Skip to content
Platform · Valentra Nexus

Valentra Nexus turns asset discovery into board-ready Decision Packets.

Valentra Nexus continuously operates six program stages so compliance committees lead with evidence — not assumptions.

Design partners

Valentra Labs is shaping Valentra Nexus with a founding cohort of design partners. Here is where that program stands today.

Enrolling Design partners onboarding now

Updated

One continuous system. Six stages of program operation.

Each stage feeds the next — assets inform risk, risk drives controls, controls produce evidence, evidence generates work, and work culminates in Decision Packets.

Asset

Inventory every server, database, application, and business process your program protects.

Decision Packet

Decision Packet · v1.0

Q2 2026 — Crown-Jewel Risk Disposition

pkt_2026-04-17_a3f8e1

Situation

Q2 program review covers the crown-jewel ePHI store and its supporting control envelope. 487 endpoints catalogued across three network segments; 12 unsanctioned SaaS surfaces detected by the shadow-IT scan. Continuous monitoring posture is operating; the residual question is risk acceptance for two compensating-control gaps surfaced this cycle.

Risk & Impact

14 critical findings scored against the revenue-at-risk model. Two compensating gaps (vendor-SOC-2 attestation lapse + patch-cycle #38 awaiting CAB sign-off) carry residual risk of $1.4M in unmitigated regulatory exposure if a HITRUST audit lands before remediation closes. Patient-data confidentiality remains the load-bearing impact dimension.

Options

  1. Accept residual risk through Q3, with quarterly board re-review.
  2. Accelerate remediation by re-prioritizing the patch cycle ahead of the planned Q3 platform migration (cost: 2 engineer-weeks).
  3. Transfer risk via expanded cyber-insurance rider (cost: $48K/yr premium delta; coverage gap on ePHI exfiltration remains).

Recommendation

Pursue Option 2 — accelerate remediation. The 2 engineer-weeks of effort cost is recoverable in Q3; the residual exposure is asymmetric (regulatory floor of $1.4M vs. ~$120K labor delta). Document the patch-cycle re-prioritization as a logged decision with the program owner; close the SOC-2 attestation gap via vendor outreach in the same window. Insurance rider deferred to Q4 review.

Evidence

Twelve evidence artifacts back the recommendation — asset inventory, control mapping, vendor SOC-2 status, residual-risk model, patch-cycle telemetry, and the prior packet's audit trail. One control attestation is overridden with a documented compensating-control narrative; two vendor attestations are pending the Q2 refresh window.
ArtifactHashStatusDetailCaptured
Asset inventory snapshot — 487 endpoints#a3f8e1b2verified
Control mapping cross-walk — 93 controls#b7c4d9e0verified
Vendor SOC-2 attestation — current#c9d0e2f1pendingRefresh window opens 2026-05-12; vendor confirmed window…
Vendor SOC-2 attestation — secondary processor#d2e3f4a5pending
Residual-risk model — revenue-at-risk#e1f2a3b4verified
Patch cycle #38 — CAB queue position#f3a4b5c6overridden
Overridden per compensating-control narrative — see attached
Penetration test report — Q1 follow-up#a5b6c7d8stale
Prior packet audit trail — pkt_2026-01-09_b8c4e2#b6c7d8e9verified

Approval Chain

CIO and CISO have signed. The CCO signature is pending receipt of the vendor-SOC-2 refresh; the program owner has logged the override and the compensating-control narrative.
  1. Chief Information OfficerM. AlvarezSigned 2026-04-17T14:08:11Z
  2. Chief Information Security OfficerJ. ParkSigned 2026-04-17T14:18:42Z
  3. Chief Compliance OfficerPending signatureAwaiting vendor SOC-2 refresh — window opens 2026-05-12
Generated by Valentra Nexuspkt_2026-04-17_a3f8e1

Framework Alignment

Framework alignment matrix — Valentra Nexus lifecycle stages crossed with NIST CSF 2.0, HHS HPH CPGs, 405(d) HICP, HIPAA Security Rule, and HITRUST CSF v11.x. Each cell shows the relevant control reference.
Lifecycle stageNIST CSF 2.0HHS HPH CPGs405(d) HICPHIPAA Security RuleHITRUST CSF v11.x
AssetID.AMAsset Management — physical devices, systems, software platforms, and data flows inventoried and prioritized by criticality.N/AHHS HPH CPGs address inventory only under broader governance goals; no stage-level Asset control maps directly.Practice 5IT Asset Management — maintain an accurate inventory of endpoints, servers, and medical devices across the enterprise.§164.310(d)(1)Device and Media Controls — policies governing receipt and removal of hardware and electronic media that contain ePHI.07.01.aInventory of Assets — all assets clearly identified and an inventory of all important assets drawn up and maintained.
RiskID.RARisk Assessment — the organization understands cybersecurity risk to operations, assets, and individuals.Essential — Vuln MgmtPartialMitigate Known Vulnerabilities — reduce the likelihood of threat actors exploiting known weaknesses by scoping, scoring, and prioritizing exposure across the asset surface before it reaches the board…Practice 7PartialVulnerability Management — identify, evaluate, and remediate technical vulnerabilities across the environment.§164.308(a)(1)(ii)(A)Risk Analysis — accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI.03.01.aStaleRisk Management Program — a formal program operated to manage information security risk to an acceptable level.
ControlPR.AA / PR.PSProtect — identity management, authentication, access control, and platform security safeguards are deployed and managed.Essential — MFAMultifactor Authentication — strong MFA deployed across the organization to reduce credential-based compromise.Practice 3Access Management — provision, review, and revoke access to systems and ePHI based on least privilege.§164.312Technical Safeguards — access control, audit controls, integrity, authentication, and transmission security for ePHI.09.01.aDocumented Operating Procedures — operating procedures documented, maintained, and made available to all users who need them.
EvidenceDE.CMContinuous Monitoring — assets are monitored to find anomalies, indicators of compromise, and other adverse events.N/AHHS HPH CPGs are stated as outcome goals, not attestation controls; no stage-level Evidence control maps directly.§3.4Audit Logs and Monitoring — collect, protect, and review audit logs that demonstrate controls are operating as designed.§164.312(b)Audit Controls — hardware, software, and procedural mechanisms that record and examine activity in systems containing ePHI.09.10.aAudit Logging — audit logs recording user activities, exceptions, and information security events produced and retained.
WorkRS.MIMitigation — activities performed to prevent expansion of an event and to mitigate its effects.Goal 4Cybersecurity Governance — accountable leadership routes remediation and oversight work to the responsible teams.Practice 8PartialSecurity Operations and Incident Response — triage, route, and track remediation work through to closure.§164.308(a)(1)(ii)(B)Risk Management — implement security measures sufficient to reduce risks and vulnerabilities to a reasonable level.11.01.aReporting Information Security Events — security events reported through appropriate channels and remediated.
DecisionGV.OCOrganizational Context — the circumstances surrounding the organization's cybersecurity risk management decisions are understood.Enhanced — GovernancePartialCybersecurity Governance (Enhanced) — board-level oversight of the cybersecurity program and its risk decisions.N/A405(d) HICP is a practice-level technical framework; no board-Decision control maps directly to this stage.§164.308(a)(8)Evaluation — periodic technical and nontechnical evaluation establishing the extent to which safeguards meet the Rule.05.01.aManagement Direction for Information Security — management provides direction and support for information security decisions.
Generated by Valentra Nexusas offa_2026-05-14_7c3aed

Take this Decision Packet to your team

Add your work email and we'll send the canonical Decision Packet — yours to take into a procurement review.

Valentra Nexus is the operating layer for cybersecurity programs: it continuously operates six stages from asset discovery to board-ready Decision Packets so compliance committees lead with evidence, not assumptions.

as of HIPAA Security Rule §164.308