Playground — Threat Model — The Clearing Room

Readiness Threat model maturity.

Discovery

78% Strong foundation. Component and access mapping enables credible journey answers.

Journey

57% Share, Retain, and Dispose stages have partial answers. Downstream outcome assessments for B4, B5, and D1 are weakened without complete journey coverage.

Outcomes

31% 12 of 39 contributing outcomes assessed. B3.a is not-achieved with no remediation evidence linked. Gaps in Objective B reduce confidence in the security posture claim.

Evidence

42% 5 evidence items linked. B3.a (not-achieved) and C2.a (partial) have no supporting evidence — these are the weakest claims in the model.

Assumptions

71% 7 assumptions surfaced, 2 with errata. 3 remain untested — until tested, they represent unvalidated risk acceptance.

Delegation

100% 1 question deferred and answered. No outstanding delegations.

This threat model is partially complete. The discovery phase is strong but the journey and outcome coverage has gaps that weaken the overall security posture claim. An auditor would flag the unlinked evidence on not-achieved outcomes and the untested assumptions as material gaps.

Phase 1 Discovery Map the system before modelling threats

01 Components 60%

Web applicationAPI / backend serviceDatabaseMessage queue / event busObject / file storageCache layerLoad balancer / reverse proxyMobile applicationDesktop applicationBatch / scheduled jobsML / AI modelIoT / edge deviceDNS / domain managementEmail serviceSearch index

02 Processing 70%

Real-time / synchronousBatch / asynchronousStream processingManual / human-in-the-loopAutomated decisions about peopleProfilingAggregation / analyticsData transformationEncryption / decryption operationsBackup and restore

03 Geography 33%

UK onlyEU / EEAUnited StatesOther international locationsSingle cloud regionMulti-region cloudOn-premises data centreHybrid (cloud + on-prem)Edge / distributed locationsThird-party data centre (colocation)Staff devices (laptops, phones)Remote / home working

04 Access 70%

Internal staffContractors / temporary staffExternal users / customersPublic / unauthenticatedThird-party organisationsService accounts / machine-to-machinePrivileged administratorsSupport / helpdeskDevelopersAuditors / compliance

05 Build 40%

Custom-built / in-houseCOTS (commercial off-the-shelf)Open sourceManaged service / SaaSLow-code / no-code platformLegacy / inherited systemForked / modified open sourceMicroservices architectureMonolithic architectureServerless / FaaS

06 Suppliers 58%

Cloud infrastructure providerPayment processorEmail / communication providerAuthentication providerCDN / DDoS protectionMonitoring / observabilityAnalytics / trackingCI/CD pipelinePackage registriesDNS / domain registrarBackup / DR providerSecurity / consulting firms

07 Identity & Access 62%

Single sign-on (SSO)Multi-factor authenticationRole-based access controlAttribute-based access controlPrivileged access managementAPI keys / tokensOAuth / OIDCCertificate-based authenticationIP allowlistingVPN / zero-trust network accessJust-in-time access provisioningRegular access reviewsJoiners / movers / leavers process

08 Logging & Visibility 75%

Application logsAccess / authentication logsAudit trail (who did what, when)Infrastructure / cloud logsSIEM / centralised log aggregationAlerting on anomaliesUptime / availability monitoringApplication performance monitoringVulnerability scanningDependency / SBOM scanningRegular penetration testingIncident response plan

09 Permission Models 70%

Admin roles documentedData access mapped to rolesAPI access controlled and scopedDeployment access restrictedDirect database access controlledSecrets management in placeLeast privilege principle appliedSeparation of duties enforcedBreak-glass / emergency access procedurePermission drift monitored

Phase 2 Common criteria Data types, obligations, and known exceptions across all stages

Data types in play

Personal data (Art 4(1))Financial / paymentCredentials / secretsCommunications metadataCommercial confidential

Obligations that apply

UK GDPRData Protection Act 2018PCI DSSCyber Essentials / CE+Contractual (DPA / DSA)NCSC CAF

Known risk exceptions

Deferred remediation (with timeline)Vendor dependency — awaiting fixAccepted residual risk (documented)

Phase 3 Information journey Seven stages, four questions each, with sub-prompts and confidence

01 Collect Sarah MitchellHead of Information Security

Q1. What are we collecting at this stage?

6/7 Good

Customer PII (name, email, phone, billing address) via web registration form. Payment card details entered directly into Stripe Elements iframe — never touches our servers. Support tickets via authenticated web form with optional file attachment (max 10MB). SSO tokens from Google/Microsoft OAuth for enterprise customers.

Source of data is authenticatedData integrity verified on receiptSchema or format validation in placeConsent mechanism documentedLawful basis identified and recordedData minimisation applied — only what is neededProvenance of data is traceable

Q2. What can go wrong here?

4/6 Moderate

Registration form accepts free-text fields — injection risk on name and address fields. Email validation is client-side only, no server-side verification of deliverability. File attachments on support tickets could contain malware. OAuth state parameter must be validated to prevent CSRF. No rate limiting on registration endpoint — enumeration and bot abuse risk.

Injection or tampering risk assessedSource spoofing or impersonation consideredOver-collection risk assessedAvailability dependency on source identifiedWhat happens if data arrives corrupted or incompleteAssumptions about data quality are named

Q3. What are we going to do about it?

4/5 Good

Server-side input validation with strict allowlists on all PII fields. Email verification link required before account activation. File attachments scanned by ClamAV before storage. OAuth state validated server-side with PKCE. Registration endpoint rate-limited to 5 attempts per IP per hour. All collection events logged with timestamp and source IP.

Input validation implementedRate limiting or abuse prevention in placeCollection events logged with timestampsFallback or degradation behaviour definedRejection criteria documented — what we refuse

Q4. Did we do a good enough job at this stage?

3/4 Low

Input validation tested with OWASP testing guide payloads. Registration rate limiting confirmed under load test. However, we have not tested the ClamAV integration with polymorphic samples — only EICAR test file. The OAuth PKCE flow has been reviewed but not pen-tested independently. Residual risk: sophisticated file-based attacks may bypass scanning.

Tested with adversarial or malformed inputReviewed by someone other than the implementerResidual risk documented and acceptedControls are proportionate to the data sensitivity

Confidence note: ClamAV gap and no independent pen test of OAuth flow.

02 Transmit Dev PatelInfrastructure Lead

Q1. What journeys does the data take?

5/5 High

Browser to platform: TLS 1.3 terminated at load balancer. Platform to PostgreSQL: TLS within VPC. Platform to Stripe: TLS 1.2+ to Stripe API endpoints. Platform to email provider: TLS to SendGrid API. Internal service mesh uses mTLS between microservices.

Encryption in transit (TLS 1.2+)Trust boundaries mapped and documentedNetwork segmentation documentedAll intermediaries identified (CDN, proxy, gateway)Certificate pinning or validation considered

Q2. What can go wrong in transit?

3/5 Moderate

Load balancer terminates TLS — traffic within the VPC is encrypted but the load balancer has access to plaintext. SendGrid API key transmitted in HTTP headers — if intercepted at the provider side, email sending could be hijacked. No certificate pinning on mobile app — susceptible to corporate proxy interception.

Man-in-the-middle risk assessedData leakage in transit (headers, logs, errors) consideredDNS and routing integrity verifiedProtocol downgrade attacks consideredReplay attack risk assessed

Q3. What are we going to do about it?

3/4 Good

VPC peering with no public internet exposure for database traffic. Stripe API keys rotated quarterly and stored in AWS Secrets Manager. SendGrid API key scoped to send-only permissions. Mobile app uses public key pinning with backup keys. All inter-service traffic logged at the mesh level.

Mutual authentication where appropriateMessage integrity checks (HMAC, signatures)Channel binding or token binding consideredTransit anomalies monitored and alerted

Q4. Did we do a good enough job?

3/3 Moderate

Network architecture reviewed by external consultant in January 2026. Certificate pinning tested on both iOS and Android builds. However, the mTLS certificate rotation is manual — automated rotation not yet implemented. This is a known operational risk.

Tested across all identified pathsNetwork architecture reviewed independentlyResidual transit risk documented

03 Process Sarah MitchellHead of Information Security

Q1. What processing actually happens?

6/7 Good

Billing calculation: usage metering aggregated hourly, invoiced monthly via Stripe. Customer segmentation: automated tier assignment based on usage thresholds (no human profiling). Support ticket routing: keyword-based assignment to team queues. Account deactivation: automated after 90 days of non-payment with 3 warning emails. All processing performed by the platform team in London. No offshore processing. No automated individual decision-making under Art 22.

Processing purposes documented and limitedWho performs the processing (role, team, third party)Where processing occurs (jurisdiction, infrastructure)Under what authority or delegationAutomated decision-making identified (Art 22)Profiling assessed — does this build a profile of individualsData enrichment or combination with other sources

Q2. What can go wrong in processing?

4/6 Moderate

Billing calculation errors could result in overcharging — financial and reputational impact. Tier assignment logic is opaque to customers — could be perceived as unfair even though it is rule-based. Support ticket routing by keyword could misroute sensitive security reports to general support. Account deactivation automation has no human review step — a payment processing failure at Stripe could cascade into mass deactivations.

Logic errors or bias in processing consideredArchitectural anti-patterns identified and documentedPrivilege escalation paths assessedSide-channel or timing attacks consideredPurpose creep or function creep risk assessedPermission model gaps — who can do what

Q3. What are we going to do about it?

4/4 Good

Billing calculations reconciled daily against Stripe's records with alerts on discrepancy. Tier assignment rules published in customer documentation. Security-related support tickets tagged separately with dedicated routing. Account deactivation requires 3 failed payment attempts AND manual approval for accounts above a revenue threshold. All processing actions logged with actor attribution.

Least privilege enforced for processing accessProcessing actions logged with actor attributionSeparation of duties where appropriateRegular review cycle for processing logic

Q4. Did we do a good enough job?

2/3 Very low

Billing reconciliation has caught 2 discrepancies in the last quarter, both resolved within 24 hours. Tier assignment reviewed quarterly. However, the mass-deactivation scenario has not been tested — we have no chaos engineering practice for payment processor failures. This is a gap.

Processing logic tested with edge casesReviewed by domain expert, not just developerResidual processing risk documented

Confidence note: No chaos testing for payment processor failure cascades.

04 Store Dev PatelInfrastructure Lead

Q1. Where does this data live at rest?

6/6 High

PostgreSQL 16 on AWS RDS (eu-west-2). Encrypted at rest with customer-managed KMS key. Redis for session cache (4-hour TTL, encrypted in transit). S3 for support ticket attachments (SSE-S3 encryption, bucket policy denies public access). Daily automated backups retained for 30 days in the same region. No cross-region replication.

All storage locations inventoriedEncryption at rest (AES-256 or equivalent)Key management documented (who holds keys, rotation)Backup locations and encryption documentedCaches and temporary stores identifiedStorage jurisdiction documented

Q2. What can go wrong at rest?

3/5 Moderate

RDS snapshots inherit the KMS key — if the key is compromised, all snapshots are exposed. Redis has no at-rest encryption — session data is plaintext in memory. S3 bucket policy could be misconfigured by a team member with IAM write access. Backup retention of 30 days means deleted customer data persists in backups for up to 30 days after deletion request.

Unauthorised access to storage assessedBackup exposure or theft risk consideredKey compromise impact assessedPhysical access controls consideredData remanence on decommissioned media

Q3. What are we going to do about it?

3/4 Moderate

KMS key policy restricted to 2 IAM roles with MFA required for key management actions. Redis configured with AUTH and TLS. S3 bucket policy version-controlled and changes require PR review. Deletion requests logged and reconciled against backup retention schedule — customers informed of the 30-day backup window in privacy notice.

Access controls with least privilegeStorage access monitored and alertedKey rotation schedule in placeImmutable audit logs for storage access

Q4. Did we do a good enough job?

2/3 Low

KMS key access audited quarterly via CloudTrail. S3 bucket policy reviewed monthly. Redis AUTH tested in staging. However, we have not tested the scenario where a KMS key is rotated — we do not know if old snapshots remain decryptable. This needs investigation.

Access controls tested (penetration / red team)Storage architecture reviewed independentlyResidual storage risk documented

Confidence note: KMS key rotation impact on existing snapshots is untested.

05 Share Rachel OkonkwoData Protection Officer

Q1. Who else receives this data, and on what footing?

6/6 Good

Stripe (processor): payment card data, billing address, invoice amounts. SendGrid (processor): customer email addresses, notification content. AWS (sub-processor): all data at rest and in transit within their infrastructure. Google Analytics: anonymised usage data only (IP anonymisation enabled). No international transfers — all processors confirmed EU/UK data residency.

All recipients identified and documentedLegal basis for each sharing relationshipController / processor roles documentedSub-processors identified and approvedInternational transfers identified (Art 44-49)Transfer mechanism documented (adequacy / SCCs / BCRs)

Q2. What can go wrong in sharing?

4/5 Moderate

Stripe has access to billing data that could be correlated with transaction patterns. SendGrid processes email addresses — a breach at SendGrid would expose our entire customer email list. AWS has theoretical access to all data as the infrastructure provider. Google Analytics anonymisation could be reversed with sufficient auxiliary data.

Over-sharing or excessive disclosure riskUnauthorised onward sharing by recipientJurisdiction change risk (recipient relocation)Impact of recipient breach on our dataAPI exposure or integration leakage

Q3. What are we going to do about it?

4/4 Good

DPAs in place with Stripe, SendGrid, and AWS. Stripe PCI DSS Level 1 certified — we rely on their attestation. SendGrid access scoped to send-only — no access to stored email lists. AWS shared responsibility model documented. Google Analytics replaced with privacy-respecting alternative on the roadmap for Q3 2026.

Data processing agreements in placeMinimisation before sharing — only what is neededAudit rights over recipients documentedBreach notification obligations documented

Q4. Did we do a good enough job?

2/3 Low

DPAs reviewed by external counsel in March 2026. Stripe and AWS certifications verified. SendGrid's security posture reviewed via their SOC 2 Type II report. However, we have not exercised our audit rights with any processor. The Google Analytics replacement is not yet implemented.

Sharing mechanisms tested for leakageSharing agreements reviewed by legalResidual sharing risk documented

Confidence note: Audit rights not yet exercised with any processor.

06 Retain Rachel OkonkwoData Protection Officer

Q1. For how long is this data kept, and why?

4/5 Good

Active customer data: retained for duration of contract plus 12 months. Billing records: 7 years (HMRC requirement). Support tickets: 3 years from resolution. Audit logs: indefinite. Account data after deletion request: purged from primary stores within 30 days, from backups within 30 days of next backup cycle. Marketing consent records: retained indefinitely as evidence of lawful basis.

Retention schedule documented per data categoryRetention period justified (not just 'in case')Legal hold requirements identifiedArchival vs active storage distinguishedTrigger for retention review documented

Q2. What can go wrong in retention?

4/4 Good

The 12-month post-contract retention is generous — the original justification was 'in case they come back' which is not a valid lawful basis. Support tickets retained for 3 years may contain sensitive information shared during troubleshooting. Audit log indefinite retention means the dataset grows without bound — no archival strategy.

Over-retention risk — keeping data beyond purposeOrphaned data — no owner, no purpose, still storedRetention schedule drift — policy says X, reality is YBackup retention exceeding primary retention

Q3. What are we going to do about it?

4/4 Low

Retention schedule documented and published in the privacy notice. Automated purge jobs run weekly for expired data. Post-contract retention reduced from 12 months to 3 months (change pending legal sign-off). Support tickets reviewed at 12 months and sensitive content redacted. Audit log archival to cold storage after 2 years — implemented but not yet tested under load.

Automated purge or archival at retention endRegular review of retained data against scheduleBackup retention aligned with primary retentionProcess for retention queries from data subjects

Confidence note: Retention reduction not yet approved. Archival untested at scale.

Q4. Did we do a good enough job?

3/3 Moderate

Automated purge verified monthly with reconciliation reports. Retention schedule reviewed quarterly against stated purposes. However, the 12-to-3-month reduction has not yet been approved by legal and is therefore not in effect. The audit log archival has not been tested with a realistic data volume.

Retention enforcement tested and verifiedRetention schedule reviewed against current purposesResidual retention risk documented

07 Dispose Dev PatelInfrastructure Lead

Q1. What does disposal actually look like, end to end?

3/5 Good

Account deletion: soft-delete in application, hard-delete from PostgreSQL after 30-day grace period. S3 objects: lifecycle policy deletes after retention period. RDS snapshots: automatic expiry after 30 days. Redis: TTL-based expiry, no manual intervention needed. Physical media disposal: managed by AWS under their shared responsibility model — we do not handle physical media.

Disposal method documented (crypto-erase, physical destruction, overwrite)All copies identified for disposal (primary, backup, cache, log)Third-party disposal obligations documentedDisposal certification or evidence capturedPhysical media disposal process documented

Q2. What can go wrong in disposal?

4/4 Moderate

Soft-delete grace period means data is recoverable for 30 days — a determined insider could access 'deleted' accounts. RDS snapshots retain data beyond the application-level deletion. Search indices and caches may retain references to deleted data. Third-party processors (Stripe, SendGrid) may retain data beyond our deletion request.

Incomplete disposal — copies survive in backups or logsData recovery from disposed mediaThird party fails to dispose as contractedTiming gap between disposal decision and execution

Q3. What are we going to do about it?

3/4 Moderate

Soft-delete access restricted to 2 admin roles with MFA. Deletion cascade includes search index purge and cache invalidation. Stripe and SendGrid deletion requests issued via API at time of account deletion with confirmation logged. Quarterly audit of soft-deleted accounts to verify hard-delete completion.

Disposal verification process in placeDisposal logged with timestamps and actorThird-party disposal auditableCascade deletion across all linked stores

Q4. Did we do a good enough job?

2/3 Moderate

Deletion cascade tested end-to-end in staging including search index and cache. Stripe/SendGrid deletion confirmation verified. However, we have not verified that AWS actually destroys the physical media underlying decommissioned EBS volumes. We rely on their attestation. Residual risk accepted.

Disposal completeness tested (can data be recovered?)Disposal process reviewed independentlyResidual disposal risk documented

Phase 4 Delegation Questions deferred to other people with receipt trail

Share Q2 — What can go wrong in sharing?

Deferred by Sarah Mitchell Head of Information Security 2026-04-05 09:14:22Z

Answered by Rachel Okonkwo Data Protection Officer 2026-04-07 11:32:08Z

Answer

Stripe has access to billing data that could be correlated with transaction patterns to infer customer behaviour. SendGrid processes email addresses — a breach at SendGrid would expose our entire customer email list. AWS has theoretical access to all data as the infrastructure provider. Google Analytics anonymisation could be reversed with sufficient auxiliary data. The DPA with our email provider does not explicitly restrict them from using metadata for their own product improvement.

Phase 5 Outcome assessments CAF contributing outcomes with status, rationale, and attribution

A1.a Achieved

Board-level accountability established. The CTO is the named accountable executive for cyber risk. Cyber risk is a standing item at monthly leadership meetings with documented decisions.

Sarah Mitchell Head of Information Security 2026-04-08 14:20:01Z

A2.a Achieved

Risk management follows a documented process. Risk register maintained in the company wiki, reviewed monthly. Residual risks formally accepted by CTO with rationale recorded.

Sarah Mitchell Head of Information Security 2026-04-08 14:25:00Z

A3.a Partial

Asset management covers production infrastructure and SaaS tooling. However, developer laptops and local environments are not included in the asset register. Remediation planned for Q3 2026.

Sarah Mitchell Head of Information Security 2026-04-08 14:32:00Z

B1.a Achieved

Security policies published on the internal wiki and acknowledged by all staff annually. Last full review completed February 2026. Next review scheduled August 2026.

Sarah Mitchell Head of Information Security 2026-04-08 15:01:00Z

B2.a Achieved

Role-based access control enforced across all systems. Quarterly access reviews documented. Joiners/movers/leavers process automated via HR integration.

Dev Patel Infrastructure Lead 2026-04-09 09:14:00Z

B3.a Not achieved

Encryption at rest is in place but KMS key rotation has not been performed since initial deployment 14 months ago. Key policy allows 4 IAM roles to decrypt — should be 2. Remediation scheduled.

Dev Patel Infrastructure Lead 2026-04-08 14:22:44Z

B4.a Partial

Network segmentation exists between production, staging, and corporate networks. However, the VPN allows broad access to the production VPC — micro-segmentation not yet implemented.

Dev Patel Infrastructure Lead 2026-04-09 09:30:00Z

B5.a Achieved

Vulnerability management programme in place. Weekly automated scans with Qualys. Critical/high vulnerabilities SLA: 7 days. Patch compliance tracked and reported monthly.

Dev Patel Infrastructure Lead 2026-04-09 09:45:00Z

C1.a Achieved

Security monitoring via AWS GuardDuty, CloudTrail, and Datadog SIEM. Alert triage SLA of 4 hours for high-severity events. Monthly false-positive tuning reviews.

Dev Patel Infrastructure Lead 2026-04-09 10:00:00Z

C2.a Partial

Anomaly detection covers authentication events and API rate spikes. Does not yet cover data exfiltration patterns or unusual database query volumes. Enhancement planned.

Dev Patel Infrastructure Lead 2026-04-09 10:15:00Z

D1.a Achieved

Incident response plan documented, tested via tabletop exercise in March 2026. Roles and responsibilities assigned. Communication templates prepared for customers, regulators, and media.

Sarah Mitchell Head of Information Security 2026-04-10 11:00:00Z

D2.a Not assessed

Phase 6 Evidence Files, locations, and references linked to outcomes and stages

policy Information Security Policy v3.1 sharepoint

https://acme.sharepoint.com/policies/infosec-v3.1.pdf

B1.aA2.a

Sarah Mitchell Head of Information Security

https://acme.atlassian.net/wiki/spaces/SEC/pages/risk-register

A2.a

Sarah Mitchell Head of Information Security

log-extract GuardDuty alert triage log — Q1 2026 url

https://acme-sec.s3.eu-west-2.amazonaws.com/guardduty-triage-q1-2026.csv

C1.a

Dev Patel Infrastructure Lead

screenshot Stripe PCI DSS attestation url

https://stripe.com/docs/security

journey:collect

Rachel Okonkwo Data Protection Officer

email Legal review of processor DPAs other

Email from external counsel, 12 Mar 2026, ref: ACM-2026-0341

journey:shareB1.a

Rachel Okonkwo Data Protection Officer

Phase 7 Assumptions Named assumptions with errata trail and test status

journey:collect confirmed

Stripe's PCI DSS Level 1 certification is sufficient — we do not need to independently verify their controls.

Sarah Mitchell Head of Information Security 2026-04-03 09:20:00Z

journey:collect untested

ClamAV will detect all malicious file uploads in support ticket attachments.

Dev Patel Infrastructure Lead 2026-04-03 09:35:00Z

journey:transmit partially-confirmed

AWS VPC encryption in transit is equivalent to application-level encryption for inter-service communication.

Dev Patel Infrastructure Lead 2026-04-04 10:15:00Z

journey:dispose confirmed

The soft-delete grace period of 30 days is acceptable under GDPR Article 17 right to erasure.

Rachel Okonkwo Data Protection Officer 2026-04-06 14:30:00Z

journey:share untested

Google Analytics IP anonymisation is sufficient to avoid processing personal data.

Google Analytics does not process personal data.

Reason: Revised after ICO guidance clarified that anonymisation must be irreversible, and GA's IP truncation may not meet this threshold.

Amended by Rachel Okonkwo Data Protection Officer 2026-04-09 10:05:17Z

Rachel Okonkwo Data Protection Officer 2026-04-05 11:00:00Z

B1.a untested

SendGrid's SOC 2 Type II report adequately demonstrates their security posture without exercising audit rights.

Sarah Mitchell Head of Information Security 2026-04-07 16:00:00Z

A1.a confirmed

Monthly leadership meetings provide sufficient board-level oversight of cyber risk.

Quarterly board meetings provide sufficient oversight.

Reason: Increased to monthly after an incident in Q4 2025 revealed that quarterly cadence missed a 6-week window where a critical vulnerability was unaddressed.

Amended by Sarah Mitchell Head of Information Security 2026-04-10 16:41:02Z

Sarah Mitchell Head of Information Security 2026-04-08 14:10:00Z

Phase 8 Audit log Chronological record of every action with actor attribution

2026-04-03 08:12:04Z system.create System created Sarah MitchellHead of Information Security

2026-04-03 08:14:11Z answer.save journey.collect.Q1 Sarah MitchellHead of Information Security

2026-04-03 08:31:45Z answer.save journey.collect.Q2 Sarah MitchellHead of Information Security

2026-04-03 09:02:18Z answer.save journey.collect.Q3 Sarah MitchellHead of Information Security

2026-04-03 09:15:33Z answer.save journey.collect.Q4 Sarah MitchellHead of Information Security

2026-04-05 09:14:22Z question.deferred journey.share.Q2 → Rachel Okonkwo Sarah MitchellHead of Information Security

2026-04-07 11:32:08Z answer.save journey.share.Q2 Rachel OkonkwoData Protection Officer

2026-04-08 14:20:01Z outcome.set A1.a → achieved Sarah MitchellHead of Information Security

2026-04-08 14:22:44Z outcome.set B3.a → not-achieved Dev PatelInfrastructure Lead

2026-04-09 10:05:17Z assumption.amend GA personal data assumption revised Rachel OkonkwoData Protection Officer

2026-04-09 10:08:33Z evidence.add Information Security Policy v3.1 Sarah MitchellHead of Information Security

2026-04-10 16:41:02Z assumption.amend Board oversight cadence increased to monthly Sarah MitchellHead of Information Security

Relationships How everything connects. Discovery feeds the journey. The journey feeds outcome assessments. Weak discovery means weak journey answers. Weak journey answers mean unsubstantiated outcomes.

Discovery → Journey → Outcomes