Night Mode Labs Blue Book
Governance

Compliance Evidence

Compliance evidence should be generated as a byproduct of normal engineering workflows. Manual screenshots and ad hoc spreadsheets do not scale.

Evidence sources

Useful evidence often comes from:

  • Source control history and pull request reviews.
  • CI/CD run logs, approvals, and deployment records.
  • Infrastructure plan and apply logs.
  • Access review exports and identity provider logs.
  • Vulnerability scan results and remediation records.
  • Incident records, postmortems, and follow-up completion.
  • Backup, restore, and disaster recovery test results.

Control mapping

Map each control to the system of record that produces its evidence, so that evidence for a given control is pulled from a known source rather than assembled by hand at audit time.

Evidence quality

Good evidence is:

  • Tied to a named control and audit period.
  • Exported from a system of record.
  • Timestamped and attributable.
  • Reproducible without special tribal knowledge.
  • Stored with retention and access controls.

Exceptions

Exceptions need owners, expiry dates, compensating controls, and risk acceptance. Permanent exceptions should trigger an architecture review workshop.

Track:

  • What control is not met.
  • Why the exception exists.
  • Who accepted the risk.
  • When it expires.
  • What will remove the exception.
