A home for answers.

Every system has security questions that need answering. The people who have the answers are spread across teams — infrastructure, identity, operations, legal, vendors. This tool routes the right questions to the right people, collects their answers with attribution and timestamps, chases them when they do not respond, and presents the status to the people who govern the portfolio.

How every question works

YES / NO / ? / SKIP, plus notes, files, links

"?" sets a deadline and delegates to the person who has the answer. Automated chaser every 48 hours. Their response, or their silence, is recorded.

The phases

0. Data declaration

What data do we hold? What obligations apply? Who is the data owner under GDPR? What risk exceptions are already known? This comes first because every subsequent phase depends on it.

1. Data journey

How does data move? Seven stages: Collect, Transmit, Process, Store, Share, Retain, Dispose. Four questions at each stage, each with specific sub-prompts. Roughly 160 control points across the full journey. Each one: mine or someone else's.

2. Cyber wrapper

What protects the data? Nine areas: components, processing, geography, access, build, suppliers, identity & access, logging & visibility, permission models. Each area confirmed by a named person with a timestamp.

3. Operational upkeep

Who keeps it running and secure day to day? Eight areas: SOC, DFIR, vulnerability management, patch management, change management, access reviews, monitoring & alerting, BCP/DR. Each area confirmed by a named person.

4. Outcomes, evidence, and reporting

39 CAF outcomes assessed against the evidence collected in phases 0–3. DSPT Objective E for NHS. Each outcome has an IGP checklist, rationale, and evidence links. Decisions recorded with supersede chains. The compliance record writes itself as the work gets done.
