📋 Outstanding Work Tracker

This document tracks work items that require external resources or manual processing before documentation can be completed.

Policy Extraction Work

Status: ✅ COMPLETE (2025-01-13)

Location: ../04-business/policy-templates/

Completed Actions:

  1. ✅ Extracted all policies from Word format
  2. ✅ Converted 18 policies to Markdown format with inline {{variables}}
  3. ✅ Placed all policies in policy-templates directory
  4. ✅ Documented all variables in variable-registry.md (40+ variables)
  5. ✅ Organized variables by function (supports various org structures)
  6. ✅ Implemented 3-tier policy pack structure (Starter/Standard/Complete)
  7. ✅ Added simple 3-question implementation checks to all policies
  8. ✅ Created Essential Eight Implementation Policy
  9. ✅ Separated Password Authentication Policy from Access Control
  10. ✅ Added board oversight sections to critical policies
  11. ✅ Added Implementation Reality section to acknowledge real-world constraints
  12. ✅ Removed all personal names and company-specific content

Deliverables:

  • 18 policy templates with flexible variables
  • 3-tier additive policy pack structure (8+5+5 policies)
  • Complete variable registry with 40+ variables documented
  • Policy pack structure documentation
  • Clean templates without headers/footers/attribution
  • Board-ready governance sections
  • Practical implementation tracking

Next Steps:

  • Implement variable collection during onboarding
  • Create policy customization UI
  • Build PDF generation with variable replacement
  • Create policy pack selection workflow

Insurance Form Question Extraction

Status: ✅ COMPLETE (2025-06-13, Updated with 7th form)

Location: ../05-architecture/data-sources/insurance-questions/

Completed Actions:

  1. ✅ Obtained 7 insurance forms from:
     • AIG (CyberEdge Ransomware Supplemental)
     • Blue Zebra (Cyber Proposal Form)
     • Chubb (Small Business, Mid-Market & Forefront Portfolio)
     • Liberty (Ransomware Addendum)
     • Combined Application Form v2.3
  2. ✅ Extracted 127 questions total (was 113)
  3. ✅ Tagged each question with all 5 required attributes:
     • Insurance company
     • Form type and version
     • Risk pattern association (9 categories identified)
     • Framework mapping (E8, ISO27001, NIST, Privacy Act)
     • Answer type required (7 types: yes/no, text, numeric, etc.)
  4. ✅ Moved all deliverables to internal docs for planning reference
  5. ✅ Created analysis document connecting patterns to MVP design
  6. ✅ Re-extracted with Chubb Forefront Portfolio form (+14 questions)

Deliverables (in /05-architecture/data-sources/insurance-questions/):

  • insurance-questions.json (structured data ready for post-planning import)
  • insurance-questions.csv (spreadsheet format ready for post-planning import)
  • insurance-questions.md (human-readable format)
  • extraction-summary.md (analysis and statistics)
  • insurance-question-analysis.md (MVP design implications)
  • index.md (directory documentation)

Quality Notes:

  • Some questions fragmented due to PDF structure
  • 72% general questions, 28% with specific risk patterns
  • 92% general compliance, 8% framework-specific
  • New Chubb form adds employment practices and crime controls

Post-Planning Actions:

  • Import JSON/CSV into unified question bank when implemented
  • Manual review to fix fragmented questions
  • Deduplicate against other question sources
  • Create question selection logic based on company profile

Question Bank Data Import

Status: IN PROGRESS

Location: ../05-architecture/data-extraction-placeholders/question-bank-import-placeholder.md

Required Actions:

  1. Receive question dump from human (MD or CSV format)
  2. Parse and validate metadata
  3. Build import scripts
  4. Deduplicate questions
  5. Create unified question bank

Human TODO:

  • Prepare question dump in MD or CSV format
  • Include as much metadata as possible per question
  • Place in data-extraction-placeholders directory

Blocking:

  • Unified Question Bank implementation
  • Onboarding flow design

Cyber Audit Questionnaires

Status: PENDING

Required Actions:

  1. Obtain ACSC Essential Eight assessment questionnaires
  2. Extract all questions
  3. Tag for:
     • Risk patterns
     • Framework controls
     • Evidence requirements
     • Maturity level mapping

Blocking:

  • Unified Question Bank implementation
  • Essential Eight assessment methodology

Report Templates Collection

Status: PENDING

Required Actions:

  1. Collect example reports:
     • Board cyber reports
     • Compliance assessment reports
     • Risk register templates
     • Insurance readiness reports
  2. Extract standard sections and placeholders
  3. Define data mappings for auto-population

Notes from notes.md:

  • Need header/footer customization
  • Logo upload capability
  • PDF export with single policy or monolithic options

Vendor Questionnaire Templates

Status: PENDING

Required Actions:

  1. Create minimal viable vendor questionnaire
  2. Design email template
  3. Create web form for responses
  4. Define response processing workflow

Notes from notes.md:

  • Keep it simple for MVP
  • Email to vendor → web form → basic processing

Board Meeting Transcript Processing

Status: PENDING

Required Actions:

  1. Define transcript upload format
  2. Create parsing logic for:
     • Meeting summaries
     • Verbal approvals
     • Status changes
     • Action items

Notes from notes.md:

  • Allow transcript upload
  • Extract verbal approvals automatically
  • Update statuses based on decisions

How to Use This Tracker

  1. Before creating documentation: Check if required source materials are available
  2. When blocked: Note what external resources are needed
  3. After obtaining resources: Update status and proceed with documentation
  4. Regular review: Check this weekly to identify what can be unblocked

Priority Order for Obtaining Resources

  1. HIGH: E8 assessment questionnaires (for compliance automation)
  2. MEDIUM: Report templates (can create from scratch if needed)
  3. MEDIUM: Vendor questionnaire examples
  4. LOW: Board transcript examples (can simulate for MVP)

Completed:

  • ✅ Insurance form samples (127 questions extracted from 7 forms)