Control Library
BLACKOUT defines a library of controls (BLK-001 to BLK-040) for GTM security governance.
Control Categories
| Category | Controls | Focus |
|---|---|---|
| Vendor Management | BLK-001 to BLK-010 | Vendor approval, review, documentation |
| Consent & Privacy | BLK-011 to BLK-020 | GDPR, CCPA, consent mechanisms |
| Data Protection | BLK-021 to BLK-030 | Data minimization, retention, access |
| Monitoring | BLK-031 to BLK-040 | Detection, alerting, incident response |
Vendor Management Controls
BLK-001: Vendor Inventory
Requirement: Maintain a complete inventory of all third-party scripts.
Evidence: BLACKOUT scan results showing all detected vendors.
BLK-002: Vendor Approval Process
Requirement: Document approval workflow for new vendors.
Evidence: Vendor approval records, classification decisions.
BLK-003: Vendor Risk Assessment
Requirement: Assess risk before deploying new vendors.
Evidence: BTSS scores, BTI category analysis.
BLK-004: Vendor Contract Review
Requirement: Review vendor DPAs and privacy terms.
Evidence: Contract documentation, legal sign-off.
BLK-005: Vendor Periodic Review
Requirement: Re-assess vendors quarterly.
Evidence: Quarterly scan comparison, drift analysis.
Consent & Privacy Controls
BLK-011: Consent Before Collection
Requirement: No data collection before user consent.
Evidence: Pre-consent scan showing no data exfiltration.
BLK-012: Consent Mechanism Validation
Requirement: Verify consent banner functions correctly.
Evidence: Scan with consent simulation.
BLK-013: Cookie Disclosure Accuracy
Requirement: All cookies disclosed in privacy policy.
Evidence: Cookie inventory vs policy diff.
BLK-014: Third-Party Disclosure
Requirement: All third parties disclosed to users.
Evidence: Vendor list vs privacy policy comparison.
BLK-015: Consent Persistence
Requirement: Consent choice persists across sessions.
Evidence: Multi-session scan verification.
Data Protection Controls
BLK-021: Data Minimization
Requirement: Vendors collect only necessary data.
Evidence: Data flow analysis, PII detection.
BLK-022: No Undisclosed Data Sharing
Requirement: No data shared with undisclosed parties.
Evidence: Piggyback chain analysis.
BLK-023: Secure Data Transmission
Requirement: All data transmitted over HTTPS.
Evidence: Protocol analysis in HAR.
BLK-024: Data Retention Limits
Requirement: Cookie/storage expiration within policy.
Evidence: Cookie expiration audit.
BLK-025: No Fingerprinting
Requirement: No browser fingerprinting techniques.
Evidence: Fingerprint detection analysis.
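The Data Protection controls above cite scan artifacts as evidence without showing how an artifact becomes a pass/fail result. The following is an added example, not BLACKOUT's own analysis code: it runs the BLK-023 check (every request over HTTPS) and the BLK-024 check (cookie lifetime within policy) over a HAR 1.2 capture and returns per-control evidence. The HAR fragment is constructed, and the 395-day lifetime ceiling is an assumed policy value that the control library itself does not state.

```python
"""Evidence checks for BLK-023 (HTTPS-only transmission) and BLK-024
(cookie lifetime within policy) over a HAR capture.

Added example, not BLACKOUT's own analysis code. The HAR fragment is
constructed, and the 395-day (13-month) lifetime ceiling is an assumed
policy value; the control library does not state one.
"""
import json
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

# Assumed values for the worked example.
CAPTURE_TIME = datetime(2024, 3, 1, tzinfo=timezone.utc)
MAX_COOKIE_LIFETIME = timedelta(days=395)

# Constructed HAR 1.2 fragment: a first-party HTTPS request setting a session
# cookie, a plain-HTTP vendor beacon setting a long-lived cookie, and an
# HTTPS script load that sets nothing.
SAMPLE_HAR = json.dumps({"log": {"version": "1.2", "entries": [
    {"request": {"url": "https://www.example-site.test/"},
     "response": {"cookies": [
         {"name": "session", "value": "abc", "expires": "2024-03-01T12:00:00.000Z"}]}},
    {"request": {"url": "http://tracker.example-vendor.test/collect?id=42"},
     "response": {"cookies": [
         {"name": "_vid", "value": "xyz", "expires": "2027-01-01T00:00:00.000Z"}]}},
    {"request": {"url": "https://cdn.example-vendor.test/tag.js"},
     "response": {"cookies": []}},
]}})


def insecure_requests(har):
    """BLK-023: URLs of requests whose scheme is anything other than https."""
    return [entry["request"]["url"] for entry in har["log"]["entries"]
            if urlsplit(entry["request"]["url"]).scheme.lower() != "https"]


def over_retention_cookies(har, captured_at=CAPTURE_TIME, max_lifetime=MAX_COOKIE_LIFETIME):
    """BLK-024: (host, cookie name, lifetime in days) for cookies set with an
    expiry further ahead than the policy allows. Session cookies (no expires
    field) are exempt because they end with the browser session."""
    violations = []
    for entry in har["log"]["entries"]:
        host = urlsplit(entry["request"]["url"]).hostname
        for cookie in entry["response"].get("cookies", []):
            expires = cookie.get("expires")
            if not expires:
                continue
            # HAR timestamps are ISO 8601; normalise a trailing Z for fromisoformat.
            expires_at = datetime.fromisoformat(expires.replace("Z", "+00:00"))
            lifetime = expires_at - captured_at
            if lifetime > max_lifetime:
                violations.append((host, cookie["name"], lifetime.days))
    return violations


def evidence_pack(har_text):
    """Per-control pass/fail together with the observations that support it."""
    har = json.loads(har_text)
    insecure = insecure_requests(har)
    retention = over_retention_cookies(har)
    return {
        "BLK-023": {"status": "fail" if insecure else "pass", "insecure_requests": insecure},
        "BLK-024": {"status": "fail" if retention else "pass", "over_retention_cookies": retention},
    }


if __name__ == "__main__":
    for control, result in evidence_pack(SAMPLE_HAR).items():
        print(control, result["status"], {k: v for k, v in result.items() if k != "status"})
```

The checks deliberately report the offending host and cookie rather than a bare boolean, so the same output can be attached as evidence_refs for the control and read later during a quarterly review (BLK-005) without re-running the scan.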
Monitoring Controls
BLK-031: Continuous Monitoring
Requirement: Automated regular scanning.
Evidence: Scan schedule, historical data.
BLK-032: Drift Detection
Requirement: Alert on vendor behavior changes.
Evidence: Drift event history, alert configuration.
BLK-033: Incident Response Plan
Requirement: Documented response to violations.
Evidence: Playbook documentation, incident records.
BLK-034: Evidence Preservation
Requirement: Forensic evidence retained for incidents.
Evidence: Evidence pack archive.
BLK-035: Audit Trail
Requirement: Log all classification decisions.
Evidence: Decision audit log.
Using Controls with BLACKOUT
Control Coverage Panel
The Control Coverage panel shows:
- Which controls are covered by current scans
- Gap analysis for uncovered controls
- Evidence mapping for each control
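What the panel computes can be reproduced offline. The block below is an added example, not BLACKOUT's own code: it takes finding records in the shape described under Evidence Mapping (finding_id, controls_addressed, evidence_refs) and derives the covered controls, the gaps, per-category coverage, and any mapping that references a control the library does not define. The control IDs and category ranges are the ones listed on this page; the finding records are constructed sample data.

```python
"""Control-coverage and gap analysis over finding-to-control mappings.

Added illustration, not BLACKOUT's own code. The control IDs and the
category ranges are those listed on this page; the finding records are
constructed sample data in the shape of the Evidence Mapping JSON.
"""
from collections import defaultdict

# Category ranges from the Control Categories table.
CATEGORIES = {
    "Vendor Management": range(1, 11),
    "Consent & Privacy": range(11, 21),
    "Data Protection": range(21, 31),
    "Monitoring": range(31, 41),
}

# Controls documented on this page.
DEFINED_CONTROLS = [
    "BLK-001", "BLK-002", "BLK-003", "BLK-004", "BLK-005",
    "BLK-011", "BLK-012", "BLK-013", "BLK-014", "BLK-015",
    "BLK-021", "BLK-022", "BLK-023", "BLK-024", "BLK-025",
    "BLK-031", "BLK-032", "BLK-033", "BLK-034", "BLK-035",
]

# Constructed findings; BLK-099 is deliberately not a defined control.
SAMPLE_FINDINGS = [
    {"finding_id": 123, "controls_addressed": ["BLK-001", "BLK-011", "BLK-021"],
     "evidence_refs": ["scan-001"]},
    {"finding_id": 124, "controls_addressed": ["BLK-023", "BLK-024"],
     "evidence_refs": ["har-001"]},
    {"finding_id": 125, "controls_addressed": ["BLK-001", "BLK-031"],
     "evidence_refs": ["schedule-q1"]},
    {"finding_id": 126, "controls_addressed": ["BLK-099"], "evidence_refs": []},
]


def category_of(control_id):
    """Return the category a BLK-nnn id falls in, or None if malformed or out of range."""
    prefix, _, number = control_id.partition("-")
    if prefix != "BLK" or not number.isdigit():
        return None
    n = int(number)
    for name, rng in CATEGORIES.items():
        if n in rng:
            return name
    return None


def coverage_report(findings, defined=DEFINED_CONTROLS):
    """Map findings onto controls; report covered ids, gaps, unknown ids and
    per-category counts. A control counts as covered when at least one
    finding supplies evidence for it."""
    defined_set = set(defined)
    evidence = defaultdict(list)  # control id -> finding ids that evidence it
    unknown = set()               # ids referenced by findings but not defined
    for finding in findings:
        for cid in finding.get("controls_addressed", []):
            if cid in defined_set:
                evidence[cid].append(finding["finding_id"])
            else:
                unknown.add(cid)
    covered = sorted(evidence)
    by_category = {name: {"covered": 0, "total": 0} for name in CATEGORIES}
    for cid in defined:
        cat = category_of(cid)
        if cat is None:
            continue
        by_category[cat]["total"] += 1
        if cid in evidence:
            by_category[cat]["covered"] += 1
    return {
        "covered": covered,
        "gaps": sorted(defined_set - set(covered)),
        "unknown_controls": sorted(unknown),
        "evidence": dict(evidence),
        "by_category": by_category,
        "coverage_pct": round(100 * len(covered) / len(defined), 1) if defined else 0.0,
    }


if __name__ == "__main__":
    report = coverage_report(SAMPLE_FINDINGS)
    print(f"coverage: {report['coverage_pct']}% ({len(report['covered'])}/{len(DEFINED_CONTROLS)})")
    for cat, counts in report["by_category"].items():
        print(f"  {cat}: {counts['covered']}/{counts['total']}")
    print("gaps:", ", ".join(report["gaps"]))
    if report["unknown_controls"]:
        print("mappings reference undefined controls:", report["unknown_controls"])
```

Reporting unknown control ids separately matters in practice: a finding mapped to an id that is not in the library silently drops out of every coverage figure, so the gap analysis would otherwise look better than the evidence supports.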
Evidence Mapping
Each finding can be mapped to controls:
```json
{
  "finding_id": 123,
  "controls_addressed": ["BLK-001", "BLK-011", "BLK-021"],
  "evidence_refs": [...]
}
```
Compliance Reports
Generate control-based reports:
```
GET /api/reports/control-coverage?site_id={siteId}
```
Custom Controls
Enterprise plans can define custom controls:
- Navigate to Settings > Controls
- Click Add Control
- Define:
  - Control ID
  - Category
  - Requirement text
  - Evidence criteria
  - Automation rules
Framework Mapping
BLACKOUT controls map to industry frameworks:
| Framework | Mapping |
|---|---|
| GDPR | BLK-011 through BLK-015 |
| CCPA | BLK-013, BLK-014, BLK-021 |
| SOC 2 | BLK-031 through BLK-035 |
| ISO 27001 | All controls |
Request a framework-specific mapping report from your account manager.