infrastructure-compliance-auditor


Infrastructure Compliance Auditor


Cross-cutting infrastructure security audit across ALL compliance frameworks. Replaces manual Vanta-style checks with deterministic, repeatable, evidence-generating infrastructure audits covering cloud, DNS, TLS, endpoints, access control, network, containers, CI/CD, secrets, logging, and physical security.



Trigger Phrases


Use this skill when you hear:
  • "infrastructure audit"
  • "cloud security audit"
  • "infrastructure compliance"
  • "DNS security audit"
  • "TLS audit"
  • "endpoint security"
  • "access control audit"
  • "network security assessment"
  • "infrastructure security"
  • "cloud compliance"
  • "Vanta alternative"
  • "compliance automation"
  • "security posture assessment"
  • "hardware security keys"
  • "YubiKey compliance"


Quick Start


Run Full Infrastructure Audit


```bash
python scripts/infra_audit_runner.py --config infrastructure.json --output audit_report.json
```

1. Prepare the asset inventory → record all cloud accounts, domains, endpoints and services
2. Run infra_audit_runner.py → generate findings across all 11 domains
3. Triage findings → prioritize Critical > High > Medium > Low
4. Map to compliance frameworks → identify which framework requirements are met/unmet
5. Create a remediation plan → assign owners and set deadlines per severity SLA
6. Remediate → fix Critical findings within 24 hours, High findings within 72 hours
7. Re-audit → verify remediation and update compliance evidence
8. Generate the report → executive summary + detailed findings + evidence

Severity remediation SLAs:

| Severity | Remediation deadline | Re-audit deadline |
|---|---|---|
| Critical | 24 hours | 48 hours |
| High | 72 hours | 7 days |
| Medium | 7 days | 14 days |
| Low | 30 days | 45 days |
| Info | No deadline | Next audit cycle |

Audit DNS Security for a Domain

DNS security assessment workflow

```bash
python scripts/dns_security_checker.py --domain example.com --output dns_report.json
```

1. Enumerate domains → primary domain + all subdomains
2. Run dns_security_checker.py → check SPF, DKIM, DMARC, DNSSEC, CAA, MTA-STS
3. Verify the email authentication chain → SPF → DKIM → DMARC alignment
4. Check domain security → registrar lock, two-factor authentication, WHOIS details, expiry date
5. Audit subdomains → check for dangling CNAME records (takeover risk)
6. Generate the DNS report → findings + DNS records for remediation

Audit Access Controls

Access control review workflow

```bash
python scripts/access_control_auditor.py --config access_controls.json --output access_report.json
```

1. Export the identity provider configuration → users, groups, roles, policies
2. Run access_control_auditor.py → check MFA, SSO, RBAC, PAM, service accounts
3. Verify MFA coverage → must be 100%; flag any exceptions
4. Review privileged access → who has admin rights? Is JIT enabled?
5. Check service accounts → rotation, ownership, permissions
6. Access recertification → verify all access is current and justified
7. Generate the access report → gaps + remediation steps

Generate Compliance-Mapped Report

Continuous compliance monitoring workflow

```bash
python scripts/infra_audit_runner.py --config infrastructure.json --frameworks soc2,iso27001,hipaa --format markdown --output compliance_report.md
```

1. Schedule automated scans → weekly infrastructure audit, daily DNS checks
2. Track compliance score trends → per-domain scores over time
3. Alert on compliance regression → a score drop or a new Critical finding triggers an alert
4. Quarterly full audit → manual review + automated scans
5. Annual certification preparation → compile evidence for auditors

Tools


| Tool | Purpose | Input |
|---|---|---|
| infra_audit_runner.py | Full infrastructure audit across all 11 domains | JSON config describing infrastructure |
| dns_security_checker.py | DNS-specific security audit (SPF, DKIM, DMARC, DNSSEC, CAA, MTA-STS) | Domain name |
| access_control_auditor.py | Access control, MFA, SSO, PAM, RBAC audit | JSON config describing access controls |

Reference Guides

| Guide | Location | Coverage |
|---|---|---|
| Cloud security baseline | references/cloud-security-baseline.md | AWS, Azure, GCP CIS benchmarks |
| Access control standards | references/access-control-standards.md | MFA, SSO, PAM, zero trust, YubiKey |
| Compliance framework mapping | references/compliance-framework-mapping.md | Complete mapping of controls to frameworks |

Audit Domains


1. Cloud Infrastructure Security


AWS Security Audit Checklist

IAM Policies and Roles

| Check ID | Control | Severity | Frameworks |
|---|---|---|---|
| AWS-IAM-001 | Root account has MFA enabled (hardware MFA preferred) | Critical | SOC 2 CC6.1, ISO 27001 A.9.2.1, PCI-DSS 8.3, NIST CSF PR.AC-1, HIPAA 164.312(d), FedRAMP AC-2 |
| AWS-IAM-002 | Root account has no access keys | Critical | SOC 2 CC6.1, ISO 27001 A.9.2.3, PCI-DSS 2.1, NIST CSF PR.AC-4 |
| AWS-IAM-003 | No IAM policies with `"Effect": "Allow", "Action": "*", "Resource": "*"` | Critical | SOC 2 CC6.3, ISO 27001 A.9.4.1, PCI-DSS 7.1, NIST CSF PR.AC-4 |
| AWS-IAM-004 | All IAM users have MFA enabled | High | SOC 2 CC6.1, ISO 27001 A.9.4.2, PCI-DSS 8.3, HIPAA 164.312(d) |
| AWS-IAM-005 | IAM password policy enforces minimum 14 characters | Medium | SOC 2 CC6.1, ISO 27001 A.9.4.3, PCI-DSS 8.2.3, NIST CSF PR.AC-1 |
| AWS-IAM-006 | IAM roles use external ID for cross-account access | Medium | SOC 2 CC6.3, ISO 27001 A.9.2.1 |
| AWS-IAM-007 | Unused IAM credentials (>90 days) are disabled | Medium | SOC 2 CC6.2, ISO 27001 A.9.2.6, PCI-DSS 8.1.4 |
| AWS-IAM-008 | IAM Access Analyzer is enabled in all regions | Medium | SOC 2 CC6.1, ISO 27001 A.9.2.5 |
| AWS-IAM-009 | No inline IAM policies (use managed policies) | Low | ISO 27001 A.9.2.2 |
| AWS-IAM-010 | IAM policy conditions restrict by source IP or VPC where possible | Low | SOC 2 CC6.6, NIST CSF PR.AC-3 |

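How a runner can evaluate AWS-IAM-003 against exported policy documents, as an added example (not the project's own code): it handles the string and list forms IAM accepts for `Action` and `Resource`, treats `*:*` as equivalent to `*`, and reports statements carrying a `Condition` block separately for manual review. The policies are constructed samples.

```python
"""Detect IAM policy statements that grant every action on every resource.

Added example, not code from the infrastructure-compliance-auditor project.
Works on IAM policy documents as plain JSON, so it runs offline; the
sample policies below are constructed, not taken from any real account.
"""
import json


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_wildcard_action(action):
    # "*" and "*:*" both mean every action in every service.
    return action.strip() in ("*", "*:*")


def find_admin_statements(policy_document):
    """Return statements that allow a full-wildcard Action on Resource "*".

    Only Allow statements with an Action element are considered (NotAction
    grants are a separate, broader review). Statements with a Condition
    block are flagged as 'conditional' so an auditor can judge whether the
    condition actually narrows the grant, rather than auto-failing them.
    """
    findings = []
    for index, stmt in enumerate(_as_list(policy_document.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = [r.strip() for r in _as_list(stmt.get("Resource"))]
        if not any(_is_wildcard_action(a) for a in actions):
            continue
        if "*" not in resources:
            continue
        findings.append({
            "statement_index": index,
            "sid": stmt.get("Sid"),
            "conditional": "Condition" in stmt,
        })
    return findings


def audit_policies(policies):
    """Evaluate AWS-IAM-003 over a mapping of policy name -> policy document."""
    result = {"check_id": "AWS-IAM-003", "severity": "Critical", "failed": []}
    for name, document in policies.items():
        hits = find_admin_statements(document)
        # An unconditional full-admin statement fails the check outright.
        if any(not hit["conditional"] for hit in hits):
            result["failed"].append(name)
    result["status"] = "FAIL" if result["failed"] else "PASS"
    return result


# Constructed sample policies in the shapes IAM actually emits.
SAMPLE_POLICIES = {
    "AdminEverything": json.loads(
        '{"Version": "2012-10-17", "Statement": [{"Effect": "Allow", '
        '"Action": "*", "Resource": "*"}]}'
    ),
    "S3ReadOnly": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow",
                       "Action": ["s3:GetObject", "s3:ListBucket"],
                       "Resource": "*"}],
    },
    "ListFormAdmin": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": ["*:*"], "Resource": ["*"]}],
    },
    "DenyAll": {
        "Version": "2012-10-17",
        "Statement": {"Effect": "Deny", "Action": "*", "Resource": "*"},
    },
}

if __name__ == "__main__":
    print(json.dumps(audit_policies(SAMPLE_POLICIES), indent=2))
```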
S3 Bucket Security

| Check ID | Control | Severity | Frameworks |
|---|---|---|---|
| AWS-S3-001 | S3 Block Public Access enabled at account level | Critical | SOC 2 CC6.6, ISO 27001 A.13.1.1, PCI-DSS 1.3, HIPAA 164.312(e)(1), GDPR Art.32 |
| AWS-S3-002 | No S3 buckets with public ACLs or policies | Critical | SOC 2 CC6.6, ISO 27001 A.13.1.1, PCI-DSS 1.3, HIPAA 164.312(e)(1) |
| AWS-S3-003 | Server-side encryption enabled (SSE-S3 minimum, SSE-KMS preferred) | High | SOC 2 CC6.7, ISO 27001 A.10.1.1, PCI-DSS 3.4, HIPAA 164.312(a)(2)(iv), GDPR Art.32 |
| AWS-S3-004 | Versioning enabled on critical data buckets | Medium | SOC 2 CC6.7, ISO 27001 A.12.3.1 |
| AWS-S3-005 | Access logging enabled for all buckets | Medium | SOC 2 CC7.2, ISO 27001 A.12.4.1, PCI-DSS 10.2 |
| AWS-S3-006 | Lifecycle policies configured for log retention | Low | SOC 2 CC7.2, ISO 27001 A.12.4.1 |
| AWS-S3-007 | MFA Delete enabled for critical buckets | Medium | SOC 2 CC6.7, ISO 27001 A.12.3.1 |
| AWS-S3-008 | S3 Object Lock enabled for compliance data (WORM) | Medium | SEC Rule 17a-4, HIPAA 164.312(c)(1) |

VPC Configuration

| Check ID | Control | Severity | Frameworks |
|---|---|---|---|
| AWS-VPC-001 | VPC Flow Logs enabled for all VPCs | High | SOC 2 CC7.2, ISO 27001 A.12.4.1, PCI-DSS 10.2, NIST CSF DE.CM-1 |
| AWS-VPC-002 | Default security group restricts all inbound/outbound | High | SOC 2 CC6.6, ISO 27001 A.13.1.1, PCI-DSS 1.2 |
| AWS-VPC-003 | No security groups allow 0.0.0.0/0 on SSH (22) or RDP (3389) | Critical | SOC 2 CC6.6, ISO 27001 A.13.1.1, PCI-DSS 1.3, NIST CSF PR.AC-5 |
| AWS-VPC-004 | Private subnets used for databases and application tiers | High | SOC 2 CC6.6, ISO 27001 A.13.1.3, PCI-DSS 1.3 |
| AWS-VPC-005 | NACLs configured as additional defense layer | Medium | SOC 2 CC6.6, PCI-DSS 1.2 |
| AWS-VPC-006 | VPC endpoints used for AWS service access (avoid public internet) | Medium | SOC 2 CC6.6, ISO 27001 A.13.1.1 |
| AWS-VPC-007 | Transit Gateway or VPC Peering uses non-overlapping CIDRs | Low | ISO 27001 A.13.1.1 |

RDS Security

| Check ID | Control | Severity | Frameworks |
|---|---|---|---|
| AWS-RDS-001 | Encryption at rest enabled (KMS) | High | SOC 2 CC6.7, ISO 27001 A.10.1.1, PCI-DSS 3.4, HIPAA 164.312(a)(2)(iv) |
| AWS-RDS-002 | SSL/TLS connections enforced (`rds.force_ssl = 1`) | High | SOC 2 CC6.7, ISO 27001 A.10.1.1, PCI-DSS 4.1 |
| AWS-RDS-003 | Automated backups enabled with minimum 7-day retention | Medium | SOC 2 CC6.7, ISO 27001 A.12.3.1, HIPAA 164.308(a)(7)(ii)(A) |
| AWS-RDS-004 | Multi-AZ deployment for production databases | Medium | SOC 2 A1.2, ISO 27001 A.17.1.1 |
| AWS-RDS-005 | Database instances not publicly accessible | Critical | SOC 2 CC6.6, PCI-DSS 1.3 |
| AWS-RDS-006 | Enhanced monitoring enabled | Low | SOC 2 CC7.2, ISO 27001 A.12.4.1 |
| AWS-RDS-007 | Deletion protection enabled for production instances | Medium | SOC 2 CC6.7 |

CloudTrail and Monitoring

| Check ID | Control | Severity | Frameworks |
|---|---|---|---|
| AWS-CT-001 | CloudTrail enabled in all regions | Critical | SOC 2 CC7.2, ISO 27001 A.12.4.1, PCI-DSS 10.1, HIPAA 164.312(b), NIST CSF DE.CM-1, FedRAMP AU-2 |
| AWS-CT-002 | CloudTrail log file validation enabled | High | SOC 2 CC7.2, ISO 27001 A.12.4.3, PCI-DSS 10.5 |
| AWS-CT-003 | CloudTrail logs delivered to S3 with encryption | High | SOC 2 CC7.2, ISO 27001 A.12.4.1, PCI-DSS 10.5 |
| AWS-CT-004 | CloudTrail integrated with CloudWatch Logs | Medium | SOC 2 CC7.2, ISO 27001 A.12.4.1 |
| AWS-CT-005 | GuardDuty enabled in all regions | High | SOC 2 CC7.2, NIST CSF DE.CM-1 |
| AWS-CT-006 | Security Hub enabled with CIS AWS Foundations Benchmark | Medium | SOC 2 CC7.2, NIST CSF DE.CM-1 |
| AWS-CT-007 | AWS Config enabled with required rules | High | SOC 2 CC7.2, ISO 27001 A.12.4.1, NIST CSF DE.CM-1, FedRAMP CM-8 |

KMS and Encryption

| Check ID | Control | Severity | Frameworks |
|---|---|---|---|
| AWS-KMS-001 | Customer-managed KMS keys used for sensitive data | High | SOC 2 CC6.7, ISO 27001 A.10.1.2, PCI-DSS 3.5 |
| AWS-KMS-002 | KMS key rotation enabled (annual automatic rotation) | Medium | SOC 2 CC6.7, ISO 27001 A.10.1.2, PCI-DSS 3.6.4 |
| AWS-KMS-003 | KMS key policies follow least privilege | Medium | SOC 2 CC6.3, ISO 27001 A.10.1.2 |
| AWS-KMS-004 | KMS keys have alias and description for identification | Low | ISO 27001 A.10.1.2 |

Lambda and Serverless Security

| Check ID | Control | Severity | Frameworks |
|---|---|---|---|
| AWS-LAM-001 | Lambda functions use IAM roles with least privilege | High | SOC 2 CC6.3, ISO 27001 A.9.4.1 |
| AWS-LAM-002 | Lambda functions do not store secrets in environment variables (use Secrets Manager) | High | SOC 2 CC6.7, PCI-DSS 3.4 |
| AWS-LAM-003 | Lambda functions deployed in VPC when accessing private resources | Medium | SOC 2 CC6.6, ISO 27001 A.13.1.1 |
| AWS-LAM-004 | Lambda function code is signed | Medium | SOC 2 CC7.1 |
| AWS-LAM-005 | Dead letter queues configured for async invocations | Low | SOC 2 A1.2 |

EKS/ECS Container Security

| Check ID | Control | Severity | Frameworks |
|---|---|---|---|
| AWS-EKS-001 | EKS cluster endpoint not publicly accessible (or restricted by CIDR) | High | SOC 2 CC6.6, ISO 27001 A.13.1.1 |
| AWS-EKS-002 | EKS control plane logging enabled (api, audit, authenticator) | High | SOC 2 CC7.2, ISO 27001 A.12.4.1 |
| AWS-EKS-003 | EKS managed node groups use latest AMI | Medium | SOC 2 CC7.1 |
| AWS-EKS-004 | ECS tasks use awsvpc networking mode | Medium | SOC 2 CC6.6 |
| AWS-EKS-005 | ECR image scanning enabled on push | High | SOC 2 CC7.1, NIST CSF PR.IP-12 |

Pre-audit verification:
  • Infrastructure asset inventory is complete and current
  • All cloud accounts identified and accessible
  • Domain list verified (primary domain + all active subdomains)
  • Endpoint MDM reports available
  • Identity provider configuration export available
  • Previous audit findings reviewed

Azure Security Audit Checklist


Azure AD / Entra ID

| Check ID | Control | Severity | Frameworks |
|---|---|---|---|
| AZ-AD-001 | Global Administrator accounts have MFA enforced | Critical | SOC 2 CC6.1, ISO 27001 A.9.2.1, PCI-DSS 8.3 |
| AZ-AD-002 | Maximum 5 Global Administrator accounts | High | SOC 2 CC6.1, ISO 27001 A.9.2.3 |
| AZ-AD-003 | Conditional Access Policies configured | High | SOC 2 CC6.1, ISO 27001 A.9.4.2 |
| AZ-AD-004 | Security Defaults enabled (if no Conditional Access) | High | SOC 2 CC6.1 |
| AZ-AD-005 | Privileged Identity Management (PIM) enabled for admin roles | High | SOC 2 CC6.1, ISO 27001 A.9.2.3 |
| AZ-AD-006 | Guest user access restricted | Medium | SOC 2 CC6.1, ISO 27001 A.9.2.2 |
| AZ-AD-007 | Sign-in risk policy configured (requires P2) | Medium | SOC 2 CC6.1 |

Azure Network Security

| Check ID | Control | Severity | Frameworks |
|---|---|---|---|
| AZ-NET-001 | NSG rules follow least privilege (no allow-all inbound) | High | SOC 2 CC6.6, ISO 27001 A.13.1.1, PCI-DSS 1.2 |
| AZ-NET-002 | Azure Firewall or third-party NVA deployed | Medium | SOC 2 CC6.6, PCI-DSS 1.1 |
| AZ-NET-003 | DDoS Protection Standard enabled for public IPs | Medium | SOC 2 A1.2, ISO 27001 A.13.1.1 |
| AZ-NET-004 | Private endpoints used for PaaS services | Medium | SOC 2 CC6.6, ISO 27001 A.13.1.1 |
| AZ-NET-005 | Network Watcher enabled in all regions | Medium | SOC 2 CC7.2, ISO 27001 A.12.4.1 |

Azure Key Vault

| Check ID | Control | Severity | Frameworks |
|---|---|---|---|
| AZ-KV-001 | Key Vault uses RBAC (not legacy access policies) | High | SOC 2 CC6.3, ISO 27001 A.10.1.2 |
| AZ-KV-002 | Soft delete and purge protection enabled | High | SOC 2 CC6.7, ISO 27001 A.10.1.2 |
| AZ-KV-003 | Key Vault diagnostic logging enabled | Medium | SOC 2 CC7.2, ISO 27001 A.12.4.1 |
| AZ-KV-004 | Key rotation policy configured | Medium | SOC 2 CC6.7, PCI-DSS 3.6.4 |
| AZ-KV-005 | Key Vault firewall enabled (restrict to VNet/IP) | Medium | SOC 2 CC6.6, ISO 27001 A.13.1.1 |

Azure Monitoring

| Check ID | Control | Severity | Frameworks |
|---|---|---|---|
| AZ-MON-001 | Azure Monitor activity log alerts configured | High | SOC 2 CC7.2, ISO 27001 A.12.4.1 |
| AZ-MON-002 | Microsoft Sentinel (SIEM) deployed | Medium | SOC 2 CC7.2, NIST CSF DE.AE-2 |
| AZ-MON-003 | Diagnostic settings enabled for all resources | Medium | SOC 2 CC7.2, ISO 27001 A.12.4.1 |
| AZ-MON-004 | Azure Policy assignments enforcing compliance | High | SOC 2 CC7.1, ISO 27001 A.18.2.2 |
| AZ-MON-005 | Microsoft Defender for Cloud enabled (all plans) | High | SOC 2 CC7.2, NIST CSF DE.CM-1 |

Azure Storage Security

| Check ID | Control | Severity | Frameworks |
|---|---|---|---|
| AZ-ST-001 | Storage accounts require HTTPS transfer | High | SOC 2 CC6.7, ISO 27001 A.10.1.1, PCI-DSS 4.1 |
| AZ-ST-002 | Storage account public access disabled | Critical | SOC 2 CC6.6, ISO 27001 A.13.1.1 |
| AZ-ST-003 | Storage accounts use customer-managed keys | Medium | SOC 2 CC6.7, PCI-DSS 3.5 |
| AZ-ST-004 | Shared Access Signatures (SAS) use short expiry | Medium | SOC 2 CC6.1, ISO 27001 A.9.4.2 |

AKS Security

| Check ID | Control | Severity | Frameworks |
|---|---|---|---|
| AZ-AKS-001 | AKS uses managed identity (not service principal) | High | SOC 2 CC6.1, ISO 27001 A.9.4.1 |
| AZ-AKS-002 | Azure Policy for AKS enabled | Medium | SOC 2 CC7.1 |
| AZ-AKS-003 | AKS API server authorized IP ranges configured | High | SOC 2 CC6.6, ISO 27001 A.13.1.1 |
| AZ-AKS-004 | AKS uses Azure CNI (not kubenet) for network policies | Medium | SOC 2 CC6.6 |

Post-audit verification:
  • All 11 domains audited, no checks skipped
  • Every finding includes severity, framework mapping and remediation
  • Critical and High findings have an assigned owner
  • Per-domain and overall compliance scores calculated
  • Executive summary prepared
  • Evidence package compiled for the applicable frameworks
  • Remediation deadlines set per severity SLA

GCP Security Audit Checklist


GCP IAM and Service Accounts

| Check ID | Control | Severity | Frameworks |
|---|---|---|---|
| GCP-IAM-001 | Organization-level IAM policies use groups, not individual users | High | SOC 2 CC6.1, ISO 27001 A.9.2.2 |
| GCP-IAM-002 | Service accounts do not have Owner/Editor roles | Critical | SOC 2 CC6.3, ISO 27001 A.9.4.1 |
| GCP-IAM-003 | User-managed service account keys rotate every 90 days | High | SOC 2 CC6.1, PCI-DSS 3.6.4 |
| GCP-IAM-004 | Domain-restricted sharing enabled via Organization Policy | Medium | SOC 2 CC6.1, ISO 27001 A.9.2.2 |
| GCP-IAM-005 | Workload Identity used for GKE (no service account keys) | High | SOC 2 CC6.1, ISO 27001 A.9.4.1 |

GCP VPC and Network

| Check ID | Control | Severity | Frameworks |
|---|---|---|---|
| GCP-VPC-001 | VPC Service Controls configured for sensitive projects | High | SOC 2 CC6.6, ISO 27001 A.13.1.3 |
| GCP-VPC-002 | Cloud Armor WAF rules protect public-facing services | High | SOC 2 CC6.6, ISO 27001 A.13.1.1 |
| GCP-VPC-003 | VPC Flow Logs enabled for all subnets | High | SOC 2 CC7.2, ISO 27001 A.12.4.1 |
| GCP-VPC-004 | Private Google Access enabled for private subnets | Medium | SOC 2 CC6.6 |
| GCP-VPC-005 | Firewall rules do not allow 0.0.0.0/0 on SSH/RDP | Critical | SOC 2 CC6.6, PCI-DSS 1.3 |

GCP Security Services

| Check ID | Control | Severity | Frameworks |
|---|---|---|---|
| GCP-SEC-001 | Security Command Center (SCC) enabled (Premium) | High | SOC 2 CC7.2, NIST CSF DE.CM-1 |
| GCP-SEC-002 | Cloud KMS keys have rotation scheduled | Medium | SOC 2 CC6.7, PCI-DSS 3.6.4 |
| GCP-SEC-003 | Cloud Audit Logs enabled for all services | High | SOC 2 CC7.2, ISO 27001 A.12.4.1 |
| GCP-SEC-004 | Binary Authorization enabled for GKE | Medium | SOC 2 CC7.1 |
| GCP-SEC-005 | Organization Policy Service enforces constraints | High | SOC 2 CC7.1, ISO 27001 A.18.2.2 |

GKE Security

| Check ID | Control | Severity | Frameworks |
|---|---|---|---|
| GCP-GKE-001 | GKE uses private cluster (no public endpoint) or authorized networks | High | SOC 2 CC6.6, ISO 27001 A.13.1.1 |
| GCP-GKE-002 | GKE Shielded Nodes enabled | Medium | SOC 2 CC6.7 |
| GCP-GKE-003 | GKE node auto-upgrade enabled | Medium | SOC 2 CC7.1, NIST CSF PR.IP-12 |
| GCP-GKE-004 | GKE workload identity enabled (no node service account keys) | High | SOC 2 CC6.1 |
| GCP-GKE-005 | Container-Optimized OS used for nodes | Medium | SOC 2 CC7.1 |

Scoring method

Each audit domain is scored from 0 to 100 based on the controls assessed.

Score calculation:

Domain score = (passed controls * weight) / (total controls * weight) * 100

Weighted by severity:
  Critical = 10
  High = 5
  Medium = 2
  Low = 1
  Info = 0 (informational only, not scored)

Overall score:

Overall score = weighted average of the domain scores

Domain weights:
  Cloud infrastructure: 15%
  Access control: 15%
  Network security: 12%
  Secrets management: 10%
  Logging and monitoring: 10%
  CI/CD pipeline: 8%
  Containers/K8s: 8%
  Endpoint security: 7%
  TLS/SSL: 5%
  DNS security: 5%
  Physical security: 5%

Score interpretation:

| Score range | Rating | Meaning |
|---|---|---|
| 90-100 | Excellent | Audit-ready, very few findings |
| 80-89 | Good | Minor gaps, largely compliant |
| 70-79 | Fair | Notable gaps, remediate before the audit |
| 60-69 | Poor | Significant compliance gaps |
| Below 60 | Critical | Full remediation required, does not meet audit requirements |
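The scoring method carried through in code, as an added example rather than the project's own scorer: it applies the severity weights, the domain weights and the rating bands above to a constructed set of findings, and shows how a single failed Critical control outweighs many passing Medium ones. Two assumptions are labelled in the code: a domain with no scoreable controls counts as 100, and weights are renormalised over the domains actually audited.

```python
"""Severity-weighted domain scores and the overall weighted average.

Added example written for this page; it is not the project's own scoring
code, but it applies the severity weights, domain weights, formula and
rating bands given in the scoring method above. Findings are constructed.
"""

SEVERITY_WEIGHT = {"Critical": 10, "High": 5, "Medium": 2, "Low": 1, "Info": 0}

# Domain weights in percent; they sum to 100.
DOMAIN_WEIGHT = {
    "Cloud infrastructure": 15,
    "Access control": 15,
    "Network security": 12,
    "Secrets management": 10,
    "Logging and monitoring": 10,
    "CI/CD pipeline": 8,
    "Containers/K8s": 8,
    "Endpoint security": 7,
    "TLS/SSL": 5,
    "DNS security": 5,
    "Physical security": 5,
}

# Lower bound of each rating band; anything below 60 is "Critical".
RATING_BANDS = [(90, "Excellent"), (80, "Good"), (70, "Fair"), (60, "Poor")]


def domain_score(controls):
    """Score one domain from (severity, passed) pairs.

    domain score = sum(weight of passed) / sum(weight of all) * 100.
    Info controls weigh 0, so they drop out of both sums.
    """
    total = sum(SEVERITY_WEIGHT[sev] for sev, _ in controls)
    if total == 0:
        # Assumption: a domain with nothing scoreable counts as fully compliant.
        return 100.0
    passed = sum(SEVERITY_WEIGHT[sev] for sev, ok in controls if ok)
    return round(100.0 * passed / total, 1)


def overall_score(domain_scores):
    """Weighted average of the domain scores present.

    Assumption: a domain that was not audited is left out and the remaining
    weights are renormalised, rather than scoring the missing domain as 0.
    """
    weight_sum = sum(DOMAIN_WEIGHT[d] for d in domain_scores)
    weighted = sum(score * DOMAIN_WEIGHT[d] for d, score in domain_scores.items())
    return round(weighted / weight_sum, 1)


def rating(score):
    """Map a 0-100 score onto the interpretation table."""
    for floor, label in RATING_BANDS:
        if score >= floor:
            return label
    return "Critical"


def score_report(findings):
    """Per-domain scores, overall score and rating for a findings mapping."""
    per_domain = {d: domain_score(c) for d, c in findings.items()}
    overall = overall_score(per_domain)
    return {"domains": per_domain, "overall": overall, "rating": rating(overall)}


# Constructed findings: (severity, passed) per control, three domains audited.
SAMPLE_FINDINGS = {
    "Cloud infrastructure": [
        ("Critical", True), ("Critical", True), ("Critical", False),
        ("High", True), ("High", True), ("High", True), ("High", False),
        ("Medium", True), ("Medium", False), ("Low", True), ("Info", False),
    ],
    "Access control": [("Critical", True), ("Critical", True),
                       ("High", True), ("High", True)],
    "DNS security": [("High", False), ("Medium", True), ("Low", True)],
}

if __name__ == "__main__":
    print(score_report(SAMPLE_FINDINGS))
```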

Last updated: March 2026. Version: 1.0.0. Total controls: 250+ across 11 audit domains. Supported frameworks: SOC 2, ISO 27001, HIPAA, GDPR, PCI-DSS, NIS2, DORA, NIST CSF, FedRAMP, CCPA.

2. DNS Security

Email Authentication Chain

SPF, DKIM, and DMARC form a layered email authentication system. ALL three must be configured correctly for effective protection against spoofing and phishing.
SPF (Sender Policy Framework)

| Check ID | Control | Severity | Frameworks |
|---|---|---|---|
| DNS-SPF-001 | SPF record exists for primary domain | High | SOC 2 CC6.6, ISO 27001 A.13.2.1, NIST CSF PR.AC-3 |
| DNS-SPF-002 | SPF record uses `-all` (hard fail) not `~all` (soft fail) | High | SOC 2 CC6.6, ISO 27001 A.13.2.1 |
| DNS-SPF-003 | SPF record has fewer than 10 DNS lookups (RFC 7208 limit) | Medium | SOC 2 CC6.6 |
| DNS-SPF-004 | SPF record does not use `+all` (permits all senders) | Critical | SOC 2 CC6.6, ISO 27001 A.13.2.1 |
| DNS-SPF-005 | Non-sending domains have `v=spf1 -all` to prevent spoofing | Medium | ISO 27001 A.13.2.1 |
| DNS-SPF-006 | SPF record avoids deprecated PTR mechanism | Low | RFC 7208 |
| DNS-SPF-007 | SPF flattening used if approaching lookup limit | Low | Best practice |

SPF syntax reference:

```
v=spf1 include:_spf.google.com include:sendgrid.net ip4:203.0.113.0/24 -all
```

Key rules:
  • Maximum 10 DNS lookups (include, a, mx, ptr, exists, redirect each count as 1)
  • `ip4` and `ip6` mechanisms do NOT count toward the 10-lookup limit
  • Nested includes count toward the limit
  • Record must be a single TXT record (no multiple SPF records)
  • Maximum 255 characters per DNS string (use string concatenation for longer records)
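The lookup-counting rules above applied in code, as an added example (not the project's dns_security_checker.py): it walks `include:` and `redirect=` recursively over a constructed zone, counts only the terms that cost a DNS query, and reports the DNS-SPF checks for the domain. The zone dict stands in for DNS so the example runs offline; a real auditor would swap in a TXT lookup.

```python
"""Static SPF audit (DNS-SPF-001..006) over a constructed zone.

Added example, not code from the infrastructure-compliance-auditor project.
The 'zone' dict stands in for DNS so the example runs offline; replace
lookup_spf() with a real TXT query to audit live domains. All domains
below are constructed.
"""

# Terms that cost a DNS lookup under RFC 7208 section 4.6.4; ip4/ip6 do not.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10  # RFC 7208 permits at most 10; more is a permerror

# Constructed sample zone: domain -> TXT strings.
SAMPLE_ZONE = {
    "example.com": ["v=spf1 include:_spf.mailhost.example include:crm.example "
                    "ip4:203.0.113.0/24 ~all"],
    "_spf.mailhost.example": ["v=spf1 include:_a.mailhost.example "
                              "include:_b.mailhost.example -all"],
    "_a.mailhost.example": ["v=spf1 ip4:198.51.100.0/24 a mx -all"],
    "_b.mailhost.example": ["v=spf1 ip6:2001:db8::/32 ptr -all"],
    "crm.example": ["v=spf1 redirect=_spf.crm.example"],
    "_spf.crm.example": ["v=spf1 a mx exists:%{i}.spf.crm.example +all"],
    "parked.example": ["v=spf1 -all"],
    "twice.example": ["v=spf1 -all", "v=spf1 mx -all"],
}


def lookup_spf(zone, domain):
    """Return the SPF TXT records for a domain (more than one is an error)."""
    return [r for r in zone.get(domain, []) if r.lower().startswith("v=spf1")]


def parse_terms(record):
    """Split a record into (qualifier, name, argument) tuples."""
    terms = []
    for token in record.split()[1:]:          # skip the v=spf1 version tag
        qualifier = "+"
        if token[0] in "+-~?":
            qualifier, token = token[0], token[1:]
        sep = "=" if "=" in token else ":"    # modifiers use '=', mechanisms ':'
        name, _, arg = token.partition(sep)
        terms.append((qualifier, name.lower(), arg))
    return terms


def expand(zone, domain, seen=None):
    """Yield (domain, qualifier, name, arg) for a record and all it includes."""
    seen = set() if seen is None else seen
    if domain in seen:                        # loop guard for circular includes
        return
    seen.add(domain)
    records = lookup_spf(zone, domain)
    if len(records) != 1:
        return
    for qualifier, name, arg in parse_terms(records[0]):
        yield domain, qualifier, name, arg
        if name in ("include", "redirect"):
            yield from expand(zone, arg, seen)


def audit_spf(zone, domain, sending=True):
    """Run the DNS-SPF checks for one domain; returns check id -> PASS/FAIL."""
    records = lookup_spf(zone, domain)
    result = {"domain": domain, "record_count": len(records)}
    if len(records) != 1:                     # missing or duplicate record
        result["DNS-SPF-001"] = "FAIL"
        return result
    own_terms = parse_terms(records[0])
    all_terms = list(expand(zone, domain))
    own_all = next((q for q, n, _ in own_terms if n == "all"), None)
    lookups = sum(1 for _, _, n, _ in all_terms if n in LOOKUP_TERMS)
    # A +all reached through include/redirect also lets any sender pass.
    any_plus_all = any(q == "+" and n == "all" for _, q, n, _ in all_terms)
    result.update({
        "DNS-SPF-001": "PASS",
        "DNS-SPF-002": "PASS" if own_all == "-" else "FAIL",
        "DNS-SPF-003": "PASS" if lookups <= MAX_LOOKUPS else "FAIL",
        "DNS-SPF-004": "FAIL" if any_plus_all else "PASS",
        "DNS-SPF-006": "FAIL" if any(n == "ptr" for _, _, n, _ in all_terms) else "PASS",
        "lookups": lookups,
        "fits_single_string": len(records[0]) <= 255,
    })
    if not sending:                           # DNS-SPF-005: null record only
        result["DNS-SPF-005"] = ("PASS" if records[0].split() == ["v=spf1", "-all"]
                                 else "FAIL")
    return result


if __name__ == "__main__":
    for name in ("example.com", "parked.example", "twice.example"):
        print(audit_spf(SAMPLE_ZONE, name, sending=(name == "example.com")))
```

For example.com the walk reaches 11 lookups because the nested includes and the redirect are counted, and the `+all` buried in `_spf.crm.example` fails DNS-SPF-004 even though the top-level record ends in `~all`.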
DKIM (DomainKeys Identified Mail)

| Check ID | Control | Severity | Frameworks |
|---|---|---|---|
| DNS-DKIM-001 | DKIM record exists for all sending domains | High | SOC 2 CC6.6, ISO 27001 A.13.2.1 |
| DNS-DKIM-002 | DKIM key is minimum 2048-bit RSA | High | SOC 2 CC6.7, ISO 27001 A.10.1.1 |
| DNS-DKIM-003 | DKIM keys rotate every 6-12 months | Medium | SOC 2 CC6.7, ISO 27001 A.10.1.2 |
| DNS-DKIM-004 | Multiple DKIM selectors for different sending services | Low | Best practice |
| DNS-DKIM-005 | DKIM testing mode (`t=y`)  removed for production domains | Medium | SOC 2 CC6.6 |

DKIM record format:

```
selector._domainkey.example.com IN TXT "v=DKIM1; k=rsa; p=MIIBIjANBgkq..."
```
DMARC (Domain-based Message Authentication, Reporting, and Conformance)

| Check ID | Control | Severity | Frameworks |
|---|---|---|---|
| DNS-DMARC-001 | DMARC record exists at `_dmarc.example.com` | High | SOC 2 CC6.6, ISO 27001 A.13.2.1, NIST CSF PR.AC-3 |
| DNS-DMARC-002 | DMARC policy is `p=reject` (maximum enforcement) | High | SOC 2 CC6.6, ISO 27001 A.13.2.1 |
| DNS-DMARC-003 | DMARC `rua` (aggregate reporting) tag configured | Medium | SOC 2 CC7.2, ISO 27001 A.12.4.1 |
| DNS-DMARC-004 | DMARC `ruf` (forensic reporting) tag configured | Low | SOC 2 CC7.2 |
| DNS-DMARC-005 | DMARC subdomain policy `sp=reject` configured | Medium | ISO 27001 A.13.2.1 |
| DNS-DMARC-006 | DMARC alignment modes `adkim=s` and `aspf=s` (strict) preferred | Medium | SOC 2 CC6.6 |
| DNS-DMARC-007 | DMARC `pct=100` (applies to all messages) | Medium | SOC 2 CC6.6 |

DMARC record format:

```
_dmarc.example.com IN TXT "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; rua=mailto:dmarc-agg@example.com; ruf=mailto:dmarc-forensic@example.com; pct=100"
```

DMARC rollout strategy (avoid disrupting legitimate email):
  1. `p=none; rua=mailto:...` — Monitor for 2-4 weeks
  2. `p=quarantine; pct=10` — Quarantine 10% of failing messages
  3. `p=quarantine; pct=50` — Increase gradually
  4. `p=quarantine; pct=100` — Full quarantine
  5. `p=reject; pct=100` — Full enforcement
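A DMARC record evaluator for the DNS-DMARC checks and the rollout ladder above, as an added example (not the project's dns_security_checker.py). It fills in the RFC 7489 defaults that a bare record omits (`sp` inherits `p`, alignment is relaxed, `pct` is 100), places the record on the five-step ladder and suggests the next step's record. Sample records are constructed; the first follows the record format shown above.

```python
"""DMARC record audit (DNS-DMARC-001..007) and rollout-ladder placement.

Added example, not code from the infrastructure-compliance-auditor project.
Input is the TXT string published at _dmarc.<domain>; the sample records
below are constructed (the first follows the record format shown above).
"""

# Rollout ladder from the text: stage -> (p, pct).
ROLLOUT = {1: ("none", 100), 2: ("quarantine", 10), 3: ("quarantine", 50),
           4: ("quarantine", 100), 5: ("reject", 100)}


def parse_dmarc(record):
    """Parse 'v=DMARC1; p=...; ...' into a tag dict, or None if not DMARC.

    RFC 7489 defaults are filled in: sp inherits p, alignment is relaxed
    ('r') and pct is 100 when the tags are absent.
    """
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, value = part.partition("=")
        if not sep:
            return None
        tags[name.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return None
    tags.setdefault("sp", tags["p"])
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    tags.setdefault("pct", "100")
    return tags


def _pct(tags):
    return int(tags["pct"]) if tags["pct"].isdigit() else 0


def rollout_stage(policy, pct):
    """Place (p, pct) on the five-step ladder; reject below pct=100 counts as 4."""
    if policy == "none":
        return 1
    if policy == "quarantine":
        return 2 if pct < 50 else 3 if pct < 100 else 4
    if policy == "reject":
        return 5 if pct == 100 else 4
    return 0


def audit_dmarc(record):
    """Return check id -> PASS/FAIL plus the current rollout stage."""
    tags = parse_dmarc(record) if record else None
    if tags is None:
        return {"DNS-DMARC-001": "FAIL", "stage": 0}
    policy = tags["p"].lower()
    pct = _pct(tags)
    strict = tags["adkim"].lower() == "s" and tags["aspf"].lower() == "s"
    return {
        "DNS-DMARC-001": "PASS",
        "DNS-DMARC-002": "PASS" if policy == "reject" else "FAIL",
        "DNS-DMARC-003": "PASS" if tags.get("rua", "").startswith("mailto:") else "FAIL",
        "DNS-DMARC-004": "PASS" if tags.get("ruf", "").startswith("mailto:") else "FAIL",
        "DNS-DMARC-005": "PASS" if tags["sp"].lower() == "reject" else "FAIL",
        "DNS-DMARC-006": "PASS" if strict else "FAIL",
        "DNS-DMARC-007": "PASS" if pct == 100 else "FAIL",
        "stage": rollout_stage(policy, pct),
    }


def next_rollout_record(record):
    """Suggest the record for the next ladder step, keeping rua; None at stage 5."""
    tags = parse_dmarc(record)
    if tags is None:
        return None
    stage = rollout_stage(tags["p"].lower(), _pct(tags))
    if stage >= 5:
        return None
    policy, pct = ROLLOUT[stage + 1]
    parts = [f"v=DMARC1; p={policy}; pct={pct}"]
    if "rua" in tags:
        parts.append(f"rua={tags['rua']}")
    return "; ".join(parts)


# Constructed sample records.
ENFORCED = ("v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; "
            "rua=mailto:dmarc-agg@example.com; "
            "ruf=mailto:dmarc-forensic@example.com; pct=100")
MONITOR_ONLY = "v=DMARC1; p=none; rua=mailto:dmarc-agg@example.com"
HALFWAY = "v=DMARC1; p=quarantine; pct=50; adkim=s; rua=mailto:dmarc-agg@example.com"

if __name__ == "__main__":
    for rec in (ENFORCED, MONITOR_ONLY, HALFWAY):
        print(audit_dmarc(rec), "->", next_rollout_record(rec))
```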
DNSSEC

| Check ID | Control | Severity | Frameworks |
|---|---|---|---|
| DNS-SEC-001 | DNSSEC signing enabled for domain | High | SOC 2 CC6.6, ISO 27001 A.13.1.1, NIST CSF PR.DS-2 |
| DNS-SEC-002 | DS record published in parent zone | High | SOC 2 CC6.6, ISO 27001 A.13.1.1 |
| DNS-SEC-003 | DNSSEC algorithm is ECDSAP256SHA256 (13) or newer | Medium | SOC 2 CC6.7 |
| DNS-SEC-004 | DNSSEC key rotation schedule documented | Medium | SOC 2 CC6.7, ISO 27001 A.10.1.2 |

CAA (Certificate Authority Authorization)

| Check ID | Control | Severity | Frameworks |
|---|---|---|---|
| DNS-CAA-001 | CAA record exists restricting certificate issuance | High | SOC 2 CC6.7, ISO 27001 A.10.1.2 |
| DNS-CAA-002 | CAA `iodef` tag configured for certificate issuance notifications | Medium | SOC 2 CC7.2 |
| DNS-CAA-003 | Only authorized CAs listed in CAA record | High | SOC 2 CC6.7 |

CAA record format:

```
example.com IN CAA 0 issue "letsencrypt.org"
example.com IN CAA 0 issue "digicert.com"
example.com IN CAA 0 issuewild "letsencrypt.org"
example.com IN CAA 0 iodef "mailto:security@example.com"
```
MTA-STS and TLS-RPT

| Check ID | Control | Severity | Frameworks |
|---|---|---|---|
| DNS-MTA-001 | MTA-STS policy published at `/.well-known/mta-sts.txt` | Medium | ISO 27001 A.13.2.1 |
| DNS-MTA-002 | MTA-STS DNS record `_mta-sts.example.com` exists | Medium | ISO 27001 A.13.2.1 |
| DNS-MTA-003 | MTA-STS mode is `enforce` (not `testing` or `none`) | Medium | ISO 27001 A.13.2.1 |
| DNS-MTA-004 | TLS-RPT record `_smtp._tls.example.com` configured | Low | ISO 27001 A.12.4.1 |

MTA-STS policy (at https://mta-sts.example.com/.well-known/mta-sts.txt):

```
version: STSv1
mode: enforce
mx: mail.example.com
mx: *.example.com
max_age: 604800
```
Domain Security

| Check ID | Control | Severity | Frameworks |
|---|---|---|---|
| DNS-DOM-001 | Registrar lock enabled (clientTransferProhibited) | High | SOC 2 CC6.7, ISO 27001 A.13.1.1 |
| DNS-DOM-002 | WHOIS privacy enabled | Low | GDPR Art.5 |
| DNS-DOM-003 | 2FA enabled on domain registrar account | Critical | SOC 2 CC6.1, ISO 27001 A.9.4.2 |
| DNS-DOM-004 | Domain expiration monitored (>60 days before expiry) | Medium | SOC 2 A1.2 |
| DNS-DOM-005 | Subdomain inventory maintained (prevent subdomain takeover) | High | SOC 2 CC6.6, ISO 27001 A.13.1.1 |
| DNS-DOM-006 | Dangling DNS records (CNAME to deprovisioned services) monitored | High | SOC 2 CC6.6 |
| DNS-DOM-007 | DNS monitoring alerts configured for unauthorized changes | Medium | SOC 2 CC7.2, ISO 27001 A.12.4.1 |

3. TLS/SSL Security

Certificate Management

| Check ID | Control | Severity | Frameworks |
|---|---|---|---|
| TLS-CERT-001 | Certificates issued by trusted CA (not self-signed for public services) | High | SOC 2 CC6.7, ISO 27001 A.10.1.1, PCI-DSS 4.1 |
| TLS-CERT-002 | Automated certificate renewal via ACME (Let's Encrypt, ZeroSSL) | Medium | SOC 2 CC6.7 |
| TLS-CERT-003 | Certificate expiration monitored (alert at 30, 14, 7 days) | High | SOC 2 A1.2, ISO 27001 A.10.1.2 |
| TLS-CERT-004 | Certificate Transparency (CT) log monitoring enabled | Medium | SOC 2 CC7.2 |
| TLS-CERT-005 | No wildcard certificates for high-security domains | Medium | SOC 2 CC6.7, PCI-DSS 4.1 |
| TLS-CERT-006 | Certificate validity period 90 days maximum (Let's Encrypt standard) | Low | Best practice |
| TLS-CERT-007 | OCSP stapling enabled | Medium | SOC 2 CC6.7 |
| TLS-CERT-008 | Certificate pinning only for mobile apps (not web — risk of bricking) | Info | Best practice |

Protocol and Cipher Configuration

| Check ID | Control | Severity | Frameworks |
|---|---|---|---|
| TLS-PROTO-001 | TLS 1.2 minimum (TLS 1.0 and 1.1 disabled) | Critical | SOC 2 CC6.7, ISO 27001 A.10.1.1, PCI-DSS 4.1, NIST CSF PR.DS-2, HIPAA 164.312(e)(1) |
| TLS-PROTO-002 | TLS 1.3 preferred where supported | Medium | SOC 2 CC6.7, NIST CSF PR.DS-2 |
| TLS-PROTO-003 | SSL 2.0 and 3.0 disabled | Critical | PCI-DSS 4.1, NIST CSF PR.DS-2 |
| TLS-CIPHER-001 | Forward secrecy enabled (ECDHE or DHE key exchange) | High | SOC 2 CC6.7, ISO 27001 A.10.1.1, PCI-DSS 4.1 |
| TLS-CIPHER-002 | AEAD cipher suites only (GCM, ChaCha20-Poly1305) | High | SOC 2 CC6.7, PCI-DSS 4.1 |
| TLS-CIPHER-003 | No RC4, 3DES, DES, NULL, or EXPORT ciphers | Critical | PCI-DSS 4.1, NIST CSF PR.DS-2 |
| TLS-CIPHER-004 | No CBC mode ciphers (BEAST/POODLE vulnerability) | High | PCI-DSS 4.1 |
| TLS-CIPHER-005 | RSA key exchange disabled (no forward secrecy) | Medium | SOC 2 CC6.7 |

Recommended TLS 1.2 cipher suites (in order):

```
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
```

TLS 1.3 cipher suites (always use all three):

```
TLS_AES_256_GCM_SHA384
TLS_CHACHA20_POLY1305_SHA256
TLS_AES_128_GCM_SHA256
```
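How the protocol and cipher checks above can be evaluated from a scan result, as an added example (not the project's own code): it classifies IANA cipher suite names by key exchange, AEAD mode and weak-algorithm markers, treats the three TLS 1.3 suites as ephemeral and AEAD by definition, and reports each TLS-PROTO and TLS-CIPHER check with the offending items. The scan summaries are constructed.

```python
"""Audit an offered TLS configuration against TLS-PROTO-001..003 and
TLS-CIPHER-001..005.

Added example, not code from the infrastructure-compliance-auditor project.
Input is a constructed scan summary: protocol versions the server accepts
and IANA cipher suite names (the naming used in the lists above). Feed it
a real scanner's output to audit a live endpoint.
"""

LEGACY_TLS = {"TLSv1.0", "TLSv1.1"}
LEGACY_SSL = {"SSLv2", "SSLv3"}
WEAK_MARKERS = ("RC4", "3DES", "_DES_", "NULL", "EXPORT")
# TLS 1.3 suite names carry no key exchange: it is always ephemeral and AEAD.
TLS13_SUITES = {"TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256",
                "TLS_AES_128_GCM_SHA256"}


def has_forward_secrecy(suite):
    return suite in TLS13_SUITES or "_ECDHE_" in suite or "_DHE_" in suite


def is_aead(suite):
    return suite in TLS13_SUITES or any(m in suite for m in ("_GCM_", "_CCM", "POLY1305"))


def is_cbc(suite):
    return "_CBC_" in suite


def is_weak(suite):
    return any(m in suite for m in WEAK_MARKERS)


def uses_rsa_key_exchange(suite):
    # Static RSA key exchange encrypts the session key to the server's
    # long-term key, so a later key compromise decrypts recorded traffic.
    return suite.startswith("TLS_RSA_")


def audit_tls(scan):
    """Return check id -> {'status': PASS|FAIL, 'offending': [...]}."""
    protocols = set(scan["protocols"])
    suites = list(scan["cipher_suites"])

    def offenders(predicate):
        return sorted(s for s in suites if predicate(s))

    def verdict(offending):
        return {"status": "FAIL" if offending else "PASS", "offending": offending}

    def flag(ok):
        return {"status": "PASS" if ok else "FAIL", "offending": []}

    return {
        "TLS-PROTO-001": verdict(sorted(protocols & LEGACY_TLS)),
        "TLS-PROTO-002": flag("TLSv1.3" in protocols),
        "TLS-PROTO-003": verdict(sorted(protocols & LEGACY_SSL)),
        # CIPHER-001 asks that forward-secret suites are on offer at all;
        # CIPHER-005 asks that no static-RSA suite remains alongside them.
        "TLS-CIPHER-001": flag(any(has_forward_secrecy(s) for s in suites)),
        "TLS-CIPHER-002": verdict(offenders(lambda s: not is_aead(s))),
        "TLS-CIPHER-003": verdict(offenders(is_weak)),
        "TLS-CIPHER-004": verdict(offenders(is_cbc)),
        "TLS-CIPHER-005": verdict(offenders(uses_rsa_key_exchange)),
    }


def failed_checks(scan):
    return sorted(k for k, v in audit_tls(scan).items() if v["status"] == "FAIL")


# Constructed scan summaries.
SCAN_LEGACY = {
    "protocols": ["SSLv3", "TLSv1.0", "TLSv1.2"],
    "cipher_suites": [
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
        "TLS_RSA_WITH_AES_256_CBC_SHA",
        "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    ],
}
SCAN_HARDENED = {
    "protocols": ["TLSv1.2", "TLSv1.3"],
    "cipher_suites": [
        "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
        "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
        "TLS_AES_256_GCM_SHA384",
        "TLS_CHACHA20_POLY1305_SHA256",
        "TLS_AES_128_GCM_SHA256",
    ],
}

if __name__ == "__main__":
    print("legacy:", failed_checks(SCAN_LEGACY))
    print("hardened:", failed_checks(SCAN_HARDENED))
```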

HTTP Security Headers

| Check ID | Control | Severity | Frameworks |
|---|---|---|---|
| TLS-HSTS-001 | HSTS enabled with `max-age` >= 31536000 (1 year) | High | SOC 2 CC6.7, ISO 27001 A.10.1.1, PCI-DSS 4.1, NIST CSF PR.DS-2 |
| TLS-HSTS-002 | HSTS `includeSubDomains` directive set | High | SOC 2 CC6.7 |
| TLS-HSTS-003 | HSTS preload submitted to hstspreload.org | Medium | SOC 2 CC6.7 |
| TLS-HSTS-004 | HTTP to HTTPS redirect configured (301 permanent) | High | SOC 2 CC6.7, PCI-DSS 4.1 |

Internal TLS

| Check ID | Control | Severity | Frameworks |
|---|---|---|---|
| TLS-INT-001 | mTLS configured for service-to-service communication | High | SOC 2 CC6.7, ISO 27001 A.13.1.1, PCI-DSS 4.1 (if CDE) |
| TLS-INT-002 | Internal PKI with short-lived certificates (24h-7d) | Medium | SOC 2 CC6.7, ISO 27001 A.10.1.2 |
| TLS-INT-003 | Service mesh (Istio/Linkerd) manages mTLS transparently | Medium | SOC 2 CC6.7 |
| TLS-INT-004 | Database connections use TLS | High | SOC 2 CC6.7, PCI-DSS 4.1, HIPAA 164.312(e)(1) |

4. Endpoint Security

Mobile Device Management (MDM)

| Check ID | Control | Severity | Frameworks |
|---|---|---|---|
| EP-MDM-001 | MDM solution deployed (Jamf, Intune, Kandji) | High | SOC 2 CC6.7, ISO 27001 A.6.2.1, HIPAA 164.310(d)(1), NIST CSF PR.AC-3 |
| EP-MDM-002 | All corporate devices enrolled in MDM | High | SOC 2 CC6.7, ISO 27001 A.6.2.1 |
| EP-MDM-003 | MDM compliance policies enforced (auto-remediate non-compliant devices) | Medium | SOC 2 CC6.7 |
| EP-MDM-004 | MDM reports integrated into security dashboard | Low | SOC 2 CC7.2 |

Disk Encryption

| Check ID | Control | Severity | Frameworks |
|---|---|---|---|
| EP-ENC-001 | Full disk encryption enabled on all endpoints (FileVault/BitLocker/LUKS) | Critical | SOC 2 CC6.7, ISO 27001 A.10.1.1, PCI-DSS 3.4, HIPAA 164.312(a)(2)(iv), GDPR Art.32, NIST CSF PR.DS-1 |
| EP-ENC-002 | Encryption recovery keys escrowed in MDM or central key management | High | SOC 2 CC6.7, ISO 27001 A.10.1.2 |
| EP-ENC-003 | Encryption status verified on every endpoint via MDM | Medium | SOC 2 CC6.7 |
| EP-ENC-004 | Mobile devices have device encryption enabled | High | SOC 2 CC6.7, HIPAA 164.312(a)(2)(iv) |

Antivirus and EDR

| Check ID | Control | Severity | Frameworks |
|---|---|---|---|
| EP-AV-001 | EDR solution deployed on all endpoints (CrowdStrike, SentinelOne, Defender for Endpoint) | High | SOC 2 CC6.8, ISO 27001 A.12.2.1, PCI-DSS 5.1, HIPAA 164.308(a)(5)(ii)(B), NIST CSF DE.CM-4 |
| EP-AV-002 | Real-time protection enabled and cannot be disabled by users | High | SOC 2 CC6.8, PCI-DSS 5.1 |
| EP-AV-003 | Definitions updated automatically (maximum 24h staleness) | Medium | SOC 2 CC6.8, PCI-DSS 5.2 |
| EP-AV-004 | EDR telemetry centralized for threat hunting | Medium | SOC 2 CC7.2, NIST CSF DE.AE-2 |
| EP-AV-005 | Automatic quarantine/isolation for critical threats | Medium | SOC 2 CC6.8, NIST CSF RS.MI-1 |

OS Patch Management

| Check ID | Control | Severity | Frameworks |
|---|---|---|---|
| EP-PATCH-001 | Critical patches applied within 24 hours | Critical | SOC 2 CC7.1, ISO 27001 A.12.6.1, PCI-DSS 6.2, NIST CSF PR.IP-12 |
| EP-PATCH-002 | High patches applied within 72 hours | High | SOC 2 CC7.1, ISO 27001 A.12.6.1, PCI-DSS 6.2 |
| EP-PATCH-003 | Medium patches applied within 7 days | Medium | SOC 2 CC7.1, ISO 27001 A.12.6.1 |
| EP-PATCH-004 | Low patches applied within 30 days | Low | SOC 2 CC7.1, ISO 27001 A.12.6.1 |
| EP-PATCH-005 | Patch compliance reported weekly | Medium | SOC 2 CC7.1, ISO 27001 A.12.6.1 |
| EP-PATCH-006 | Emergency patch process documented and tested | Medium | SOC 2 CC7.1, NIST CSF RS.MI-3 |

Additional Endpoint Controls

| Check ID | Control | Severity | Frameworks |
|---|---|---|---|
| EP-LOCK-001 | Screen lock after 5 minutes of inactivity | Medium | SOC 2 CC6.1, ISO 27001 A.11.2.8, PCI-DSS 8.1.8, HIPAA 164.310(b) |
| EP-USB-001 | USB storage devices blocked or controlled via MDM | Medium | SOC 2 CC6.7, ISO 27001 A.8.3.1, PCI-DSS 9.7 |
| EP-BRW-001 | Browser extension allow-listing enforced | Medium | SOC 2 CC6.8, ISO 27001 A.12.2.1 |
| EP-BRW-002 | Safe browsing / web filtering enabled | Low | SOC 2 CC6.8, ISO 27001 A.13.1.1 |
| EP-WIPE-001 | Remote wipe capability verified for all corporate devices | High | SOC 2 CC6.7, ISO 27001 A.6.2.1, HIPAA 164.310(d)(2)(iii) |
| EP-BYOD-001 | BYOD policy documented and enforced via MDM container | Medium | SOC 2 CC6.7, ISO 27001 A.6.2.1, GDPR Art.32 |
| EP-FW-001 | Host-based firewall enabled on all endpoints | Medium | SOC 2 CC6.6, ISO 27001 A.13.1.1, PCI-DSS 1.4 |

5. Access Control and Authentication

Identity Provider (IdP) Configuration

| Check ID | Control | Severity | Frameworks |
|---|---|---|---|
| AC-IDP-001 | Centralized IdP deployed (Okta, Azure AD/Entra ID, Google Workspace) | High | SOC 2 CC6.1, ISO 27001 A.9.2.1, PCI-DSS 8.1, HIPAA 164.312(d), NIST CSF PR.AC-1, FedRAMP AC-2 |
| AC-IDP-002 | All applications integrated with IdP via SSO | High | SOC 2 CC6.1, ISO 27001 A.9.4.2 |
| AC-IDP-003 | IdP has admin MFA enforced (hardware key required for admin) | Critical | SOC 2 CC6.1, ISO 27001 A.9.4.2, PCI-DSS 8.3 |
| AC-IDP-004 | IdP audit logs exported to SIEM | Medium | SOC 2 CC7.2, ISO 27001 A.12.4.1 |

Single Sign-On (SSO)

| Check ID | Control | Severity | Frameworks |
|---|---|---|---|
| AC-SSO-001 | SSO implemented via SAML 2.0 or OIDC (no password-based SSO) | High | SOC 2 CC6.1, ISO 27001 A.9.4.2, NIST CSF PR.AC-1 |
| AC-SSO-002 | SSO session timeout configured (maximum 8 hours) | Medium | SOC 2 CC6.1, ISO 27001 A.9.4.2, PCI-DSS 8.1.8 |
| AC-SSO-003 | SSO enforced (local authentication disabled where possible) | High | SOC 2 CC6.1, ISO 27001 A.9.4.2 |
| AC-SSO-004 | SCIM provisioning enabled for automated user lifecycle | High | SOC 2 CC6.2, ISO 27001 A.9.2.1, NIST CSF PR.AC-1 |
| AC-SSO-005 | Deprovisioning triggers immediate SSO session revocation | High | SOC 2 CC6.2, ISO 27001 A.9.2.6 |

Multi-Factor Authentication (MFA)

| Check ID | Control | Severity | Frameworks |
|---|---|---|---|
| AC-MFA-001 | MFA enforced for ALL user accounts (no exceptions) | Critical | SOC 2 CC6.1, ISO 27001 A.9.4.2, PCI-DSS 8.3, HIPAA 164.312(d), NIST CSF PR.AC-7, GDPR Art.32, NIS2 Art.21, DORA Art.9, FedRAMP IA-2 |
| AC-MFA-002 | Phishing-resistant MFA (FIDO2/WebAuthn) required for privileged accounts | Critical | SOC 2 CC6.1, ISO 27001 A.9.4.2, NIST CSF PR.AC-7, FedRAMP IA-2(6) |
| AC-MFA-003 | SMS-based MFA prohibited (SIM swap vulnerability) | High | SOC 2 CC6.1, NIST CSF PR.AC-7 |
| AC-MFA-004 | TOTP (time-based one-time password) accepted as minimum MFA | Medium | SOC 2 CC6.1 |
| AC-MFA-005 | Hardware security keys (YubiKey 5 Series, Bio Series) deployed for all admins | High | SOC 2 CC6.1, ISO 27001 A.9.4.2, NIST CSF PR.AC-7 |
| AC-MFA-006 | MFA recovery process documented (not bypass, requires identity verification) | Medium | SOC 2 CC6.1, ISO 27001 A.9.2.4 |
| AC-MFA-007 | MFA enrollment status reported (100% coverage target) | Medium | SOC 2 CC6.1 |

Hardware Security Key (YubiKey) Implementation:
Enrollment process:
  1. User registers primary YubiKey to IdP (Okta, Azure AD, Google Workspace)
  2. User registers backup YubiKey (stored in secure location)
  3. IdP policy updated to require FIDO2/WebAuthn for user
  4. TOTP/push fallback disabled for privileged accounts
YubiKey policy requirements:
  • Each user has minimum 2 registered keys (primary + backup)
  • Backup key stored in secure, documented location
  • PIN configured on YubiKey (FIDO2 user verification)
  • Touch required for every authentication
  • Bio Series (fingerprint) preferred for shared workstations
  • Inventory of all issued keys maintained
  • Lost key process: immediate revocation, identity reverification, new key issuance
IdP-specific configuration:
  • Okta: Enroll YubiKey via FIDO2 (WebAuthn) factor, set Authentication Policy to require phishing-resistant MFA
  • Azure AD/Entra ID: Configure FIDO2 security key in Authentication Methods, create Conditional Access policy requiring authentication strength "Phishing-resistant MFA"
  • Google Workspace: Enroll security key in 2-Step Verification, enable Advanced Protection Program for admins

Privileged Access Management (PAM)

| Check ID | Control | Severity | Frameworks |
|---|---|---|---|
| AC-PAM-001 | Just-in-time (JIT) access implemented for privileged roles | High | SOC 2 CC6.1, ISO 27001 A.9.2.3, PCI-DSS 7.1, NIST CSF PR.AC-4 |
| AC-PAM-002 | Privileged access requests require approval workflow | High | SOC 2 CC6.1, ISO 27001 A.9.2.3 |
| AC-PAM-003 | Privileged session time-limited (maximum 4 hours, re-approval needed) | Medium | SOC 2 CC6.1, ISO 27001 A.9.2.3 |
| AC-PAM-004 | Privileged sessions recorded (screen recording or command logging) | High | SOC 2 CC7.2, ISO 27001 A.12.4.1, PCI-DSS 10.2 |
| AC-PAM-005 | Break-glass procedure documented and tested quarterly | Medium | SOC 2 CC6.1, ISO 27001 A.9.2.3, NIST CSF PR.AC-4 |
| AC-PAM-006 | Privileged account inventory maintained and reviewed quarterly | High | SOC 2 CC6.2, ISO 27001 A.9.2.5, PCI-DSS 7.1 |
| AC-PAM-007 | Standing privileged access eliminated (no permanent admin accounts) | High | SOC 2 CC6.1, ISO 27001 A.9.2.3, NIST CSF PR.AC-4 |

Role-Based Access Control (RBAC)

| Check ID | Control | Severity | Frameworks |
|---|---|---|---|
| AC-RBAC-001 | RBAC model documented with role definitions and permissions | High | SOC 2 CC6.3, ISO 27001 A.9.2.2, PCI-DSS 7.1, HIPAA 164.312(a)(1), NIST CSF PR.AC-4 |
| AC-RBAC-002 | Role assignments reviewed quarterly (access recertification) | High | SOC 2 CC6.2, ISO 27001 A.9.2.5, PCI-DSS 7.1.1 |
| AC-RBAC-003 | Separation of duties enforced (no single user has conflicting roles) | High | SOC 2 CC6.3, ISO 27001 A.6.1.2, PCI-DSS 6.4.2 |
| AC-RBAC-004 | Default deny — users get minimum necessary permissions | High | SOC 2 CC6.3, ISO 27001 A.9.4.1 |
| AC-RBAC-005 | Role changes logged and auditable | Medium | SOC 2 CC7.2, ISO 27001 A.12.4.1 |

Service Account and API Key Governance

| Check ID | Control | Severity | Frameworks |
|---|---|---|---|
| AC-SVC-001 | No shared credentials for service accounts | Critical | SOC 2 CC6.1, ISO 27001 A.9.2.4, PCI-DSS 8.5 |
| AC-SVC-002 | Service account permissions follow least privilege | High | SOC 2 CC6.3, ISO 27001 A.9.4.1 |
| AC-SVC-003 | Service account credentials rotate every 90 days maximum | High | SOC 2 CC6.1, ISO 27001 A.9.2.4, PCI-DSS 8.2.4 |
| AC-SVC-004 | Service account inventory maintained with owner assignment | High | SOC 2 CC6.2, ISO 27001 A.9.2.5 |
| AC-SVC-005 | API keys scoped to minimum required permissions | High | SOC 2 CC6.3, ISO 27001 A.9.4.1 |
| AC-SVC-006 | API keys have expiration dates (maximum 1 year) | Medium | SOC 2 CC6.1, ISO 27001 A.9.2.4 |
| AC-SVC-007 | API key usage monitored and anomalous access alerted | Medium | SOC 2 CC7.2, ISO 27001 A.12.4.1 |

SSH Key Management

| Check ID | Control | Severity | Frameworks |
|---|---|---|---|
| AC-SSH-001 | ED25519 keys required (or RSA >= 4096 bit) | High | SOC 2 CC6.7, ISO 27001 A.10.1.1 |
| AC-SSH-002 | SSH certificate-based authentication for infrastructure | Medium | SOC 2 CC6.7, ISO 27001 A.9.4.2 |
| AC-SSH-003 | SSH key passphrase required | Medium | SOC 2 CC6.1, ISO 27001 A.9.4.2 |
| AC-SSH-004 | SSH key inventory maintained with owner assignment | Medium | SOC 2 CC6.2, ISO 27001 A.9.2.5 |
| AC-SSH-005 | SSH keys rotate annually at minimum | Medium | SOC 2 CC6.1, PCI-DSS 3.6.4 |
| AC-SSH-006 | Root SSH login disabled | High | SOC 2 CC6.1, ISO 27001 A.9.4.2, PCI-DSS 2.1 |
| AC-SSH-007 | SSH password authentication disabled (key-only) | High | SOC 2 CC6.1, ISO 27001 A.9.4.2 |
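
Three of the rows above (AC-SSH-001, AC-SSH-006, AC-SSH-007) can be evaluated offline from a configuration dump and an authorized_keys file. The following Python is an added example, not the page's access_control_auditor.py: it parses an sshd_config the way sshd does (the first occurrence of a directive wins), judges absent directives by OpenSSH's defaults rather than treating silence as a pass, and reads the RSA modulus length out of each authorized_keys blob instead of trusting the comment. The config text and key blobs are constructed samples (synthetic key material, not real keys); the finding-tuple shape and helper names are the example's own assumptions.

```python
import base64
import struct

# Constructed sshd_config fragment; not taken from any real host. The duplicated
# PermitRootLogin line shows that sshd honours the FIRST occurrence of a keyword.
SAMPLE_SSHD_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
PermitRootLogin no
"""

def parse_sshd_config(text):
    """Effective directive values: first occurrence wins, comments and blanks skipped."""
    effective = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            effective.setdefault(parts[0].lower(), parts[1].strip())
    return effective

def audit_sshd_config(text):
    """AC-SSH-006 / AC-SSH-007. Absent directives are judged by OpenSSH's defaults
    (PermitRootLogin prohibit-password, PasswordAuthentication yes): silence is not a pass."""
    cfg = parse_sshd_config(text)
    findings = []
    if cfg.get("permitrootlogin", "prohibit-password").lower() != "no":
        findings.append(("AC-SSH-006", "High", "PermitRootLogin is not 'no'"))
    if cfg.get("passwordauthentication", "yes").lower() != "no":
        findings.append(("AC-SSH-007", "High", "PasswordAuthentication is not 'no'"))
    return findings

def _ssh_string(data):  # RFC 4251 string: 4-byte big-endian length, then the bytes
    return struct.pack(">I", len(data)) + data

def _mpint(n):  # RFC 4251 mpint: a leading 0x00 is added when the high bit is set
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))

def _read_string(blob, offset):
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    return blob[offset + 4:offset + 4 + length], offset + 4 + length

def key_bits(authorized_keys_line):
    """(key_type, bits) for one authorized_keys entry. RSA size is read from the modulus
    inside the base64 blob rather than trusted from the comment; leading option strings
    (no-agent-forwarding, ...) are skipped; Ed25519 is reported as 256 bits."""
    fields = authorized_keys_line.split()
    for i, field in enumerate(fields[:-1]):
        if field.startswith(("ssh-", "ecdsa-", "sk-")):
            key_type, b64 = field, fields[i + 1]
            break
    else:
        raise ValueError("no key type field found")
    blob = base64.b64decode(b64)
    wire_type, off = _read_string(blob, 0)
    if wire_type.decode() != key_type:
        raise ValueError("key type field does not match the key blob")
    if key_type == "ssh-rsa":
        _exponent, off = _read_string(blob, off)
        modulus, _ = _read_string(blob, off)
        return key_type, int.from_bytes(modulus, "big").bit_length()
    if key_type == "ssh-ed25519":
        return key_type, 256
    return key_type, 0  # ecdsa, dss, ...: not accepted by AC-SSH-001

def audit_authorized_keys(text):
    """AC-SSH-001: accept ssh-ed25519, or ssh-rsa with a modulus of at least 4096 bits."""
    results = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        key_type, bits = key_bits(line)
        ok = key_type == "ssh-ed25519" or (key_type == "ssh-rsa" and bits >= 4096)
        results.append((lineno, key_type, bits, ok))
    return results

def _synthetic_rsa_line(bits, comment):
    # Constructed blob: a modulus with exactly `bits` bits is enough to exercise the parser.
    blob = _ssh_string(b"ssh-rsa") + _mpint(65537) + _mpint((1 << (bits - 1)) | 1)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"

# Constructed authorized_keys content (synthetic key material, not real keys).
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample",
    _synthetic_rsa_line(2048, "legacy@example.test"),
    "no-agent-forwarding " + _synthetic_rsa_line(4096, "ci@example.test"),
    "ssh-ed25519 " + base64.b64encode(_ssh_string(b"ssh-ed25519") + _ssh_string(b"\x01" * 32)).decode()
    + " ops@example.test",
])

if __name__ == "__main__":
    for finding in audit_sshd_config(SAMPLE_SSHD_CONFIG):
        print("FAIL", *finding)
    for lineno, key_type, bits, ok in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS):
        print(f"line {lineno}: {key_type} {bits} bits -> {'PASS' if ok else 'FAIL'}")
```

Reading the modulus out of the blob matters because the `ssh-rsa` type string says nothing about key size; a 1024-bit and a 4096-bit key carry the same prefix, and the trailing comment is free text.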

Zero Trust Architecture

| Check ID | Control | Severity | Frameworks |
|---|---|---|---|
| AC-ZT-001 | Identity-based access (verify user, device, and context) | High | SOC 2 CC6.1, ISO 27001 A.9.4.2, NIST CSF PR.AC-4 |
| AC-ZT-002 | Device posture checked before granting access | High | SOC 2 CC6.1, ISO 27001 A.6.2.1 |
| AC-ZT-003 | Network location is not trusted (no implicit trust for internal network) | High | SOC 2 CC6.6, ISO 27001 A.13.1.1, NIST CSF PR.AC-5 |
| AC-ZT-004 | Continuous verification (re-authenticate for sensitive operations) | Medium | SOC 2 CC6.1, NIST CSF PR.AC-7 |
| AC-ZT-005 | Microsegmentation between services | Medium | SOC 2 CC6.6, ISO 27001 A.13.1.3, PCI-DSS 1.2 |

6. Network Security

Firewall Configuration

| Check ID | Control | Severity | Frameworks |
|---|---|---|---|
| NET-FW-001 | Default deny policy (deny all, allow by exception) | Critical | SOC 2 CC6.6, ISO 27001 A.13.1.1, PCI-DSS 1.2, NIST CSF PR.AC-5 |
| NET-FW-002 | Egress filtering enabled (restrict outbound traffic) | High | SOC 2 CC6.6, ISO 27001 A.13.1.1, PCI-DSS 1.3 |
| NET-FW-003 | Firewall rules reviewed quarterly | Medium | SOC 2 CC6.6, PCI-DSS 1.1.7 |
| NET-FW-004 | Firewall rule documentation (business justification for each rule) | Medium | SOC 2 CC6.6, PCI-DSS 1.1.6 |
| NET-FW-005 | No "any/any" rules in firewall ruleset | Critical | SOC 2 CC6.6, PCI-DSS 1.2 |
| NET-FW-006 | Firewall change management process documented | Medium | SOC 2 CC6.6, PCI-DSS 1.1.1 |

Network Segmentation

| Check ID | Control | Severity | Frameworks |
|---|---|---|---|
| NET-SEG-001 | Network segmentation isolates sensitive environments (production, staging, dev) | High | SOC 2 CC6.6, ISO 27001 A.13.1.3, PCI-DSS 1.2, HIPAA 164.312(e)(1) |
| NET-SEG-002 | Cardholder Data Environment (CDE) segmented from general network | Critical | PCI-DSS 1.3 |
| NET-SEG-003 | Database tier isolated from public-facing tier | High | SOC 2 CC6.6, ISO 27001 A.13.1.3, PCI-DSS 1.3 |
| NET-SEG-004 | Microsegmentation for East-West traffic | Medium | SOC 2 CC6.6, ISO 27001 A.13.1.3, NIST CSF PR.AC-5 |
| NET-SEG-005 | Management network separated from production | High | SOC 2 CC6.6, PCI-DSS 1.2 |
| NET-SEG-006 | Guest WiFi isolated from corporate network | Medium | SOC 2 CC6.6, ISO 27001 A.13.1.3 |

Web Application Firewall (WAF)

| Check ID | Control | Severity | Frameworks |
|---|---|---|---|
| NET-WAF-001 | WAF deployed for all public-facing web applications | High | SOC 2 CC6.6, ISO 27001 A.13.1.1, PCI-DSS 6.6, NIST CSF PR.IP-1 |
| NET-WAF-002 | OWASP Top 10 rules enabled | High | SOC 2 CC6.6, PCI-DSS 6.6 |
| NET-WAF-003 | Rate limiting configured | Medium | SOC 2 CC6.6, ISO 27001 A.13.1.1 |
| NET-WAF-004 | WAF in blocking mode (not just detection) | High | SOC 2 CC6.6, PCI-DSS 6.6 |
| NET-WAF-005 | WAF rules regularly updated | Medium | SOC 2 CC6.6, PCI-DSS 6.6 |
| NET-WAF-006 | Custom rules for application-specific attack patterns | Low | SOC 2 CC6.6 |

DDoS Protection

| Check ID | Control | Severity | Frameworks |
|---|---|---|---|
| NET-DDOS-001 | DDoS protection enabled (Cloudflare, AWS Shield, Azure DDoS Protection) | High | SOC 2 A1.2, ISO 27001 A.13.1.1, NIST CSF PR.DS-4 |
| NET-DDOS-002 | Layer 7 DDoS protection configured | Medium | SOC 2 A1.2, ISO 27001 A.13.1.1 |
| NET-DDOS-003 | DDoS response plan documented | Medium | SOC 2 A1.2, ISO 27001 A.16.1.1, NIST CSF RS.RP-1 |
| NET-DDOS-004 | DDoS alert thresholds configured | Medium | SOC 2 A1.2, ISO 27001 A.12.4.1 |

VPN Configuration

| Check ID | Control | Severity | Frameworks |
|---|---|---|---|
| NET-VPN-001 | VPN uses WireGuard or IPSec (no PPTP or L2TP without IPSec) | High | SOC 2 CC6.7, ISO 27001 A.13.1.1, PCI-DSS 4.1, NIST CSF PR.DS-2 |
| NET-VPN-002 | Split tunneling disabled for compliance environments | Medium | SOC 2 CC6.7, PCI-DSS 1.4 |
| NET-VPN-003 | VPN requires MFA for connection | High | SOC 2 CC6.1, ISO 27001 A.9.4.2, PCI-DSS 8.3 |
| NET-VPN-004 | VPN access logged and monitored | Medium | SOC 2 CC7.2, ISO 27001 A.12.4.1, PCI-DSS 10.2 |
| NET-VPN-005 | VPN being replaced or augmented by ZTNA (Zero Trust Network Access) | Info | NIST CSF PR.AC-5 |

Intrusion Detection/Prevention

| Check ID | Control | Severity | Frameworks |
|---|---|---|---|
| NET-IDS-001 | IDS/IPS deployed at network perimeter | High | SOC 2 CC6.6, ISO 27001 A.13.1.1, PCI-DSS 11.4, NIST CSF DE.CM-1, HIPAA 164.312(e)(1) |
| NET-IDS-002 | IDS/IPS signatures updated regularly | Medium | SOC 2 CC6.6, PCI-DSS 11.4 |
| NET-IDS-003 | IDS alerts integrated with SIEM | Medium | SOC 2 CC7.2, ISO 27001 A.12.4.1 |
| NET-IDS-004 | Network traffic monitoring for anomalies | Medium | SOC 2 CC7.2, NIST CSF DE.AE-1 |

7. Container and Kubernetes Security

Base Image Security

| Check ID | Control | Severity | Frameworks |
|---|---|---|---|
| K8S-IMG-001 | Base images from trusted registries only (verified publishers) | High | SOC 2 CC7.1, ISO 27001 A.14.2.7, NIST CSF PR.IP-12 |
| K8S-IMG-002 | Minimal base images (distroless, Alpine, scratch) | Medium | SOC 2 CC7.1, ISO 27001 A.14.2.7 |
| K8S-IMG-003 | No running as root in containers (USER directive in Dockerfile) | High | SOC 2 CC6.1, ISO 27001 A.9.4.1, PCI-DSS 2.1 |
| K8S-IMG-004 | Container images scanned for vulnerabilities (Trivy, Snyk, Grype) | High | SOC 2 CC7.1, ISO 27001 A.12.6.1, PCI-DSS 6.2, NIST CSF DE.CM-8 |
| K8S-IMG-005 | No secrets baked into container images | Critical | SOC 2 CC6.7, PCI-DSS 3.4 |
| K8S-IMG-006 | Images tagged with specific version/digest (no `latest` tag) | Medium | SOC 2 CC7.1 |
| K8S-IMG-007 | Image signing verified before deployment (cosign, Notary) | High | SOC 2 CC7.1, NIST CSF PR.IP-1 |

Container Runtime Security

| Check ID | Control | Severity | Frameworks |
|---|---|---|---|
| K8S-RT-001 | Seccomp profiles applied (runtime default minimum) | Medium | SOC 2 CC6.6, ISO 27001 A.13.1.1 |
| K8S-RT-002 | AppArmor/SELinux profiles applied | Medium | SOC 2 CC6.6, ISO 27001 A.13.1.1 |
| K8S-RT-003 | Read-only root filesystem for containers | Medium | SOC 2 CC6.7, ISO 27001 A.12.4.3 |
| K8S-RT-004 | No privileged containers | Critical | SOC 2 CC6.1, ISO 27001 A.9.4.1, PCI-DSS 2.1 |
| K8S-RT-005 | No host PID/network/IPC namespace sharing | High | SOC 2 CC6.6, ISO 27001 A.13.1.3 |
| K8S-RT-006 | Resource limits set (CPU, memory) to prevent resource abuse | Medium | SOC 2 A1.2, ISO 27001 A.12.1.3 |

Kubernetes Cluster Security

| Check ID | Control | Severity | Frameworks |
|---|---|---|---|
| K8S-RBAC-001 | RBAC enabled with least-privilege role bindings | High | SOC 2 CC6.3, ISO 27001 A.9.4.1, PCI-DSS 7.1 |
| K8S-RBAC-002 | No cluster-admin bindings for application workloads | Critical | SOC 2 CC6.3, ISO 27001 A.9.4.1 |
| K8S-RBAC-003 | Default ServiceAccount token automounting disabled | Medium | SOC 2 CC6.1 |
| K8S-NET-001 | Network Policies defined for all namespaces | High | SOC 2 CC6.6, ISO 27001 A.13.1.3, PCI-DSS 1.2 |
| K8S-NET-002 | Default deny network policy in place | High | SOC 2 CC6.6, PCI-DSS 1.2 |
| K8S-POD-001 | Pod Security Standards enforced (restricted profile) | High | SOC 2 CC6.6, ISO 27001 A.14.2.7 |
| K8S-SEC-001 | External Secrets Operator or Sealed Secrets for secret management | High | SOC 2 CC6.7, PCI-DSS 3.4 |
| K8S-SEC-002 | Etcd encrypted at rest | High | SOC 2 CC6.7, ISO 27001 A.10.1.1 |
| K8S-ADM-001 | Admission controllers configured (OPA Gatekeeper or Kyverno) | High | SOC 2 CC7.1, ISO 27001 A.14.2.7 |
| K8S-ADM-002 | Image pull policy set to Always for production | Medium | SOC 2 CC7.1 |
| K8S-MESH-001 | Service mesh deployed for mTLS between services (Istio, Linkerd) | Medium | SOC 2 CC6.7, ISO 27001 A.13.1.1 |
| K8S-REG-001 | Private container registry with authentication | High | SOC 2 CC6.6, ISO 27001 A.13.1.1 |
| K8S-REG-002 | Registry vulnerability scanning enabled | Medium | SOC 2 CC7.1 |
| K8S-REG-003 | Image retention policies configured | Low | SOC 2 CC6.7 |
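
Several of the image, runtime and cluster rows above (K8S-IMG-003, K8S-IMG-006, K8S-RT-003 to K8S-RT-006, K8S-RBAC-003) can be verified statically from a Pod manifest before an admission controller ever sees it. The following Python is an added example and not the project's own tooling: it audits a constructed Pod spec (given as the dict a YAML or JSON loader would return, not a real cluster's manifest) and returns findings keyed by the check IDs in the tables. The rule that container-level `securityContext` fields override pod-level ones, the treatment of a missing `runAsNonRoot`/`runAsUser` as "may run as root", and the finding-tuple shape are the example's own assumptions.

```python
# Constructed Pod manifest (not from any real cluster), written as the dict that
# json.loads() or yaml.safe_load() would return, so this needs no YAML dependency.
SAMPLE_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "billing-api", "namespace": "prod"},
    "spec": {
        "hostNetwork": True,
        "containers": [
            {   # deliberately weak container
                "name": "api",
                "image": "registry.example.test/billing/api:latest",
                "securityContext": {"privileged": True},
            },
            {   # hardened container: should produce no findings
                "name": "sidecar",
                "image": "registry.example.test/billing/sidecar@sha256:" + "0" * 64,
                "securityContext": {
                    "runAsNonRoot": True,
                    "readOnlyRootFilesystem": True,
                    "allowPrivilegeEscalation": False,
                    "capabilities": {"drop": ["ALL"]},
                },
                "resources": {"limits": {"cpu": "250m", "memory": "128Mi"}},
            },
        ],
    },
}

def image_is_pinned(image):
    """K8S-IMG-006: the reference must carry a digest or a tag other than 'latest'.
    The tag is looked for only after the last '/', so a registry port (host:5000/app)
    is not mistaken for a tag."""
    if "@sha256:" in image:
        return True
    name = image.rsplit("/", 1)[-1]
    if ":" not in name:
        return False  # an untagged reference resolves to :latest
    return name.rsplit(":", 1)[1] != "latest"

def audit_pod(pod):
    """Return findings as (check_id, severity, location, detail) tuples."""
    spec = pod.get("spec", {})
    pod_name = pod.get("metadata", {}).get("name", "<unnamed>")
    findings = []
    for flag in ("hostPID", "hostNetwork", "hostIPC"):  # K8S-RT-005
        if spec.get(flag):
            findings.append(("K8S-RT-005", "High", pod_name, f"{flag}: true"))
    if spec.get("automountServiceAccountToken", True):  # K8S-RBAC-003 (API default is true)
        findings.append(("K8S-RBAC-003", "Medium", pod_name,
                         "automountServiceAccountToken not set to false"))
    pod_sc = spec.get("securityContext", {})
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        loc = f"{pod_name}/{c['name']}"
        sc = {**pod_sc, **c.get("securityContext", {})}  # container settings override pod-level
        if sc.get("privileged"):  # K8S-RT-004
            findings.append(("K8S-RT-004", "Critical", loc, "privileged: true"))
        if not sc.get("runAsNonRoot") and sc.get("runAsUser", 0) == 0:  # K8S-IMG-003
            findings.append(("K8S-IMG-003", "High", loc,
                             "may run as root (runAsNonRoot/runAsUser not set)"))
        if not sc.get("readOnlyRootFilesystem"):  # K8S-RT-003
            findings.append(("K8S-RT-003", "Medium", loc, "readOnlyRootFilesystem not true"))
        if not image_is_pinned(c.get("image", "")):  # K8S-IMG-006
            findings.append(("K8S-IMG-006", "Medium", loc, f"unpinned image {c.get('image')}"))
        limits = c.get("resources", {}).get("limits", {})
        if not ("cpu" in limits and "memory" in limits):  # K8S-RT-006
            findings.append(("K8S-RT-006", "Medium", loc, "cpu/memory limits missing"))
    return findings

def summarize(findings):
    """Count findings per severity, the shape the triage step sorts on."""
    counts = {}
    for _, sev, _, _ in findings:
        counts[sev] = counts.get(sev, 0) + 1
    return counts

if __name__ == "__main__":
    result = audit_pod(SAMPLE_POD)
    for check, sev, loc, detail in result:
        print(f"{sev:8s} {check:12s} {loc}: {detail}")
    print(summarize(result))
```

The same checks are what a Pod Security Standards "restricted" profile (K8S-POD-001) or a Kyverno/Gatekeeper policy (K8S-ADM-001) enforces at admission time; running them over manifests in the repository catches the gap earlier and produces a file-level finding the evidence package can cite.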

8. CI/CD Pipeline Security

Source Code Management

| Check ID | Control | Severity | Frameworks |
|---|---|---|---|
| CICD-SCM-001 | Branch protection on main/production branches (required reviews) | High | SOC 2 CC7.1, ISO 27001 A.14.2.2, PCI-DSS 6.4.2, NIST CSF PR.IP-1 |
| CICD-SCM-002 | Minimum 2 approvals for production branch merges | Medium | SOC 2 CC7.1, ISO 27001 A.14.2.2, PCI-DSS 6.4.2 |
| CICD-SCM-003 | Status checks required before merge | Medium | SOC 2 CC7.1, ISO 27001 A.14.2.2 |
| CICD-SCM-004 | Signed commits enforced (GPG or SSH signing) | Medium | SOC 2 CC7.1, ISO 27001 A.14.2.2 |
| CICD-SCM-005 | Force push to protected branches prohibited | High | SOC 2 CC7.1, ISO 27001 A.14.2.2 |
| CICD-SCM-006 | Repository access follows least privilege | High | SOC 2 CC6.3, ISO 27001 A.9.4.1 |
| CICD-SCM-007 | Code owners configured for critical paths | Medium | SOC 2 CC7.1 |

Security Scanning

| Check ID | Control | Severity | Frameworks |
|---|---|---|---|
| CICD-SCAN-001 | Secret scanning enabled in all repositories | Critical | SOC 2 CC6.7, ISO 27001 A.9.4.3, PCI-DSS 3.4 |
| CICD-SCAN-002 | Pre-commit hooks prevent secret commits (gitleaks, truffleHog) | High | SOC 2 CC6.7, PCI-DSS 3.4 |
| CICD-SCAN-003 | Dependency scanning automated (Dependabot, Snyk, Renovate) | High | SOC 2 CC7.1, ISO 27001 A.12.6.1, PCI-DSS 6.2, NIST CSF PR.IP-12 |
| CICD-SCAN-004 | SAST in CI pipeline (Semgrep, SonarQube, CodeQL) | High | SOC 2 CC7.1, ISO 27001 A.14.2.8, PCI-DSS 6.3.2, NIST CSF PR.IP-1 |
| CICD-SCAN-005 | DAST for staging/pre-production (OWASP ZAP, Burp Suite) | Medium | SOC 2 CC7.1, ISO 27001 A.14.2.8, PCI-DSS 6.6 |
| CICD-SCAN-006 | SCA (Software Composition Analysis) for license compliance | Medium | SOC 2 CC7.1, ISO 27001 A.18.1.2 |
| CICD-SCAN-007 | Container image scanning in CI pipeline | High | SOC 2 CC7.1, ISO 27001 A.12.6.1, PCI-DSS 6.2 |
| CICD-SCAN-008 | Infrastructure as Code scanning (tfsec, checkov, KICS) | High | SOC 2 CC7.1, ISO 27001 A.14.2.8 |

Supply Chain Security

| Check ID | Control | Severity | Frameworks |
|---|---|---|---|
| CICD-SC-001 | SBOM generated for all releases (CycloneDX or SPDX format) | High | SOC 2 CC7.1, NIST CSF PR.IP-1, NIS2 Art.21 |
| CICD-SC-002 | Artifact signing for all builds (Sigstore/cosign) | High | SOC 2 CC7.1, NIST CSF PR.IP-1 |
| CICD-SC-003 | Dependency pinning (lock files committed, hash verification) | Medium | SOC 2 CC7.1, ISO 27001 A.14.2.7 |
| CICD-SC-004 | Third-party dependency review process | Medium | SOC 2 CC7.1, ISO 27001 A.15.1.1 |
| CICD-SC-005 | CI/CD pipeline hardened (no arbitrary code execution from PRs) | High | SOC 2 CC7.1, ISO 27001 A.14.2.7 |

Deployment Security

| Check ID | Control | Severity | Frameworks |
|---|---|---|---|
| CICD-DEP-001 | Deployment approval gates for production | High | SOC 2 CC7.1, ISO 27001 A.14.2.2, PCI-DSS 6.4.5 |
| CICD-DEP-002 | Production deployments audited (who, what, when) | High | SOC 2 CC7.2, ISO 27001 A.12.4.1, PCI-DSS 10.2 |
| CICD-DEP-003 | Rollback capability tested and documented | Medium | SOC 2 A1.2, ISO 27001 A.14.2.2 |
| CICD-DEP-004 | Deployment credentials managed via secrets manager (not pipeline env vars) | High | SOC 2 CC6.7, PCI-DSS 3.4 |
| CICD-DEP-005 | CI/CD service accounts have minimum required permissions | High | SOC 2 CC6.3, ISO 27001 A.9.4.1 |
| CICD-DEP-006 | Immutable build artifacts (reproducible builds preferred) | Medium | SOC 2 CC7.1 |

9. Secrets Management

Secrets Management Solutions

| Check ID | Control | Severity | Frameworks |
|---|---|---|---|
| SEC-MGR-001 | Centralized secrets manager deployed (Vault, AWS SM, Azure KV, GCP SM) | High | SOC 2 CC6.7, ISO 27001 A.10.1.2, PCI-DSS 3.5, HIPAA 164.312(a)(2)(iv), NIST CSF PR.DS-1 |
| SEC-MGR-002 | Secrets manager has HA/DR configuration | Medium | SOC 2 A1.2, ISO 27001 A.17.1.1 |
| SEC-MGR-003 | Secrets access audited (who accessed what secret, when) | High | SOC 2 CC7.2, ISO 27001 A.12.4.1, PCI-DSS 10.2 |
| SEC-MGR-004 | Dynamic secrets used where possible (database credentials on demand) | Medium | SOC 2 CC6.7, ISO 27001 A.9.4.2 |

Secret Rotation

| Check ID | Control | Severity | Frameworks |
|---|---|---|---|
| SEC-ROT-001 | Database credentials rotate every 90 days maximum | High | SOC 2 CC6.1, ISO 27001 A.9.2.4, PCI-DSS 8.2.4 |
| SEC-ROT-002 | API keys rotate every 90 days maximum | High | SOC 2 CC6.1, ISO 27001 A.9.2.4 |
| SEC-ROT-003 | Service account passwords rotate every 90 days maximum | High | SOC 2 CC6.1, ISO 27001 A.9.2.4, PCI-DSS 8.2.4 |
| SEC-ROT-004 | TLS private keys rotate annually at minimum | Medium | SOC 2 CC6.7, ISO 27001 A.10.1.2 |
| SEC-ROT-005 | Encryption keys rotate annually (auto-rotation preferred) | Medium | SOC 2 CC6.7, PCI-DSS 3.6.4 |
| SEC-ROT-006 | Rotation is automated (no manual credential changes) | Medium | SOC 2 CC6.1 |

Code and Repository Security

| Check ID | Control | Severity | Frameworks |
|---|---|---|---|
| SEC-CODE-001 | No secrets in source code (scan entire git history) | Critical | SOC 2 CC6.7, ISO 27001 A.9.4.3, PCI-DSS 3.4 |
| SEC-CODE-002 | `.env` files in `.gitignore` | High | SOC 2 CC6.7, PCI-DSS 3.4 |
| SEC-CODE-003 | Pre-commit hooks block secret commits (gitleaks) | High | SOC 2 CC6.7, PCI-DSS 3.4 |
| SEC-CODE-004 | GitHub/GitLab secret scanning alerts enabled and triaged |
 High | SOC 2 CC6.7, PCI-DSS 3.4 |
| SEC-CODE-005 | Historical leaked secrets rotated (not just removed from code) | Critical | SOC 2 CC6.7 |
| SEC-CODE-006 | Environment-specific secrets never shared between environments | Medium | SOC 2 CC6.7, PCI-DSS 3.4 |

Hardware Security Modules (HSM)

| Check ID | Control | Severity | Frameworks |
|---|---|---|---|
| SEC-HSM-001 | HSM (CloudHSM, Azure Dedicated HSM) used for root CA keys | High | SOC 2 CC6.7, ISO 27001 A.10.1.2, PCI-DSS 3.5, FedRAMP SC-12 |
| SEC-HSM-002 | HSM used for payment processing keys | Critical | PCI-DSS 3.5 |
| SEC-HSM-003 | HSM firmware kept current | Medium | SOC 2 CC7.1, PCI-DSS 3.5 |
| SEC-HSM-004 | HSM access restricted to authorized personnel only | High | SOC 2 CC6.1, PCI-DSS 3.5 |

10. Logging and Monitoring

Centralized Logging

| Check ID | Control | Severity | Frameworks |
|---|---|---|---|
| LOG-CEN-001 | All systems forward logs to centralized platform (ELK, Splunk, Datadog) | High | SOC 2 CC7.2, ISO 27001 A.12.4.1, PCI-DSS 10.5.3, HIPAA 164.312(b), NIST CSF DE.CM-1, FedRAMP AU-6 |
| LOG-CEN-002 | Log collection covers: authentication, authorization, data access, system changes | High | SOC 2 CC7.2, ISO 27001 A.12.4.1, PCI-DSS 10.2 |
| LOG-CEN-003 | Logs include: timestamp, source, user, action, result, source IP | High | SOC 2 CC7.2, ISO 27001 A.12.4.1, PCI-DSS 10.3 |
| LOG-CEN-004 | Log shipping uses TLS encryption | Medium | SOC 2 CC6.7, PCI-DSS 10.5 |
| LOG-CEN-005 | Log source time synchronized via NTP (max 1 second drift) | Medium | SOC 2 CC7.2, PCI-DSS 10.4 |

SIEM

| Check ID | Control | Severity | Frameworks |
|---|---|---|---|
| LOG-SIEM-001 | SIEM deployed with correlation rules | High | SOC 2 CC7.2, ISO 27001 A.12.4.1, PCI-DSS 10.6, NIST CSF DE.AE-2, NIS2 Art.21 |
| LOG-SIEM-002 | SIEM detection rules cover MITRE ATT&CK framework | Medium | NIST CSF DE.AE-2 |
| LOG-SIEM-003 | SIEM alerts have defined response procedures | Medium | SOC 2 CC7.3, ISO 27001 A.16.1.1, NIST CSF RS.RP-1 |
| LOG-SIEM-004 | SIEM tuned to reduce false positives (<10% false positive rate) | Low | SOC 2 CC7.2 |

Retention and Integrity

| Check ID | Control | Severity | Frameworks |
|---|---|---|---|
| LOG-RET-001 | Log retention minimum 1 year (365 days) | High | SOC 2 CC7.2, ISO 27001 A.12.4.1, PCI-DSS 10.7, HIPAA 164.312(b) |
| LOG-RET-002 | Logs immutable (write-once, no modification or deletion) | High | SOC 2 CC7.2, ISO 27001 A.12.4.3, PCI-DSS 10.5 |
| LOG-RET-003 | Log backup and disaster recovery tested | Medium | SOC 2 A1.2, ISO 27001 A.12.3.1 |
| LOG-RET-004 | PCI-DSS environments retain logs for minimum 1 year, 3 months immediately available | High | PCI-DSS 10.7 |
| LOG-RET-005 | HIPAA environments retain logs for minimum 6 years | High | HIPAA 164.530(j)(2) |

Alerting and Detection

| Check ID | Control | Severity | Frameworks |
|---|---|---|---|
| LOG-ALERT-001 | Alerts for: failed auth attempts (>5 in 5 min), privilege escalation, data exfiltration patterns | High | SOC 2 CC7.2, ISO 27001 A.12.4.1, PCI-DSS 10.6, NIST CSF DE.CM-1 |
| LOG-ALERT-002 | Alert escalation matrix documented (L1 -> L2 -> L3 -> management) | Medium | SOC 2 CC7.3, ISO 27001 A.16.1.1 |
| LOG-ALERT-003 | On-call rotation for security alerts (24/7 coverage) | Medium | SOC 2 CC7.3, ISO 27001 A.16.1.1 |
| LOG-ALERT-004 | Mean time to acknowledge (MTTA) < 15 minutes for critical alerts | Medium | SOC 2 CC7.3 |
| LOG-ALERT-005 | Anomaly detection enabled (UEBA — User and Entity Behavior Analytics) | Medium | SOC 2 CC7.2, NIST CSF DE.AE-1 |
| LOG-ALERT-006 | File integrity monitoring (FIM) deployed for critical files | High | SOC 2 CC7.2, ISO 27001 A.12.4.3, PCI-DSS 11.5 |
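
The first rule in LOG-ALERT-001 (more than 5 failed authentication attempts in 5 minutes) is a good test of whether LOG-CEN-003's required fields are actually present, because the rule cannot fire without a parseable timestamp, user and source IP. The following Python is an added example, not part of the page's scripts: it runs a per-source-IP sliding window over a constructed sshd auth log (the lines are synthetic, the addresses are documentation ranges) and emits one alert when the threshold is crossed. The log line format, the decision to key on source IP rather than user, and the alert dictionary shape are the example's own assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed sshd auth log excerpt with RFC 3339 timestamps; not from a real host.
SAMPLE_LOG = """\
2026-03-01T10:00:01Z sshd[1201]: Failed password for alice from 198.51.100.7 port 51234 ssh2
2026-03-01T10:00:30Z sshd[1202]: Failed password for alice from 198.51.100.7 port 51235 ssh2
2026-03-01T10:01:10Z sshd[1203]: Accepted publickey for bob from 203.0.113.9 port 40000 ssh2
2026-03-01T10:01:40Z sshd[1204]: Failed password for alice from 198.51.100.7 port 51236 ssh2
2026-03-01T10:02:15Z sshd[1205]: Failed password for invalid user admin from 198.51.100.7 port 51237 ssh2
2026-03-01T10:03:00Z sshd[1206]: Failed password for alice from 198.51.100.7 port 51238 ssh2
2026-03-01T10:04:20Z sshd[1207]: Failed password for alice from 198.51.100.7 port 51239 ssh2
2026-03-01T10:20:00Z sshd[1208]: Failed password for carol from 192.0.2.44 port 33000 ssh2
2026-03-01T10:21:00Z sshd[1209]: Accepted password for carol from 192.0.2.44 port 33001 ssh2
"""

# One regex yields every field LOG-CEN-003 asks for: timestamp, source, user, action, result, IP.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<source>\S+): (?P<result>Failed|Accepted) (?P<method>\S+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)

def parse_line(line):
    """Parse one auth line into a dict, or return None for lines that are not auth events."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return rec

def detect_failed_auth_bursts(log_text, threshold=5, window_seconds=300):
    """LOG-ALERT-001: alert when one source IP exceeds `threshold` failed logins inside the
    sliding window. The alert fires on the failure that crosses the threshold, not on every
    later failure in the same burst, so one incident does not produce dozens of tickets."""
    failures = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    users = defaultdict(set)        # ip -> account names seen in its failures
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["result"] != "Failed":
            continue
        window = failures[rec["ip"]]
        window.append(rec["ts"])
        users[rec["ip"]].add(rec["user"])
        while (rec["ts"] - window[0]).total_seconds() > window_seconds:
            window.popleft()  # drop failures that have aged out of the 5-minute window
        if len(window) == threshold + 1:
            alerts.append({
                "check": "LOG-ALERT-001",
                "source_ip": rec["ip"],
                "failures": len(window),
                "window_start": window[0].isoformat(),
                "window_end": rec["ts"].isoformat(),
                "targeted_users": sorted(users[rec["ip"]]),
            })
    return alerts

if __name__ == "__main__":
    for alert in detect_failed_auth_bursts(SAMPLE_LOG):
        print(alert)
```

In the sample, 198.51.100.7 produces six failures between 10:00:01 and 10:04:20, so the sixth one fires the alert; carol's single failure followed by a successful login never reaches the threshold. The `targeted_users` field is what distinguishes a user who forgot a password from a source trying several accounts, which is the detail the on-call engineer (LOG-ALERT-003) needs first.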

11. Physical Security

Data Center Security

| Check ID | Control | Severity | Frameworks |
|---|---|---|---|
| PHYS-DC-001 | Cloud provider SOC 2 Type II report obtained and reviewed annually | High | SOC 2 CC6.4, ISO 27001 A.11.1.1, PCI-DSS 9.1 |
| PHYS-DC-002 | Data center physical access restricted to authorized personnel | High | SOC 2 CC6.4, ISO 27001 A.11.1.2, PCI-DSS 9.1 |
| PHYS-DC-003 | 24/7 video surveillance at data center | Medium | SOC 2 CC6.4, ISO 27001 A.11.1.2, PCI-DSS 9.1 |
| PHYS-DC-004 | Visitor access logged and escorted | Medium | SOC 2 CC6.4, ISO 27001 A.11.1.2, PCI-DSS 9.4 |
| PHYS-DC-005 | Environmental controls (fire suppression, HVAC, UPS) | Medium | SOC 2 A1.2, ISO 27001 A.11.1.4, PCI-DSS 9.1 |

Office Security

| Check ID | Control | Severity | Frameworks |
|---|---|---|---|
| PHYS-OFF-001 | Badge access for office entry | Medium | SOC 2 CC6.4, ISO 27001 A.11.1.2 |
| PHYS-OFF-002 | Visitor management system (sign-in, badge, escort) | Low | SOC 2 CC6.4, ISO 27001 A.11.1.2 |
| PHYS-OFF-003 | Clean desk policy documented and enforced | Low | SOC 2 CC6.4, ISO 27001 A.11.2.9 |
| PHYS-OFF-004 | Server/network rooms locked with restricted access | Medium | SOC 2 CC6.4, ISO 27001 A.11.1.2, PCI-DSS 9.1 |

Media Disposal

| Check ID | Control | Severity | Frameworks |
|---|---|---|---|
| PHYS-DISP-001 | Media disposal follows NIST 800-88 guidelines (clear, purge, destroy) | High | SOC 2 CC6.5, ISO 27001 A.8.3.2, PCI-DSS 9.8, HIPAA 164.310(d)(2)(i), NIST CSF PR.IP-6 |
| PHYS-DISP-002 | Certificate of destruction obtained for physical media | High | SOC 2 CC6.5, ISO 27001 A.8.3.2, PCI-DSS 9.8 |
| PHYS-DISP-003 | Disposal vendor contracted with background checks | Medium | SOC 2 CC6.5, ISO 27001 A.8.3.2 |
| PHYS-DISP-004 | Electronic media cryptographically erased before disposal | High | SOC 2 CC6.5, PCI-DSS 9.8, HIPAA 164.310(d)(2)(i) |

12. Compliance Framework Mapping

Each control in this audit maps to one or more compliance frameworks. The mapping enables organizations pursuing multiple certifications to satisfy overlapping requirements with single implementations.
Supported Frameworks:

| Framework | Abbreviation | Focus Area |
|---|---|---|
| SOC 2 Type II | SOC 2 | Trust Services Criteria (Security, Availability, Processing Integrity, Confidentiality, Privacy) |
| ISO 27001:2022 | ISO 27001 | Information Security Management System (Annex A controls) |
| HIPAA | HIPAA | Healthcare data protection (Security Rule, Privacy Rule) |
| GDPR | GDPR | EU data protection and privacy |
| PCI-DSS v4.0 | PCI-DSS | Payment card data security |
| NIS2 Directive | NIS2 | EU network and information security (critical infrastructure) |
| DORA | DORA | EU Digital Operational Resilience Act (financial services) |
| NIST CSF 2.0 | NIST CSF | Cybersecurity Framework (Identify, Protect, Detect, Respond, Recover) |
| FedRAMP | FedRAMP | US federal cloud security (based on NIST 800-53) |
| CCPA/CPRA | CCPA | California consumer privacy |
Framework Coverage Summary:

| Audit Domain | SOC 2 | ISO 27001 | HIPAA | GDPR | PCI-DSS | NIS2 | DORA | NIST CSF | FedRAMP | CCPA |
|---|---|---|---|---|---|---|---|---|---|---|
| Cloud Infrastructure | CC6.1-CC6.7 | A.9, A.10, A.12, A.13 | 164.312 | Art.32 | 1-4, 7-8, 10 | Art.21 | Art.9 | PR.AC, PR.DS, DE.CM | AC, SC, AU | 1798.150 |
| DNS Security | CC6.6 | A.13.1, A.13.2 | - | - | - | Art.21 | - | PR.AC, PR.DS | - | - |
| TLS/SSL | CC6.7 | A.10.1, A.13.1 | 164.312(e) | Art.32 | 4.1 | Art.21 | Art.9 | PR.DS-2 | SC-8, SC-13 | - |
| Endpoint Security | CC6.7-CC6.8 | A.6.2, A.8.3, A.10.1, A.11.2, A.12.2, A.12.6 | 164.310, 164.312 | Art.32 | 1.4, 3.4, 5.1-5.4, 6.2 | Art.21 | Art.9 | PR.AC, PR.DS, PR.IP, DE.CM | - | - |
| Access Control | CC6.1-CC6.3 | A.9.1-A.9.4 | 164.312(a)(d) | Art.32 | 7.1-8.3 | Art.21 | Art.9 | PR.AC | AC, IA | 1798.150 |
| Network Security | CC6.6, A1.2 | A.13.1 | 164.312(e) | Art.32 | 1.1-1.3, 6.6, 11.4 | Art.21 | Art.9 | PR.AC-5, DE.CM-1 | SC, SI | - |
| Container/K8s | CC6.1-CC7.1 | A.9.4, A.13.1, A.14.2 | - | - | 1.2, 2.1, 6.2, 7.1 | Art.21 | - | PR.AC, PR.IP | - | - |
| CI/CD Pipeline | CC7.1-CC7.2 | A.14.2 | - | - | 6.2-6.6 | Art.21 | Art.9 | PR.IP-1, PR.IP-12 | SA, SI | - |
| Secrets Management | CC6.7 | A.9.4, A.10.1 | 164.312(a) | Art.32 | 3.4-3.6, 8.2 | Art.21 | Art.9 | PR.DS-1 | SC-12, SC-28 | - |
| Logging/Monitoring | CC7.2-CC7.3 | A.12.4 | 164.312(b) | Art.32 | 10.1-10.7, 11.5 | Art.21 | Art.9 | DE.AE, DE.CM | AU | - |
| Physical Security | CC6.4-CC6.5 | A.8.3, A.11.1, A.11.2 | 164.310 | Art.32 | 9.1-9.8 | Art.21 | - | PR.IP-6 | PE | - |

Multi-Framework Evidence Strategy:
For each control, collect evidence once and map to all applicable frameworks:
  1. Policy Document — Covers SOC 2, ISO 27001, HIPAA, GDPR (one policy, multiple mappings)
  2. Technical Configuration — Screenshot/export showing control is active (maps to all technical frameworks)
  3. Audit Log — Proves ongoing compliance (SOC 2, PCI-DSS, HIPAA all require audit trails)
  4. Review Record — Quarterly review minutes satisfy multiple framework requirements simultaneously

Workflows

Workflow 1: Full Infrastructure Audit

1. Prepare inventory → Document all cloud accounts, domains, endpoints, services
2. Run infra_audit_runner.py → Generate findings across all 11 domains
3. Triage findings → Prioritize Critical > High > Medium > Low
4. Map to frameworks → Identify which framework requirements are met/unmet
5. Create remediation plan → Assign owners, set deadlines by severity SLA
6. Execute remediation → Fix Critical within 24h, High within 72h
7. Re-audit → Verify fixes, update compliance evidence
8. Generate report → Executive summary + detailed findings + evidence
Severity SLAs:

| Severity | Remediation Deadline | Re-audit Deadline |
|---|---|---|
| Critical | 24 hours | 48 hours |
| High | 72 hours | 7 days |
| Medium | 7 days | 14 days |
| Low | 30 days | 45 days |
| Info | No deadline | Next audit cycle |

Workflow 2: DNS Security Assessment

1. Enumerate domains → Primary + all subdomains
2. Run dns_security_checker.py → Check SPF, DKIM, DMARC, DNSSEC, CAA, MTA-STS
3. Validate email chain → SPF → DKIM → DMARC alignment
4. Check domain security → Registrar lock, 2FA, WHOIS, expiration
5. Subdomain audit → Check for dangling CNAME records (takeover risk)
6. Generate DNS report → Findings + remediation DNS records
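
Steps 2 and 3 of this workflow (checking SPF and DMARC, then judging whether the chain actually enforces anything) can be exercised offline against exported TXT records. The following Python is an added example, not the page's dns_security_checker.py: it evaluates SPF and DMARC records for a hypothetical zone whose TXT answers are constructed inline (no live DNS queries). The severities it assigns and the finding format are the example's own assumptions, not the check IDs of this page's DNS section; DKIM is left out because it needs a selector, which is not in the record set.

```python
import re

# Constructed TXT answers for a hypothetical zone; no live DNS queries are made.
SAMPLE_TXT_RECORDS = {
    "example.test": [
        "v=spf1 include:_spf.mail.example.test include:crm.example.test ~all",
        "google-site-verification=constructed-token",
    ],
    "_dmarc.example.test": ["v=DMARC1; p=none; rua=mailto:dmarc@example.test"],
    "shop.example.test": ["v=spf1 +all"],
    # _dmarc.shop.example.test is deliberately absent.
}

# Mechanisms/modifiers that cost a DNS lookup under RFC 7208 (limit: 10 per evaluation).
SPF_LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")

def evaluate_spf(records):
    """Return (severity, message) findings for the SPF record(s) of one name."""
    spf = [r for r in records if r.lower().startswith("v=spf1")]
    if not spf:
        return [("High", "no SPF record")]
    if len(spf) > 1:
        return [("High", "multiple SPF records: receivers treat this as a permanent error")]
    findings, lookups, all_qualifier = [], 0, None
    for term in spf[0].split()[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"
        name = re.split(r"[:=/]", term.lstrip("+-~?"), 1)[0].lower()
        if name == "all":
            all_qualifier = qualifier
        elif name in SPF_LOOKUP_TERMS:
            lookups += 1
    if all_qualifier == "+":
        findings.append(("Critical", "SPF ends in +all: every sender passes"))
    elif all_qualifier in (None, "?"):
        findings.append(("High", "SPF 'all' is neutral or absent: unlisted senders are not failed"))
    elif all_qualifier == "~":
        findings.append(("Low", "SPF uses softfail (~all); -all is stricter once DMARC enforces"))
    if lookups > 10:
        findings.append(("High", f"SPF needs {lookups} DNS lookups; RFC 7208 caps evaluation at 10"))
    return findings

def evaluate_dmarc(records):
    """Return (severity, message) findings for the DMARC record at _dmarc.<domain>."""
    dmarc = [r for r in records if r.replace(" ", "").lower().startswith("v=dmarc1")]
    if not dmarc:
        return [("High", "no DMARC record")]
    tags = {}
    for part in dmarc[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append(("High", "DMARC p=none: monitoring only, nothing is enforced"))
    elif policy == "quarantine":
        findings.append(("Low", "DMARC p=quarantine; p=reject is the target policy"))
    elif policy != "reject":
        findings.append(("High", f"DMARC policy '{policy or 'missing'}' is not valid"))
    if tags.get("pct", "100") != "100":
        findings.append(("Medium", f"DMARC pct={tags['pct']}: policy applies to only part of the mail flow"))
    if "rua" not in tags:
        findings.append(("Medium", "no rua= address: aggregate reports (alignment evidence) are not collected"))
    return findings

def audit_domain(domain, txt_records):
    """SPF + DMARC findings for one domain as (check, severity, message) tuples."""
    findings = [("SPF", sev, msg) for sev, msg in evaluate_spf(txt_records.get(domain, []))]
    findings += [("DMARC", sev, msg)
                 for sev, msg in evaluate_dmarc(txt_records.get(f"_dmarc.{domain}", []))]
    return findings

if __name__ == "__main__":
    for domain in ("example.test", "shop.example.test"):
        for check, sev, msg in audit_domain(domain, SAMPLE_TXT_RECORDS):
            print(f"{domain:20s} {check:6s} {sev:9s} {msg}")
```

The subdomain case is the one worth noticing: shop.example.test has an SPF record of its own, but no `_dmarc.shop.example.test` record, and the organizational record at `_dmarc.example.test` sets no `sp=` tag, so the subdomain falls back to the organizational `p=none`. That is why step 1 enumerates every subdomain before step 2 runs.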

Workflow 3: Access Control Review

1. Export IdP configuration → Users, groups, roles, policies
2. Run access_control_auditor.py → Check MFA, SSO, RBAC, PAM, service accounts
3. Verify MFA coverage → Must be 100%, flag any exceptions
4. Review privileged access → Who has admin? Is JIT in place?
5. Check service accounts → Rotation, ownership, permissions
6. Access recertification → Verify all access is current and justified
7. Generate access report → Gaps + remediation steps

Workflow 4: Continuous Compliance Monitoring

1. Schedule automated scans → Weekly infra audit, daily DNS check
2. Track compliance score trends → Score per domain over time
3. Alert on regressions → Score drop or new Critical finding triggers alert
4. Quarterly full audit → Manual review + automated scan
5. Annual certification preparation → Compile evidence for auditors

Reference Guides

| Guide | Location | Coverage |
|---|---|---|
| Cloud Security Baseline | references/cloud-security-baseline.md | AWS, Azure, GCP CIS Benchmarks |
| Access Control Standards | references/access-control-standards.md | MFA, SSO, PAM, Zero Trust, YubiKey |
| Compliance Framework Mapping | references/compliance-framework-mapping.md | Control-to-framework master mapping |

Validation Checkpoints

Pre-Audit Validation

  • Infrastructure inventory is complete and current
  • All cloud accounts identified and accessible
  • Domain list verified (primary + all active subdomains)
  • Endpoint MDM reports available
  • IdP configuration export available
  • Previous audit findings reviewed

Post-Audit Validation

  • All 11 domains audited with no skipped checks
  • Every finding has severity, framework mapping, and remediation
  • Critical and High findings have assigned owners
  • Compliance score calculated per domain and overall
  • Executive summary prepared
  • Evidence package compiled for applicable frameworks
  • Remediation deadlines set per severity SLA

Scoring Methodology

Each audit domain is scored 0-100 based on the controls assessed:

Score Calculation:
Domain Score = (sum of the weights of passed controls) / (sum of the weights of all scored controls) * 100

Weights by severity:
  Critical = 10
  High = 5
  Medium = 2
  Low = 1
  Info = 0 (informational, not scored)

Overall Score:
Overall Score = Weighted average of the domain scores, using the domain weights below

Domain Weights:
  Cloud Infrastructure: 15%
  Access Control: 15%
  Network Security: 12%
  Secrets Management: 10%
  Logging/Monitoring: 10%
  CI/CD Pipeline: 8%
  Container/K8s: 8%
  Endpoint Security: 7%
  TLS/SSL: 5%
  DNS Security: 5%
  Physical Security: 5%

Score Interpretation:

| Score Range | Rating | Meaning |
|---|---|---|
| 90-100 | Excellent | Audit-ready, minimal findings |
| 80-89 | Good | Minor gaps, mostly compliant |
| 70-79 | Fair | Notable gaps, remediation needed before audit |
| 60-69 | Poor | Significant compliance gaps |
| Below 60 | Critical | Major overhaul required, not audit-ready |
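
The scoring formula, the domain weights and the rating bands above, carried through in code on a constructed audit outcome, together with the framework-gap step from the Compliance Framework Mapping section (step 4 of Workflow 1). This Python is an added example, not the page's infra_audit_runner.py: the per-domain results and the three control rows it scores are constructed samples, the decision to treat a domain with only Info controls as 100 and to reject an incomplete set of domains are the example's own assumptions, and the rule for splitting a Frameworks cell (the requirement is the last space-separated token, the framework name is the rest) is inferred from the tables on this page.

```python
from collections import defaultdict

# Weights and bands from the Scoring Methodology above.
SEVERITY_WEIGHTS = {"Critical": 10, "High": 5, "Medium": 2, "Low": 1, "Info": 0}
DOMAIN_WEIGHTS = {
    "Cloud Infrastructure": 15, "Access Control": 15, "Network Security": 12,
    "Secrets Management": 10, "Logging/Monitoring": 10, "CI/CD Pipeline": 8,
    "Container/K8s": 8, "Endpoint Security": 7, "TLS/SSL": 5, "DNS Security": 5,
    "Physical Security": 5,
}
RATING_BANDS = [(90, "Excellent"), (80, "Good"), (70, "Fair"), (60, "Poor"), (0, "Critical")]

def domain_score(results):
    """Weighted pass ratio for one domain; `results` is a list of (severity, passed) pairs.
    Info controls carry weight 0, so they never move the score."""
    total = sum(SEVERITY_WEIGHTS[sev] for sev, _ in results)
    if total == 0:
        return 100.0  # nothing scorable in this domain (only Info controls), so nothing failed
    passed = sum(SEVERITY_WEIGHTS[sev] for sev, ok in results if ok)
    return round(100.0 * passed / total, 1)

def overall_score(domain_scores):
    """Weighted average of the 11 domain scores; every domain must be present (no skipped checks)."""
    missing = set(DOMAIN_WEIGHTS) - set(domain_scores)
    if missing:
        raise ValueError(f"domains not audited: {sorted(missing)}")
    weighted = sum(DOMAIN_WEIGHTS[d] * domain_scores[d] for d in DOMAIN_WEIGHTS)
    return round(weighted / sum(DOMAIN_WEIGHTS.values()), 1)

def rating(score):
    """Map a 0-100 score onto the Score Interpretation bands."""
    for floor, label in RATING_BANDS:
        if score >= floor:
            return label
    raise ValueError("score below 0")

def split_framework_refs(refs):
    """'SOC 2 CC6.1, NIST CSF PR.AC-4' -> [('SOC 2', 'CC6.1'), ('NIST CSF', 'PR.AC-4')].
    The requirement is the last space-separated token; the framework name is the rest."""
    out = []
    for ref in refs.split(","):
        ref = ref.strip()
        if ref:
            framework, requirement = ref.rsplit(" ", 1)
            out.append((framework, requirement))
    return out

def framework_gaps(controls):
    """Unmet requirements per framework, from failed controls and their Frameworks column."""
    gaps = defaultdict(set)
    for c in controls:
        if not c["passed"]:
            for framework, requirement in split_framework_refs(c["frameworks"]):
                gaps[framework].add(requirement)
    return {fw: sorted(reqs) for fw, reqs in sorted(gaps.items())}

# Constructed audit outcome: per-domain (severity, passed) pairs, not real results.
SAMPLE_RESULTS = {
    "Cloud Infrastructure": [("Critical", True), ("High", True), ("High", False), ("Medium", True)],
    "Access Control": [("Critical", True), ("High", True), ("Medium", False), ("Info", False)],
    "Network Security": [("Critical", False), ("High", True), ("Low", True)],
    "Secrets Management": [("Critical", True), ("High", True)],
    "Logging/Monitoring": [("High", True), ("Medium", True), ("Low", False)],
    "CI/CD Pipeline": [("High", True), ("Medium", True)],
    "Container/K8s": [("Critical", True), ("Medium", False)],
    "Endpoint Security": [("High", True)],
    "TLS/SSL": [("High", True)],
    "DNS Security": [("High", False), ("Medium", True)],
    "Physical Security": [("Info", True)],
}

# Constructed subset of control rows (taken from the tables on this page) for gap mapping.
SAMPLE_CONTROLS = [
    {"id": "AC-SSH-006", "passed": False, "frameworks": "SOC 2 CC6.1, ISO 27001 A.9.4.2, PCI-DSS 2.1"},
    {"id": "NET-FW-001", "passed": False,
     "frameworks": "SOC 2 CC6.6, ISO 27001 A.13.1.1, PCI-DSS 1.2, NIST CSF PR.AC-5"},
    {"id": "K8S-RT-004", "passed": True, "frameworks": "SOC 2 CC6.1, ISO 27001 A.9.4.1, PCI-DSS 2.1"},
]

def build_report(results, controls):
    """Domain scores, overall score, rating and per-framework gaps in one structure."""
    scores = {d: domain_score(r) for d, r in results.items()}
    overall = overall_score(scores)
    return {"domain_scores": scores, "overall": overall, "rating": rating(overall),
            "framework_gaps": framework_gaps(controls)}

if __name__ == "__main__":
    report = build_report(SAMPLE_RESULTS, SAMPLE_CONTROLS)
    for d, s in report["domain_scores"].items():
        print(f"{d:22s} {s:5.1f} {rating(s)}")
    print("overall", report["overall"], report["rating"])
    print("framework gaps", report["framework_gaps"])
```

On the sample, one failed Critical control drags Network Security to 37.5 even though two of its three controls pass, which is the intended effect of the 10/5/2/1 weighting; the overall score still lands at 81.2 ("Good") because the heavily weighted Cloud Infrastructure and Access Control domains are in good shape. The gap map is what the evidence package needs: a single failed NET-FW-001 row becomes open items under SOC 2, ISO 27001, PCI-DSS and NIST CSF at once.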

Last Updated: March 2026
Version: 1.0.0
Total Controls: 250+ across 11 audit domains
Frameworks Covered: SOC 2, ISO 27001, HIPAA, GDPR, PCI-DSS, NIS2, DORA, NIST CSF, FedRAMP, CCPA