DATAZONE Control: Automated Compliance Reports for IT Infrastructure

Audits, insurance requests, and certifications all have one thing in common: They require evidence. Which servers are patched? Are backups working? Are there open vulnerabilities? Anyone who must answer these questions manually — SSH into every server, search through logs, collect screenshots — spends hours on work that can be automated. DATAZONE Control generates compliance reports automatically: scheduled or on demand, exportable as PDF, and with all the details auditors and insurers expect.

Why Automated Compliance Reports?

Manual compliance tracking has several problems:

• Time investment: 2-4 hours per month compiling patch status, backup logs, and security checks
• Error-prone: Manual verification misses systems that fall through the cracks
• Inconsistency: Different admins document differently
• Timeliness: Reports are already outdated when created
• Proof obligation: During security incidents, documentation must prove that measures were implemented

DATAZONE Control captures the state of all managed systems in real time. Compliance reports are therefore not an elaborate special task but an export of already available data.

Report Types

1. Update Status Report

The update status report shows the patch level of all managed systems:

Included Information:

• Last check for available updates (per system)
• Number of pending updates (security and regular)
• Installed kernel version vs. available version
• Date of last update installation
• Systems with overdue updates (older than defined threshold)
• Package lists of pending updates

Example Excerpt:

Host	OS	Last Check	Pending	Security	Last Update	Status
pve01	Debian 12.9	2026-04-19 03:00	0	0	2026-04-18	Current
pve02	Debian 12.9	2026-04-19 03:00	3	1	2026-04-15	Security update pending
web01	Ubuntu 24.04	2026-04-19 03:00	0	0	2026-04-17	Current
fw01	OPNsense 25.4	2026-04-19 03:00	1	0	2026-04-10	Minor update available
nas01	TrueNAS 26.04	2026-04-19 03:00	0	0	2026-04-12	Current

Systems with pending security updates are highlighted in red. The report also shows trends: How has the patch status evolved over the last month?

2. Security Check Report

Automated security checks verify the configuration of all systems against defined baselines:

Checked Categories:

• SSH configuration: Root login disabled, key-only auth, protocol version
• Firewall status: iptables/nftables active, default policy DROP
• Services: No unnecessary services active (Telnet, FTP, etc.)
• Users: No accounts without passwords, no inactive accounts
• File permissions: /etc/shadow, /etc/passwd, SSH keys
• Kernel parameters: ASLR active, SYN cookies enabled, IP forwarding controlled
• TLS configuration: Minimum TLS 1.2, no weak cipher suites
• Log rotation: Syslog active, logs not being overwritten

Rating System:

Each check receives a status:

• PASS: Configuration matches the baseline
• WARN: Deviation, but no critical risk
• FAIL: Security-relevant deviation, action required
• SKIP: Check not applicable (e.g., firewall check on a NAS)

The report contains a summary with a score per system (0-100) and details for each individual check.

3. Backup Validation Report

The backup report checks not only whether backups exist but whether they are functional:

Checked Aspects:

• Backup existence: Is a current backup available for each system?
• Backup age: Is the most recent backup within the defined RPO (Recovery Point Objective)?
• Backup integrity: Has the backup checksum been verified?
• Backup size: Unusual size changes (significantly smaller = possibly incomplete)
• Backup location: Are backups replicated offsite/externally?
• Retention: Are defined retention periods being met?

Example Excerpt:

Host	Last Backup	Age	Size	Integrity	Offsite	Status
pve01	2026-04-19 02:00	6h	128 GB	Verified	Yes	OK
pve02	2026-04-19 02:15	6h	95 GB	Verified	Yes	OK
web01	2026-04-18 23:00	9h	12 GB	Verified	Yes	OK
db01	2026-04-17 02:00	54h	340 GB	Verified	No	Warning: No offsite
nas01	2026-04-14 02:00	126h	4.2 TB	Not checked	No	Critical: Backup older than RPO

4. Vulnerability Scan Report

DATAZONE Control checks installed packages against known CVE databases:

Included Information:

• CVE ID, severity (CVSS score), affected package
• Installed vs. fixed version
• Patch availability
• Affected systems (grouped by CVE)
• Time since CVE publication

Severity Categories:

CVSS Score	Rating	SLA (recommended)
9.0–10.0	Critical	Patch within 24 hours
7.0–8.9	High	Patch within 7 days
4.0–6.9	Medium	Patch within 30 days
0.1–3.9	Low	Next regular patch cycle

Generating Reports

Ad-Hoc Report via Web Interface

1. Navigate to Reports → Generate
2. Select the report type (or multiple)
3. Choose the scope:
   • All systems
   • Specific group (e.g., “Berlin Office”)
   • Single system
4. Set time period (for trend data)
5. Choose format: PDF, HTML, or JSON
6. Click Generate

The report is generated within seconds and available for download.

Scheduled Reports

For regular compliance evidence, reports can be scheduled automatically:

1. Navigate to Reports → Schedules
2. Create a new schedule:
   • Name: Monthly Compliance Report
   • Report types: Update Status, Security Checks, Backup Validation
   • Scope: All systems
   • Schedule: Monthly, on the 1st at 06:00
   • Format: PDF
   • Recipients: it-management@example.com, compliance@example.com
   • Retention: 24 months

Scheduled reports are automatically generated, saved as PDF, and sent via email to defined recipients.

Generate Report via API

For integration into custom workflows:

# Generate compliance report via API
curl -X POST https://control.example.com/api/v1/reports/generate \
  -H "Authorization: Bearer $API_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "type": ["updates", "security", "backups", "vulnerabilities"],
    "scope": "all",
    "format": "pdf",
    "period": "last_30_days"
  }'

The API returns a report ID that can be used to download the finished report.

PDF Export: Structure and Contents

The PDF report follows a standardized structure:

Cover Page

• Company name and logo
• Report type and period
• Generation date and time
• Scope (which systems)
• Overall score (0-100)

Executive Summary

One page with the most important metrics:

• Number of managed systems
• Patch compliance rate (% of systems up to date)
• Backup success rate
• Number of open vulnerabilities by severity
• Trend arrow (better/worse than previous month)

Detail Sections

Each report type gets its own section with:

• Summary
• Table of all systems with status
• Details on deviations and issues
• Recommended actions

Appendix

• Complete package lists (pending updates)
• CVE details with links
• Detailed check results
• Configuration changes since last report

Use Cases

Cyber Insurance

Cyber insurance providers increasingly demand evidence of IT security posture. DATAZONE Control provides:

• Patch status: Proof that security updates are applied promptly
• Backup evidence: Regular, verified backups exist
• Firewall configuration: Systems are protected by firewalls
• Encryption: TLS configuration meets current standards

In the event of a claim, the report documents that appropriate security measures were implemented at the time of the incident.

ISO 27001 / SOC 2

For certifications, controls must be demonstrated. DATAZONE Control covers among others:

• A.12.6.1: Management of technical vulnerabilities
• A.12.3.1: Information backup
• A.14.2.2: Change control procedures
• A.18.2.3: Technical compliance review

Automated reports serve as continuous evidence between audits.

Managed Service Providers

MSPs operating IT infrastructure for customers use compliance reports as:

• Service evidence: Documentation of performed maintenance
• SLA reporting: Adherence to agreed update and backup SLAs
• Transparency: Customers see the state of their infrastructure
• Escalation: Automatic alerts on SLA violations

Configuration: Baselines and Thresholds

Define Update Thresholds

Under Settings → Compliance → Update Policy:

• Security updates: Warning after 48 hours, Critical after 7 days
• Regular updates: Warning after 14 days, Critical after 30 days
• Kernel updates: Warning after 7 days (require reboot)

Backup Policy

Under Settings → Compliance → Backup Policy:

• RPO (Recovery Point Objective): Maximum backup age (e.g., 24 hours)
• Offsite requirement: At least one offsite copy per system
• Integrity check: Automatic verification after each backup
• Retention: Minimum retention period (e.g., 90 days)

Security Baseline

Under Settings → Compliance → Security Baseline:

• SSH: Root login disabled, key auth enforced
• Firewall: Default policy DROP on all systems
• TLS: Minimum TLS 1.2, no outdated cipher suites
• Services: Whitelist of allowed services per system type

Deviations from the baseline are reported as WARN or FAIL in the security check report.

Integration with External Systems

Ticket System

Compliance violations can automatically create tickets:

• Critical: Ticket with high priority, immediate notification
• Warning: Ticket with normal priority
• Info: Report only, no ticket

SIEM/Syslog

All compliance events are exported as structured logs and can be integrated into SIEM systems (Graylog, ELK, Wazuh).

Document Management System

PDF reports can be automatically exported to a DMS for audit-proof archiving.

Conclusion

Compliance reports in DATAZONE Control transform already captured infrastructure state into audit-ready documents. Instead of spending hours on manual data collection, a single click or cron job generates the complete report as PDF — with update status, security checks, backup validation, and vulnerability scans. Cyber insurers, ISO auditors, and customers receive consistent, current evidence without additional effort.