STEWARDSHIP

Protecting what you have built for the long years.

Stewardship is the domain of protection and preservation. Backups, security, compliance, records, and the careful management of everything the business has created. It is invisible when tended. It becomes catastrophic when it has been quiet for too long.

Domain 06  ·  Typical State: Waiting
Most active partnerships: Waiting
Stewardship often needs structured attention
Daily automated backups running and verified
SSL certificates valid and monitored for expiry
Security scan clean for last 30 days
User access audit done in last 90 days
Privacy policy current and published
What this domain is

The work nobody sees until it is not being done.

Stewardship is the domain of long-year thinking. It is about making sure that the data the business depends on cannot be lost, the systems cannot be compromised without detection, and the legal and compliance obligations are met without anyone having to scramble.

Businesses typically discover that Stewardship has been quiet at the worst possible moment. The backup that never ran. The SSL certificate that expired because nobody was watching. The user account that was never removed when the staff member left. The privacy policy that has not been updated since the website was launched three years ago.

Yutie holds Stewardship proactively. Backups are verified, not just configured. Security is monitored, not just assumed. Access is audited on a schedule. Compliance obligations are reviewed when regulations change. The domain is scored monthly and any degradation is flagged before it becomes a crisis.

60%
SMEs that close after a major data loss
Studies consistently show that more than half of small businesses that experience a significant data loss do not recover. Stewardship prevents this.
14d
Average time to detect a breach
Most small businesses do not detect a security breach for two weeks or more. Stewardship monitoring reduces this window dramatically.
Cost of reactive vs proactive security
Fixing a compromised system costs approximately three times more than the ongoing cost of monitoring and prevention.
What Yutie does here

Every service in this domain, named and explained.

Every service in the Stewardship domain is about protection, preservation, and compliance. These are not exciting services. They are the ones that ensure everything built in the other seven domains is still there tomorrow.

01
Automated Backup System
Daily automated backups of all website files and databases, stored in a location separate from the production server. Backups that are not verified are not backups. Yutie configures the system and verifies every month that it is working.
Daily automated cPanel backup configuration
Database backup separate from file backup
Off-server backup storage (separate hosting account or cloud storage)
Backup retention policy (30-day rolling minimum)
Monthly backup restoration test
Backup failure alert configuration
Backup confirmation in monthly Stewardship report
02
SSL Certificate Management
SSL certificates expire. When they do, browsers display security warnings and the website loses trust signals instantly. Yutie monitors expiry dates and renews before the risk window arrives.
Current SSL certificate status audit
Expiry date monitoring with 60-day advance alert
Let's Encrypt automated renewal setup where applicable
Commercial SSL certificate renewal management
SSL installation verification after renewal
Mixed content audit (HTTP elements on HTTPS pages)
SSL grade rating (A or A+ target)
03
Security Monitoring and Malware Scanning
Malware on a website is often silent. The site appears to work normally while it is sending spam, stealing data, or redirecting visitors. Yutie runs regular scans and acts immediately on findings.
Monthly malware scan using server-level or third-party tool
File integrity monitoring (detecting unauthorised file changes)
Blacklist monitoring (checking if domain is blacklisted)
WordPress or CMS security plugin configuration
Login attempt monitoring and brute-force protection
Suspicious user behaviour alert configuration
Security scan summary in monthly Stewardship report
04
User Access Audit
Overpermissioned user accounts are one of the most common security vulnerabilities. Former employees, old contractors, and dormant accounts all represent access that should not exist.
Full audit of all system users: website CMS, hosting, CRM, email
Former staff account identification and removal
Permission level review (principle of least privilege)
Admin account reduction to minimum required
Two-factor authentication recommendation and setup for admin accounts
Shared password policy audit
Access audit repeated every 90 days
05
GDPR and Privacy Compliance
Data protection is a legal obligation, not an optional feature. Yutie reviews and implements the minimum viable compliance infrastructure for businesses operating with personal data.
Privacy policy review and update (or creation if absent)
Cookie consent banner installation and configuration
Data collection audit: what personal data is being collected and where
Data processing purpose documentation
Data retention policy definition
Right to erasure process documentation
Privacy policy page published with current date
06
Legal Document Infrastructure
The terms of service, privacy policy, disclaimer, and refund policy that a business publishes define the legal relationship with every visitor and client. Most businesses have outdated versions or none at all.
Terms and conditions review or creation
Privacy policy review or creation
Cookie policy review or creation
Refund and cancellation policy
Intellectual property and copyright notice
Disclaimer text where applicable
Legal documents published and linked from footer and relevant pages
07
Data Retention and Deletion Policy
Not all data should be kept forever. A retention policy defines what is kept, for how long, and what happens when it is no longer needed. This reduces liability and keeps systems clean.
Data category identification (client data, prospect data, employee data)
Retention period definition per category
Deletion process documentation
Automated deletion rule setup where technically possible
Annual data audit against retention policy
Client data deletion process on contract end
Retention policy published in privacy documentation
08
Disaster Recovery Planning
What happens if the website is hacked and the hosting account is compromised? Most businesses have no answer. Yutie prepares a written recovery plan so the answer is ready before it is needed.
Worst-case scenario definition (complete data loss, hosting compromise)
Recovery asset inventory (backups, access credentials, configuration notes)
Step-by-step recovery procedure documented
Recovery time objective (RTO) estimate
Recovery point objective (RPO) based on backup frequency
Emergency contact list for hosting, domain registrar, developer
Annual disaster recovery plan review
09
Software and Plugin Update Management
Outdated software is the most common entry point for website attacks. Yutie manages the update cycle for all software components so the attack surface is minimised.
CMS core update schedule (WordPress, Perfex, or other)
Plugin and theme audit: active, inactive, and abandoned plugins
Plugin update cycle (monthly minimum)
Update staging: test on staging environment before production
Abandoned plugin replacement with maintained alternatives
PHP version monitoring and upgrade planning
Update log maintained for reference
10
Sensitive Data Audit
Most businesses have sensitive data in places they do not realise: email threads with client IDs, unencrypted spreadsheets with financial data, shared folders with no access controls. Yutie finds it.
Email content scan for sensitive data patterns
Shared folder access review
Identification of spreadsheets containing sensitive data
Cloud storage permission audit
Client data location mapping
Payment card data handling review (PCI-DSS awareness)
Sensitive data reduction recommendations
11
Password and Credential Security
Shared passwords, weak passwords, and passwords stored in plain text are security liabilities. Yutie establishes password hygiene practices and provides infrastructure for managing credentials.
Password manager setup and team training (Bitwarden or equivalent)
Shared account password policy
Critical account two-factor authentication setup
Password strength audit for existing shared accounts
Credential rotation schedule for critical systems
Emergency credential access documentation
Credential storage policy
12
Compliance Monitoring
Regulations change. New obligations arise. Yutie monitors the compliance landscape relevant to the business and flags changes that require action.
Applicable regulation identification (GDPR, local data laws, industry-specific)
Annual compliance review against current regulations
New regulation alert monitoring
Compliance action plan when new obligations arise
Legal document update trigger on regulatory change
Compliance status in monthly Stewardship report
Domain States

What each state looks like in the Stewardship domain.

Every domain is classified monthly as Tending, Waiting, or Quiet. Here is what each state means specifically for Stewardship.

Tending
Everything built is protected and recoverable.
When Stewardship is Tending, backups run and are verified, SSL certificates are current, security scans are clean, user access reflects who actually should have it, and legal documents are published and current.
Daily backups running with monthly restoration test passed
SSL certificate valid with 60+ days to expiry
Last security scan clean
User access audit done in last 90 days
Privacy policy published and dated within 12 months
No unknown admin accounts in any system
Waiting
Infrastructure is being built and legacy issues resolved.
Waiting means Stewardship work is underway: backups being configured, old user accounts being audited, legal documents being written. The domain is not yet fully tended but the gaps are known and being addressed.
Backup system configured but restoration not yet tested
SSL certificate present but automated renewal not yet set up
Security scan done, some issues identified and being resolved
User access audit in progress
Privacy policy drafted, not yet published
Some former user accounts identified, removal in progress
Quiet
The business is exposed and does not know it.
Quiet means the Stewardship domain has no active management. Backups may or may not be running. Nobody knows when the SSL certificate expires. Security has never been audited. Former employees may still have access.
Backup status unknown or unverified
SSL certificate expiry date not monitored
No security scan run in last 6 months
Former staff accounts not removed
No privacy policy or policy last updated over 2 years ago
Passwords shared in email or WhatsApp
No disaster recovery plan
The transformation

What changes when this domain moves from Quiet to Tending.

Before: domain is quiet or unmanaged
A backup has never been tested, so it may not work when needed
The SSL certificate expires and visitors see security warnings before anyone notices
A former employee still has admin access to the website
The privacy policy is 3 years old and references a regulation that has changed
A security breach runs silently for weeks before discovery
After: domain is tended
Backups run daily and a restoration test confirms they work every month
SSL expiry is monitored and renewal happens 30 days before expiry
User access reflects only current team members with appropriate permissions
Privacy policy is current, published, and reviewed when regulations change
Security scans run monthly and any finding triggers an immediate response
Domain connections

How Stewardship connects to the other domains.

No domain exists independently. The Shalom Score reflects how each domain affects the others.

04
Operations
File management and process documentation in Operations are part of Stewardship's data integrity scope.
05
Finance Visibility
Financial records are Stewardship data. Invoice history, payment records, and tax documents must be retained correctly.
07
Intelligence
Stewardship health metrics are inputs to the Shalom Score in the Intelligence domain.
08
Readiness
Stewardship and Readiness overlap on hosting security. SSL lives in both; security at the server level is Readiness.
Start Here

What state is your Stewardship domain in?

The first conversation is 30 minutes. We map your Stewardship domain honestly and tell you whether Yutie is the right standing partner for where you are.