# Pre-Deploy Security Checklist

---

## Header

| Field | Value |
|-------|-------|
| **Report type** | pre-deploy |
| **Target** | DFT data-platform release v3.2.0 |
| **Date** | 2026-05-05 |
| **Version** | llm-security v7.4.0 |
| **Scope** | enterprise gate + production readiness |
| **Frameworks** | OWASP LLM Top 10, EU AI Act, NSM Grunnprinsipper |
| **Triggered by** | /security pre-deploy |

---

## Risk Dashboard

| Metric | Value |
|--------|-------|
| **Risk Score** | 12/100 |
| **Risk Band** | Low |
| **Grade** | A |
| **Verdict** | GO-WITH-CONDITIONS |

| Severity | Count |
|----------|------:|
| Critical | 0 |
| High | 0 |
| Medium | 2 |
| Low | 3 |
| Info | 5 |
| **Total** | **10** |

**Verdict rationale:** All gates PASS or PASS-WITH-NOTES. 2 medium conditions: pending Datatilsynet ack on DPIA addendum (expected 2026-05-08) + missing logging-aggregator wire-up. Conditional approval — deployment may proceed once both are resolved.

---

## Traffic Light Categories

| Category | Status | Notes |
|----------|--------|-------|
| Identity & Access | PASS | OIDC + MFA, 89% coverage |
| Network Isolation | PASS | Private endpoints + NSG |
| Data Protection | PASS-WITH-NOTES | Customer-managed keys; rotation policy verified |
| Logging & Audit | FAIL | Logging aggregator not wired (M1 finding) |
| Compliance | PASS-WITH-NOTES | DPIA pending Datatilsynet ack (M2) |
| Secrets Management | PASS | Key Vault + managed identity |
| Hooks Coverage | PASS | All 9 hooks active |
| MCP Security | PASS | 0 untrusted servers |
| Supply Chain | PASS | 0 critical, 0 high CVEs |
| Plugin Trust | PASS | Only first-party plugins |
| Permission Hygiene | PASS | No wildcard Bash |
| Memory Hygiene | PASS | CLAUDE.md scanned, no poisoning |
| Performance | PASS | <500ms hook latency |

---

## Findings

### Medium

| ID | Category | File | Line | Description | OWASP |
|----|----------|------|------|-------------|-------|
| PRD-001 | Logging | infrastructure/observability.bicep | 12 | Logging aggregator export endpoint missing | — |
| PRD-002 | Compliance | docs/DPIA-2026-04-15.md | — | Datatilsynet ack pending (submitted 2026-04-22, expected response 2026-05-08) | — |

### Low

| ID | Category | File | Line | Description | OWASP |
|----|----------|------|------|-------------|-------|
| PRD-003 | Documentation | docs/SECURITY.md | — | SLA for security-disclosure response not documented | — |
| PRD-004 | Documentation | docs/RUNBOOK.md | — | Incident-response runbook missing rollback section | — |
| PRD-005 | Performance | hooks/post-mcp-verify.mjs | — | P95 latency 412ms (target <500ms) — within budget but monitoring needed | — |

### Info

| ID | Category | File | Line | Description | OWASP |
|----|----------|------|------|-------------|-------|
| PRD-006 | Coverage | (env) | — | Production env: Azure North Europe | — |
| PRD-007 | Coverage | (env) | — | Data-classification: Fortrolig | — |
| PRD-008 | Coverage | (compliance) | — | Frameworks: OWASP LLM, EU AI Act, NSM | — |
| PRD-009 | Coverage | (gate) | — | Pre-deploy run by: ci/release.yml | — |
| PRD-010 | Coverage | (history) | — | 4 prior pre-deploy runs in last 90 days, all PASS | — |

---

## Conditions to Resolve

1. **PRD-001 (medium):** Wire logging aggregator before deployment. Owner: platform-ops. Blocker.
2. **PRD-002 (medium):** Receive Datatilsynet ack OR document silent-period acceptance. Owner: privacy-officer. Blocker until 2026-05-08.

---

## Approvals

| Role | Approver | Date | Notes |
|------|----------|------|-------|
| Security Lead | (pending) | — | After PRD-001 resolved |
| Privacy Officer | (pending) | — | After PRD-002 resolved |
| Platform Owner | A. Nilsen | 2026-05-04 | Signed off subject to conditions |

---

## Recommendations

1. **Immediate:** Resolve PRD-001 (logging aggregator) before deploying.
2. **High:** Confirm Datatilsynet ack OR escalate silent-period exception (PRD-002).
3. **Medium:** Document SLA in SECURITY.md (PRD-003) post-deploy — non-blocking.
4. **Medium:** Add rollback section to RUNBOOK.md (PRD-004) post-deploy.

---

*Pre-deploy complete. 13 categories, 1 FAIL pending wire-up, conditional GO.*