Contact person: Business Client

Phone:Show

Email:Show

Location: YAHUD, Israel

Budget: Recommended by industry experts

Time to start: As soon as possible

Project description:
"To:
[Supplier / Company Name]

From:
Amiram [Last Name]

Date:
[Date]

1. Purpose of This Document

This document is intended to clearly and comprehensively describe the requirement to develop an automated, AI-based mechanism that will review, control, and approve/reject technical evidence within [login to view URL], as part of information security and compliance tasks.

The document serves as the basis for receiving a detailed proposal covering specification, development, implementation, and ongoing support.

2. Background

[login to view URL] is used to manage multiple tasks in the fields of information security and compliance. Technicians continuously upload various types of technical evidence (screenshots, logs, documents, descriptions of actions, etc.) to demonstrate that security controls have been implemented.

At present, the review of this evidence is performed manually by a professional stakeholder (e.g. CISO / security consultant). This creates:

High operational workload

Full dependency on a single human reviewer

Difficulty maintaining consistency in the quality and depth of reviews

Limited transparency and incomplete documentation of decisions, statuses, and audit trails

The goal is to replace the manual review process with an automated, intelligent, and controlled mechanism based on an AI Agent, integrated with [login to view URL] via an automation platform (Make or n8n).

3. Project Objectives

Full Automation of Evidence Review
Every piece of evidence uploaded to [login to view URL] (update, file, screenshot, log) will be automatically reviewed by a dedicated AI Agent.

Professional Evaluation Against Standards and Regulations
The review will be based on relevant regulatory and standard requirements, such as:

ISO/IEC 27001

Israeli Privacy Protection Regulations (including Amendment 13)

The organization’s internal Information Security Policy

Automated Decision-Making
For each piece of evidence, the system will determine:

PASS – the evidence is compliant and sufficient

FAIL – the evidence does not meet the requirement

NEED MORE EVIDENCE – information is missing / incomplete

Status and Documentation Management in [login to view URL]
Status changes, comments, follow-up tasks and audit logging will all be performed automatically.

Reduced Manual Work and Improved Review Quality
The solution should significantly reduce manual effort, increase consistency in decisions and ensure structured documentation for future audits (regulators, ISO, customers).

4. High-Level Process Description

Evidence Creation in [login to view URL]
The technician updates an existing item or opens a new task and uploads one or more of the following:

Screenshots

Files (PDF, DOCX, CSV, etc.)

Log files

Textual notes describing implementation of security controls

Automatic Trigger from [login to view URL] (Webhook)
When a new update is created or a file is uploaded to an item, a Webhook is sent to the automation platform (Make / n8n).

Data Ingestion in the Automation Platform (Make / n8n)

Retrieving the item and update data

Downloading attached files (images, documents, logs)

Converting files into a format suitable for AI processing (e.g. Base64 for images)

Sending Data to the AI Agent
The Agent receives as input:

The update text

Attached files (images / PDF / CSV, etc.)

Type of control / type of check (e.g. “24-month log retention”, “access control”, “backups”)

Customer details / technician details (for tailored messaging)

Professional Analysis by the AI Agent
The Agent assesses:

Whether the evidence fully satisfies the regulatory/standard requirement

Whether critical information is missing

Whether the proof is unclear, ambiguous, or incomplete

Whether there is a gap (for example: logs retained for 30 days instead of the required 24 months)

Structured Output (JSON)
The Agent returns a JSON payload containing at least:

Status: PASS / FAIL / NEED_MORE_EVIDENCE

A description of what is missing (if applicable)

A description of recommended actions (Actions / Remediation)

Suggested email text to the customer

Suggested email text to the technician

An indication of whether a new follow-up task should be opened

Automatic Updates in [login to view URL] and Related Systems
Based on the JSON result, Make / n8n will:

Update the task status (Approved / Rejected / Need More Evidence)

Add a comment to the item with a summary of the review

Open sub-items / follow-up tasks according to the Agent’s recommendations

Send an automatic email/update to the customer (as applicable)

Send an email/update to the technician with clear next steps

Record all actions in a dedicated Audit Log for compliance and traceability

5. Role of the Automation Platform (Make / n8n)

The automation platform will serve as the integration and technical logic layer between [login to view URL] and the AI, and will perform the following:

Receiving Webhooks from [login to view URL]

Retrieving item and update data through the Monday API

Downloading and processing attachments

Converting images and files into AI-ready formats

Calling OpenAI / Azure OpenAI / a dedicated Agent endpoint

Receiving a detailed JSON response from the Agent

Updating [login to view URL] objects and statuses via API

Sending notification emails (via external email service or Monday)

Writing and maintaining an Audit Log (dedicated Monday board / database / logging service)

6. Role of the AI Agent

The AI Agent is the “professional brain” layer on top of the AI model (OpenAI / Azure OpenAI). It is not a new model, but rather a logic and prompt layer.

Key responsibilities:

Interpreting and evaluating evidence against:

Standards (ISO 27001)

Israeli Privacy Protection Regulations (including Amendment 13)

The organization’s internal Information Security Policy

Making a decision: PASS / FAIL / NEED_MORE_EVIDENCE

Providing a clear, reasoned explanation (professional yet understandable)

Suggesting technical remediation / completion steps

Generating ready-to-use texts:

Email to the customer

Email to the technician

Text for automatic update in [login to view URL]

Returning a structured JSON output with a stable format that the automation layer can consume.

7. Information Security Requirements

Because the system will handle sensitive information (logs, infrastructure screenshots, internal system data, etc.), the following requirements must be met:

Logical Segregation in [login to view URL]

Use of a dedicated workspace for evidence handling

No direct customer access to this workspace

Access restricted only to authorized technicians and relevant internal staff

Zero Trust Access Model

No guest users

No external sharing of evidence boards

Role-based access strictly on a need-to-know basis

Strong Authentication

Mandatory MFA / SSO for all relevant users

Audit Log Retention

Automatic logging of all reviews, decisions, and updates

Retention of audit logs for at least 24 months

Sensitive Data Encryption (as required)

Assessment of the need to encrypt sensitive files (logs, infrastructure screenshots)

Recommendation of a secure storage architecture (object storage / DB / dedicated logging service)

8. Expected Final Outcome

Upon completion of the project, the system should deliver the following:

Every piece of evidence uploaded to [login to view URL] is automatically reviewed by the AI Agent.

Any deviation, non-compliance, or missing information is automatically detected and flagged.

Task statuses are automatically managed: Approved / Rejected / Need More Evidence.

Emails and/or notifications are automatically sent to customers and technicians with clear, professional wording.

Follow-up tasks are automatically created where needed.

All actions are fully documented in an Audit Log for audits, reviews, and regulatory inspections.

In practice, the system should function as:

An AI CISO Assistant, or

A Compliance Automation Engine,

replacing ongoing manual work, improving review quality, and ensuring end-to-end transparency.

9. Supplier Requirements – Proposal Components

Please ensure that the proposal you submit includes detailed information for the following:

Detailed Specification

Full functional and technical specification of the solution

Definition of JSON structure, Make / n8n flow design, integration points with Monday and AI services

Development and Implementation

Development and configuration of the automation flows (Make / n8n)

Setup and configuration of the AI Agent (prompts, logic, text templates)

Full integration with [login to view URL] (Webhooks, API, statuses, sub-items, etc.)

Information Security Aspects

Secure architecture recommendations

Permissions model, workspace segregation, log retention and encryption (where required)

Testing, Pilot, and Hardening

QA on multiple real-world scenarios

Support during a pilot phase and implementation of improvements based on feedback

Hardening and stabilization of the system

Documentation and Training

Full technical documentation (flows, JSON structure, integration points)

Short user/admin guide for system owners and technicians

Cost and Pricing Model

Clear breakdown of costs: specification, development, implementation, testing, training

Any additional licensing costs (if applicable) – itemized separately

Options for ongoing support / maintenance / enhancement retainer

Timeline

Estimated time for the specification phase

Estimated time for development and implementation

Estimated time for pilot and go-live

10. Summary

This project aims to create an automation and intelligence layer on top of [login to view URL] that will enable systematic, consistent, regulation-based evidence review, while significantly reducing manual effort and improving transparency and control.

I would appreciate receiving a detailed proposal in line with the sections above, including pricing, timelines, and an ongoing support model.

Kind regards," (client-provided description)