Annual Technical Evaluation Procedure
Owner: Security Officer · Approved by leadership · Version 1.0 · Effective 27 May 2026 · Next review 27 May 2027
1. Purpose
This procedure defines the controlled annual cadence under which Glassbreak re-tests every control statement in the Information Security Policy against the running platform. It produces a dated evaluation report comparing the prior year to the current year that an auditor can sample.
The evaluation provides the periodic technical assurance expected by frameworks such as HIPAA (45 CFR § 164.308(a)(8)) and ISO 27001 (Clause 9.1) and complements — but does not replace — continuous evidence from the daily security-posture snapshot.
2. Scope
The evaluation covers every control statement in sections 3.1 through 3.11 of the Information Security Policy:
- Confidentiality controls (encryption-on-device, credential hashing, transport security, secret handling).
- Integrity controls (authorisation, audit logging, cross-vertical sync signing, change management).
- Availability controls (multi-stack architecture, recovery objectives, backup integrity, observability and SLOs).
- Identity and access controls (MFA, least privilege, session lifecycle, privileged-action logging).
- Cryptography controls (algorithm inventory, library provenance, Wycheproof corpus, key lifecycle).
- Change-management, vendor-management, logging and audit, incident-response, risk-management, and coordinated-disclosure controls.
3. Ownership
- Accountable owner — the Security Officer runs the evaluation and signs the report.
- Engineering input — engineering performs the technical re-tests and produces the supporting evidence for each control.
- Counter-signer — at least one member of leadership counter-signs the report.
4. Cadence
- One evaluation per calendar year, scheduled at the same point in the year as the policy effective date and completed within a +/- 30-day window.
- An interim evaluation is run on the affected control family after any material change to the platform that invalidates the previous year's evidence for that family.
5. Evaluation method
5.1 Automated re-test
- The full daily security-posture snapshot probe set is re-run on the in-scope production surface; the probe outputs and the 30-day public attestation history are captured as evidence for the controls each probe maps to.
- The full disaster-recovery scenario suite is re-run; the pass/fail history for the period is captured as evidence for the availability and integrity controls each scenario maps to.
5.2 Sampled manual re-test
- For each control not fully covered by an automated probe, a manual re-test is performed against a sample of the population. The sample size, the sampling method, and the items sampled are recorded.
- Where the control depends on an artefact that must exist (for example, a signed access-review record), the artefact is located, opened, and its existence and completeness recorded.
- Where the control depends on a configuration that should hold (for example, MFA enforced on a console), the configuration is inspected and the inspection method recorded.
5.3 Year-over-year comparison
- For each control statement, the prior year's status (Met, Partial, Gap) is restated and the current year's status is set.
- Where status has improved, the structural change responsible is recorded.
- Where status has regressed, the regression is logged as an open finding with a remediation deadline under the Remediation SLA procedure.
6. Procedure
- Open the evaluation by tagging the prior year's report as the comparison baseline.
- Run each automated re-test per §5.1.
- Run each sampled manual re-test per §5.2.
- For each control, record the evidence reference, the method used, the current status, and the year-over-year delta.
- Open a finding for every regression and every newly identified partial.
- Draft the report, including a narrative section summarising the year-over-year story.
- The Security Officer signs; the counter-signer reviews and signs.
- File the signed report in the compliance evidence store and index it by year.
7. Template
Each annual evaluation produces a single report with the following structure. This template is the artefact that an auditor may sample.
- Header — evaluation identifier, year covered, target completion date, actual completion date, Security Officer, counter-signer(s).
- Scope confirmation — the version of the Information Security Policy under test and the list of control statements in scope.
- Method summary — the automated probe set used, the DR scenario suite version, and the sampling method for the manual re-test.
- Control-by-control results — table with: control reference (e.g. §3.4), control statement, evidence reference, method, current status, prior-year status, delta.
- Findings — every regression and every newly identified partial, with severity, owner, remediation deadline.
- Narrative — short year-over-year story covering what changed structurally and what is in flight.
- Sign-off — Security Officer signature and date, counter-signer signature and date.
8. First instance
The inaugural technical evaluation was completed on the effective date of this procedure (27 May 2026). It set the baseline against which subsequent annual evaluations are compared and captured the control-by-control status as of that date. The signed report is held in the compliance evidence store and available under NDA.
9. Records
- Signed evaluation reports are retained for at least 5 years.
- Supporting evidence (probe outputs, scenario logs, sampling worksheets) is retained alongside the report.
- Open findings remain tracked under the Remediation SLA procedure until closure.
10. Review of this procedure
This procedure is reviewed at least annually and after any material change to the structure of the Information Security Policy that changes what must be evaluated. The next scheduled review is 27 May 2027.
11. Related documents
- Policies index
- Information Security Policy
- Remediation SLAs
- Internal Audit Programme
- Quarterly ISMS Management Review
- Trust page (live attestations)
Counter-signed PDF copy available on request to compliance@glassbreak.io.