Controls -> Evidence Map (Altaba / Yahoo SEC (2018))
Technical appendix for leadership and compliance.
Purpose
This technical appendix, the Controls -> Evidence Map (Altaba / Yahoo SEC (2018)), maps controls to objective evidence, enabling rapid substantiation of implementation and operating effectiveness. It is used by security, compliance, and legal teams to demonstrate what is deployed, how it is monitored, and what records support examiner or litigation requests.
Hallucinated writing examples
Scenario: In an illustrative period following the SEC April 2018 cease-and-desist order on delayed breach disclosure (time), the Senior Lead Security Engineer (role) prepares a controls-to-evidence map (type) for the Chief Information Security Officer and the Compliance Program Owner (audience).
Technical Objective: Map control state to evidence for disclosure alignment after the SEC order.
1) Incident Escalation:
Required Control State: Documented path from IR to Legal with SLAs.
Evidence: Tickets, escalation logs, disclosure committee minutes (privileged review).
Signals: Median time from verification to legal notification.
2) Disclosure Controls:
Required Control State: Controls designed to ensure incident information reaches those responsible for filings.
Evidence: Control narratives, testing workpapers, training records.
Signals: Testing remediation aging.
3) Logging:
Required Control State: Retention and access controls on forensic logs.
Evidence: Log inventory, retention configs, sample exports.
Signals: Coverage percentage for critical systems.