π Board Report Generator (Rule-Driven)¶
Overview¶
The Board Report Generator produces professional, board-ready compliance reports through Rule-Driven Templating - combining simple SQL queries with polished PDF presentation. No AI required; sophistication comes from design and structure.
Why Rule-Driven vs AI¶
Board directors value:
- β Transparent, auditable calculations
- β Predictable, consistent reporting
- β Defensible in regulatory audits
- β Clear line from policy β task β evidence
AI summaries provide:
- β Black-box calculations
- β Unpredictable outputs
- β Difficult to audit
- β Higher operational costs
Architecture: Three Layers¶
1. Structured Data Model (The Foundation)¶
// Clear relationships enable reporting
tables {
policies: {
policy_id, policy_name, category, status
}
controls: {
control_id, policy_id, control_name, framework_mapping
}
tasks: {
task_id, control_id, assignee, due_date,
status: 'Not Started' | 'In Progress' | 'Pending Review' | 'Complete'
}
evidence: {
evidence_id, task_id, submitted_by, submitted_at,
attestation_statement
}
}
This relational structure IS the audit trail.
2. Simple Rule Engine (The Logic)¶
// Board Report Metrics (Simple SQL Queries)
// Overall Compliance Percentage
const overallCompliance = `
SELECT
(COUNT(CASE WHEN status = 'Complete' THEN 1 END) * 100.0 / COUNT(*)) as percentage
FROM tasks
`
// At-Risk Controls (Overdue)
const atRiskControls = `
SELECT
c.control_name,
t.assignee,
t.due_date,
DATEDIFF(CURRENT_DATE, t.due_date) as days_overdue
FROM tasks t
JOIN controls c ON t.control_id = c.control_id
WHERE t.status != 'Complete'
AND t.due_date < CURRENT_DATE
ORDER BY days_overdue DESC
`
// Compliance by Category
const complianceByCategory = `
SELECT
p.category,
COUNT(CASE WHEN t.status = 'Complete' THEN 1 END) as complete_tasks,
COUNT(*) as total_tasks,
(COUNT(CASE WHEN t.status = 'Complete' THEN 1 END) * 100.0 / COUNT(*)) as percentage
FROM policies p
JOIN controls c ON p.policy_id = c.policy_id
JOIN tasks t ON c.control_id = t.control_id
GROUP BY p.category
ORDER BY percentage ASC
`
// Items Pending Review (Bottlenecks)
const pendingReview = `
SELECT
c.control_name,
t.assignee,
t.submitted_at,
DATEDIFF(CURRENT_DATE, t.submitted_at) as days_pending
FROM tasks t
JOIN controls c ON t.control_id = c.control_id
WHERE t.status = 'Pending Review'
ORDER BY days_pending DESC
`
3. Professional PDF Template (The Output)¶
Technology: WeasyPrint (Python) or Puppeteer (Node.js) - render HTML to PDF
Report Structure:
<!-- Page 1: Executive Summary -->
<div class="page executive-summary">
<header>
<img src="{company_logo}" />
<h1>Cybersecurity Governance Report</h1>
<p>As of {report_date}</p>
</header>
<section class="kpis">
<div class="kpi">
<h2>{compliance_percentage}%</h2>
<p>Overall Compliance</p>
</div>
<div class="kpi">
<h2>{implemented_count}/{total_count}</h2>
<p>Controls Implemented</p>
</div>
<div class="kpi critical">
<h2>{at_risk_count}</h2>
<p>Controls At-Risk</p>
</div>
</section>
<section class="compliance-chart">
<h3>Compliance by Area</h3>
{category_bar_chart}
</section>
</div>
<!-- Page 2: Items Requiring Board Attention -->
<div class="page board-attention">
<h2>Items Requiring Board Attention</h2>
<section class="at-risk">
<h3>At-Risk Controls (Overdue)</h3>
{for control in at_risk_controls}
<div class="control-item critical">
<h4>{control.name}</h4>
<p><strong>Status:</strong> {control.days_overdue} days overdue</p>
<p><strong>Owner:</strong> {control.assignee}</p>
</div>
{endfor}
</section>
<section class="not-implemented">
<h3>High-Impact Controls Not Yet Implemented</h3>
{for control in high_impact_not_started}
<div class="control-item warning">
<h4>{control.name}</h4>
<p><strong>Status:</strong> Not Started</p>
<p><strong>Due Date:</strong> {control.due_date}</p>
</div>
{endfor}
</section>
</div>
<!-- Page 3: Attestation -->
<div class="page attestation">
<h2>Management Attestation</h2>
<p>This report reflects the state of compliance as of {report_date}.</p>
<div class="signature-block">
<p>_______________________</p>
<p>{ciso_name}, Chief Information Security Officer</p>
<p>Date: {report_date}</p>
</div>
</div>
Implementation Checklist¶
- Design SQL queries for key metrics
- Create HTML/CSS report template
- Integrate PDF generation library (WeasyPrint/Puppeteer)
- Build simple charting for category breakdown (Chart.js or similar)
- Add one-click "Generate Report" button to Director Dashboard
- Test with sample data across different compliance scenarios
- Add report generation to audit log
MVP Constraints¶
What's Included:
- Standard report format (1 template)
- Core metrics (compliance %, at-risk, category breakdown)
- Professional PDF output
- Exception-focused (board attention items)
What's Deferred:
- Custom report templates
- AI-generated narrative summaries
- Interactive/drill-down reports
- Automated report scheduling
- Natural language insights
Success Criteria¶
β Director can understand compliance posture in under 3 minutes β Report is board-meeting ready (professional presentation) β Calculations are transparent and auditable β Highlights exceptions requiring board attention β Generated in under 5 seconds
Future Enhancements (Post-MVP)¶
- AI-generated executive summary narratives
- Custom report templates
- Trend analysis across quarters
- Peer benchmarking
- Interactive dashboards
Related Documents: