Data protection

Forest protects your assessment data with layered controls across access, isolation, and handling.

Last updated June 1, 2026

Forest treats your assessment data as sensitive, because it is. A complete picture of your security maturity, your gaps, and your spend is exactly what an attacker would want during reconnaissance. Protecting it is the point of this entire section.

Layers, not a single wall

No one control is enough on its own. Forest protects your data through several controls that reinforce each other. Authentication confirms who is signing in. Roles limit what each person can do. Tenant isolation keeps your data apart from every other organization. And activity records let you verify all of it after the fact.

The value of layering is that a weakness in one place does not become an open door. A stolen password is stopped by a second factor. An over-broad request is stopped by tenant isolation. A quiet change is caught in the activity record.

What this protects

  • Your CAMP inputs, scores, and roadmap.

  • Your capabilities, tool mappings, and contract details.

  • The recommendations generated for your organization.

Strong data protection is mostly discipline, not magic. Keep roles tight, require a second factor, and review activity. The controls only work if you use them.

The rest of this section covers each layer in depth. Start with Role-based access control and Tenant isolation, then see Retention and deletion for how long data lives and how it leaves.