Manual Remediation Checklist
Current compliance state is tracked by automated verification:
Nightly verification runs via system-verify.yml at 05:00 UTC and commits results to automation/reports/status.json.
Resolved Items
| # | System | Check | Resolution |
|---|---|---|---|
| 1 | GitHub | org_2fa_required | Enabled org-wide 2FA |
| 2 | GitHub | push_protection_enabled | Accepted risk — requires GHAS/Enterprise. Compensating: Claude Security Review workflow, secret scanning, Doppler-only secrets |
| 3 | Slack | required_channels | #security-alerts and #incidents created, bot added |
| 4 | Cloudflare | ssl_strict (3 zones) | Bootstrap enforced Full (strict) on all zones |
| 5 | Cloudflare | https_redirect (3 zones) | Bootstrap enforced Always Use HTTPS on all zones |
| 6 | Cloudflare | waf_active (3 zones) | WAF managed rulesets active on all zones |
| 7 | Cloudflare | rate_limiting (3 zones) | Accepted risk — requires Pro plan. Compensating: WAF + DDoS + GCP Cloud Monitoring |
| 8 | Google Workspace | password_policy | Min length 12, strong, enforce at login |
| 9 | Google Workspace | mfa_enforcement | Org-level 2FA enforcement enabled |
| 10 | Google Workspace | org_unit_structure | Engineering, Operations, Finance, Leadership OUs created |
| 11 | Google Workspace | vault_access | Vault API enabled, 1yr retention rules for Email/Drive/Chat |
| 12 | Google Workspace | managed_devices | 3 devices enrolled and approved (BYOD — company-owned only) |
| 13 | Google Workspace | dlp_rules_active | DLP rules configured and triggering |
| 14 | Google Workspace | context_aware_access | CEL-based CAA policy active on Admin Console and Vault |
| 15 | 1Password | vault_structure | Events API confirms active vaults with usage |
| 16 | Supabase | pitr_enabled | Accepted risk — compensated by daily B2 backups + 365-day retention |
| 17 | Backblaze | All checks | Buckets private, lifecycle rules set, keys scoped |
| 18 | Doppler | All checks | Project exists, env separation (dev/stg/prd), tokens scoped |
| 19 | GCP Cloud Monitoring | alert_policies_enabled | Alert policies configured with Slack notification channel |
Open Items
| # | System | Check | Status | Owner |
|---|---|---|---|---|
| 1 | Google Workspace | mfa_enrollment | FAIL — 3 users (gavin, mihai, sara) in enrollment grace period | Users |
| 2 | Supabase | rls_enforced | FAIL — 3 tables missing RLS: org_charts, org_chart_nodes, org_chart_snapshots | CTO |
Accepted Risks
Formally documented in automation/config/accepted-risks.yaml. Review date: 2026-08-20.
| Risk | Control | Compensating Controls |
|---|---|---|
| Supabase PITR off | CC7.5 | Daily B2 backups, 365-day retention |
| GitHub push protection off | CC5.3 | Claude Security Review workflow, secret scanning, Doppler-only secrets |
| Cloudflare rate limiting (3 zones) | CC6.6 | WAF, DDoS protection, GCP Cloud Monitoring |
Do not manually edit resolved items — they are confirmed by system-verify.yml.