IT assessment anchored to CIS Controls for mid-market operators
Full IT assessment across governance, infrastructure, data, and security on a mid-sized resort operator. Thirty-three findings, CIS Controls IG1 coverage flagged on every one, prioritized 38-item roadmap.
Who this is for. Mid-sized operators in hospitality, manufacturing, retail, and regulated mid-market where IT has been running on narrow in-house capacity, infrastructure has aged, and leadership needs a defensible picture of actual risk before committing to spend. Anyone whose last “assessment” was a vendor pitch dressed up as a report.
The capability. A framework-anchored IT assessment across governance, service desk, infrastructure, data, and security. Anchored to CIS Controls Implementation Group 1 (IG1) as the baseline. Deliverable is a traceable matrix of findings mapped to specific controls with measurable evidence, and a prioritized roadmap your IT team or partner can execute against.
About CIS Controls IG1. The Center for Internet Security publishes a prioritized catalog of cybersecurity safeguards. IG1 is the baseline tier, the set of controls every organization should have in place before investing in anything more advanced: multi-factor authentication, limiting administrator rights, keeping systems patched and securely configured, centralizing logs, maintaining tested off-site backups, and knowing what hardware and software actually exists on the network. That is where mid-sized operators need to be first. Endpoint detection and response, security event correlation tooling, and advanced Microsoft 365 controls come next, as capacity allows.
How I run the assessment
Ground it in real evidence. Network vulnerability scans across internal segments. Forensic imaging and offline analysis of selected endpoints. Firewall configuration export and log review. On-site walkthroughs of server rooms, wiring closets, and guest or public-facing Wi-Fi infrastructure. Stakeholder interviews with the executive sponsor, IT leadership, and the hands-on technicians.
Fix what can be fixed while the audit is running. When scans surface an internet-facing firewall management interface or firmware with actively exploited vulnerabilities, I flag it and work with IT to close it during the engagement. The assessment does not wait for the final report to reduce risk.
Deliver a working document, not a shelf document. Every finding becomes a row in a traceable matrix: the finding itself, the recommended action, the specific CIS Controls it satisfies, whether it achieves full or partial IG1 coverage, and the evidence or metric that will prove the fix took. IT is instructed to treat the matrix as a living ledger and to add columns for Owner, Start and Target Dates, and Status, with monthly progress reported on the metrics that matter: how many users have MFA, what percentage of systems are fully patched, how much of the network is being logged centrally, whether backups have been test-restored, and how fast known vulnerabilities are being closed.
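A minimal version of that living ledger, as an added example rather than the assessor's own tooling: rows carry the matrix columns described above, one function rolls up the best IG1 coverage reached per safeguard once a row is closed, and another produces the monthly status and metric-gap report. It assumes CIS Controls v8 safeguard numbering; the findings, owners and metric readings are constructed sample data.

```python
# Added example of the living traceability ledger; not the assessor's own
# tooling. Safeguard IDs assume CIS Controls v8 (6.5 MFA for admin access,
# 7.3 automated OS patching, 8.2 collect audit logs, 11.5 test data recovery);
# every finding, owner and metric reading below is constructed sample data.
from dataclasses import dataclass


@dataclass
class Finding:
    fid: str
    finding: str
    action: str
    safeguards: tuple        # CIS v8 safeguard IDs the action satisfies
    coverage: str            # "full" or "partial" IG1 coverage once done
    evidence: str            # metric that will prove the fix took
    owner: str = ""          # ledger columns IT is asked to maintain
    status: str = "open"     # open / in-progress / done
    metric_value: float = 0  # latest monthly reading of the metric
    metric_target: float = 100


def coverage_by_safeguard(rows):
    """Best IG1 coverage per safeguard, counting only finished rows."""
    best = {}
    for r in rows:
        if r.status != "done":
            continue
        for sg in r.safeguards:
            if best.get(sg) != "full":  # upgrade partial to full, never downgrade
                best[sg] = r.coverage
    return best


def monthly_report(rows):
    """Status counts plus, for unfinished rows, the gap to the metric target."""
    counts = {"open": 0, "in-progress": 0, "done": 0}
    gaps = [(r.fid, r.evidence, r.metric_target - r.metric_value)
            for r in rows if r.status != "done"]
    for r in rows:
        counts[r.status] += 1
    return counts, sorted(gaps, key=lambda g: -g[2])  # largest gap first


MATRIX = [  # constructed sample rows, not findings from the engagement
    Finding("F-01", "Admin accounts lack MFA", "Enforce MFA for all admins", ("6.5",),
            "full", "% admin users with MFA", "IT lead", "in-progress", 60),
    Finding("F-02", "Server segment unpatched", "Automate server OS patching", ("7.3",),
            "partial", "% servers fully patched", "Sysadmin", "open", 35),
    Finding("F-03", "Firewall logs not centralized", "Forward logs to central store",
            ("8.2",), "partial", "% devices logging centrally", "IT lead", "done", 100),
    Finding("F-04", "Backups never test-restored", "Quarterly restore test", ("11.5",),
            "full", "Restore tests completed this quarter", "Sysadmin", "open", 0, 1),
]
```

Running `monthly_report(MATRIX)` each month gives the status rollup and the metric gaps in priority order; `coverage_by_safeguard(MATRIX)` shows which IG1 safeguards the closed rows have actually satisfied.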
Expand scope when the narrow scope stops making sense. Assessments often start as a narrow Microsoft 365 investigation or a specific infrastructure question. When the technical review surfaces a broader picture, the engagement rewrites cleanly into a full assessment rather than finishing a line of inquiry that has stopped mattering.
What you get
- Current-state IT assessment across governance, service desk, infrastructure, data, and security
- CIS Controls traceability matrix with finding-level IG1 coverage flags and measurable evidence per item
- Prioritized 30 to 40 item roadmap with sequencing and effort
- Executive briefing deck for the board or leadership team
- Optional follow-on: remediation leadership as a separate engagement
Demonstrated outcomes
Engagement for a mid-sized resort operator in the Pacific region: approximately six weeks from kickoff through report presentation, ten business days on site. Anonymized.
- Full current-state IT assessment across governance, service desk, infrastructure, data, and security, delivered to executive leadership.
- 616 vulnerabilities identified across three internal network segments, including 177 high-severity findings on the server network alone.
- Forensic-confirmed compromise of one Windows laptop, where malware had arrived bundled with a 7-Zip installer downloaded from a non-official source, and one Android phone, where certificate store corruption was blocking security updates and antivirus definition refreshes.
- Critical firewall exposures closed during the engagement, including an internet-facing management interface and firmware carrying vulnerabilities known to be actively exploited in the wild.
- CIS Controls traceability matrix with 33 findings and IG1 coverage flags, with a specific evidence or metric defined for every item.
- Prioritized 38-item roadmap framed as a 90-day trajectory with partner support, or 120 to 180 days with internal staff augmentation.
When to reach out
Any of the following should prompt a call.
- A peer operator up the street just survived a ransomware attack and you do not know whether your own cybersecurity posture is where it needs to be.
- You engaged IT to fix a narrow problem and the investigation has surfaced bigger issues nobody has mapped.
- You have never had a framework-anchored picture of your security posture, and you are tired of vendor reports that hand you a list without a sequence.
- You have aging infrastructure, unclear ownership, and a general manager, CFO, or board member asking the right question: what is our actual risk, and what do we do about it first.
- You need a defensible answer for a procurement or customer security questionnaire, and the existing documentation will not hold up.