Fintech & regulatory

Compliance

How the current policy set maps to common compliance frameworks. Coverage is advisory: it is measured against the controls mapped in opserapol, not the full framework, and is not an audit artifact.

PCI DSS4.0100%

Payment Card Industry Data Security Standard

14 of 14 mapped controls covered
SOC 22017 TSC100%

AICPA Trust Services Criteria (Security)

6 of 6 mapped controls covered
CIS Kubernetes Benchmarkv1.8100%

Section 5 — policies enforceable at admission

16 of 16 mapped controls covered
NIST SP 800-53rev. 5100%

Security and privacy controls

13 of 13 mapped controls covered
ISO/IEC 270012022100%

Annex A controls

7 of 7 mapped controls covered
DORAEU 2022/2554100%

Digital Operational Resilience Act (EU financial entities)

5 of 5 mapped controls covered
PCI DSS 4.0pci-dss-4
14/14 (100%)
ControlTitleMapped policies
1.2.5All services, protocols and ports allowed are identified, approved and have a defined business need
1.3.1Inbound traffic to the CDE is restricted to that which is necessary
2.2.1Configuration standards are developed, implemented and maintained for system components
30-Day Scan Age90-Day Image AgeADD Command used instead of COPYAlpine Linux Package Manager (apk) in ImageContainer using read-write root filesystemContainer with privilege escalation allowedCurl in ImageDeployments should have at least one ingress Network PolicyDeployments with externally exposed endpointsDocker CIS 4.1: Ensure That a User for the Container Has Been CreatedDocker CIS 4.4: Ensure images are scanned and rebuilt to include security patchesDocker CIS 4.7: Alert on Update InstructionDocker CIS 5.1 Ensure that, if applicable, an AppArmor Profile is enabledDocker CIS 5.15: Ensure that the host's process namespace is not sharedDocker CIS 5.16: Ensure that the host's IPC namespace is not sharedDocker CIS 5.19: Ensure mount propagation mode is not enabledDocker CIS 5.21: Ensure the default seccomp profile is not disabledDocker CIS 5.7: Ensure privileged ports are not mapped within containersDocker CIS 5.9 and 5.20: Ensure that the host's network namespace is not sharedEmergency Deployment AnnotationEnvironment Variable Contains SecretInsecure specified in CMDIptables or nftables Executed in Privileged ContainerKubernetes Dashboard DeployedLogin BinariesMount Container Runtime SocketMounting Sensitive Host DirectoriesNo CPU request or memory limit specifiedPod Service Account Token Automatically MountedPrivileged ContainerProcess with UID 0Red Hat Package Manager ExecutionRed Hat Package Manager in ImageRequired Annotation: EmailRequired Annotation: Owner/TeamRequired Image LabelRequired Label: Owner/TeamSecret Mounted as Environment VariableSecure Shell (ssh) Port ExposedSecure Shell (ssh) Port Exposed in ImageSecure Shell Server (sshd) ExecutionUbuntu Package Manager in ImageWget in Image
2.2.4Only necessary services, protocols, daemons and functions are enabled
2.2.6System security parameters are configured to prevent misuse
5.2.1Anti-malware solutions are deployed on all system components
5.3.2Anti-malware mechanisms perform periodic and active/real-time scans
6.3.1Security vulnerabilities are identified and managed
6.3.2An inventory of bespoke and custom software is maintained for vulnerability management
6.3.3Applicable security patches are installed within an appropriate timeframe
6.4.3Software integrity is verified before deployment (supply chain)
7.2.1An access control model is defined providing least privileges
10.2.1Audit logs capture all access and actions on system components
11.3.1Internal vulnerability scans are performed regularly
SOC 2 2017 TSCsoc2
6/6 (100%)
ControlTitleMapped policies
CC6.1Logical access security software and architectures restrict access
CC6.6Boundary protection systems guard against threats from outside system boundaries
CC6.8Controls prevent or detect unauthorized or malicious software
CC7.1Vulnerabilities are identified, monitored and evaluated
CC7.2Anomalies indicative of malicious acts are monitored and analyzed
CC8.1Changes to infrastructure and software are authorized, tested and approved
CIS Kubernetes Benchmark v1.8cis-k8s
16/16 (100%)
ControlTitleMapped policies
5.1.5Ensure that default service accounts are not actively used
5.1.6Ensure that Service Account Tokens are only mounted where necessary
5.2.1Minimize the admission of privileged containers
5.2.2Minimize the admission of containers wishing to share the host process ID namespace
5.2.3Minimize the admission of containers wishing to share the host IPC namespace
5.2.4Minimize the admission of containers wishing to share the host network namespace
5.2.5Minimize the admission of containers with allowPrivilegeEscalation
5.2.6Minimize the admission of root containers
5.2.8Minimize the admission of containers with added capabilities
5.2.9Minimize the admission of containers with capabilities assigned
5.2.11Minimize the admission of containers without a seccomp profile
5.3.2Ensure that all Namespaces have Network Policies defined
5.4.1Prefer using secrets as files over secrets as environment variables
5.5.1Configure Image Provenance using ImagePolicyWebhook admission controller
5.7.2Apply Security Context to Pods and Containers
5.7.4The default namespace should not be used
NIST SP 800-53 rev. 5nist-800-53
13/13 (100%)
ControlTitleMapped policies
AC-3Access Enforcement
AC-6Least Privilege
AU-2Event Logging
CM-2Baseline Configuration
30-Day Scan Age90-Day Image AgeADD Command used instead of COPYAlpine Linux Package Manager (apk) in ImageContainer using read-write root filesystemContainer with privilege escalation allowedCurl in ImageDeployments should have at least one ingress Network PolicyDeployments with externally exposed endpointsDocker CIS 4.1: Ensure That a User for the Container Has Been CreatedDocker CIS 4.4: Ensure images are scanned and rebuilt to include security patchesDocker CIS 4.7: Alert on Update InstructionDocker CIS 5.1 Ensure that, if applicable, an AppArmor Profile is enabledDocker CIS 5.15: Ensure that the host's process namespace is not sharedDocker CIS 5.16: Ensure that the host's IPC namespace is not sharedDocker CIS 5.19: Ensure mount propagation mode is not enabledDocker CIS 5.21: Ensure the default seccomp profile is not disabledDocker CIS 5.7: Ensure privileged ports are not mapped within containersDocker CIS 5.9 and 5.20: Ensure that the host's network namespace is not sharedEmergency Deployment AnnotationEnvironment Variable Contains SecretInsecure specified in CMDIptables or nftables Executed in Privileged ContainerKubernetes Dashboard DeployedLogin BinariesMount Container Runtime SocketMounting Sensitive Host DirectoriesNo CPU request or memory limit specifiedPod Service Account Token Automatically MountedPrivileged ContainerProcess with UID 0Red Hat Package Manager ExecutionRed Hat Package Manager in ImageRequired Annotation: EmailRequired Annotation: Owner/TeamRequired Image LabelRequired Label: Owner/TeamSecret Mounted as Environment VariableSecure Shell (ssh) Port ExposedSecure Shell (ssh) Port Exposed in ImageSecure Shell Server (sshd) ExecutionUbuntu Package Manager in ImageWget in Image
CM-6Configuration Settings
CM-7Least Functionality
RA-5Vulnerability Monitoring and Scanning
SC-7Boundary Protection
SI-2Flaw Remediation
SI-3Malicious Code Protection
SI-4System Monitoring
SR-4Provenance (Supply Chain)
SR-11Component Authenticity
ISO/IEC 27001 2022iso-27001
7/7 (100%)
ControlTitleMapped policies
A.8.2Privileged access rights
A.8.7Protection against malware
A.8.8Management of technical vulnerabilities
A.8.9Configuration management
30-Day Scan Age90-Day Image AgeADD Command used instead of COPYAlpine Linux Package Manager (apk) in ImageContainer using read-write root filesystemContainer with privilege escalation allowedCurl in ImageDeployments should have at least one ingress Network PolicyDeployments with externally exposed endpointsDocker CIS 4.1: Ensure That a User for the Container Has Been CreatedDocker CIS 4.4: Ensure images are scanned and rebuilt to include security patchesDocker CIS 4.7: Alert on Update InstructionDocker CIS 5.1 Ensure that, if applicable, an AppArmor Profile is enabledDocker CIS 5.15: Ensure that the host's process namespace is not sharedDocker CIS 5.16: Ensure that the host's IPC namespace is not sharedDocker CIS 5.19: Ensure mount propagation mode is not enabledDocker CIS 5.21: Ensure the default seccomp profile is not disabledDocker CIS 5.7: Ensure privileged ports are not mapped within containersDocker CIS 5.9 and 5.20: Ensure that the host's network namespace is not sharedEmergency Deployment AnnotationEnvironment Variable Contains SecretInsecure specified in CMDIptables or nftables Executed in Privileged ContainerKubernetes Dashboard DeployedLogin BinariesMount Container Runtime SocketMounting Sensitive Host DirectoriesNo CPU request or memory limit specifiedPod Service Account Token Automatically MountedPrivileged ContainerProcess with UID 0Red Hat Package Manager ExecutionRed Hat Package Manager in ImageRequired Annotation: EmailRequired Annotation: Owner/TeamRequired Image LabelRequired Label: Owner/TeamSecret Mounted as Environment VariableSecure Shell (ssh) Port ExposedSecure Shell (ssh) Port Exposed in ImageSecure Shell Server (sshd) ExecutionUbuntu Package Manager in ImageWget in Image
A.8.16Monitoring activities
A.8.20Networks security
A.8.25Secure development life cycle
DORA EU 2022/2554dora
5/5 (100%)
ControlTitleMapped policies
Art. 9.2Protection and prevention — ICT security policies and tools
30-Day Scan Age90-Day Image AgeADD Command used instead of COPYAlpine Linux Package Manager (apk) in ImageCAP_SYS_ADMIN capability addedContainer using read-write root filesystemContainer with privilege escalation allowedCurl in ImageDeployments should have at least one ingress Network PolicyDeployments with externally exposed endpointsDocker CIS 4.1: Ensure That a User for the Container Has Been CreatedDocker CIS 4.4: Ensure images are scanned and rebuilt to include security patchesDocker CIS 4.7: Alert on Update InstructionDocker CIS 5.1 Ensure that, if applicable, an AppArmor Profile is enabledDocker CIS 5.15: Ensure that the host's process namespace is not sharedDocker CIS 5.16: Ensure that the host's IPC namespace is not sharedDocker CIS 5.19: Ensure mount propagation mode is not enabledDocker CIS 5.21: Ensure the default seccomp profile is not disabledDocker CIS 5.7: Ensure privileged ports are not mapped within containersDocker CIS 5.9 and 5.20: Ensure that the host's network namespace is not sharedEmergency Deployment AnnotationEnvironment Variable Contains SecretFixable CVSS >= 6 and PrivilegedInsecure specified in CMDIptables or nftables Executed in Privileged ContainerKubernetes Dashboard DeployedLinux Group Add ExecutionLinux User Add ExecutionLogin BinariesMount Container Runtime SocketMounting Sensitive Host DirectoriesNo CPU request or memory limit specifiedPod Service Account Token Automatically MountedPrivileged ContainerPrivileged Containers with Important and Critical Fixable CVEsProcess with UID 0Red Hat Package Manager ExecutionRed Hat Package Manager in ImageRequired Annotation: EmailRequired Annotation: Owner/TeamRequired Image LabelRequired Label: Owner/TeamSecret Mounted as Environment VariableSecure Shell (ssh) Port ExposedSecure Shell (ssh) Port Exposed in ImageSecure Shell Server (sshd) ExecutionUbuntu Package Manager in ImageWget in Image
Art. 9.4(b)Network and infrastructure segmentation
Art. 9.4(c)Patching and updates of ICT systems
Art. 10.1Detection of anomalous activities and ICT incidents
Art. 28.1ICT third-party risk — supply chain integrity