Six continuous stages. One defensible operating rhythm.
The Valentra Program Lifecycle turns asset discovery into board-ready Decision Packets so compliance committees lead with evidence — not assumptions.
The complete program lifecycle
Each stage feeds the next — assets inform risk, risk drives controls, controls produce evidence, evidence generates work, and work culminates in Decision Packets.
Assets
Inventory every server, database, application, and business process…
- 487 endpoints catalogued across 3 network segments
- Crown-jewel tagging applied to ePHI stores
- Shadow IT surface scan — 12 unsanctioned SaaS detected
Risks
Quantify exposure across the asset surface and prioritize by business impact.
- 14 critical findings from Q1 risk assessment
- Residual risk scored against revenue-at-risk model
- —
Controls
Map mitigating controls to each risk and track implementation status.
- 93 controls mapped — 78 operating, 11 planned, 4 compensating
- Cross-walk generated for 3 frameworks in 4.2 seconds
Evidence
Collect validation artifacts that prove controls are operating as designed.
- 217 evidence artifacts collected this cycle
- Automated screenshot capture for 48 technical controls
- Attestation gap: 3 controls awaiting vendor SOC 2 refresh
Workpending
Route remediation tasks, audit actions, and compliance work to the right teams.
- 6 remediation tickets open — 2 past SLA
- Patch cycle #38 awaiting change-advisory-board sign-off
- Penetration test follow-up scheduled 2026-06-02
Decisionsstale
Generate Decision Packets that give executives the signal to act with confidence.
- Next board packet due 2026-06-15
- Prior packet pkt_2026-04-17_a3f8e1 accepted with 1 override
Asset Discovery and Inventory
Assets stage
Every cybersecurity program begins with knowing what you have. The Asset stage continuously discovers, classifies, and tags every server, endpoint, application, database, SaaS subscription, and business process across the organization. Crown-jewel tagging surfaces the systems that hold ePHI or PII so risk analysis starts from the highest-impact surfaces. Without a living, auditable asset inventory, risk assessments operate on stale assumptions and control mappings miss shadow IT entirely. This stage feeds the Risk stage by producing the scoped asset surface that exposure analysis evaluates.
Risk Identification and Assessment
Risks stage
The Risk stage quantifies exposure across the scoped asset surface and prioritizes findings by business impact, not just technical severity. Each risk inherits the asset context from the previous stage — which crown-jewel systems are affected, what data classifications are at stake, and where compensating controls already exist. Residual risk is scored against a revenue-at-risk model so that compliance committees can compare remediation cost against exposure cost in the same terms the board uses. This stage feeds the Control stage by producing prioritized findings that demand mitigating controls.
Control Implementation and Monitoring
Controls stage
The Control stage maps mitigating controls to each prioritized risk and tracks their implementation status across the organization. Controls are cross-walked against multiple frameworks simultaneously — a single access-control policy can satisfy NIST CSF PR.AC, HIPAA addressable specifications, and HITRUST CSF requirements without duplicating assessment effort. Implementation status is tracked as operating, planned, or compensating so that gap reports reflect reality rather than policy intent. This stage feeds the Evidence stage by identifying which controls need validation artifacts to prove they operate as designed.
Evidence Collection and Attestation
Evidence stage
The Evidence stage collects validation artifacts that prove each mapped control is operating as designed — not merely documented. Automated screenshot capture, configuration exports, and log samples build an evidence library that auditors can review without scheduling walk-throughs. Attestation gaps surface where vendor SOC 2 reports are pending or manual attestation cycles have lapsed. Evidence freshness is tracked per control so that stale artifacts trigger re-collection before the next audit window. This stage feeds the Work stage by surfacing gaps that require remediation action.
Remediation Work and Tracking
Work stage
The Work stage routes remediation tasks, audit actions, and compliance work to the responsible teams with deadlines and SLA tracking. Each work item traces back through evidence gaps, control deficiencies, and the originating risk finding — maintaining the full audit chain from board directive to operational task. Past-SLA items surface in executive reporting so that compliance committees see which remediation commitments are at risk before the next attestation cycle. This stage feeds the Decision stage by producing the operational status data that Decision Packets synthesize.
Board-Ready Decision Packet Generation
Decisions stage
The Decision stage generates Decision Packets — structured executive summaries that give boards and compliance committees the signal to act with confidence. Each packet synthesizes the full lifecycle: which assets are in scope, what residual risks remain, how controls perform, where evidence gaps exist, and which remediation work is in progress or overdue. Decision Packets are versioned artifacts with acceptance records so that governance teams maintain a defensible audit trail of oversight activity. This stage completes the cycle by informing the next iteration of asset discovery and risk reassessment.