Fintech & regulatory

Compliance

How the current policy set maps to common compliance frameworks. Coverage is advisory: it is measured against the controls mapped in opserapol, not the full framework, and is not an audit artifact.

PCI DSS4.0100%

Payment Card Industry Data Security Standard

14 of 14 mapped controls covered
SOC 22017 TSC100%

AICPA Trust Services Criteria (Security)

6 of 6 mapped controls covered
CIS Kubernetes Benchmarkv1.8100%

Section 5 — policies enforceable at admission

16 of 16 mapped controls covered
NIST SP 800-53rev. 5100%

Security and privacy controls

13 of 13 mapped controls covered
ISO/IEC 270012022100%

Annex A controls

7 of 7 mapped controls covered
DORAEU 2022/2554100%

Digital Operational Resilience Act (EU financial entities)

5 of 5 mapped controls covered
NIST SP 800-53 rev. 5nist-800-53
13/13 (100%)
ControlTitleMapped policies
AC-3Access Enforcement
AC-6Least Privilege
AU-2Event Logging
CM-2Baseline Configuration
30-Day Scan Age90-Day Image AgeADD Command used instead of COPYAlpine Linux Package Manager (apk) in ImageContainer using read-write root filesystemContainer with privilege escalation allowedCurl in ImageDeployments should have at least one ingress Network PolicyDeployments with externally exposed endpointsDocker CIS 4.1: Ensure That a User for the Container Has Been CreatedDocker CIS 4.4: Ensure images are scanned and rebuilt to include security patchesDocker CIS 4.7: Alert on Update InstructionDocker CIS 5.1 Ensure that, if applicable, an AppArmor Profile is enabledDocker CIS 5.15: Ensure that the host's process namespace is not sharedDocker CIS 5.16: Ensure that the host's IPC namespace is not sharedDocker CIS 5.19: Ensure mount propagation mode is not enabledDocker CIS 5.21: Ensure the default seccomp profile is not disabledDocker CIS 5.7: Ensure privileged ports are not mapped within containersDocker CIS 5.9 and 5.20: Ensure that the host's network namespace is not sharedEmergency Deployment AnnotationEnvironment Variable Contains SecretInsecure specified in CMDIptables or nftables Executed in Privileged ContainerKubernetes Dashboard DeployedLogin BinariesMount Container Runtime SocketMounting Sensitive Host DirectoriesNo CPU request or memory limit specifiedPod Service Account Token Automatically MountedPrivileged ContainerProcess with UID 0Red Hat Package Manager ExecutionRed Hat Package Manager in ImageRequired Annotation: EmailRequired Annotation: Owner/TeamRequired Image LabelRequired Label: Owner/TeamSecret Mounted as Environment VariableSecure Shell (ssh) Port ExposedSecure Shell (ssh) Port Exposed in ImageSecure Shell Server (sshd) ExecutionUbuntu Package Manager in ImageWget in Image
CM-6Configuration Settings
CM-7Least Functionality
RA-5Vulnerability Monitoring and Scanning
SC-7Boundary Protection
SI-2Flaw Remediation
SI-3Malicious Code Protection
SI-4System Monitoring
SR-4Provenance (Supply Chain)
SR-11Component Authenticity