CC6.3 · D4 · f1

- evidence/data-access-policy.md — Aurora Labs data access authorization policy defining RBAC, least privilege, segregation of duties, DLP controls, and quarterly access certification requirements.
- evidence/database-permissions-export.json — MongoDB Atlas RBAC export showing roles, privileges, and user assignments for the aurora-prod-east-1 cluster as of December 15, 2025.
- evidence/access-certification-q4.csv — Quarterly access certification log for Q4 2025 across 8 Aurora Labs systems, including completion dates, findings, and reviewer notes.
- evidence/exception-register.csv — CISO-approved exception register documenting policy deviations with compensating controls, risk ratings, and review outcomes.
- evidence/encryption-standards.md — Aurora Labs encryption standards policy covering data at rest, in transit, and key management. Not relevant to CC6.3 access authorization controls. [noise]

| ID | Type | Severity | Finding |
|---|---|---|---|
| F-001 | red_herring | low | Data analytics role has broad production read access across all collections The data-analytics role in the MongoDB permissions export grants read access to 10 production collections including financial data (billing, invoices, revenue_records, payment_transactions). This appe... |
| F-002 | gap | high | Finance employee j.morrison holds billing-service role with write access to financial collections User j.morrison (James Morrison, Finance department) is assigned the billing-service role, which grants insert and update access to the billing, invoices, and payment_transactions collections. As a Fi... |
| F-003 | gap | medium | Looker Analytics Platform access certification completed 21 days late The Q4 2025 access certification for the Looker Analytics Platform (CERT-Q4-2025-006) was due on October 14, 2025, but was not completed until November 4, 2025 — 21 calendar days after the certificati... |
| F-004 | gap | high | Contractor r.santos has no account expiration date despite policy requirement Contractor Ricardo Santos (r.santos, TechBridge Consulting) has a contract end date of 2025-12-31 but no expiration date set on the database account. Section 6.2 of the data access policy requires tha... |
| F-005 | gap | high | Service account svc-etl-snowflake has production write access with no designated owner The svc-etl-snowflake service account is assigned the etl-pipeline role, which includes insert and update access to the revenue_records collection in the production database. The account has no design... |

| Model | Provider | Score | Recall | Prec. | F1 | Gaps | Reported |
|---|---|---|---|---|---|---|---|
| Sonnet 4.6 | Anthropic | 67% | 100% | 50% | 67% | 4/4 | 8 |
| Opus 4.7 | Anthropic | 57% | 100% | 40% | 57% | 4/4 | 10 |
| GPT-5.5 | OpenAI | 60% | 75% | 50% | 60% | 3/4 | 6 |
| GPT-4.1 | OpenAI | 55% | 75% | 43% | 55% | 3/4 | 7 |
| Haiku 4.5 | Anthropic | 67% | 100% | 50% | 67% | 4/4 | 8 |
| GPT-4o | OpenAI | 40% | 50% | 33% | 40% | 2/4 | 6 |