CC4.2 — Evaluates and communicates deficiencies for remediation
Status: Implemented
Owner: Agent #38 (Senior Compliance Lead, SOC 2 + ISO 27001)
Last reviewed: 2026-05-28
Next review: 2026-08-28
Trust Services Criteria reference
The entity evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board, as appropriate. The control covers the channel for capturing deficiencies, the severity rubric, the named owner per deficiency, the remediation tracking, and the closing-the-loop confirmation.
How ZeroAuth meets this control
The authoritative deficiency tracker is docs/security/audit-findings.md. Every finding has an ID (C-1 through C-21 for the Phase 0 batch; subsequent batches per phase), a title, a current status (CLOSED / OPEN with target sprint / TRACKED for future-phase items), a closing commit hash for closed items, and a notes column with the implementing details and test references. The severity rubric is explicit at the top of the document:
- P0 — production-blocking. Must close before any pilot.
- P1 — pilot-blocking. Must close before Phase 2 pilot kickoff.
- P2 — Phase 2-blocking. Must close before pilot exit.
- P3 — Phase 3-blocking. Must close before the SOC 2 Type II evidence period.
The Phase 0 tally as of the LAST_UPDATED line of audit-findings.md: 5 of 7 P0 closed (C-1, C-3, C-7 with commit references; C-2 tracked to Phase 1 Sprint 3; C-9, C-10, C-11 open for sprint 2). 4 of 5 P1 closed (C-4, C-6, C-8, C-12; C-5 open, Phase 1 PII strip). All P2/P3 items are named with a target sprint.
The deficiency-capture channels:
- Audit-finding identification — the Phase 0 readiness audit produced the 21-row baseline. Subsequent audits (sprint retros, external SOC 2 / ISO observation, the Trail of Bits review, the bug-bounty programme) feed new rows into the same table with the next free ID.
- Threat-model row — every new attack surface gets an A-NN entry in docs/threat_model.md. Rows have a test-status + audit-signal column; a "MISSING" entry there is a deficiency awaiting test coverage. The Phase 0 update (commit 573ff5d) added rows A-27, A-28 for the closed demo-bypass + access-token-query findings.
- Sub-agent REQUEST_CHANGES — the security-reviewer or cryptographer-reviewer posting REQUEST_CHANGES on a PR creates an in-cycle deficiency record. The PR is not mergeable until addressed (per 06-ways-of-working.md "Sub-agent rules" — 24-hour escalation to Role 1 if ignored).
- CI gate failure — a failed CI run is the loudest possible deficiency signal. ADR 0011 (commit 51bc705) forbids --no-verify overrides.
Communication paths to senior management:
- Daily 09:30 IST engineering standup captures blocker-class deficiencies same-day.
- Friday 18:00 status post by all 50 agents — line VPs and the founder read all of them.
- Monthly 1st phase progress review — formal channel into the board-equivalent (Role 1 + 36 + 42).
- Monthly 15th risk-register review — captures risk-class deficiencies that have not yet manifested.
- Quarterly compliance retrospective — quarter-end summary signed off by Agent #1 + Agent #36 per compliance-roadmap-v1.md §8.1.
Remediation tracking is closed-loop. Each open audit finding carries an owner role and a target sprint. The closing commit hash is appended to the finding row when the implementing PR merges. The closed-finding regression guard (tests/security/regression.spec.ts, target C-023 sprint 2) is the structural protection against regression. Every closed-finding commit (the Phase 0 batch: 02e1734, ee6aad4, e98d158, a475ed8, d634b2d, c09c081, a1bbc47, 5425032) has a test reference in the audit-findings.md notes column.
The escalation matrix in 06-ways-of-working.md "Escalation" routes severity-1 production incidents to Roles 5, 21, 26 then Role 1 with a 15-minute pageable SLA. Customer escalations route via Role 42 → Role 46 with a 4-hour SLA. A sub-agent REQUEST_CHANGES not addressed within 24 hours escalates to Role 1. A phase-exit-gate-at-risk situation escalates to Role 1 + line VPs one week before the gate.
The Phase 0 demonstration: 5 P0 findings identified; 5 P0 closed in 2 weeks; the closing commit hashes are captured in audit-findings.md; the Phase 0 exit gate (week 2) is the management-confirmation moment; the threat model row update + audit-findings doc constitute the auditor-facing evidence trail. The docs/compliance/compliance-roadmap-v1.md LAST_UPDATED line tracks the most recent quarterly review.
Evidence references
- docs/security/audit-findings.md — the canonical deficiency tracker: 21 Phase 0 findings, severity rubric, closing commit hashes.
- docs/threat_model.md — A-NN row inventory; test-status + audit-signal columns mark deficiencies.
- docs/plan/bfsi-v1/06-ways-of-working.md "Escalation" — the escalation matrix.
- docs/plan/bfsi-v1/06-ways-of-working.md "Definition of Done (per commit)" — closes-the-loop requirements.
- ADR 0011-branching-workflow.md (commit 51bc705) — non-bypassable CI gate.
- Commit 02e1734 — C-1 closure (with linked test).
- Commit ee6aad4 — C-3 closure.
- Commit e98d158 — C-7 closure.
- Commit a475ed8 + d634b2d + c09c081 — C-4 + audit-chain closure trail.
- Commit a1bbc47 — C-12 closure.
- Commit 573ff5d — threat-model update on closure (closing-the-loop demonstration).
Open gaps + remediation roadmap
- Closed-finding regression test suite — tests/security/regression.spec.ts lands C-023 sprint 2. Target week 6 (2026-07-06).
- Quarterly compliance retrospective — first retro target week 14 (2026-08-24).
- Severity rubric extension for non-security deficiencies — privacy, availability, change-management classes need the same P0/P1/P2/P3 mapping. Target week 13 alongside DPB filing.
Test or audit query
grep -c "CLOSED" docs/security/audit-findings.md returns ≥ 9 (Phase 0 closure count). For each closed finding, git log --oneline | grep <commit-hash> confirms the commit exists. The same audit-findings doc is the source-of-truth read by the SOC 2 auditor at evidence-period kickoff.
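A script that performs the same audit query over the tracker and the git log, added here as an example and not part of ZeroAuth's own tooling. It assumes audit-findings.md is a markdown table laid out as ID | Severity | Status | Closing commit | Notes, treats a *.spec.* path in the notes column as the test reference, and runs on constructed sample rows and constructed `git log --oneline` text.

```python
"""Closed-loop check over an audit-findings tracker (added example, not ZeroAuth's
own tooling). Assumed layout: markdown table ID | Severity | Status | Closing commit | Notes."""
# Constructed sample rows in the assumed layout (not the real audit-findings.md).
FINDINGS_MD = """\
| ID   | Severity | Status             | Closing commit | Notes                      |
|------|----------|--------------------|----------------|----------------------------|
| C-1  | P0       | CLOSED             | 02e1734        | tests/security/c1.spec.ts  |
| C-2  | P0       | TRACKED Phase 1 S3 |                | carried to Phase 1         |
| C-4  | P1       | CLOSED             | a475ed8        |                            |
| C-5  | P1       | OPEN               |                | phase-1 PII strip          |
| C-12 | P1       | CLOSED             | a1bbc47        | tests/security/c12.spec.ts |
"""
# Constructed `git log --oneline` text; a1bbc47 is deliberately absent.
GIT_LOG = """\
02e1734 fix: close C-1
a475ed8 fix: close C-4
"""
COLUMNS = ("id", "severity", "status", "commit", "notes")


def parse_findings(md):
    """One dict per data row; the header and the |---| separator row are skipped."""
    rows = []
    for line in md.splitlines():
        if line.startswith("|"):
            cells = [c.strip() for c in line.strip().strip("|").split("|")]
            if cells[0] != "ID" and not cells[0].startswith("-"):
                rows.append(dict(zip(COLUMNS, cells)))
    return rows


def tally(rows):
    """Per-severity (closed, total): the figure the control writeup quotes."""
    out = {}
    for r in rows:
        closed, total = out.get(r["severity"], (0, 0))
        out[r["severity"]] = (closed + int(r["status"].startswith("CLOSED")), total + 1)
    return out


def violations(rows, git_log):
    """CLOSED needs a hash present in git log and a *.spec.* test reference; OPEN needs a sprint."""
    commits = {line.split()[0] for line in git_log.splitlines() if line.strip()}
    problems = []
    for r in rows:
        if r["status"].startswith("CLOSED"):
            if r["commit"] not in commits:
                problems.append(f"{r['id']}: CLOSED without a commit present in git log")
            if ".spec." not in r["notes"]:
                problems.append(f"{r['id']}: CLOSED without test reference")
        elif r["status"].startswith("OPEN") and "sprint" not in r["status"].lower():
            problems.append(f"{r['id']}: OPEN without target sprint")
    return problems
```

On the constructed rows the tally is P0 1 of 2 closed and P1 2 of 3 closed, and the check flags C-4 (no test reference), C-5 (no target sprint) and C-12 (hash not in git log).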