CISO Strategy Session - Meeting Notes
Meeting Objective
Demonstrate docs-as-code methodology and show how home enterprise patterns translate to CHLA production deployments.
Industry Context - Docs-as-Code Movement
Who’s doing this?
Tools I’m Using
| Tool | What It Does | Project Link |
|---|---|---|
| Antora | Multi-repo documentation sites | |
| AsciiDoc | Semantic markup language (richer than Markdown) | |
| Asciidoctor | AsciiDoc processor (Ruby/JS) | |
| D2 | Diagrams as code - declarative (Terrastruct) | |
| Mermaid | Diagrams as code - widely adopted (GitHub native rendering) | |
| age | Modern encryption (FiloSottile) | |
| Pandoc | Universal document converter | |
My Security Practices
| Practice | Implementation | Details |
|---|---|---|
| Secrets Management | PRJ-SECRETS + gopass + age encryption | All credentials encrypted at rest; environment-specific secrets; hardware key integration |
| Email Security | PRJ-AERC (terminal email client) | OAuth2 tokens via scripts; no plaintext passwords; GPG-signed commits |
| Disaster Recovery | PRJ-RECOVERY + OPS-RECOVERY | LUKS header backups; SSH key escrow; documented recovery procedures |
| SSH Hardening | Ed25519 keys only; agent forwarding disabled | Hardware security keys (FIDO2); per-host configurations; jump host patterns |
| Post-Quantum Ready | ML-KEM hybrid key exchange | OpenSSH 9.x with |
| Encrypted Backups | LUKS + age + NAS replication | Full disk encryption; encrypted archives; off-site backup verification |
Security-Focused Implementations
| Organization | Approach |
|---|---|
| HashiCorp | All product docs in docs-as-code; Terraform, Vault, Consul docs are AsciiDoc/MDX |
| Cisco DevNet | API documentation generated from OpenAPI specs; learning labs in Markdown |
| NIST | OSCAL (Open Security Controls Assessment Language) - compliance as code |
| CIS Benchmarks | Moving to machine-readable formats for automated compliance |
| MITRE ATT&CK | Entire framework available as structured data (STIX/TAXII) |
Why This Matters for Security
- Auditability - Git history shows who changed what, when
- Peer Review - PRs for documentation changes (SOX/HIPAA friendly)
- Consistency - Templates enforce standards across teams
- Automation - CI/CD can validate, publish, and alert on changes
- Encryption - Sensitive docs protected at rest (age, GPG)
- Compliance - Documentation changes are tracked, reviewable, auditable
Agenda (30 min)
| Time | Topic | Duration |
|---|---|---|
| 0:00 | Introduction / Context Setting | 2 min |
| 0:02 | Docs-as-Code Demo | 8 min |
| 0:10 | Home Enterprise → CHLA Production Pattern | 10 min |
| 0:20 | Zero-Trust Implementation | 5 min |
| 0:25 | Questions / Next Steps | 5 min |
Section 1: Context Setting (2 min)
Key Points:
- "I’ve built a documentation engineering system that enables rapid, consistent security documentation"
- "Everything is version controlled, peer-reviewable, and produces multiple output formats"
- "I test security patterns at home first, then adapt for CHLA production"
Section 2: Docs-as-Code Demo (8 min)
2.1 Show the Build System
Terminal commands:
```bash
# Show build script capabilities
head -80 .principia/scripts/build/build-adoc.sh
# Build a monthly compilation
.principia/scripts/build/build-adoc.sh 03_Captures/2026/02/MONTH-2026-02.adoc
# Show outputs
ls -la 03_Captures/2026/02/output/
```
Talking points:
- "One source file, multiple outputs: HTML, PDF, DOCX"
- "Watch mode for live editing - saves time"
- "Encryption for sensitive documents"
- "Batch builds for entire directories"
2.2 Show Variables/Attributes
Open in editor: 03_Captures/2026/02/MONTH-2026-02.adoc
Highlight:
```asciidoc
// Variables - change once, updates everywhere
:prj-chla-linux-runbook: ../../../02_Assets/PRJ-ISE-CHLA-LINUX-ANTORA/...
// Document includes - modular composition
include::{day-01}[leveloffset=+1]
// Cross-references
link:{prj-chla-linux-runbook}[CHLA Linux Workstation Runbook]
```
Talking point:
> "No hardcoded values. Change an IP address in one place, it updates across all documentation."
2.3 Show Templates
Terminal:
```bash
ls 02_Assets/PRJ-ANTORA/templates/
```
Talking point:
> "Teams can spin up new documentation projects from templates. Consistent structure, immediate productivity."
Section 3: Home Enterprise → CHLA Pattern (10 min)
3.1 The Reference Implementation
Show Antora project count:
```bash
ls 02_Assets/ | grep -i antora | wc -l
# Answer: 10 Antora documentation projects
```
Open browser: Home Enterprise Antora Site
02_Assets/PRJ-ISE-HOME-LINUX-ANTORA/docs/asciidoc/build/site/prj-ise-home-linux/0.2.0/index.html
Talking points:
- "Full ISE/802.1X/EAP-TLS implementation documented"
- "Includes D2 diagrams - diagrams as code"
- "Validation scripts embedded in documentation"
- "1300+ lines on zero-trust dACL alone"
3.2 The Production Adaptation
Show side-by-side:
| Home Enterprise | CHLA Production |
|---|---|
| Antora site (browsable) | Standalone runbook (PDF for team) |
| wpa_supplicant (Arch Linux) | NetworkManager (Ubuntu) |
| My workstations | Dr. Shahab’s research workstation |
Open PDF: CHLA Runbook
02_Assets/PRJ-ISE-CHLA-LINUX-ANTORA/runbooks/output/linux-workstation-deployment-runbook.pdf
Talking point:
> "Same security patterns, adapted for CHLA’s environment. Ben and Victor can follow the PDF step-by-step."
3.3 Show netapi Automation
Terminal:
```bash
# Check ISE session
netapi ise mnt session b4:e9:b8:f6:c8:17
# List authorization rules
netapi ise get-authz-rules "Wired Closed MAB"
# Force reauthentication
netapi ise mnt coa-disconnect b4:e9:b8:f6:c8:17
```
Talking point:
> "I built tooling to automate ISE operations. Validation, session monitoring, policy changes - all scriptable."
Section 4: Zero-Trust Implementation (5 min)
4.1 dACL Design
Key principle: Deny internal first, permit only what’s needed
```text
! Block lateral movement FIRST
deny ip any 10.0.0.0 0.255.255.255
deny ip any 172.16.0.0 0.15.255.255
deny ip any 192.168.0.0 0.0.255.255
! Then permit required services
permit udp any host <DC> eq 53 ! DNS
permit tcp any host <ISE> eq 8443 ! Posture
permit tcp any any eq 443 ! HTTPS
! Implicit deny all else
```
Talking point:
> "Research workstations can reach the internet but cannot pivot to internal systems. Defense in depth: dACL + host firewall + VLAN segmentation."
4.2 Validation Evidence
Show test script output:
```text
=== Testing BLOCKED traffic ===
Test 8: Ping to internal - should FAIL
[PASS] Internal ICMP blocked
Test 9: SSH to switch - should FAIL
[PASS] Switch SSH blocked
Test 10: SSH to NAS - should FAIL
[PASS] NAS SSH blocked
```
Talking point:
> "Every deployment is validated with automated tests. Not just 'it works' - proof that security controls are enforced."
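As an added example (not the netapi tooling or the validation script from the page), a small first-match evaluator for the dACL in 4.1: it parses the Cisco-style wildcard-mask ACEs, runs the same kind of blocked/allowed checks the 4.2 output shows, and goes one step further by flagging any ACE that an earlier, broader ACE makes unreachable, the ordering mistake the deny-internal-first design is meant to avoid. The `<DC>` and `<ISE>` hosts are stood in by RFC 5737 documentation addresses, and every address and packet below is constructed.

```python
import ipaddress

# Constructed ACL: <DC>/<ISE> from the page are stood in by RFC 5737 documentation addresses.
DACL = """
! Block lateral movement FIRST
deny ip any 10.0.0.0 0.255.255.255
deny ip any 172.16.0.0 0.15.255.255
deny ip any 192.168.0.0 0.0.255.255
! Then permit required services
permit udp any host 192.0.2.10 eq 53     ! DNS     (<DC> placeholder)
permit tcp any host 192.0.2.20 eq 8443   ! Posture (<ISE> placeholder)
permit tcp any any eq 443                ! HTTPS
""".strip().splitlines()

def parse_ace(line):
    """Parse one ACE into (action, proto, dst_network, dst_port); comment lines give None."""
    tok = line.split("!", 1)[0].split()
    if not tok:
        return None
    action, proto, rest = tok[0], tok[1], tok[3:]   # tok[2] is the source ('any' throughout)
    if rest[0] == "any":
        dst, rest = ipaddress.ip_network("0.0.0.0/0"), rest[1:]
    elif rest[0] == "host":
        dst, rest = ipaddress.ip_network(rest[1]), rest[2:]
    else:                                            # address + wildcard mask (inverse netmask)
        dst, rest = ipaddress.ip_network(f"{rest[0]}/{rest[1]}"), rest[2:]
    return action, proto, dst, (int(rest[1]) if rest[:1] == ["eq"] else None)

def evaluate(aces, proto, dst_ip, dst_port=None):
    """First matching ACE wins; no match falls through to the implicit deny."""
    ip = ipaddress.ip_address(dst_ip)
    for action, aproto, dst, port in aces:
        if aproto in ("ip", proto) and ip in dst and port in (None, dst_port):
            return action
    return "deny"

def shadowed_aces(aces):
    """Indexes of ACEs that can never match because an earlier ACE fully covers them."""
    return [i for i, (_, p, d, port) in enumerate(aces)
            if any(ep in ("ip", p) and d.subnet_of(ed) and eport in (None, port)
                   for _, ep, ed, eport in aces[:i])]

def run_tests(acl_lines=DACL):
    """Mirror the validation script's verdicts: (test name, passed) for each constructed case."""
    aces = [a for a in map(parse_ace, acl_lines) if a]
    cases = [("Internal ICMP blocked", ("icmp", "192.168.10.5"), "deny"),
             ("Internal HTTPS blocked", ("tcp", "172.20.1.9", 443), "deny"),
             ("Posture to ISE allowed", ("tcp", "192.0.2.20", 8443), "permit"),
             ("Internet HTTPS allowed", ("tcp", "203.0.113.7", 443), "permit")]
    return [(name, evaluate(aces, *pkt) == want) for name, pkt, want in cases]
```

The "Internal HTTPS blocked" case is the one that fails if the permits are moved above the RFC 1918 denies, which is exactly what `shadowed_aces` reports for the misordered variant.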
Section 5: Questions / Next Steps (5 min)
Anticipated Questions
| Question | Answer |
|---|---|
| "Can other teams adopt this?" | Yes - templates + build scripts. I can onboard teams. |
| "How does this integrate with CI/CD?" | Build scripts can run in pipelines. Git triggers → doc builds. |
| "What about sensitive documents?" | Age encryption built in. Encrypted files can be git-tracked safely. |
| "Timeline for CHLA Linux deployment?" | Dr. Shahab workstation this week. Parallel tracks: Ben (endpoint), Victor (certs), me (ISE policy). |
Proposed Next Steps
- This week: Complete Dr. Shahab workstation deployment
- Next week: Document patterns for broader Linux deployment
- Ongoing: Offer docs-as-code onboarding for interested teams
- Future: Integrate with Sentinel for automated compliance reporting
Quick Reference - Files to Have Open
| What | Path |
|---|---|
| Build script | .principia/scripts/build/build-adoc.sh |
| Monthly worklog | 03_Captures/2026/02/MONTH-2026-02.adoc |
| Home Enterprise Antora site | 02_Assets/PRJ-ISE-HOME-LINUX-ANTORA/docs/asciidoc/build/site/prj-ise-home-linux/0.2.0/index.html |
| CHLA Runbook PDF | 02_Assets/PRJ-ISE-CHLA-LINUX-ANTORA/runbooks/output/linux-workstation-deployment-runbook.pdf |
| Home Runbook PDF | |
| Templates | 02_Assets/PRJ-ANTORA/templates/ |
Pre-Meeting Checklist
- Terminal open with correct directory
- Browser with Antora site loaded
- PDF viewer with CHLA runbook open
- Screen sharing ready
- This notes doc open for reference
Meeting: CISO Strategy Session
Date: 2026-02-02 @ 4:00 PM Pacific
Prepared by: Evan Rosado