CC8.1 · D4 · f1
- evidence/change-management-policy.md — Stratos Inc. change management policy
- evidence/change-log-q4-2025.csv — Change request log for Q4 2025 (15 changes)
- evidence/cab-meeting-minutes-q4.md — Change Advisory Board meeting minutes for Q4 2025
- evidence/sdlc-overview.md — Software development lifecycle overview [noise]
- evidence/incident-log-q4-2025.csv — Incident log for Q4 2025 [noise]

| ID | Type | Severity | Finding |
|---|---|---|---|
| F-001 | red_herring | low | CHG-414 emergency change during holiday freeze — but CISO approval was obtained. CHG-414 (DB failover) was deployed during the holiday freeze on Dec 22. This looks like a freeze violation, but the policy explicitly allows emergency changes during freeze with CISO approval. The cha... |
| F-002 | red_herring | low | CHG-415 deployed on Dec 20 (start of holiday freeze) — but approved and scheduled before freeze. CHG-415 was deployed on December 20, which is the first day of the holiday freeze. However, it was approved at the December 16 CAB meeting and scheduled before the freeze began. The policy states free... |
| F-003 | gap | high | CHG-410 deployed during holiday freeze without CISO approval. CHG-410 (log4j patch) was a Standard change deployed on November 26 during the Thanksgiving holiday freeze (Nov 25-30). Policy Section 5 requires CISO approval for changes during freeze periods, even ... |
| F-004 | gap | high | CHG-411 retrospective CAB review exceeded 48-business-hour SLA. CHG-411 was an emergency change deployed December 1. The retrospective CAB review occurred December 9 — 6 business days later. Policy Section 3.2 requires retrospective CAB review within 48 business h... |
| F-005 | gap | high | CHG-407 and CHG-411: developer deployed their own emergency change (segregation violation). Policy Section 3.3 states 'Production deployments are executed by the SRE team, not the development team.' CHG-407 was developed by maya.jackson and deployed by maya.jackson. CHG-411 was developed by ... |
| F-006 | gap | high | CHG-409 approved without CAB quorum — high-risk change without Security Lead. CHG-409 was a High-risk change (customer data export endpoint) approved at the November 18 CAB meeting. The CAB minutes show only Derek Huang and Raj Patel attended — quorum was NOT met (requires VP E... |
| F-007 | gap | medium | CHG-409 missing post-implementation verification. CHG-409 has post_impl_verified = No with no post-implementation date. Policy Section 3.5 requires verification within 2 hours. The change is marked as Completed despite this missing step. This means t... |
| F-008 | gap | medium | CHG-412 security review performed by the same person who developed the change. CHG-412 (TLS cipher suite update) was developed by maya.jackson. The change log notes 'Security review by maya.jackson (same person who developed the change).' Policy Section 3.3 requires segregation ... |

| Model | Provider | Score | Recall | Precision | F1 | Gaps | Reported |
|---|---|---|---|---|---|---|---|
| Sonnet 4.6 | Anthropic | 92% | 100% | 86% | 92% | 6/6 | 7 |
| Opus 4.7 | Anthropic | 80% | 100% | 67% | 80% | 6/6 | 9 |
| GPT-5.5 | OpenAI | 86% | 100% | 75% | 86% | 6/6 | 8 |
| GPT-4.1 | OpenAI | 92% | 100% | 86% | 92% | 6/6 | 7 |
| Haiku 4.5 | Anthropic | 92% | 100% | 86% | 92% | 6/6 | 6 |
| GPT-4o | OpenAI | 100% | 100% | 100% | 100% | 6/6 | 5 |