A comprehensive governance framework, documentation library, automation tooling, and web application for managing ICT governance across multi-tenant, multi-cloud environments. Built on the CBA Consult IT Management Framework, it provides policies, blueprints, validation pipelines, and operational tooling for AWS, Azure, Google Cloud Platform, and hybrid deployments.
| Table of Contents | Documentation Hub | Repository Guide |
| Audience | Start here |
|---|---|
| New to the project | Project scope and objectives |
| Governance teams | Core ICT Governance Framework |
| Improvement priorities | Improvement focus areas |
| ISO standards alignment | ISO Standards Library — inventory, crosswalks, 2026 reassessment |
| RPAS / agent governance | RPAS Governance, ADPA module, and Integration Guide |
| Client / service providers | Business Continuity Services |
| Implementers | Implementation summary |
| Security / compliance operators | Privileged access governance, Web application, and Seven-Pillar Implementation Plan |
| Developers | Web application README and Developer guide |
| Contributors | Contributing guidelines |
The framework addresses governance across complex tenant communities with varying security, compliance, and service requirements. It combines structured documentation, Infrastructure as Code templates, PowerShell automation, RPAS governance validation, and an interactive web portal.
Core capabilities:
ICT-Governance-Framework-Application/
├── docs/ # Primary documentation (policies, architecture, implementation)
├── adpa/ # ADPA product module (templates, entities, generation, systematics)
├── governance/ # RPAS-CM governance baseline and validation artifacts
├── ict-governance-framework/ # Web application, APIs, and frontend dashboard
├── azure-automation/ # PowerShell modules and Azure governance automation
├── blueprint-templates/ # Bicep/ARM templates and policy blueprints
├── Azure-IaC-Governance/ # Azure IaC governance patterns and templates
├── framework-evaluation/ # Framework assessment tools
├── generated-documents/ # Auto-generated documentation and templates
├── src/ # Shared source modules (e.g. document generation)
├── tests/ # Pester and Playwright test suites
├── .github/workflows/ # CI/CD, RPAS validation, and security scanning
├── README.md # This file
├── DEVELOPER.md # Local development and testing guide
└── LICENSE # MIT License
For a detailed breakdown by role and document category, see the Repository Guide.
X-JIT-Context middleware on protected API routesThis platform implements a live, audit-ready governance system aligned with NIST CSF 2.0, extending beyond static compliance into continuous, provable security operations.
correlation_idmitre_technique_T1003 → Credential Dumping)previous_value → new_valuenpm run export:audit-evidence)| Function | Status |
|---|---|
| Identify (ID) | ✅ Asset register + CASB integration |
| Protect (PR) | ✅ Identity (JIT), Devices |
| Detect (DE) | ✅ Continuous monitoring + XDR-aligned |
| Respond (RS) | ✅ Closed-loop incident lifecycle |
| Recover (RC) | 🟡 DR validation (Sprint D) |
| Govern (GV) | ✅ FAIR + calibration + executive dashboards |
Note: This implementation provides evidence-backed alignment with NIST CSF 2.0 but does not claim formal certification. See the NIST CSF 2.0 Compliance Review.
The repository embeds the Regulated Process Assurance System — Cloud Master (RPAS-CM) baseline under governance/. RPAS-CM is a portable, project-agnostic governance envelope that ensures AI agents and automation operate with integrity, accountability, and deterministic auditability.
It combines mechanical validation (Atomic Execution & Validation — AEV) with semantic governance assurance (ADPA guardrails) into a single enforceable lifecycle: Proposal → Decision → Execution.
TAR, COL, CSR, AMD)| Document | Purpose |
|---|---|
| RPAS.md | Core framework, guardrails (G1–G5), and naming conventions |
| RPAS-TAR.md | Traceability, Authority & Responsibility |
| RPAS-COL.md | Collision-prevention protocol |
| RPAS-TAR-COL.md | Combined TAR/COL matrix |
| RPAS-ESC.md | Escalation procedures |
| RPAS-HIL.md | Human-in-the-loop requirements |
| RPAS-OPM.md | Operational management |
| RPAS-PRE.md | Pre-execution checks |
| RPAS-TCL.md | Traceability control logic |
| CONTRIBUTING.md | RPAS contribution and amendment rules |
Amendment records (AMD-*.md) and release notes (v2.x.x-Release-Notes.md) document state transitions and hardening history.
governance/
├── RPAS*.md # Core methodology definitions
├── AMD-*.md # Amendment records
├── visuals/ # Governance flow diagrams
├── security/archive/ # Remediation records
└── rpas/ # Project integration scaffold
├── artifacts/ # ADPA, ARM, and AEV control metadata
├── hooks/ # Pre-commit hook templates
├── scripts/ # Registration and validation tooling
├── manifest.json # Baseline version and required files
├── project.binding.json # Project-specific RPAS binding
└── governance_checksum.json # Committed checksum for drift detection
The current integration mode is in-repo — ADPA systematics, RPAS governance, framework documentation, Compliance as Code, and the web application are a single product repository. The adpa/ module is the canonical source for policy alignment, templates, entity catalog, and document generation.
npm run adpa:validate # Validate ADPA project structure
npm run adpa:list # List ICT framework templates
npm run adpa:generate -- policy-alignment --var entityId=tenant-01
npm run adpa:prioritize # Telemetry → template priority queue (demo)
See adpa/README.md and ADPA Integration Guide.
Run from the repository root:
npm run governance:register # Install local registration state and pre-commit hook
npm run governance:validate # Validate required files, bindings, and checksum
npm run governance:checksum # Refresh checksum after intentional baseline changes
| Layer | What it checks |
|---|---|
| Local registration | Writes governance/rpas/.state/registration.json and installs the pre-commit hook template |
| AEV validation | Required RPAS files, project binding, ADPA/ARM/AEV artifacts, and checksum integrity |
| CI (GitHub Actions) | RPAS AEV Validation and RPAS Governance Validation run on every push and pull request |
If the checksum is stale after a baseline change, run npm run governance:checksum and commit the updated governance_checksum.json before validation will pass.
See RPAS.md for the full guardrail definitions and RPAS Governance Integration Guide for setup and upgrade instructions.
ADPA (Architecture Decision and Policy Alignment) is the translation layer between human-readable governance and machine-enforceable compliance. It connects the ICT Governance Framework — policies, standards, and strategic intent — to Compliance as Code and governance automation so that decisions made in the framework become traceable, testable, and continuously enforced.
flowchart LR
subgraph framework [ICT Governance Framework]
POL[Policies and Standards]
DEC[Architecture Decisions]
REQ[Compliance Requirements]
end
subgraph adpa [ADPA Bridge]
DOC[ADPA Documents]
TPL[Templates and Schemas]
META[TAR-COL Traceability]
BASE[Entity Baselines]
end
subgraph codified [Compliance as Code]
IAC[IaC Templates]
PAC[Policy-as-Code]
CSR[CSR-Certified Baselines]
CHECK[Automated Validation]
end
subgraph automation [Governance Automation]
CI[CI/CD and AEV Gates]
AZ[Azure Automation]
DRIFT[Drift Detection]
TELEM[Telemetry Compliance]
end
framework --> adpa
adpa --> codified
codified --> automation
automation -->|feedback| adpa
automation -->|evidence| framework
| From (ICT Governance Framework) | Through ADPA | To (Compliance as Code) | Enforced by (Governance Automation) |
|---|---|---|---|
| Governance policies and standards | Policy alignment documents | Azure Policy, Bicep modules, M365DSC config | Pipeline validation, policy compliance scans |
| Architecture decisions | ADPA decision records with evidence metadata | Reference architectures, approved IaC patterns | Architecture validation in CI/CD |
| Regulatory and compliance requirements | Requirement traceability templates | Compliance controls in code, entity baselines | Continuous compliance monitoring, audit reports |
| Change and amendment rituals | RPAS TAR-COL metadata and AMD records |
Version-controlled baseline updates | AEV gates, checksum validation, pre-commit hooks |
| Entity definitions (tenant, workload, subscription) | Certified golden-state baselines | Per-entity IaC and configuration state | Drift detection, telemetry comparison, remediation workflows |
Without ADPA, governance documents and automated enforcement remain disconnected. ADPA ensures every codified control traces back to an approved decision, every automation action produces auditable evidence, and every drift event can be classified against a known baseline.
| Layer | Role | Current foundation |
|---|---|---|
| ICT Governance Framework | Strategic and tactical policies, roles, and compliance frameworks | docs/governance-framework/, docs/policies/ |
| ADPA bridge | Decision records, policy alignment, traceability, and baseline certification | ADPA module, ADPA control artifact, ADPA templates, generated documents |
| Compliance as Code | Codified policies, infrastructure templates, and certified baselines | blueprint-templates/, IaC integration guide, CSR-42 baseline |
| Governance automation | Automated validation, monitoring, drift detection, and remediation | azure-automation/, RPAS validation scripts, continuous compliance monitoring |
| Entity baseline | Certified golden state per governed entity | Governance checksum, IaC golden state, Aspire manifest drift |
| Telemetry compliance | Real-time signals compared against baselines | Real-time monitoring summary, Critical violations dashboard |
RPAS-CM classifies deviations using a formal drift taxonomy:
Each drift type maps to a change-request path and, where applicable, a remediation workflow.
Telemetry feeds (Azure Monitor, Log Analytics, Sentinel, CASB/SIEM, endpoint inventory, and IaC validation) are being integrated to close the loop between static baselines and live environment state:
See also: IaC integration guide, Microsoft365DSC integration, and real-time compliance monitoring framework.
Active integration work targets:
TAR-COL traceability and amendment ritualsADPA document generation aligns with PMBOK value-delivery principles (outcomes over outputs, continuous value assessment, stakeholder-defined success). Templates are not produced for documentation volume — each artifact must trace to measurable value, an approved decision, or a compliance obligation.
Recommended ADPA template pack (mapped to the ICT Governance Framework):
| Template | Source framework document | PMBOK alignment | Primary value outcome |
|---|---|---|---|
| Framework charter | ICT Governance Framework | Benefits / stakeholder | Strategic alignment and governed scope |
| Multi-tenant governance | Multi-Cloud Multi-Tenant Framework | Resource / stakeholder | Tenant isolation and SLA-backed service tiers |
| Operating model | Strategic & Tactical Overview | Team / stakeholder | Clear authority and escalation (RPAS TAR) |
| Target state | Target Governance Framework | Planning / uncertainty | Gap closure toward industry benchmarks |
| Policy alignment | ICT Governance Policies | Quality / delivery | Policy → Compliance as Code traceability |
| RACI & authority | Roles & Responsibilities | Team / stakeholder | Non-overlapping accountability |
| KPI catalog | ICT Governance Metrics | Measurement / uncertainty | Quantified governance effectiveness |
| Compliance-as-code map | IaC Integration guide | Delivery / planning | Automated enforcement of approved controls |
| ISO 38500 crosswalk | ISO/IEC 38500 Standards | Quality / stakeholder | Conformance evidence for audit |
| Zero Trust assessment | Zero Trust Maturity Model | Uncertainty / measurement | Risk-informed security investment |
Template outputs carry TAR-COL metadata (governance/schemas/rpas-tar-col.schema.json) and tie to the value realization plan categories: cost reduction, risk reduction, revenue enablement, and strategic capability.
When entities (tenants, workloads, subscriptions, applications, identities) and template priorities are derived from live telemetry rather than static inventories alone, ADPA shifts from reactive documentation to evidence-led governance.
flowchart TB
subgraph telemetry [Live telemetry]
SENT[Microsoft Sentinel]
SIEM[SIEM / CASB / Log Analytics]
MON[Azure Monitor and Policy]
EP[Endpoint and identity signals]
end
subgraph entities [ADPA entity model]
ENT[Tenant / workload / app entities]
RISK[Risk and exposure scoring]
GAP[Governance gap detection]
PRI[Template priority queue]
end
subgraph adpa_gen [ADPA generation]
TPL[Context-aware templates]
DEC[Decision records]
BASE[Entity baselines]
RTM[Requirements and RTM updates]
end
subgraph value [PMBOK value loop]
MEAS[Measure outcomes]
OPT[Optimize portfolio]
PROVE[Audit evidence]
end
SENT --> ENT
SIEM --> ENT
MON --> GAP
EP --> RISK
ENT --> PRI
GAP --> PRI
RISK --> PRI
PRI --> TPL
TPL --> DEC
TPL --> BASE
TPL --> RTM
BASE --> MON
DEC --> PROVE
MEAS --> OPT
OPT --> PRI
How Sentinel and SIEM guide the system
| Telemetry signal | Entity or scope discovered | ADPA template triggered | Governance action |
|---|---|---|---|
| Shadow IT / unsanctioned SaaS (CASB + Sentinel) | Application entity | Policy alignment, Zero Trust assessment | Approve, block, or procure via governance workflow |
| Repeated policy violations (Azure Policy + Sentinel) | Workload / subscription entity | Compliance-as-code map, KPI catalog update | Codify remediation in IaC; amend baseline (AMD) |
| Incident correlation (Sentinel incidents / alerts) | Affected tenant and identity entities | Architecture decision record, risk register | Harden controls; link to CSR baseline |
| Compliance drift (continuous monitoring) | Configuration entity | Policy alignment, ISO crosswalk | PR-based IaC fix with AEV gates |
| Observability gaps (missing logs / connectors) | Platform entity | Framework charter section, operating model | Close instrumentation gap; resolve observability drift |
| High-risk exception patterns | Domain owner entity | RACI template, stakeholder communication | Escalate per RPAS-ESC; human-in-the-loop approval |
Entity baselines are hydrated from telemetry: discovery sources (Defender for Cloud Apps, Sentinel, resource graph) populate the governed entity catalog; ADPA compares live posture to certified golden state and classifies drift using the drift taxonomy. Connectors are defined in the enterprise connectors guide (sentinel, defender-cloud-apps).
Generation rules (target behaviour)
Telemetry-guided ADPA closes the gap between governance intent and operational reality, converting SIEM/Sentinel evidence into auditable decisions and codified remediation — the differentiator described in the business case ($2.3M annual value target, 94% ROI).
| Value category | Without telemetry-guided ADPA | With Sentinel/SIEM-guided ADPA | How value is measured |
|---|---|---|---|
| Cost reduction | Manual discovery, stale inventories, duplicate assessments | Auto-prioritized templates; generate only where drift or shadow IT is proven | Hours saved on assessment; FTE redeployment (value plan — process automation $450K) |
| Risk reduction | Late detection; documentation disconnected from incidents | Incident-linked decision records; baselines updated from real attack paths | Incident rate, MTTR, governance-related security cost ($150K target) |
| Compliance efficiency | Periodic audits; reactive remediation | Continuous drift → ADPA change request → IaC fix loop | Compliance automation %; audit prep time ($280K target) |
| Strategic capability | Static framework docs; maturity guesses | Live Zero Trust and policy-gap assessments from telemetry | Maturity score improvement; portfolio value realization rate |
| Stakeholder confidence | Reports lag reality | Real-time dashboards with traceable ADPA evidence | Stakeholder satisfaction; policy compliance rate (>95% KPI) |
PMBOK value-delivery chain
| PMBOK principle (7th/8th ed.) | ADPA + telemetry manifestation |
|---|---|
| Focus on value | Template queue ordered by value-at-risk from live signals |
| Be a steward | Entities and baselines reflect actual estate, not aspirational diagrams |
| Recognize complexity | Multi-source correlation (Sentinel + CASB + Policy) before generation |
| Demonstrate leadership | Executive KPI catalog fed by measured outcomes |
| Tailor based on context | Per-tenant / per-workload templates from entity classification |
| Build quality into deliverables | TAR-COL metadata and AEV gates on every generated artifact |
| Optimize risk responses | Drift severity drives template type and escalation path |
One-sentence value proposition: ADPA turns Sentinel and SIEM telemetry into governed entities, prioritized templates, and certified baselines — so every governance artifact is generated because the live environment proved it was needed, and every remediation can be traced to measurable value.
The ICT Governance Framework, ADPA, and RPAS form a single value system — not three parallel initiatives. Together they turn infrastructure optimization from local, project-by-project effort into portfolio-wide, auditable, continuously enforced governance.
flowchart TB
subgraph ict [ICT Governance Framework]
STRAT[Strategy policies roles metrics]
INTENT[What good looks like]
end
subgraph adpa [ADPA]
TRANS[Decisions templates baselines]
BRIDGE[Policy to Compliance as Code]
end
subgraph rpas [RPAS Governance]
ENF[AEV gates TAR-COL CSR AMD]
ASSURE[Integrity accountability audit trail]
end
subgraph infra [Optimized ICT infrastructure]
IAC[IaC golden state]
TELEM[Sentinel SIEM telemetry]
AUTO[Automation and drift remediation]
end
subgraph value [Measured value]
COST[Cost reduction]
RISK[Risk reduction]
REV[Portfolio and innovation ROI]
end
STRAT --> TRANS
TRANS --> ENF
ENF --> IAC
IAC --> TELEM
TELEM -->|drift gaps incidents| TRANS
TELEM -->|KPIs evidence| STRAT
IAC --> COST
TELEM --> RISK
ASSURE --> REV
| Layer | Role in optimization | Value it unlocks |
|---|---|---|
| ICT Governance Framework | Defines what to govern — policies, tenant models, Zero Trust, metrics, ISO 38500 alignment | Strategic alignment; stops undifferentiated spend |
| ADPA | Translates intent into traceable decisions, templates, entity baselines, and Compliance as Code | Closes the policy-to-code gap; evidence-led change |
| RPAS | Certifies every change as attributable and replay-safe (CSR-42, AEV, TAR-COL, AMD) | Prevents governance theatre; audit-ready lineage |
Infrastructure optimization in this framework is not only cost reduction on cloud resources. It means:
blueprint-templates/)The business case targets $2.3M annual value at 94% ROI on $1.275M investment:
| Value bucket | Annual target | Infrastructure optimization angle |
|---|---|---|
| Cost reduction | $1.2M (52%) | Automation, resource redeployment, compliance efficiency |
| Revenue / portfolio | $900K (39%) | 25% ICT investment ROI improvement; faster time-to-value |
| Strategic | $200K (9%) | Maturity positioning, stakeholder trust |
See the value realization plan for targets within cost reduction: process automation ($450K), resource optimization ($320K), compliance automation ($280K), and risk/incident reduction ($150K).
The business case models Status Quo (Do Nothing) explicitly:
| Metric | Do-nothing outcome |
|---|---|
| Annual value | −$650K (continued value leakage) |
| 5-year NPV | −$2.75M |
| Risk | High — worsening governance and regulatory pressure |
The $650K is accounted leakage. Hidden costs — often unbudgeted — compound on top:
| Hidden cost | Evidence in current-state analysis | Impact |
|---|---|---|
| Operational drag | 2,400 manual governance hours/month; 14-day decision cycle; 30% effort on non-value work | Teams firefight instead of standardize; every deployment reinvents approvals |
| Portfolio waste | 35% of ICT investments lack justification; 15% portfolio value leakage | Cloud sprawl, duplicate tools, ungoverned workload retirement |
| Risk and incident tax | $180K/year governance-related security issues; 23 audit findings (800 remediation hours) | Response cost, reputational damage, regulatory exposure |
| Drift and shadow estate | Shadow IT, config drift, observability gaps | Live estate diverges from approved baseline until breach or audit |
| Recovery exposure | Git-to-cloud recovery designed but not end-to-end validated | RTO/RPO targets fail silently until a real event |
| Governance credibility gap | Bootstrap ADPA (SET_ME); mock dashboards in some paths |
Client trust risk; invalid compliance assessment if presented as production-ready |
Practical formula: Hidden cost ≈ accounted leakage ($650K) + incident/audit tax + drift remediation surge + delayed projects + failed recovery events.
The framework evaluation methodology includes estimate cost of inaction in gap analysis because unmaintained governance gaps accelerate under regulatory and threat pressure.
ICT Governance Framework — know what to optimize
ADPA — turn intent into executable, traceable artifacts
RPAS — make optimization safe, auditable, and repeatable
Restore-RpasBaseline.ps1Executive summary: Optimizing ICT infrastructure under the ICT Governance Framework, with ADPA as the policy-to-code bridge and RPAS as the assurance layer, converts $650K+ annual value leakage into $2.3M annual measurable value — through automated compliance, fewer incidents, portfolio ROI improvement, and recoverable multi-cloud estates. Inaction does not save money; it defers cost into incidents, audits, drift remediation, and failed recovery events (modeled −$2.75M five-year NPV).
Technical summary: The framework defines the golden state, ADPA codifies and prioritizes it from live telemetry, RPAS certifies every change, and automation keeps production aligned — so infrastructure optimization is continuous, provable, and reversible.
| Dimension | Inaction / siloed tooling | ICT GF + ADPA + RPAS |
|---|---|---|
| Policy enforcement | Manual reviews, periodic audits | Compliance as Code + continuous scan |
| Change control | Tickets and email | AMD + AEV + PR-based IaC |
| Incident → improvement | Post-mortem slides | Sentinel signal → ADPA decision → baseline update |
| Drift | Discovered at audit or outage | Classified in minutes; governed remediation |
| Recovery | Restore backups to unknown config | Git + CSR baseline to known governed state |
| Audit evidence | Scattered, reconstructed | TAR-COL lineage, append-only AMD |
| Value measurement | Aspirational | KPI catalog tied to value realization plan |
The platform has transitioned from static compliance scaffolding to a live, adaptive governance system (SecOps loop, FAIR risk, calibration, executive dashboards). Formal NIST CSF 2.0 certification remains pending — see Gate A remediation for remaining items (CASB persistence, DR validation, Phase 3 attestation).
The framework delivers Business Continuity Services as a staged client offering — from protecting content alone, through combined infrastructure and content backup, to rebuilding the entire ICT estate from a Git repository across Azure, AWS, GCP, and hybrid clouds under RPAS governance.
The Git repository is the authoritative recovery source: governance documents, Compliance as Code templates, automation scripts, tenant configuration, and application definitions together describe not just what to restore but how the full ICT infrastructure should be running.
flowchart TB
subgraph s1 [Stage 1: Content Backup]
C1[Files, databases, M365 content]
C2[Recovery Services Vault / cloud backup]
end
subgraph s2 [Stage 2: Infrastructure and Content Backup]
I1[IaC templates in Git]
I2[Configuration and policy snapshots]
I3[Content plus infra state protected]
end
subgraph s3 [Stage 3: Git-to-Cloud ICT Recovery]
G1[Git repository as source of truth]
G2[Deploy to Azure / AWS / GCP]
G3[Entire ICT stack back online]
end
subgraph s4 [Stage 4: RPAS-Governed Continuation]
R1[CSR-certified baseline restored]
R2[Drift validation and telemetry]
R3[Content continuation with compliance]
end
s1 --> s2
s2 --> s3
s3 --> s4
s4 -->|amendments| G1
| Stage | Service scope | Recovery question answered | Framework support |
|---|---|---|---|
| 1. Content backup | Files, databases, SaaS content | Can we restore the data? | Recovery Services Vault, tenant backup config |
| 2. Infrastructure and content backup | IaC definitions, policies, configs, plus content | Can we restore data and the infrastructure that serves it? | blueprint-templates/, Azure-IaC-Governance/, M365DSC integration |
| 3. Full ICT recovery from Git | Entire ICT estate redeployed from version-controlled repo to target clouds | Can the whole ICT infrastructure be back up and running from Git? | IaC integration guide, azure-automation/, multi-tenant blueprint, CI/CD workflows |
| 4. RPAS-governed continuation | Stateful, compliant, telemetry-validated operations post-recovery | Does recovered infrastructure remain governed, certified, and continuous? | RPAS/AEV gates, ADPA baselines, drift detection, real-time monitoring |
Clients advance through these stages without disruptive replatforming — each stage extends the previous one.
When infrastructure and governance live in Git, disaster recovery becomes reproducible deployment rather than manual rebuild. The repository holds everything needed to reconstruct the ICT estate:
recovery-source/ (this repository)
├── docs/ # Governance policies and procedures
├── governance/ # RPAS baseline, amendments, CSR certification
├── blueprint-templates/ # Bicep/ARM — Azure infrastructure
├── Azure-IaC-Governance/ # Azure governance patterns
├── azure-automation/ # PowerShell deployment and compliance scripts
├── ict-governance-framework/ # Application platform and APIs
├── generated-documents/ # ADPA-generated client and project artifacts
└── .github/workflows/ # CI/CD pipelines for validated deployment
Multi-cloud recovery flow:
This model means recovery is not dependent on a single cloud region or vendor — the same Git repo can rebuild ICT infrastructure wherever the client needs it.
At the highest maturity stage, content continuation goes beyond backup:
Target objectives: RTO ≤ 4 hours, RPO ≤ 1 hour, with compliance drift detected within 30 minutes of configuration change (NFR backup/recovery).
For MSPs and cloud providers offering Business Continuity Services to clients:
See multi-tenant implementation guide, business continuity testing, and IaC management.
The following summarises how the RPAS Rollback & Recovery Service responds when a client suffers a ransomware attack. The full walkthrough includes timelines, commands, and audit deliverables.
Scenario: Contoso Health (Enterprise Healthcare tenant) — phishing email triggers ransomware that encrypts synced M365 files and attempts lateral movement to Azure VMs. Last certified baseline: CSR-42.
| Phase | Time | Action |
|---|---|---|
| Detect | T+0–15 min | CASB ransomware policy, Sentinel correlation, and continuous compliance monitoring raise critical alerts; human team isolates VM, revokes sessions, opens AMD record |
| Assess | T+15–45 min | RPAS drift taxonomy classifies security, configuration, and governance drift; team selects full state recovery to CSR-42 rather than in-place repair |
| RPAS rollback | T+45–90 min | Restore-RpasBaseline.ps1 -CsrId CSR-42 restores Git to last SAFE-certified commit; AEV gates validate checksum and artifact integrity |
| Git-to-cloud rebuild | T+90 min–3 h | Deploy clean infrastructure to recovery region from Bicep/M365DSC in repo; restore VM/DB from Recovery Services Vault; restore M365 content from pre-encryption backup |
| Verify & continue | T+3–4 h | Drift reports, policy scans, and telemetry confirm baseline match; traffic fails over; content continuation resumes under RPAS control |
| Post-incident | T+4 h+ | AMD closure, ADPA hardening decisions, audit-ready evidence package for client and regulators |
Recovery outcome: RTO ~3.5 h (target ≤ 4 h), RPO ~45 min (target ≤ 1 h) — entire ICT estate back online from Git with governed, certified, auditable state.
# Core rollback command — restore last certified RPAS baseline
./governance/rpas/scripts/Restore-RpasBaseline.ps1 -CsrId CSR-42
# Validate before redeployment
npm run governance:validate
# Confirm no remaining drift after recovery
./governance/rpas/scripts/New-RpasDriftReport.ps1
The ict-governance-framework/ directory contains the interactive governance portal — a Next.js frontend (:3000) backed by an Express API (:4000) and PostgreSQL persistence.
The portal treats infrastructure posture and human authority events as separate audit boundaries — a design aligned with NIS2 evidence presentation:
| Domain | What it tracks | UI surface |
|---|---|---|
| Assets | Infrastructure objects — tenant, origin, DR posture, CASB refs, RTO/RPO | /asset-register |
| JIT elevation | Standard operators requesting time-bounded privileged tokens | /jit-elevation |
| Break Glass | Out-of-band emergency windows, trend exposure, manual reconciliation | /break-glass |
Regulators reviewing configuration state use the Asset Register. Evaluating control effectiveness and systemic integrity pivots to the JIT / Break Glass ledgers — not per-asset audit drawers.
| Route | Menu | Purpose |
|---|---|---|
/asset-register |
Compliance → Asset Register | RPAS inventory: DR status, shadow IT, validation posture |
/jit-elevation |
Security → JIT Elevation | Create JIT tickets, browse ledger, view privileged actions |
/break-glass |
Security → Break Glass Console | Emergency ticket war-room, trend chart, cryptographic sweep |
/compliance-dashboard |
Compliance | Compliance posture overview |
/ciso-dashboard |
Security → CISO Dashboard | Executive security metrics |
cd ict-governance-framework
npm install
cp .env.example .env # database, JWT, JIT, and Break Glass secrets
createdb ict_governance_framework
npm run setup-db
npm run setup-users # dashboard roles and dev login (see app README)
npm run setup:governance
npm run setup:assets
npm run setup:jit-ledger
# Terminal 1 — API
npm run server # http://localhost:4000
# Terminal 2 — frontend
npm run dev # http://localhost:3000
Default dev credentials are created by setup-users (see web application README).
JIT elevation issues short-lived context tokens for protected mutations (asset promote/sync, governance incidents, measurement-plan patches). When JIT_ENFORCEMENT_ENABLED=true, callers must pass X-JIT-Context: Bearer <token> after POST /api/auth/jit/elevate.
Break Glass is an out-of-band emergency path when cloud identity is unavailable. Activation uses POST /api/auth/jit/emergency/activate with the configured system secret — not exposed in the UI. Optional BREAK_GLASS_ALERT_WEBHOOK_URL dispatches Slack-shaped alerts on activation.
| API | Method | Purpose |
|---|---|---|
/api/auth/jit/elevate |
POST | Create standard JIT elevation ticket |
/api/auth/jit/ledger |
GET | List ledger tickets (?category=jit or break_glass) |
/api/auth/jit/ledger/:ticketId/actions |
GET | Privileged action log for a ticket |
/api/auth/jit/emergency/activate |
POST | Break Glass activation (system secret) |
/api/auth/jit/emergency/revoke |
POST | Revoke active emergency ticket |
/api/auth/jit/emergency/reconcile |
POST | Manual cryptographic audit sweep |
/api/analytics/break-glass/trend |
GET | Break Glass exposure trend (integrity KPI input) |
Ledger tables: jit_elevation_ledger, privileged_action_logs (see sql/jit_ledger.sql).
Run from ict-governance-framework/ after the database is configured:
npm run verify:jit # JIT enforcement middleware
npm run verify:break-glass # Emergency activation lifecycle
npm run verify:analytics # Break Glass trend reconciliation
npm run verify:manual-audit # Manual ledger cryptographic sweep
npm run verify:assets # Asset register API
npm run verify:casb-ingest # CASB shadow-IT webhook ingest
npm run verify:secops # SecOps loop (MITRE, timeline, FAIR)
npm run verify:calibration # FAIR model calibration
npm run export:audit-evidence # Phase 3 + P4 audit evidence pack
See .env.example for the full list. Security-relevant entries:
| Variable | Purpose |
|---|---|
JIT_ENFORCEMENT_ENABLED |
Enforce JIT context on privileged routes (default on in production) |
JIT_ELEVATION_SECRET |
Signing secret for JIT context tokens |
BREAK_GLASS_ALLOWED |
Enable Break Glass emergency activation |
BREAK_GLASS_SYSTEM_SECRET |
Out-of-band activation secret |
BREAK_GLASS_ALERT_WEBHOOK_URL |
Slack/webhook URL for activation alerts |
GOVERNANCE_WEBHOOK_SECRET |
Gate A incident ingestion |
CASB_INGEST_WEBHOOK_SECRET |
Focus Area 5 shadow-IT ingest |
See the web application README for authentication, RBAC, and API details.
npm run verify:jit to confirm privileged-access enforcementnpm testContributions are welcome. Please read CONTRIBUTING.md and the Code of Conduct before submitting changes.
mainThis project is released under the MIT License. See also:
Organizations implementing this framework are responsible for ensuring compliance with applicable laws and regulations. The framework provides guidance but does not guarantee compliance with GDPR, HIPAA, SOX, ISO 27001, or other regulatory standards.
The framework evolved from the original CBA Consult vision of blueprint-based governance in multi-cloud environments. Key principles include:
For process ownership and drift management best practices, see the Governance Framework Best Practices wiki.
A companion mobile application provides end-user assessment of compliance and security posture: