# Security Posture Workflow — Diagrams

Mermaid diagrams for the Host Finding Review & Remediation process.
Renders natively in GitHub, GitLab, and most modern documentation tools.

---

## Diagram 1 — Host Finding Review Workflow (Steps 1–5)

```mermaid
flowchart TD
    START([Open Reporting Page]) --> SYNC

    SYNC["① Sync & Sort<br/>Click Sync · Sort Due Date ascending"]
    SYNC --> DUE{Overdue<br/>findings?}
    DUE -->|Yes — start here| HOST
    DUE -->|No — start with amber| HOST

    HOST["② Identify the Host<br/>Verify IP in IPControl / Infoblox"]
    HOST --> CORRECT{Hostname<br/>correct?}
    CORRECT -->|No| EDIT["Inline-edit Host / DNS cell<br/>Amber dot marks the override"]
    EDIT --> OWN
    CORRECT -->|Yes| OWN

    OWN["③ Identify Asset Ownership<br/>Check BU column"]
    OWN --> BU{Our BU?}
    BU -->|"NTS-AEO-STEAM<br/>or ACCESS-ENG"| CVE
    BU -->|"Other BU<br/>or blank"| CARD["Add to CARD Queue<br/>☑ checkbox → CARD → Add to Queue"]
    CARD --> CARD2([Process in dedicated CARD session])

    CVE["④ Review CVEs in the Finding<br/>Up to 2 shown · hover +N badge for more"]
    CVE --> DBCHECK{CVE in<br/>database?}
    DBCHECK -->|No| ADDCVE["Create CVE entry on Home page<br/>NVD auto-fill populates details"]
    ADDCVE --> RESEARCH
    DBCHECK -->|Yes — review existing notes/docs| RESEARCH

    RESEARCH["Research CVE<br/>Vendor advisory · Cisco Bug Search<br/>Juniper PSN · Support ticket"]
    RESEARCH --> ACTION

    ACTION["⑤ Determine Required Action"]
    ACTION --> PATH{What does<br/>research show?}

    PATH -->|"Patch available<br/>FW / SW update"| PA
    PATH -->|"Fix is config<br/>change only"| PB
    PATH -->|"Not applicable<br/>to platform / version"| PC
    PATH -->|"Cannot patch<br/>vendor / EOL / business"| PD

    PA["PATH A — Remediation<br/>Firmware or Software Upgrade"]
    PA --> PA1["Plan & schedule upgrade<br/>Add note to finding row"]
    PA1 --> PA2(["Finding drops off after<br/>next Ivanti scan ✓"])

    PB["PATH B — Remediation<br/>Configuration Change"]
    PB --> PB1["☑ checkbox → Vendor → Archer<br/>Add to Queue"]
    PB1 --> PB2["Open Archer EXC ticket<br/>in dedicated session"]
    PB2 --> PB3(["Enter EXC-XXXXX<br/>in finding Notes cell ✓"])

    PC["PATH C — False Positive"]
    PC --> PC1["Take device screenshot<br/>Hostname · IP · SW version"]
    PC1 --> PC2["Obtain vendor documentation<br/>advisory / email / support ticket"]
    PC2 --> PC3["Upload evidence to CVE database<br/>Home page → CVE row → Upload"]
    PC3 --> PC4["☑ checkbox → Vendor → FP<br/>Add to Queue"]
    PC4 --> PC5(["Submit FP workflow in Ivanti<br/>in dedicated session ✓"])

    PD["PATH D — Risk Acceptance"]
    PD --> PD1["Take device screenshot<br/>Collect version info"]
    PD1 --> PD2{Vendor comms<br/>needed?}
    PD2 -->|Yes| PD3["Open vendor support ticket<br/>Request patch timeline / mitigations"]
    PD3 --> PD4
    PD2 -->|No| PD4["☑ checkbox → Vendor → Archer<br/>Add to Queue"]
    PD4 --> PD5["Open Archer EXC ticket<br/>in dedicated session"]
    PD5 --> PD6(["Enter EXC-XXXXX<br/>in finding Notes cell ✓"])

    %% Styling
    classDef step    fill:#1e3a5f,stroke:#0ea5e9,stroke-width:2px,color:#e2e8f0
    classDef decision fill:#1a2e1a,stroke:#10b981,stroke-width:2px,color:#e2e8f0
    classDef pathA   fill:#14391f,stroke:#10b981,stroke-width:1.5px,color:#e2e8f0
    classDef pathB   fill:#2d1f14,stroke:#f59e0b,stroke-width:1.5px,color:#e2e8f0
    classDef pathC   fill:#2d1414,stroke:#ef4444,stroke-width:1.5px,color:#e2e8f0
    classDef pathD   fill:#1a1430,stroke:#8b5cf6,stroke-width:1.5px,color:#e2e8f0
    classDef card    fill:#1a2e1a,stroke:#10b981,stroke-width:1.5px,color:#e2e8f0
    classDef done    fill:#0f172a,stroke:#475569,stroke-width:1.5px,color:#64748b

    class SYNC,HOST,OWN,CVE,RESEARCH,ACTION step
    class DUE,CORRECT,BU,DBCHECK,PATH decision
    class PA,PA1,PA2 pathA
    class PB,PB1,PB2,PB3 pathB
    class PC,PC1,PC2,PC3,PC4,PC5 pathC
    class PD,PD1,PD2,PD3,PD4,PD5,PD6 pathD
    class CARD,CARD2 card
    class EDIT done
```

---

## Diagram 2 — FP Workflow Badge Status Decision Tree

What to do when a finding already has a workflow badge in the Reporting page.

```mermaid
flowchart LR
    A([Finding in<br/>Reporting Page]) --> B{"Check<br/>Workflow column"}

    B -->|No badge| C["UNTRIAGED<br/>No action on record"]
    C --> C1(["Follow the<br/>Step 1–5 triage workflow ↑"])

    B -->|"🔵 Blue<br/>Requested"| D["IN FLIGHT<br/>FP submitted · awaiting approval"]
    D --> D1{"SLA window<br/>approaching?"}
    D1 -->|No| D2(["Monitor — no action yet ✓"])
    D1 -->|Yes| D3(["Follow up with<br/>the approver"])

    B -->|"🟡 Amber<br/>Reworked"| E["NEEDS REVISION<br/>Reviewer returned the ticket"]
    E --> E1["Open ticket in Ivanti<br/>Review feedback"]
    E1 --> E2(["Update justification<br/>and resubmit"])

    B -->|"🟡 Amber<br/>Actionable"| F["NEEDS RESPONSE<br/>Ticket flagged for team action"]
    F --> F1(["Open ticket in Ivanti<br/>Respond to the request"])

    B -->|"🔴 Red<br/>Expired"| G["EXCEPTION LAPSED<br/>Finding has re-opened"]
    G --> G1(["Submit a new FP request<br/>in Ivanti<br/>Reference previous ticket"])

    B -->|"🔴 Red<br/>Rejected"| H["CONFIRMED VULNERABILITY<br/>Security team denied the FP"]
    H --> H1(["Remediate the vulnerability<br/>Do not resubmit FP<br/>without new evidence"])

    %% Styling
    classDef trigger  fill:#0f172a,stroke:#0ea5e9,stroke-width:2px,color:#e2e8f0
    classDef blue     fill:#1e3a5f,stroke:#0ea5e9,stroke-width:1.5px,color:#e2e8f0
    classDef amber    fill:#2d2014,stroke:#f59e0b,stroke-width:1.5px,color:#e2e8f0
    classDef red      fill:#2d1414,stroke:#ef4444,stroke-width:1.5px,color:#e2e8f0
    classDef none     fill:#1a1a2e,stroke:#475569,stroke-width:1.5px,color:#94a3b8
    classDef done     fill:#0f172a,stroke:#334155,stroke-width:1px,color:#64748b

    class A,B trigger
    class D,D1,D2,D3 blue
    class E,E1,E2,F,F1 amber
    class G,G1,H,H1 red
    class C,C1 none
    class D2,D3,E2,F1,G1,H1 done
```

---

## Diagram 3 — Action Decision Matrix (Quick Reference)

Condensed view of the five research outcomes and their required actions.

```mermaid
flowchart LR
    START(["Research complete<br/>Step 4 done"]) --> Q{"What is the<br/>remediation path?"}

    Q --> R1["Firmware or<br/>Software update available"]
    R1 --> A1(["No ticket needed<br/>Schedule upgrade<br/>Add note to finding"])

    Q --> R2["Fix is a<br/>configuration change"]
    R2 --> A2(["Archer EXC ticket required<br/>Stage as Archer in Queue"])

    Q --> R3["Not applicable<br/>to this platform / version"]
    R3 --> A3(["FP workflow in Ivanti<br/>Evidence in CVE database"])

    Q --> R4["Patch not yet<br/>available from vendor"]
    R4 --> A4(["Archer EXC ticket<br/>Renew when patch ships"])

    Q --> R5["Device is EOL / EOS<br/>or business constraint"]
    R5 --> A5(["Archer ticket with<br/>mitigation steps +<br/>remediation plan"])

    Q --> R6["Asset not owned<br/>by our BU"]
    R6 --> A6(["CARD queue<br/>CARD disposition process"])

    classDef q      fill:#1e3a5f,stroke:#0ea5e9,stroke-width:2px,color:#e2e8f0
    classDef green  fill:#14391f,stroke:#10b981,stroke-width:1.5px,color:#e2e8f0
    classDef amber  fill:#2d2014,stroke:#f59e0b,stroke-width:1.5px,color:#e2e8f0
    classDef red    fill:#2d1414,stroke:#ef4444,stroke-width:1.5px,color:#e2e8f0
    classDef teal   fill:#0f2d2d,stroke:#14b8a6,stroke-width:1.5px,color:#e2e8f0

    class START,Q q
    class R1,A1 green
    class R2,A2,R4,A4,R5,A5 amber
    class R3,A3 red
    class R6,A6 teal
```

---

*Source document: `docs/security-posture-workflow.md`*