Redacted example — actual reports include your industry, company size, and framework selection.
Multi-factor authentication not configured for your admin portal. Brute-force attacks are feasible. PCI DSS 4.0 explicitly requires MFA for all access to the cardholder data environment. Without it, you'd fail a QSA audit on sight.
Framework: PCI DSS
Effort: High
Est. Cost: $$$

Quarterly user access reviews with documented sign-off are not in place. This is one of the most common Type II findings in SOC 2 audits — it's the difference between passing and having to re-audit.
Framework: SOC 2
Effort: Medium
Est. Cost: $$

TLS 1.0 still active on your patient intake endpoint. HIPAA technical safeguards require encryption of ePHI in transit. TLS 1.0 has known vulnerabilities and won't pass a HIPAA audit.
Framework: HIPAA
Effort: Medium
Est. Cost: $$

Your marketing automation tool processes EU customer data but there's no signed DPA on file. GDPR requires DPAs with all processors of EU personal data. The absence is a GDPR Art. 28 violation.
Framework: GDPR
Effort: Low
Est. Cost: $

PCI DSS requires quarterly firewall rule reviews with documented approval. No evidence of a formal review process was found. Stale or overly permissive rules are a common point of compromise.
Framework: PCI DSS
Effort: Medium
Est. Cost: $$