The Trust Practice

Examples

De-identified and illustrative examples showing the structure, tone, and quality of TrustSurface Practice outputs.

Review summary card

The summary card is the first thing leadership sees. It provides the overall posture interpretation and frames the key areas of attention.

The Trust Practice · Digital Trust Review · Executive summary · De-identified · NFP sector

Organisation: [De-identified health NFP]

Primary surfaces assessed: primary domain, two subdomain services, email sending posture, status communication.

Overall trust posture: Amber - reviewable gaps identified. At least one area presents material exposure to public trust and reputational risk.

Email: Amber · Web: Green · DNS: Green · Status: Red

Priority finding count: 3 (1 high, 1 medium, 1 low). Two findings are addressable without governance decisions. One requires a leadership decision about ownership before technical remediation can begin.

Findings and evidence

Each finding links an observable signal to its governance or operational implication.

The Trust Practice · Digital Trust Review · Findings extract · De-identified

F-01 · No public status surface · High
No publicly accessible status page or service communication channel was found. During incidents or degraded service periods, there is no established mechanism for operational transparency. This is a governance gap and reputational exposure point, not only a technical omission.
Source: Direct observation of primary domain and subdomain surfaces.

F-02 · DMARC policy at monitoring only · Medium
A DMARC TXT record is present but configured at p=none. Spoofed email from this domain cannot be rejected or quarantined. The control is present but not enforced.
Source: DNS query via Cloudflare DoH. TXT record confirmed. Policy field: p=none.

F-03 · HTTPS posture satisfactory · Satisfactory
Primary domain and assessed subdomains enforce HTTPS with valid certificates. HTTP requests redirect correctly. HSTS configured on primary domain.
Source: HTTP response header inspection. Certificate details from crt.sh.

Prioritised action list

Actions are prioritised by impact and feasibility. Each action includes who should own it.

The Trust Practice · Digital Trust Review · Priority action list · De-identified

P1 · Establish a public status surface · High
A basic operational status page removes a significant transparency gap at minimal cost. This is a governance and communications decision as much as a technical one.
Owner: Communications / Digital · Effort: Low · Timeframe: Within 4 weeks

P2 · Advance DMARC to quarantine policy · Medium
Configure aggregate reporting and monitor for two to four weeks before advancing to p=quarantine. Technical change with a governance checkpoint.
Owner: IT / Email infrastructure · Effort: Low · Timeframe: 6–8 weeks with monitoring

P3 · Clarify domain ownership and delegation · Low
Two subdomains have inconsistent DNS delegation. Not immediately harmful but represents governance drift that can create problems during personnel changes or vendor transitions.
Owner: IT / Leadership · Effort: Medium · Timeframe: Next planning cycle
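
The check behind finding F-02 and the P2 checkpoint, as an added example (not The Trust Practice's own tooling): it parses a DMARC TXT value and reports whether the policy is enforced and whether aggregate reporting is in place before the policy is advanced. The sample records and example.org addresses are constructed, and the function names and status labels are assumptions.

```python
# Added example: classify a DMARC TXT value as in finding F-02 / action P2.
# Sample records are constructed; example.org is a placeholder domain.
VALID_POLICIES = {"none", "quarantine", "reject"}

def parse_dmarc(txt):
    """Split a DMARC TXT value (tag=value pairs separated by ';') into a dict."""
    pairs = [p.split("=", 1) for p in txt.split(";") if "=" in p]
    tags = [(k.strip().lower(), v.strip()) for k, v in pairs]
    if not tags or tags[0] != ("v", "DMARC1"):
        raise ValueError("not a DMARC record: first tag must be v=DMARC1")
    return dict(tags)

def assess(txt):
    """Return the enforcement status and the next step for one record."""
    tags = parse_dmarc(txt)
    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        raise ValueError("missing or invalid p= tag")
    sp = tags.get("sp", policy).lower()      # subdomains inherit p= by default
    pct = int(tags.get("pct", "100"))        # share of failing mail the policy applies to
    has_rua = bool(tags.get("rua"))          # aggregate reporting destination set?
    if policy == "none":
        status = "monitoring-only"           # present but not enforced (F-02)
        next_step = ("monitor reports, then advance to p=quarantine" if has_rua
                     else "configure aggregate reporting (rua) first")
    elif pct < 100:
        status, next_step = "partially-enforced", "raise pct to 100"
    else:
        status, next_step = "enforced", "none"
    return {"policy": policy, "subdomain_policy": sp, "pct": pct,
            "has_rua": has_rua, "status": status, "next_step": next_step,
            # Organisational domain enforced while subdomains are left open.
            "subdomain_gap": policy != "none" and sp == "none"}

SAMPLES = [  # constructed records
    "v=DMARC1; p=none",
    "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.org",
    "v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc-reports@example.org",
    "v=DMARC1; p=reject; sp=none; rua=mailto:dmarc-reports@example.org",
]

if __name__ == "__main__":
    for record in SAMPLES:
        result = assess(record)
        print(f"{record}\n  -> {result['status']}; next: {result['next_step']}; "
              f"subdomain gap: {result['subdomain_gap']}")
```
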

Roadmap excerpt

A Roadmap organises actions into phases with ownership, sequencing, and governance considerations.

The Trust Practice · Trust Maturity Roadmap · Phase structure (extract) · De-identified

Phase 1 - Immediate (0–4 weeks)
Establish status surface. Brief communications and digital leads on ownership. Confirm DMARC reporting destination and initiate monitoring period.
Owner: Head of Digital / IT Manager

Phase 2 - Near-term (4–10 weeks)
Advance DMARC to quarantine following monitoring period. Initiate domain register review. Brief CEO on governance posture and ownership gaps.
Owner: IT Manager + Executive sponsor

Phase 3 - Planning cycle
Domain ownership governance model. Consider periodic posture review cadence. Confirm next Review timing.
Owner: Leadership team

The full Roadmap is a companion engagement to the Review, not a separate product. Learn about the Roadmap.

Seen enough?

The best next step is a short enquiry. The right starting point can be confirmed from there.