CC7.4 — Incident response evaluation and remediation tracking
Status: Partially implemented (Phase 0 closure trail demonstrates evaluation loop; formal post-incident review template target week 14) Owner: Agent #38 (Senior Compliance Lead, SOC 2 + ISO 27001) Last reviewed: 2026-05-28 Next review: 2026-08-28
Trust Services Criteria reference
The entity responds to identified security incidents by executing a defined incident-response programme to understand, contain, remediate, and communicate security incidents. CC7.4 specifically focuses on the post-incident evaluation, the remediation tracking, the closed-loop verification (did the fix land, is it pinned by a test, did the lesson reach the threat model), and the integration into the broader risk-assessment + control-selection cycle.
How ZeroAuth meets this control
The evaluation + remediation tracker is docs/security/audit-findings.md. Every incident or finding gets a row with: ID (C-NN sequenced), title, severity (P0/P1/P2/P3), status (CLOSED / OPEN with target sprint / TRACKED for future-phase items), closing commit hash for closed rows, and notes — usually including the regression-test reference and the threat-model row that captures the residual surface.
The Phase 0 closure trail is the demonstration of the loop. 21 findings identified in the readiness audit. 5 P0 + 4 P1 closed in 2 weeks. Each closure carries (a) a closing commit hash, (b) a regression test that pins the closure, (c) a threat-model row update where a new attack surface was identified. Examples:
- C-1 (demo bypass) — closed in commit 02e1734. Regression test: tests/proof-pairing.test.ts::"P0 audit finding C-1 closure". Threat-model row A-27 captures the residual surface.
- C-3 (access-token query fallback) — closed in commit ee6aad4. Regression test: tests/console-auth.test.ts::"P0 audit finding C-3". Threat-model row A-28.
- C-7 (circuit-key drift) — closed in commit e98d158. Regression test: tests/zkp-version.test.ts. ADR 0015 (commit 27ed93c) is the decision record.
- C-4 (audit-events tamper-evidence) — closed in commits 5e3b79d + a475ed8 + d634b2d. ADR 0013 (commit 27ed93c) + ADR 0014 (commit 27ed93c) are the decision records. On-chain anchor in commit d6c6a4e.
- C-8 (no biometric-payload guard) — closed in commit c09c081. Regression test: tests/biometric-rejection.test.ts. ADR 0016 (commit 76f8d4e) strengthens the closure at the runtime layer.
- C-12 (no cross-tenant rejection matrix) — closed in commit a1bbc47. Regression test: tests/tenant-isolation.test.ts. Threat-model row A-01.
The closed-loop demonstration: commit 573ff5d ("track audit findings and update threat model for Phase 0 closures") is a single commit that simultaneously (a) updates the audit-findings doc with the new closure status, (b) extends the threat model with the corresponding A-NN row, and (c) flows the lesson back into the control catalogue.
Future incidents follow the same pattern. The expectation in 06-ways-of-working.md "Documentation hygiene" is: every PR that closes a finding updates docs/security/audit-findings.md (with the closing commit hash) and docs/threat_model.md (with the new mitigation or attack vector). The closed-finding regression suite (tests/security/regression.spec.ts, lands C-023 / sprint 2) is the structural prevention layer — once it lands, every PR runs the union of closed-finding tests and rejects any regression.
Post-incident review for non-finding incidents (e.g., a production outage, a customer-reported defect) is the remaining gap: today only audit findings flow through the tracker. A written post-incident-review template lands week 14 (2026-08-24) as docs/operations/post-incident-review-template.md; the first applied review feeds the Q1 compliance retrospective (docs/compliance/retros/2026-q1.md).
Communication of remediation:
- To management — Friday status posts (read by all line VPs + Role 1) + monthly phase-progress review.
- To customers — per-tenant breach communication (template lands week 13 alongside the DPDP playbook).
- To regulators — DPB 72-hour notification (DPDP §8 breach-notification playbook, target week 6).
The R-COMP-01 risk (regulatory shift mid-evidence-period) carries an explicit re-attestation-clause mitigation in the SOC 2 + ISO engagement letters — so the remediation tracker itself remains compatible with auditor expectations even under regulatory drift.
Evidence references
- docs/security/audit-findings.md — the remediation tracker, 21 Phase 0 findings with status + closing commit + regression-test reference.
- Commit 573ff5d — closed-loop demonstration (audit-findings + threat-model update in one commit).
- Commit 02e1734 — C-1 closure with regression test.
- Commit ee6aad4 — C-3 closure with regression test.
- Commit e98d158 — C-7 closure with regression test.
- Commits a475ed8 + d634b2d — C-4 closure trail.
- Commit c09c081 — C-8 closure with regression test.
- Commit a1bbc47 — C-12 closure with regression test.
- docs/threat_model.md rows A-01, A-15, A-27, A-28 — threat-model side of the closed loop.
- docs/plan/bfsi-v1/06-ways-of-working.md "Documentation hygiene" — the rule that PRs update both docs.
Open gaps + remediation roadmap
- Closed-finding regression suite (tests/security/regression.spec.ts) — C-023 sprint 2, target week 6 (2026-07-06). Required to enforce the prevent-regression property structurally.
- Post-incident-review template (docs/operations/post-incident-review-template.md) — target week 14 (2026-08-24).
- Per-tenant breach communication template — target week 13 (2026-08-17).
- Quarterly compliance retrospective — first retro week 14, includes incident-trend analysis.
Test or audit query
- grep "CLOSED" docs/security/audit-findings.md | wc -l returns ≥ 9.
- For each closed finding, git show <closing-commit> --stat shows the implementing diff.
- grep -rE "C-[0-9]+ closure" tests/ returns the regression-test references (-r is needed because tests/ is a directory).
- grep -E "A-27|A-28" docs/threat_model.md confirms the threat-model rows were extended on closure.
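The tracker rules stated above (a CLOSED row carries a closing commit hash and a regression-test reference; an OPEN row carries a target sprint; TRACKED rows are parked) and the "≥ 9 CLOSED" audit query can be enforced mechanically instead of by eye. The script below is an added example, not the project's own tooling: it assumes audit-findings.md is a markdown table with the six columns this page names (ID, title, severity, status, closing commit, notes), parses a constructed sample in that layout, and returns the rows that break the rules plus the CLOSED-count threshold. The column layout, the regexes and the C-9x rows are assumptions; only the C-1 and C-3 rows mirror data from this page.

```python
"""Lint a remediation tracker shaped like docs/security/audit-findings.md.

Added example. The markdown-table layout, column order and C-9x rows are
assumptions for illustration, not the project's actual file.
"""
import re
from dataclasses import dataclass

HASH_RE = re.compile(r"^[0-9a-f]{7,40}$")        # abbreviated or full git SHA-1
TEST_REF_RE = re.compile(r"tests/[\w./-]+")       # a path under tests/ in the notes
SPRINT_RE = re.compile(r"\bsprint\s*\d+", re.IGNORECASE)
SEVERITIES = {"P0", "P1", "P2", "P3"}

# Constructed sample in the assumed layout. C-1 and C-3 mirror rows described
# on this page; the C-9x rows are invented to exercise each rule.
SAMPLE_TRACKER = """\
| ID | Title | Severity | Status | Closing commit | Notes |
|---|---|---|---|---|---|
| C-1 | demo bypass | P0 | CLOSED | 02e1734 | Regression test: tests/proof-pairing.test.ts. Threat-model row A-27. |
| C-3 | access-token query fallback | P0 | CLOSED | ee6aad4 | Regression test: tests/console-auth.test.ts. Threat-model row A-28. |
| C-90 | constructed: open with target | P1 | OPEN (sprint 2) | | lands with tests/security/regression.spec.ts |
| C-91 | constructed: future-phase item | P3 | TRACKED | | Phase 2 |
| C-92 | constructed: closed but untracked | P1 | CLOSED | | fixed in a PR, no test, no hash |
| C-93 | constructed: open, no target | P2 | OPEN | | nobody owns this |
| C-94 | constructed: bad severity | High | OPEN (sprint 3) | | |
"""


@dataclass
class Finding:
    fid: str
    title: str
    severity: str
    status: str
    commits: list   # closing hashes; C-4 style "a+b+c" rows carry several
    notes: str


def parse_tracker(text):
    """Turn the markdown table into Finding objects, skipping header/separator rows."""
    rows = []
    for line in text.splitlines():
        if not line.startswith("|"):
            continue
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 6 or cells[0] == "ID" or set(cells[0]) <= {"-"}:
            continue
        fid, title, sev, status, commit, notes = cells
        commits = [c.strip() for c in commit.split("+") if c.strip()]
        rows.append(Finding(fid, title, sev, status, commits, notes))
    return rows


def lint(rows):
    """Return (finding-id, problem) pairs for rows that break the tracker rules."""
    problems = []
    for f in rows:
        if not re.fullmatch(r"C-\d+", f.fid):
            problems.append((f.fid, "ID is not C-NN"))
        if f.severity not in SEVERITIES:
            problems.append((f.fid, f"severity {f.severity!r} not P0-P3"))
        state = f.status.split()[0] if f.status else ""
        if state == "CLOSED":
            # A closure is only evidence if it points at a real commit and a pinning test.
            if not f.commits or not all(HASH_RE.match(c) for c in f.commits):
                problems.append((f.fid, "CLOSED without well-formed closing commit hash"))
            if not TEST_REF_RE.search(f.notes):
                problems.append((f.fid, "CLOSED without regression-test reference"))
        elif state == "OPEN":
            if not (SPRINT_RE.search(f.status) or SPRINT_RE.search(f.notes)):
                problems.append((f.fid, "OPEN without target sprint"))
        elif state != "TRACKED":
            problems.append((f.fid, f"unknown status {f.status!r}"))
    return problems


def closed_count(rows):
    """Same number the 'grep CLOSED | wc -l' audit query produces."""
    return sum(1 for f in rows if f.status.startswith("CLOSED"))


def gate(text, min_closed):
    """Full check: per-row lint plus the minimum-closed threshold from the audit query."""
    rows = parse_tracker(text)
    problems = lint(rows)
    n = closed_count(rows)
    if n < min_closed:
        problems.append(("*", f"only {n} CLOSED rows, expected >= {min_closed}"))
    return problems


if __name__ == "__main__":
    for fid, msg in gate(SAMPLE_TRACKER, 9):
        print(f"{fid}: {msg}")
```

Run against the real file with `gate(open("docs/security/audit-findings.md").read(), 9)` in CI so a PR that flips a row to CLOSED without a hash or a test fails before merge; the `git show <hash> --stat` step from the audit query still has to be run separately, since a well-formed hash says nothing about whether the commit exists.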