cc7.2-5-001

CC7.2 · D5 · f1

Difficulty: D5
Gaps: 5
Red Herrings: 0
Avg Score: 72%

Task

You are conducting a SOC 2 Type II readiness assessment for Helix Data Systems covering the observation period Q4 2025. Review all provided evidence and assess compliance with CC7.2 (Monitoring and Anomaly Detection). Consider whether identified issues represent material control deficiencies or acceptable operational realities. Not all documents may be relevant to this control. Provide your professional judgment on each finding.

Evidence

Findings

ID | Type | Severity | Finding

F-001 | gap | high | Two production services deployed without monitoring for 25+ days
helix-ml-inference was deployed November 20 with partial monitoring (APM only, no SIEM, no alerts). helix-data-lake-ingestion was deployed October 5 with only CloudWatch basic metrics — no Datadog, no...

F-002 | gap | high | S3 bulk access alert has persistent false positive rate exceeding 30% threshold
The S3 bulk access alert has a false positive rate of approximately 95-97% across all three months (152/156 in Oct, 86/89 in Nov, 135/142 in Dec). Policy Section 3.3 requires tuning within 2 weeks whe...

F-003 | gap | medium | Failed login brute force alert acknowledged within SLA only 94-99% of the time
The brute force alert is High severity (30-minute SLA, 24/7). In October, 839/847 (99%) were acknowledged within SLA. In November, 308/312 (99%). In December, 285/298 (96%). The December spike (coordi...

F-004 | gap | medium | SQL injection alert rule disabled for entire observation period
The SQL injection detection rule was disabled on November 1 and remained disabled through the end of the observation period. CISO approval was obtained (TUNE-203) with a documented compensating contro...

F-005 | gap | medium | December impossible travel alerts — increasing unresolved investigations
Impossible travel alerts in December: 31 total, 4 true positives, 22 false positives, 5 'requires investigation.' Only 28/31 (90%) were acknowledged within SLA. The 5 unresolved investigations are a c...

Results

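| Model | Provider | Score | Recall | Prec. | F1 | Gaps | Reported |
|---|---|---|---|---|---|---|---|
| Sonnet 4.6 | Anthropic | 67% | 100% | 50% | 67% | 5/5 | 10 |
| Opus 4.7 | Anthropic | 91% | 100% | 83% | 91% | 5/5 | 6 |
| GPT-5.5 | OpenAI | 83% | 100% | 71% | 83% | 5/5 | 7 |
| GPT-4.1 | OpenAI | 91% | 100% | 83% | 91% | 5/5 | 6 |
| Haiku 4.5 | Anthropic | 59% | 100% | 42% | 59% | 5/5 | 12 |
| GPT-4o | OpenAI | 43% | 100% | 28% | 43% | 5/5 | 18 |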