Valentra Labs is shaping Valentra Nexus with a founding cohort of design partners. Here is where that program stands today.
EnrollingDesign partners onboarding now
Updated
One continuous system. Six stages of program operation.
Each stage feeds the next — assets inform risk, risk drives controls, controls produce evidence, evidence generates work, and work culminates in Decision Packets.
Asset
Inventory every server, database, application, and business process your program protects.
Decision Packet
Decision Packet · v1.0
Q2 2026 — Crown-Jewel Risk Disposition
pkt_2026-04-17_a3f8e1·
Situation
Q2 program review covers the crown-jewel ePHI store and its supporting control envelope. 487 endpoints catalogued across three network segments; 12 unsanctioned SaaS surfaces detected by the shadow-IT scan. Continuous monitoring posture is operating; the residual question is risk acceptance for two compensating-control gaps surfaced this cycle.
Risk & Impact
14 critical findings scored against the revenue-at-risk model. Two compensating gaps (vendor-SOC-2 attestation lapse + patch-cycle #38 awaiting CAB sign-off) carry residual risk of $1.4M in unmitigated regulatory exposure if a HITRUST audit lands before remediation closes. Patient-data confidentiality remains the load-bearing impact dimension.
Options
Accept residual risk through Q3, with quarterly board re-review.
Accelerate remediation by re-prioritizing the patch cycle ahead of the planned Q3 platform migration (cost: 2 engineer-weeks).
Transfer risk via expanded cyber-insurance rider (cost: $48K/yr premium delta; coverage gap on ePHI exfiltration remains).
Recommendation
Pursue Option 2 — accelerate remediation. The 2 engineer-weeks of effort cost is recoverable in Q3; the residual exposure is asymmetric (regulatory floor of $1.4M vs. ~$120K labor delta). Document the patch-cycle re-prioritization as a logged decision with the program owner; close the SOC-2 attestation gap via vendor outreach in the same window. Insurance rider deferred to Q4 review.
Evidence
Twelve evidence artifacts back the recommendation — asset inventory, control mapping, vendor SOC-2 status, residual-risk model, patch-cycle telemetry, and the prior packet's audit trail. One control attestation is overridden with a documented compensating-control narrative; two vendor attestations are pending the Q2 refresh window.
Overridden per compensating-control narrative — see attached
Penetration test report — Q1 follow-up
#a5b6c7d8
stale
—
Prior packet audit trail — pkt_2026-01-09_b8c4e2
#b6c7d8e9
verified
—
Approval Chain
CIO and CISO have signed. The CCO signature is pending receipt of the vendor-SOC-2 refresh; the program owner has logged the override and the compensating-control narrative.
Chief Information OfficerM. AlvarezSigned 2026-04-17T14:08:11Z
Chief Information Security OfficerJ. ParkSigned 2026-04-17T14:18:42Z
ID.RARisk Assessment — the organization understands cybersecurity risk to operations, assets, and individuals.
Essential — Vuln MgmtPartialMitigate Known Vulnerabilities — reduce the likelihood of threat actors exploiting known weaknesses by scoping, scoring, and prioritizing exposure across the asset surface before it reaches the board…
Practice 7PartialVulnerability Management — identify, evaluate, and remediate technical vulnerabilities across the environment.
§164.308(a)(1)(ii)(A)Risk Analysis — accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI.
03.01.aStaleRisk Management Program — a formal program operated to manage information security risk to an acceptable level.
Valentra Nexus is the operating layer for cybersecurity programs: it continuously operates six stages from asset discovery to board-ready Decision Packets so compliance committees lead with evidence, not assumptions.