Free Supply Chain Access Audit (Table Top) Tool (v0.1)

Originally published on LinkedIn.

The Central Question

Who has access to my data and information at Organization PDQ?

That question sounds simple. It is not. In my experience, organizations of any size — from a 10-person shop to a Fortune 50 — struggle to answer it comprehensively and accurately. And that difficulty has real consequences when GDPR, CCPA, or a breach investigator shows up asking the same question.

What the Tool Does

This is a free, open-access audit tool for evaluating supply chain physical and logical access controls. It was designed as a table-top exercise resource — structured enough to reveal real gaps, simple enough that multiple departments can use it together without needing a dedicated consultant in the room.

It uses three informational “threads” as guides, starting with “Who has access to my data?” You select a target organization or function and work through the audit. Most organizations will encounter two kinds of stopping points quickly:

  1. Questions that require input from multiple departments that do not currently talk to each other about this
  2. Honest “I don’t know” moments that reveal gaps in visibility

Both are valuable findings. The goal is not to pass the audit. The goal is to understand the real scope of the problem.

What This Is Not

  • It is not a replacement for NIST, ISACA, or AICPA frameworks — it complements them
  • It is not cyber-specific — it intentionally includes physical security layers
  • It is version 0.1 — acknowledged as incomplete, released responsibly to improve security before customers or regulators identify the gaps

The question this tool is really asking: What if we cannot answer this one simple question — for just one customer — with 100% accuracy? That is the starting point for a supply chain security conversation worth having.

Contact me directly to request the current version of the tool.

