Skip to content
Methodology · Valentra Program Lifecycle

Six continuous stages. One defensible operating rhythm.

The Valentra Program Lifecycle turns asset discovery into board-ready Decision Packets so compliance committees lead with evidence — not assumptions.

The complete program lifecycle

Each stage feeds the next — assets inform risk, risk drives controls, controls produce evidence, evidence generates work, and work culminates in Decision Packets.

AssetsRisksControlsEvidenceWorkpendingDecisionsstaleGenerated by Valentra Nexus · v1.0

Assets

Inventory every server, database, application, and business process…

  • 487 endpoints catalogued across 3 network segments
  • Crown-jewel tagging applied to ePHI stores
  • Shadow IT surface scan — 12 unsanctioned SaaS detected
#a3f8e1b2 · NIST CSF 2.0 ID.AM

Risks

Quantify exposure across the asset surface and prioritize by business impact.

  • 14 critical findings from Q1 risk assessment
  • Residual risk scored against revenue-at-risk model
#b7c4d9e0fa · HIPAA §164.308(a)(1)(ii)(A)

Controls

Map mitigating controls to each risk and track implementation status.

  • 93 controls mapped — 78 operating, 11 planned, 4 compensating
  • Cross-walk generated for 3 frameworks in 4.2 seconds
#c9d0e2f1a3 · HITRUST CSF v11.3 09.01.a

Evidence

Collect validation artifacts that prove controls are operating as designed.

  • 217 evidence artifacts collected this cycle
  • Automated screenshot capture for 48 technical controls
  • Attestation gap: 3 controls awaiting vendor SOC 2 refresh
405(d) HICP §3.4

Workpending

Route remediation tasks, audit actions, and compliance work to the right teams.

  • 6 remediation tickets open — 2 past SLA
  • Patch cycle #38 awaiting change-advisory-board sign-off
  • Penetration test follow-up scheduled 2026-06-02

Decisionsstale

Generate Decision Packets that give executives the signal to act with confidence.

  • Next board packet due 2026-06-15
  • Prior packet pkt_2026-04-17_a3f8e1 accepted with 1 override
Download diagram (PNG, 2000 px)
Valentra Program Lifecycle — 2026-05-14T14:23:07Z

Asset Discovery and Inventory

Assets stage

Every cybersecurity program begins with knowing what you have. The Asset stage continuously discovers, classifies, and tags every server, endpoint, application, database, SaaS subscription, and business process across the organization. Crown-jewel tagging surfaces the systems that hold ePHI or PII so risk analysis starts from the highest-impact surfaces. Without a living, auditable asset inventory, risk assessments operate on stale assumptions and control mappings miss shadow IT entirely. This stage feeds the Risk stage by producing the scoped asset surface that exposure analysis evaluates.

NIST CSF 2.0 · ID.AM — Asset ManagementHIPAA · §164.310(d)(1) — Device and Media ControlsHITRUST CSF v11.x · 07.01.a — Inventory of Assets

Risk Identification and Assessment

Risks stage

The Risk stage quantifies exposure across the scoped asset surface and prioritizes findings by business impact, not just technical severity. Each risk inherits the asset context from the previous stage — which crown-jewel systems are affected, what data classifications are at stake, and where compensating controls already exist. Residual risk is scored against a revenue-at-risk model so that compliance committees can compare remediation cost against exposure cost in the same terms the board uses. This stage feeds the Control stage by producing prioritized findings that demand mitigating controls.

NIST CSF 2.0 · ID.RA — Risk AssessmentHIPAA · §164.308(a)(1)(ii)(A) — Risk AnalysisHITRUST CSF v11.x · 03.01.a — Risk Management Program

Control Implementation and Monitoring

Controls stage

The Control stage maps mitigating controls to each prioritized risk and tracks their implementation status across the organization. Controls are cross-walked against multiple frameworks simultaneously — a single access-control policy can satisfy NIST CSF PR.AC, HIPAA addressable specifications, and HITRUST CSF requirements without duplicating assessment effort. Implementation status is tracked as operating, planned, or compensating so that gap reports reflect reality rather than policy intent. This stage feeds the Evidence stage by identifying which controls need validation artifacts to prove they operate as designed.

NIST CSF 2.0 · PR — Protect (all subcategories)HIPAA · §164.312 — Technical SafeguardsHITRUST CSF v11.x · 09.01.a — Documented Operating Procedures

Evidence Collection and Attestation

Evidence stage

The Evidence stage collects validation artifacts that prove each mapped control is operating as designed — not merely documented. Automated screenshot capture, configuration exports, and log samples build an evidence library that auditors can review without scheduling walk-throughs. Attestation gaps surface where vendor SOC 2 reports are pending or manual attestation cycles have lapsed. Evidence freshness is tracked per control so that stale artifacts trigger re-collection before the next audit window. This stage feeds the Work stage by surfacing gaps that require remediation action.

NIST CSF 2.0 · DE.CM — Continuous MonitoringHIPAA · §164.312(b) — Audit Controls405(d) HICP · §3.4 — Audit Logs and Monitoring

Remediation Work and Tracking

Work stage

The Work stage routes remediation tasks, audit actions, and compliance work to the responsible teams with deadlines and SLA tracking. Each work item traces back through evidence gaps, control deficiencies, and the originating risk finding — maintaining the full audit chain from board directive to operational task. Past-SLA items surface in executive reporting so that compliance committees see which remediation commitments are at risk before the next attestation cycle. This stage feeds the Decision stage by producing the operational status data that Decision Packets synthesize.

NIST CSF 2.0 · RS.MI — MitigationHIPAA · §164.308(a)(1)(ii)(B) — Risk ManagementHHS HPH CPGs · Goal 4 — Cybersecurity Governance

Board-Ready Decision Packet Generation

Decisions stage

The Decision stage generates Decision Packets — structured executive summaries that give boards and compliance committees the signal to act with confidence. Each packet synthesizes the full lifecycle: which assets are in scope, what residual risks remain, how controls perform, where evidence gaps exist, and which remediation work is in progress or overdue. Decision Packets are versioned artifacts with acceptance records so that governance teams maintain a defensible audit trail of oversight activity. This stage completes the cycle by informing the next iteration of asset discovery and risk reassessment.

NIST CSF 2.0 · GV.OC — Organizational ContextHIPAA · §164.308(a)(8) — EvaluationHITRUST CSF v11.x · 05.01.a — Management Direction for Information Security

The Valentra Program Lifecycle is a six-stage continuous methodology — asset discovery, risk, controls, evidence, work, and board-ready Decision Packets — giving compliance committees a defensible, evidence-driven operating rhythm.

as of NIST CSF 2.0