing a formal certification, your customers, regulators, and insurers increasingly expect you to manage data responsibly and prove it.
Our compliance reviews are designed for Canadian SMBs and can be tailored to your environment—for example:
- Privacy & data protection:
  - Federal privacy law such as PIPEDA, which governs how private-sector organizations collect, use, and disclose personal information in the course of commercial activity.
  - Sector-specific requirements like Manitoba’s Personal Health Information Act (PHIA) if you handle personal health information.
- Industry & contractual expectations:
  - Payment card (PCI-DSS) considerations if you process credit cards.
  - Security expectations baked into enterprise customer contracts or vendor due-diligence questionnaires.
  - Cyber insurance questionnaires and minimum-control requirements.
We don’t just tell you whether you’re “compliant” or not—we:
- Identify gaps between your current practices and requirements.
- Highlight documentation and policy needs (e.g., privacy policy, incident response procedures, access control standards).
- Provide practical recommendations to help you demonstrate due diligence to auditors, customers, and regulators.
Deliverable: A Compliance Readiness Report that summarizes where you stand today, what evidence you already have, and what you need to put in place to reduce legal and contractual risk.
How Our Security Assessment Process Works
We follow a simple, structured approach designed for busy Manitoba business leaders:
- Free Discovery Call
  - Understand your business, systems, regulatory environment, and goals.
  - Agree on scope (locations, systems, cloud services, vendors) and level of depth.
- On-Site & Remote Assessment
  - Interviews with leadership, IT, and key staff.
  - Review of configurations, logs, and existing security tools.
  - Collection of relevant policies, procedures, and third-party documentation.
- Analysis, Reporting & Walk-Through
  - We consolidate findings into a clear, non-technical executive summary plus technical detail for IT.
  - Present the results to your leadership team, answer questions, and align on priorities.
- Roadmap & Optional Ongoing Support
  - You receive a prioritized action plan you can execute internally—or we can help implement and monitor improvements through our Managed Protection and Incident Response services.
What You Walk Away With
Every Security Assessment engagement includes:
- Executive summary – A plain-language overview of your current posture, top risks, and recommended next steps.
- Asset & data map – Visibility into what you’re protecting and where it resides.
- Risk register & gap analysis – Ranked findings you can use for budgeting, planning, and communication with your board or owners.
- Compliance readiness snapshot – A clear view of how prepared you are for privacy laws, customers’ security questionnaires, and insurance requirements.
- Actionable roadmap – 30/60/90-day actions plus longer-term initiatives, sized for SMB realities (time, staff, and budget).
You’ll have what you need to move from “we think we’re okay” to “we know where we stand and what we’re doing about it.”
Who This Service Is For
Our Security Assessments are designed for:
- Owners, CEOs, and executive teams who need confidence they’re not one incident away from a major disruption.
- IT managers and internal teams who want an expert, third-party view and a roadmap aligned with best practices.
- Organizations under customer, regulator, or insurer pressure to demonstrate stronger cybersecurity.
Whether you have an internal IT team, an external MSP, or a mix of both, we work collaboratively—not competitively—to make your environment safer.
Start With a Security Assessment
If you’re not sure how exposed you are—or where to invest next—our Security Assessment is the best place to start.
Book a free Security Assessment consultation to scope your environment, discuss timelines and pricing, and take the first step toward a more secure, resilient business.


