cc6.3-3-001

CC6.3 · D3 · detection_and_precision

Difficulty: D3
Gaps: 5
Red Herrings: 0
Avg Score: 87%

Task

You are conducting a SOC 2 Type II readiness assessment for ClearView Analytics covering Q4 2025. Review the data access authorization policy, the actual database grant configuration, and the data access request log. Cross-reference these documents to identify inconsistencies between policy and implementation. Assess compliance with CC6.3.

Evidence

Findings

ID | Type | Severity | Finding

F-001 | gap | high | developer_debug role has full read-write access to all production tables
    The policy (Section 3.1) requires CISO approval for write access to customer databases. The database grants show 'developer_debug' role has SELECT, INSERT, UPDATE, DELETE on ALL TABLES in clearview_pr...

F-002 | gap | high | evan.smith has both etl_pipeline and developer_debug roles — segregation of duties violation
    The role_memberships show evan.smith has both 'developer_debug' (full read-write to all tables) and 'etl_pipeline' (full read-write + TRUNCATE to all tables). This gives one user two overlapping privi...

F-003 | gap | high | analytics_readonly role has access to production database, not just analytics replica
    Policy Section 3.4 states analysts access customer data through a 'read-only analytics replica' with PII masking. However, the database grants show 'analytics_readonly' has SELECT on ALL TABLES in cle...

F-004 | gap | medium | marketing_integration accesses customer PII without Privacy Officer approval evidence
    The marketing_integration role has SELECT access to customers, customer_events, and customer_profiles in production. DAR-404 shows Privacy Officer approved this. However, this is Confidential customer...

F-005 | gap | medium | developer_debug role granted via postgres superuser, not governed process
    The database grants show developer_debug was granted by 'postgres' (the superuser account) on 2023-09-05, predating the current policy (effective August 2025). This suggests legacy access that was nev...

Results

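| Model | Provider | Score | Recall | Prec. | F1 | Gaps | Reported |
|---|---|---|---|---|---|---|---|
| Sonnet 4.6 | Anthropic | 100% | 100% | 42% | 59% | 5/5 | 12 |
| Opus 4.7 | Anthropic | 100% | 100% | 42% | 59% | 5/5 | 12 |
| GPT-5.5 | OpenAI | 100% | 100% | 50% | 67% | 5/5 | 10 |
| GPT-4.1 | OpenAI | 80% | 80% | 50% | 62% | 4/5 | 8 |
| Haiku 4.5 | Anthropic | 80% | 80% | 50% | 62% | 4/5 | 8 |
| GPT-4o | OpenAI | 60% | 60% | 50% | 55% | 3/5 | 6 |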