Fintech & regulatory

Compliance

How the current policy set maps to common compliance frameworks. Coverage is advisory: it is measured against the controls mapped in opserapol, not the full framework, and is not an audit artifact.

PCI DSS4.0100%

Payment Card Industry Data Security Standard

14 of 14 mapped controls covered
SOC 22017 TSC100%

AICPA Trust Services Criteria (Security)

6 of 6 mapped controls covered
CIS Kubernetes Benchmarkv1.8100%

Section 5 — policies enforceable at admission

16 of 16 mapped controls covered
NIST SP 800-53rev. 5100%

Security and privacy controls

13 of 13 mapped controls covered
ISO/IEC 270012022100%

Annex A controls

7 of 7 mapped controls covered
DORAEU 2022/2554100%

Digital Operational Resilience Act (EU financial entities)

5 of 5 mapped controls covered
PCI DSS 4.0pci-dss-4
14/14 (100%)
ControlTitleMapped policies
1.2.5All services, protocols and ports allowed are identified, approved and have a defined business need
1.3.1Inbound traffic to the CDE is restricted to that which is necessary
2.2.1Configuration standards are developed, implemented and maintained for system components
30-Day Scan Age90-Day Image AgeADD Command used instead of COPYAlpine Linux Package Manager (apk) in ImageContainer using read-write root filesystemContainer with privilege escalation allowedCurl in ImageDeployments should have at least one ingress Network PolicyDeployments with externally exposed endpointsDocker CIS 4.1: Ensure That a User for the Container Has Been CreatedDocker CIS 4.4: Ensure images are scanned and rebuilt to include security patchesDocker CIS 4.7: Alert on Update InstructionDocker CIS 5.1 Ensure that, if applicable, an AppArmor Profile is enabledDocker CIS 5.15: Ensure that the host's process namespace is not sharedDocker CIS 5.16: Ensure that the host's IPC namespace is not sharedDocker CIS 5.19: Ensure mount propagation mode is not enabledDocker CIS 5.21: Ensure the default seccomp profile is not disabledDocker CIS 5.7: Ensure privileged ports are not mapped within containersDocker CIS 5.9 and 5.20: Ensure that the host's network namespace is not sharedEmergency Deployment AnnotationEnvironment Variable Contains SecretInsecure specified in CMDIptables or nftables Executed in Privileged ContainerKubernetes Dashboard DeployedLogin BinariesMount Container Runtime SocketMounting Sensitive Host DirectoriesNo CPU request or memory limit specifiedPod Service Account Token Automatically MountedPrivileged ContainerProcess with UID 0Red Hat Package Manager ExecutionRed Hat Package Manager in ImageRequired Annotation: EmailRequired Annotation: Owner/TeamRequired Image LabelRequired Label: Owner/TeamSecret Mounted as Environment VariableSecure Shell (ssh) Port ExposedSecure Shell (ssh) Port Exposed in ImageSecure Shell Server (sshd) ExecutionUbuntu Package Manager in ImageWget in Image
2.2.4Only necessary services, protocols, daemons and functions are enabled
2.2.6System security parameters are configured to prevent misuse
5.2.1Anti-malware solutions are deployed on all system components
5.3.2Anti-malware mechanisms perform periodic and active/real-time scans
6.3.1Security vulnerabilities are identified and managed
6.3.2An inventory of bespoke and custom software is maintained for vulnerability management
6.3.3Applicable security patches are installed within an appropriate timeframe
6.4.3Software integrity is verified before deployment (supply chain)
7.2.1An access control model is defined providing least privileges
10.2.1Audit logs capture all access and actions on system components
11.3.1Internal vulnerability scans are performed regularly