CC8.1 · D1 · detection_only
evidence/change-management-policy.md — Orion Health change management policy

| ID | Type | Severity | Finding |
|---|---|---|---|
| F-001 | gap | high | No segregation of duties in change deployment: Section 4.3 states 'Changes are deployed by the requesting engineer.' The same person who requests a change also deploys it. CC8.1 requires segregation of duties — the person who develops/requests a c... |
| F-002 | gap | high | No testing requirement before production deployment: The policy mentions that the CI/CD pipeline goes from staging to production but does not require testing in staging, test-result sign-off, or QA validation before promotion to production. CC8.1 explicitly req... |
| F-003 | gap | medium | Emergency change process lacks controls: Emergency changes require only verbal approval and a retroactive Jira ticket. There is no requirement for post-implementation security review, no time limit for creating the retroactive ticket, and no verifica... |

| Model | Provider | Score | Recall | Precision | F1 | Gaps | Reported |
|---|---|---|---|---|---|---|---|
| Sonnet 4.6 | Anthropic | 100% | 100% | 38% | 55% | 3/3 | 8 |
| Opus 4.7 | Anthropic | 100% | 100% | 23% | 38% | 3/3 | 13 |
| GPT-5.5 | OpenAI | 100% | 100% | 20% | 33% | 3/3 | 15 |
| GPT-4.1 | OpenAI | 100% | 100% | 38% | 55% | 3/3 | 8 |
| Haiku 4.5 | Anthropic | 100% | 100% | 38% | 55% | 3/3 | 8 |
| GPT-4o | OpenAI | 100% | 100% | 60% | 75% | 3/3 | 5 |