Information Security Gap Assessment

Deji Clinic | Conducted by: Bola Lawal (Risk Assessor)

Project Objective

  • To assess Deji Clinic’s information security posture, identify vulnerabilities, and recommend improvements to align with industry best practices using the CIS Controls framework.

Assessment Methodology

  1. Data Collection – Reviewed policies, access logs, and system configurations.
  2. CIS Controls Mapping – Benchmarked current practices against CIS Controls v8.
  3. Risk Analysis – Identified critical vulnerabilities based on impact and likelihood.
  4. Reporting – Documented findings with actionable remediation steps.

Key Findings

  • Lack of Multi-Factor Authentication (MFA) for system access.
  • Inconsistent patch management for medical systems.
  • No formal incident response plan.
  • Weak password policy and unencrypted backups.

Risk Prioritization

  1. High: Absence of MFA and weak password controls.
  2. Medium: Missing incident response procedures.
  3. Low: Outdated patching and encryption practices.

Recommendations

  • Implement MFA for all user accounts.
  • Establish a structured patch management policy.
  • Develop and test an incident response plan.
  • Encrypt all system backups and critical data.
  • Conduct quarterly internal audits.

Conclusion

  • Deji Clinic demonstrates awareness of cybersecurity best practices but requires structured governance and enforcement of technical controls. Implementing the recommended measures will strengthen overall resilience.