compliance-report-template.md

Compliance Report -- Directive 2026/CS-04

1. Executive Summary

Write for the directive committee -- they are not security professionals. Describe what was assessed, what was found, what was fixed, and what needs attention. No unexplained technical terms. Focus on risk to the organization and its stakeholders (tourists, guides, staff).

2. Assessment Scope

List the systems assessed, the time period of the assessment, and the methodology used. Reference the directive requirements being addressed.

3. Methodology

Describe the assessment approach in terms the committee can understand. Mention the tools used and why. Explain the distinction between automated scanning and manual assessment.

4. Findings

| Finding ID | Severity | Portal Affected | Description | Status | Remediation |
|---|---|---|---|---|---|

Order findings by risk severity, not by discovery sequence. Severity should reflect business impact to the Bhutan Tourism Council specifically, not generic vulnerability scores.

5. Continuous Monitoring Capability

This is the section the directive committee will scrutinize most closely. Explain what your monitoring systems (Loki and Wazuh) detect and what they do not. In language the committee understands, describe: what happens when suspicious activity occurs, who gets alerted, how quickly, and what the response process is. Address the directive requirement for "continuous monitoring capability."

6. Recommendations

Specific, actionable recommendations ordered by priority. Include:

  • Remaining findings not yet remediated (with timeline)
  • Operational recommendations for maintaining the monitoring systems
  • Staffing implications (who reviews alerts, how often)
  • Any separate assessments recommended (e.g., systems outside the current scope)

Technical Appendix

A. Detection Rules Deployed

List all detection rules with their names, platforms (Loki/Wazuh), what they detect, and their current false positive profile.

B. CIS Benchmark Assessment

Summary of CIS Benchmark items assessed for the Wazuh deployment, findings, and remediation status.

C. Remediation Evidence

For each remediated finding: the original vulnerability, the fix applied, and evidence that the fix works (exploitation re-test results).