ciso-review
Install: claude install-skill timdevai/proteus
# /cs:ciso-review — CISO Forcing Questions
**Command:** `/cs:ciso-review <plan>`
The risk-paranoid threat-modeler. Six questions before any production change that touches customer data or compliance scope.
## When to Run
- Before deploying any system that touches PII / PHI / cardholder data
- Before signing a new vendor with data access
- Before a compliance audit (SOC 2, ISO 27001, HIPAA, GDPR)
- Before any architecture decision crossing trust boundaries
- After any near-miss incident
## The Six CISO Questions
### 1. Threat Model
**What's the STRIDE threat model for this system, and which threat is most likely?**
- Spoofing, Tampering, Repudiation, Info Disclosure, DoS, Elevation of Privilege.
- Pick the top 3 by likelihood × impact.
### 2. Blast Radius
**If this is fully compromised, what data is exposed and how many users are affected?**
- Worst case in plain English.
- Quantify in dollars via FAIR-based ALE.
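An added worked example for question 2 (not part of the /cs:ciso-review skill itself): a FAIR-style annualized loss exposure estimate that turns a blast-radius figure into dollars, both as a most-likely point value and as a seeded Monte Carlo range. The scenario values, the `Range`/`Scenario` names and the per-record loss model are constructed assumptions.

```python
"""FAIR-style ALE for the Blast Radius question (added example, constructed data)."""
import random
from dataclasses import dataclass
from statistics import mean, quantiles


@dataclass(frozen=True)
class Range:
    """Calibrated min / most-likely / max estimate for one FAIR factor."""
    low: float
    likely: float
    high: float

    def sample(self, rng: random.Random) -> float:
        # Triangular distribution as a quick stand-in for PERT in FAIR runs.
        return rng.triangular(self.low, self.high, self.likely)


@dataclass(frozen=True)
class Scenario:
    """FAIR decomposition: LEF = TEF x vulnerability; LM = loss per record x records."""
    tef_per_year: Range     # threat event frequency (attempts per year)
    vulnerability: Range    # probability an attempt becomes a loss event, 0..1
    loss_per_record: Range  # USD per exposed record (notification, monitoring, fines)
    records_exposed: int    # blast radius from question 2


def point_ale(s: Scenario) -> float:
    """Deterministic most-likely ALE = LEF x LM, for the plain-English worst case."""
    lef = s.tef_per_year.likely * s.vulnerability.likely
    return lef * s.loss_per_record.likely * s.records_exposed


def simulate_ale(s: Scenario, trials: int = 10_000, seed: int = 7) -> dict:
    """Monte Carlo ALE: mean plus p50/p90 so the range, not just a point, is reported."""
    rng = random.Random(seed)
    draws = []
    for _ in range(trials):
        lef = s.tef_per_year.sample(rng) * s.vulnerability.sample(rng)
        lm = s.loss_per_record.sample(rng) * s.records_exposed
        draws.append(lef * lm)
    p = quantiles(draws, n=100)  # p[i] is the (i+1)-th percentile
    return {"mean": mean(draws), "p50": p[49], "p90": p[89]}


# Constructed, hypothetical scenario: 250k customer records behind a new API.
CUSTOMER_API = Scenario(
    tef_per_year=Range(2, 6, 20),
    vulnerability=Range(0.02, 0.05, 0.15),
    loss_per_record=Range(50, 150, 300),
    records_exposed=250_000,
)

if __name__ == "__main__":
    print(f"point ALE: ${point_ale(CUSTOMER_API):,.0f}")
    print({k: f"${v:,.0f}" for k, v in simulate_ale(CUSTOMER_API).items()})
```

The p90 figure is the number to put beside the worst case: it is what the regulator window and the IR runbook in questions 4 and 5 have to be sized for.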
### 3. Detection
**What signals indicate compromise, and how long until they're triggered (MTTD)?**
- Logs alone are not detection.
- Define the detection rule, the alert, and the on-call.
### 4. Response
**Is there an IR runbook for this scenario, and has it been tabletop-tested?**
- If no runbook: build one before ship.
- If untested: tabletop before ship.
### 5. Regulatory Window
**What's the regulator notification window if this scenario occurs?**
- GDPR: 72h. HIPAA: 60d. State breach laws vary.
- Pre-write the customer comms template.
### 6. Vendor & S