Justinaquino: "Add SCA Program Plan v3 and link to IT Operations & SOPs"

2026-03-20T10:07:17Z

"Add SCA Program Plan v3 and link to IT Operations & SOPs"

New page

= Security & Compliance Assistant Program Plan =

'''Version:''' 3 | '''Date:''' 20 March 2026 
'''Scope:''' All departments — Cornersteel Systems Corporation, Comfac Corporation (CF), Comfac Technology Options (CTO) 
'''Workload:''' 30 Hours / Week (Compressed / Flexible Schedule) 
'''Execution Cadence:''' Improvement Cycle — two major tasks per cycle, one formal Improvement Cycle artifact 
'''Philosophical Core:''' PDCA | TPS Lean | Theory of Constraints (ToC) 
'''Audit Model:''' Distributed — all staff across all three entities audit within their QOs, supported by pre-written checklists 
'''IT Track:''' Track 3 — sequenced after Marketing and Sales, whose cadence shapes IT's process definition. Tracks overlap where process owners and the SCA can work in parallel.

== Program Overview & Methodology ==

The SCA approaches compliance as a systems engineering challenge — not a paperwork exercise. The role acts as the organizational bridge between IT systems (ERPNext), Quality Management (ISO 9001), and Information Security (ISO 27001), working with process owners in each department to surface the ground-level reality of how work actually happens, then documenting and improving it incrementally. The audit burden on all staff is minimized by design.

The Operations Director maintains detailed, pre-written processes and checklist-driven procedures that allow any staff member across Cornersteel, CF, and CTO to step away and return to any audit activity without relearning. Auditing is baked into each person's Key Result Areas — not treated as a separate compliance event.

=== The Weekly Rhythm (30 Hours) ===

{| class="wikitable"
! Block !! Hours !! Activities
|-
| '''System Admin & Process Mapping''' || 12 hrs || Embedding with departments, mapping current workflows, reviewing IT backups and access controls, working with process owners.
|-
| '''Documentation & QMS Work''' || 12 hrs || Working with the QMS Coordinator, writing Wiki entries, practicing 8D investigations, drafting Quality Objectives, updating the department roadmap backlog.
|-
| '''Manager & AI Reflection''' || 6 hrs || Digesting findings, gap-checking against ISO standards with AI, and aligning with the Operations Director. Produces the weekly log entry and shapes the next Improvement Cycle tasks.
|}

'''Weekly Log Entry:''' At the end of each week, the SCA writes a brief (3–5 paragraph) Wiki entry covering: what was observed, what was documented, what anomalies or AI behavior issues were flagged, and what is being carried forward. This is the raw input that feeds the formal Improvement Cycle artifact.

== The Improvement Cycle ==

Every two weeks, the SCA produces one formal Improvement artifact. This is the primary compliance deliverable — not a status update, but a structured record of what was learned, what it means, and what happens next. Improvements are not limited to changes implemented — they include research conclusions, data gathered, and problems more deeply understood.

=== What Makes a Valid Improvement ===

An Improvement is valid when it satisfies all three of the following:

# '''Achievable in 2 weeks.''' The work — whether analysis, documentation, a process change, or a research conclusion — can be completed within the capacity of the SCA and any involved team members during that cycle.
# '''Scope is ruthlessly constrained.''' Connected to a High Level and a Ground Level. Every Improvement must name the High-Level aspect it serves (e.g., ISO 9001 Clause 8 — Operations, ISO 27001 Annex A.9 — Access Control, Business Continuity, QO performance for a department) and the Ground-Level manifestation it addresses (e.g., Sales team duplicates client records in ERPNext when CRM data is missing, causing billing errors). The connection between the two must be explicit.
# '''Tangible to stakeholders and end users.''' The output must be something a process owner, department head, or end user can point to, act on, or refer back to. A completed process diagram, a documented anti-pattern, a ranked backlog of gaps, a research summary with a recommendation — all qualify. A vague note that 'more work is needed' does not.

=== Improvement Cycle Artifact Structure ===

Each Improvement Cycle produces a single Wiki page (and where relevant, an ERPNext task or linked diagram) with the following fields:

{| class="wikitable"
! Field !! Description
|-
| '''Cycle #''' || Sequential number and date range (e.g., Cycle 03 — 14–28 April)
|-
| '''Department / Track''' || Which department or IT track this Improvement Cycle covers
|-
| '''High-Level Aspect''' || The ISO clause, security control, QO category, or strategic objective this connects to
|-
| '''Ground-Level Manifestation''' || The specific problem, anti-pattern, gap, or knowledge deficit being addressed — as observed at the operational level
|-
| '''Work Done This Cycle''' || What was actually completed: process mapped, interviews conducted, data gathered, diagram drafted, SOP written, research concluded, etc.
|-
| '''Tangible Deliverable''' || The artifact produced: Wiki page, process diagram, gap register entry, SOP draft, ranked backlog, research summary with recommendation
|-
| '''Stakeholder / End User Impact''' || Who benefits and how — in plain language that a non-technical process owner can understand
|-
| '''Next Cycle Direction''' || What the natural next increment is — not a commitment, but a directional signal for the upcoming planning session
|}

The Improvement Cycle artifact is not a report written for management. It is a living record that the SCA, process owners, and the Operations Director all reference. It feeds the department roadmap backlog and serves as auditable evidence of continuous improvement for ISO certification bodies.

== Department Documentation Sequence ==

The SCA works through departments in the sequence below, which follows the natural value chain of the business. The sequence is a guide, not a strict handoff — adjacent tracks will naturally overlap wherever process owners and the SCA can work in parallel. The SCA pulls documentation as availability and workflow allow, never forcing artificial completion gates between tracks.

'''Criteria of Success per Department:'''
* A documented and diagrammed process map of the department's current-state workflow
* An identified list of Areas for Improvement, classified by High-Level aspect and Ground-Level manifestation
* A Department Roadmap/Backlog — the ranked queue of tasks and improvements, with only the immediate near-term items detailed to Improvement Cycle resolution

=== Track 1: Marketing — Intelligence, Strategy & Commercial Communication ===

Marketing is the upstream source of the organization's commercial positioning. It covers market and competitive intelligence, translation of business strategy into advertising and collateral materials, and the strategic context that shapes Sales activities.

'''Process Scope.''' Market intelligence gathering and synthesis, campaign and material production workflow, content approval and version control, handoff of strategic context to Sales (briefings, battlecards, pricing rationale), CRM data origination from marketing activities.

'''Key Compliance Relevance.''' ISO 9001 Clause 7.4 (communication), Clause 8.2 (customer requirements), and information security requirements around competitive intelligence and pricing data storage.

'''Immediate Near-Term Focus.''' CRM data quality at origination — the Marketing-to-Sales handoff is the first point where ERPNext data integrity can break down. Identifying the specific anti-patterns (duplicate records, missing fields, inconsistent categorization) is the first Improvement Cycle target for this track.

'''Deliverable.''' Current-state process map of Marketing's workflow from intelligence to Sales handoff. CRM data quality gap register. Department roadmap backlog.

=== Track 2: Sales Onboarding — Commercial Conversion & Client Intake ===

Sales Onboarding covers the commercial conversion process from qualified lead through to signed engagement. The Sales track depends on Marketing's cadence.

'''Process Scope.''' Lead qualification and handoff from Marketing, proposal generation and approval, contract review and execution, client data capture into ERPNext at point of sale, handoff documentation from Sales to Operations for project kickoff.

'''Key Compliance Relevance.''' ISO 9001 Clause 8.2 (determination of requirements), Clause 8.4 (control of externally provided processes), and data protection requirements around client personal and commercial data.

'''Immediate Near-Term Focus.''' The Sales-to-Operations handoff: is the information Operations needs to start a project actually captured and transferred? Missing or informal handoffs are a recurring source of scope disputes and rework.

'''Deliverable.''' Current-state process map of the onboarding workflow. Gap register for contract and data capture completeness. Handoff checklist (first draft). Department roadmap backlog.

=== Track 3: IT / Operations — Internal & External Service Delivery ===

IT is itself an Operations department with two distinct client sets: internal (Comfac IT itself) and external (Cornersteel, CF, and CTO as clients of IT services). IT is sequenced after Marketing and Sales because its process definition is shaped by the cadence those departments establish.

'''Process Scope.''' Task intake and triage (internal vs. external client), prioritization logic, escalation paths, IT project lifecycle (from requirement to delivery), infrastructure change management, security incident response, and vendor/tool evaluation.

'''Key Compliance Relevance.''' ISO 27001 Annex A controls (access management, change management, incident response, supplier relationships) and ISO 9001 Clause 8 (operational planning). IT's QO performance metrics feed the group-wide compliance picture.

'''Deliverable per Cycle.''' Incremental process maps and gap entries as each sub-process is pulled. The IT roadmap backlog is built live — what is on the plate now is detailed; what comes after is a ranked directional queue updated each cycle.

'''Related SOPs & IT Operations Pages:'''
* [[SOP: Network Troubleshooting & pfSense Monitoring 251130]]
* [[Standard Operating Procedure: Distributed Minute Taking & Task Ownership 251208]]
* [[IT REQUEST (OP-ERP-ITR) - EDITED 250801]]
* [[IT IMPORTS PROCESSES]]
* [[Business Continuity]]
* [[Procedure: CC-Blast Data Breach Prevention]]
* [[2026 MIS IT KRA KPI Biz Plan]]

=== Track 4: Operations — Project Delivery & Field Execution ===

Operations covers the full delivery lifecycle: client site visits and surveys, requirements gathering, project kickoff, task execution, and project close.

'''Process Scope.''' Client visit and survey workflow, requirements documentation and sign-off, project kickoff process (including internal task creation in ERPNext), task assignment and progress tracking, project closure and handoff to Support.

'''Key Compliance Relevance.''' ISO 9001 Clause 8.3 (design and development), Clause 8.5 (production and service provision), Clause 8.6 (release of products and services).

'''Immediate Near-Term Focus.''' ERPNext task creation discipline at kickoff — are tasks created with enough detail to be auditable? Are they linked to the correct client, project, and contract?

'''Deliverable.''' Current-state process map of the full delivery lifecycle. ERPNext task discipline gap register. Kickoff checklist (first draft). Department roadmap backlog.

=== Track 5: Support — Quality Assurance, Helpdesk & Issue Resolution ===

Support is the feedback loop of the organization. It receives closed projects from Operations, handles ongoing client issues, manages the helpdesk queue, and surfaces quality problems back into the QMS through non-conformance and corrective action processes.

'''Process Scope.''' Helpdesk ticket intake and triage, issue classification and priority assignment, ERPNext issue tracking and task turnaround, escalation to Engineering or Operations, QA review at project close, non-conformance reporting and corrective action initiation.

'''Key Compliance Relevance.''' ISO 9001 Clause 9.1 (monitoring and measurement), Clause 10.2 (nonconformity and corrective action). Support's records are primary audit evidence for both ISO 9001 and ISO 27001 security incident handling.

'''Immediate Near-Term Focus.''' Issue-to-task turnaround time and traceability in ERPNext — can a specific client complaint be traced from ticket through resolution to corrective action?

'''Deliverable.''' Current-state process map of the support and QA workflow. Traceability gap register. Non-conformance template (first draft). Department roadmap backlog.

== Implementation Phases ==

=== Phase 1: ISO 9001 Foundation & Process Optimization (Current – August) ===

'''Focus:''' Cornersteel Pilot, PDCA Integration, ERPNext Visibility, Department Documentation Sequence

{| class="wikitable"
! Weeks !! Cycle !! Focus !! Key Deliverable
|-
| 1–2 || Cycle 1 || Orientation & First Observations — embed with Marketing, Sales, IT; attend QMS meetings; set up Wiki structure and ERPNext access. || Wiki entry: structured observation log. High-Level: ISO 9001 Clause 4. Ground-Level: initial observations of process divergence across at least two departments.
|-
| 3–4 || Cycle 2 || Track 1 — Marketing Process Map. Map current-state workflow from intelligence gathering to Sales handoff. Review ERPNext CRM data for origination quality issues. || Marketing current-state process diagram. CRM data quality gap register (first entries). ISO 9001 Clause 7.4 and 8.2.
|-
| 5–6 || Cycle 3 || Track 2 — Sales Onboarding & Handoff Documentation. Map Sales onboarding from qualified lead to Operations handoff. Continue Marketing map in parallel where available. || Sales onboarding current-state process diagram. First draft of Sales-to-Operations handoff checklist. ISO 9001 Clause 8.2 and 8.4.
|-
| 7–8 || Cycle 4 || Track 3 — IT Current Plate & Prioritization Logic. Embed with IT to map current task landscape. ERPNext team resources begin onboarding. || IT current task landscape map. First draft of IT prioritization logic documentation. ISO 27001 Annex A.12, ISO 9001 Clause 8.
|-
| 9–10 || Cycle 5 || ERPNext QO Visibility — Cross-Track Data Gap Analysis. Co-analyse QO data structures across three documented tracks with ERPNext team. || ERPNext QO data gap register (Marketing, Sales, IT). Recommended field and report corrections. ISO 9001 Clause 9.1.
|-
| 11–12 || Cycle 6 || Track 4 — Operations Delivery Process & August Milestone Prep. Begin Operations track process mapping. Finalize Cornersteel PDCA templates. Prepare CF/CTO migration map. || Operations current-state process map (Phase 1 portion). CF/CTO migration plan document. ISO 9001 Clause 8.3 and 8.5.
|}

'''Milestone — August FY End:''' The SCA is formally presented to the full group as the compliance bridge. The distributed audit model is introduced to all department heads with QO checklists distributed.

=== Phase 2: ISO 27001 Preparation & Academic Security Partnerships (September – February) ===

'''Focus:''' QO Consolidation, FY Planning Support, 27001 Gap Analysis, Staffing Recruitment, Support Track, Academic Partnerships

{| class="wikitable"
! Weeks !! Cycle !! Focus !! Key Deliverable
|-
| 13–14 || Cycle 7 || QO Consolidation — Comfac & Comfac IT. Gather, reconcile, and structure all QO data from both entities for the August FY-end presentation. || Consolidated QO register (Comfac + Comfac IT), formatted for Cornersteel August FY-end planning presentation. Gap list of QOs lacking owners or measurable targets. ISO 9001 Clause 6.2.
|-
| 15–16 || Cycle 8 || Track 5 — Support Process Map & 27001 Gap Analysis Launch. Two concurrent workstreams. Recruiting for network/sysadmin staff begins. || Support track process map, traceability gap register, non-conformance template. ISO 27001 gap analysis initiation. ISO 9001 Clause 10.2.
|}

'''November – January: Academic Partnerships & Knowledge Base'''
* Partner with local universities; onboard IT/CS interns and capstone students
* SCA trains students on SC frameworks; launches internal bug bounty program against internal apps and ERP environments
* Expand company Wiki with security guidelines and student engagement findings

'''February: Hardening & Capital Investment Planning'''
* Draft formal ISMS policies for CF and CTO, incorporating gap analysis findings and student testing results
* Prepare business case and vendor shortlist for professional external Penetration Testing and hardware/software upgrades needed for formal ISO 27001 certification

=== Phase 3: Advanced ISO 27001 Operations (March Onwards) ===

'''Focus:''' External Audits, Capital Investment Execution, Formal Certification

* '''External Penetration Testing.''' Engage professional external penetration testers. SCA coordinates testing, acts as blue team liaison, logs all findings into the continuous improvement tracker via Improvement Cycle artifacts.
* '''Formal Audit Readiness.''' Conduct internal mock audits for ISO 9001 (CF and CTO) and ISO 27001 using the distributed audit model.
* '''Network & Sysadmin Staff Integration.''' Newly recruited staff operating under 27001-aligned procedures. SCA transitions to coordination and audit oversight role.
* Certification timelines depend on external auditor availability and corrective action cycle outcomes.

== Distributed Audit Model ==

Auditing is not a compliance department event — it is everyone's job across all departments in Cornersteel, CF, and CTO. The design goal is to make compliance so embedded in daily work that staff forget it is compliance and remember it as their process.

{| class="wikitable"
! Component !! Description
|-
| '''QO Integration''' || Every staff member has audit-relevant tasks baked into their Quality Objectives. Performance is measured against these as part of the normal review cycle.
|-
| '''Pre-Written Checklists''' || The Operations Director and SCA maintain detailed, standardized processes and checklists. Staff can step away and return to any audit activity without relearning.
|-
| '''Department Roadmap Backlogs''' || Each department's backlog — produced during the documentation sequence — is the living record of what needs to improve, in what order. It is pulled, not pushed: only the immediate next item is fully detailed.
|-
| '''SCA as Facilitator''' || The SCA designs the systems, maintains the checklists, trains staff, and reviews Improvement Cycle outputs. The SCA does not own all audits. The whole organization audits itself.
|-
| '''Scale''' || New departments and new entities are onboarded to the same infrastructure. No proportional headcount growth in the compliance function is needed.
|}

== AI-Assisted Work: Known Failure Modes & Architectural Controls ==

All AI-assisted compliance tasks must account for four structurally documented failure modes in AI agents (sourced from Mount Sinai Health System research on AI agent reliability). These affect every AI-assisted workflow including ERPNext gap analysis, risk assessments, and audit report generation.

=== The 4 Failure Modes ===

==== 1. The Inverted-U of Performance — Edge Case Blindness ====
AI performs well on routine, textbook cases but fails silently at the extremes. High average accuracy scores mask critical failures precisely where stakes are highest.

''In our context:'' An AI reviewing ERPNext data will handle thousands of standard records accurately but may completely miss a cleverly modified duplicate invoice, an anomalous vendor record, or an edge-case non-conformance that does not fit a standard pattern.

==== 2. Chain of Thought Disconnect — Knows But Does Not Act ====
An AI's internal reasoning and its final output are semi-independent. The AI may correctly identify a risk in its reasoning trace but still produce a benign final recommendation regardless.

''In our context:'' An AI reviewing a compliance gap may internally flag a critical control failure but still output a low-priority finding. The SCA must review the reasoning trace, not just accept the conclusion.

==== 3. Anchoring Bias — Social Context Hijacks Judgment ====
When structured data is mixed with unstructured human language, the language can override the data entirely. A single reassuring note from a manager was shown to make AI 12x more likely to downgrade an actual risk.

''In our context:'' A senior manager noting 'I'm confident this vendor is fine' could cause the AI to ignore a real risk finding. All AI-assisted risk assessments must run on structured data before narrative context is added.

==== 4. Guardrails Fire on Vibes, Not Actual Risk ====
AI safety systems activate on surface-level language patterns rather than a true risk taxonomy — testing for the appearance of safety rather than actual safety.

''In our context:'' A monitoring tool might flag an email labeled 'confidential' while ignoring an employee exfiltrating 50,000 customer records labeled 'project backup.' Detection rules must be built on behavioral and structural indicators, not language cues.

=== The 4-Layer Architectural Response ===

{| class="wikitable"
! Layer !! Name !! Description
|-
| 1 || '''Progressive Autonomy''' || No AI agent is given full autonomous authority over a compliance output immediately. High-stakes AI assistance runs in shadow mode alongside human review until edge-case reliability is demonstrated.
|-
| 2 || '''Deterministic Validation''' || Where an AI's reasoning trace triggers a specific risk flag, a hard-coded checklist rule forces escalation — independent of what the AI's final output says. The SCA maintains these trigger rules in the compliance checklist infrastructure.
|-
| 3 || '''Eval Flywheel''' || The SCA regularly audits not just cases the AI flagged as problematic, but also a sample of cases the AI rated as clean. Discrepancies are captured in the weekly log and the Improvement Cycle artifact.
|-
| 4 || '''Factorial Stress Testing''' || When evaluating AI tools or reviewing AI-generated reports, the SCA periodically injects stressors — contradictory context, social pressure cues, time constraints — to verify that outputs do not shift based on framing rather than facts.
|}

== Weekly AI & Manager Reflection Protocol ==

Every Friday (or end of the 30-hour cycle), a 2-hour reflection block between the SCA, Operations Director, and AI tools. The protocol is structured to counteract known AI failure modes:

# '''Data Ingestion — Structured First.''' SCA inputs structured data (process maps, 8D reports, QO findings, gap register entries) before any narrative or management commentary. This prevents anchoring bias (Failure Mode 3).
# '''Reasoning Trace Review.''' SCA reviews the AI's chain of thought, not just its final output. Any disconnect between internal reasoning and final recommendation is flagged for manual escalation (Failure Mode 2).
# '''Edge Case Spot-Check.''' SCA manually reviews a sample of cases the AI rated as clean. Silent defects accumulate in the AI's confidently-cleared cases (Failure Modes 1 & 3, Eval Flywheel).
# '''Gap Check.''' AI reviews the SCA's work against ISO 9001/27001 standards and TPS methodologies to identify logical gaps or missing controls.
# '''Manager Alignment.''' Operations Director and SCA review AI feedback, confirm no anchoring bias in the session, and set the two major tasks for the next cycle.
# '''Weekly Log Entry.''' SCA writes a brief (3–5 paragraph) Wiki entry: what was observed, what was documented, what anomalies were flagged, what carries forward.

The Improvement Cycle artifact is the primary compliance deliverable. The weekly log is its input. Together they form the continuous improvement evidence chain required by ISO 9001 Clause 10.3 and ISO 27001 Clause 10.1.

== Related Pages ==

* [[2026 MIS IT KRA KPI Biz Plan]] — IT KRA/KPI targets and QO performance tracking
* [[SOP: Network Troubleshooting & pfSense Monitoring 251130]] — IT infrastructure SOP
* [[Standard Operating Procedure: Distributed Minute Taking & Task Ownership 251208]] — Meeting and task SOP
* [[IT REQUEST (OP-ERP-ITR) - EDITED 250801]] — IT request process
* [[Business Continuity]] — Business continuity procedures
* [[8D (Eight Discipline) Problem Solving Procedure]] — 8D problem-solving framework
* [[Procedure: CC-Blast Data Breach Prevention]] — Data breach prevention SOP
* [[System Hardening Strategy: Win2Lin Migration & Infrastructure 251129]] — Infrastructure hardening

SCA Program Plan 260320 - Revision history

Justinaquino: "Add SCA Program Plan v3 and link to IT Operations & SOPs"