infrastructure-compliance-auditor

Infrastructure Compliance Auditor

Safety Notice

This listing is imported from skills.sh public index metadata. Review upstream SKILL.md and repository scripts before running.

Copy this and send it to your AI assistant to learn

Install skill "infrastructure-compliance-auditor" with this command: npx skills add borghei/claude-skills/borghei-claude-skills-infrastructure-compliance-auditor

Infrastructure Compliance Auditor

Cross-cutting infrastructure security audit across ALL compliance frameworks. Replaces manual Vanta-style checks with deterministic, repeatable, evidence-generating infrastructure audits covering cloud, DNS, TLS, endpoints, access control, network, containers, CI/CD, secrets, logging, and physical security.

Table of Contents

  • Trigger Phrases

  • Quick Start

  • Tools

  • Audit Domains

    1. Cloud Infrastructure Security
    1. DNS Security
    1. TLS/SSL Security
    1. Endpoint Security
    1. Access Control and Authentication
    1. Network Security
    1. Container and Kubernetes Security
    1. CI/CD Pipeline Security
    1. Secrets Management
    1. Logging and Monitoring
    1. Physical Security
    1. Compliance Framework Mapping

  • Workflows

  • Reference Guides

  • Validation Checkpoints

  • Scoring Methodology

Trigger Phrases

Use this skill when you hear:

  • "infrastructure audit"

  • "cloud security audit"

  • "infrastructure compliance"

  • "DNS security audit"

  • "TLS audit"

  • "endpoint security"

  • "access control audit"

  • "network security assessment"

  • "infrastructure security"

  • "cloud compliance"

  • "Vanta alternative"

  • "compliance automation"

  • "security posture assessment"

  • "hardware security keys"

  • "YubiKey compliance"

Quick Start

Run Full Infrastructure Audit

python scripts/infra_audit_runner.py --config infrastructure.json --output audit_report.json

Audit DNS Security for a Domain

python scripts/dns_security_checker.py --domain example.com --output dns_report.json

Audit Access Controls

python scripts/access_control_auditor.py --config access_controls.json --output access_report.json

Generate Compliance-Mapped Report

python scripts/infra_audit_runner.py --config infrastructure.json --frameworks soc2,iso27001,hipaa --format markdown --output compliance_report.md

Tools

Tool Purpose Input

infra_audit_runner.py

Full infrastructure audit across all 11 domains JSON config describing infrastructure

dns_security_checker.py

DNS-specific security audit (SPF, DKIM, DMARC, DNSSEC, CAA, MTA-STS) Domain name

access_control_auditor.py

Access control, MFA, SSO, PAM, RBAC audit JSON config describing access controls

Audit Domains

  1. Cloud Infrastructure Security

AWS Security Audit Checklist

IAM Policies and Roles

Check ID Control Severity Frameworks

AWS-IAM-001 Root account has MFA enabled (hardware MFA preferred) Critical SOC 2 CC6.1, ISO 27001 A.9.2.1, PCI-DSS 8.3, NIST CSF PR.AC-1, HIPAA 164.312(d), FedRAMP AC-2

AWS-IAM-002 Root account has no access keys Critical SOC 2 CC6.1, ISO 27001 A.9.2.3, PCI-DSS 2.1, NIST CSF PR.AC-4

AWS-IAM-003 No IAM policies with "Effect": "Allow", "Action": "", "Resource": ""

Critical SOC 2 CC6.3, ISO 27001 A.9.4.1, PCI-DSS 7.1, NIST CSF PR.AC-4

AWS-IAM-004 All IAM users have MFA enabled High SOC 2 CC6.1, ISO 27001 A.9.4.2, PCI-DSS 8.3, HIPAA 164.312(d)

AWS-IAM-005 IAM password policy enforces minimum 14 characters Medium SOC 2 CC6.1, ISO 27001 A.9.4.3, PCI-DSS 8.2.3, NIST CSF PR.AC-1

AWS-IAM-006 IAM roles use external ID for cross-account access Medium SOC 2 CC6.3, ISO 27001 A.9.2.1

AWS-IAM-007 Unused IAM credentials (>90 days) are disabled Medium SOC 2 CC6.2, ISO 27001 A.9.2.6, PCI-DSS 8.1.4

AWS-IAM-008 IAM Access Analyzer is enabled in all regions Medium SOC 2 CC6.1, ISO 27001 A.9.2.5

AWS-IAM-009 No inline IAM policies (use managed policies) Low ISO 27001 A.9.2.2

AWS-IAM-010 IAM policy conditions restrict by source IP or VPC where possible Low SOC 2 CC6.6, NIST CSF PR.AC-3

S3 Bucket Security

Check ID Control Severity Frameworks

AWS-S3-001 S3 Block Public Access enabled at account level Critical SOC 2 CC6.6, ISO 27001 A.13.1.1, PCI-DSS 1.3, HIPAA 164.312(e)(1), GDPR Art.32

AWS-S3-002 No S3 buckets with public ACLs or policies Critical SOC 2 CC6.6, ISO 27001 A.13.1.1, PCI-DSS 1.3, HIPAA 164.312(e)(1)

AWS-S3-003 Server-side encryption enabled (SSE-S3 minimum, SSE-KMS preferred) High SOC 2 CC6.7, ISO 27001 A.10.1.1, PCI-DSS 3.4, HIPAA 164.312(a)(2)(iv), GDPR Art.32

AWS-S3-004 Versioning enabled on critical data buckets Medium SOC 2 CC6.7, ISO 27001 A.12.3.1

AWS-S3-005 Access logging enabled for all buckets Medium SOC 2 CC7.2, ISO 27001 A.12.4.1, PCI-DSS 10.2

AWS-S3-006 Lifecycle policies configured for log retention Low SOC 2 CC7.2, ISO 27001 A.12.4.1

AWS-S3-007 MFA Delete enabled for critical buckets Medium SOC 2 CC6.7, ISO 27001 A.12.3.1

AWS-S3-008 S3 Object Lock enabled for compliance data (WORM) Medium SEC Rule 17a-4, HIPAA 164.312(c)(1)

VPC Configuration

Check ID Control Severity Frameworks

AWS-VPC-001 VPC Flow Logs enabled for all VPCs High SOC 2 CC7.2, ISO 27001 A.12.4.1, PCI-DSS 10.2, NIST CSF DE.CM-1

AWS-VPC-002 Default security group restricts all inbound/outbound High SOC 2 CC6.6, ISO 27001 A.13.1.1, PCI-DSS 1.2

AWS-VPC-003 No security groups allow 0.0.0.0/0 on SSH (22) or RDP (3389) Critical SOC 2 CC6.6, ISO 27001 A.13.1.1, PCI-DSS 1.3, NIST CSF PR.AC-5

AWS-VPC-004 Private subnets used for databases and application tiers High SOC 2 CC6.6, ISO 27001 A.13.1.3, PCI-DSS 1.3

AWS-VPC-005 NACLs configured as additional defense layer Medium SOC 2 CC6.6, PCI-DSS 1.2

AWS-VPC-006 VPC endpoints used for AWS service access (avoid public internet) Medium SOC 2 CC6.6, ISO 27001 A.13.1.1

AWS-VPC-007 Transit Gateway or VPC Peering uses non-overlapping CIDRs Low ISO 27001 A.13.1.1

RDS Security

Check ID Control Severity Frameworks

AWS-RDS-001 Encryption at rest enabled (KMS) High SOC 2 CC6.7, ISO 27001 A.10.1.1, PCI-DSS 3.4, HIPAA 164.312(a)(2)(iv)

AWS-RDS-002 SSL/TLS connections enforced (rds.force_ssl = 1 ) High SOC 2 CC6.7, ISO 27001 A.10.1.1, PCI-DSS 4.1

AWS-RDS-003 Automated backups enabled with minimum 7-day retention Medium SOC 2 CC6.7, ISO 27001 A.12.3.1, HIPAA 164.308(a)(7)(ii)(A)

AWS-RDS-004 Multi-AZ deployment for production databases Medium SOC 2 A1.2, ISO 27001 A.17.1.1

AWS-RDS-005 Database instances not publicly accessible Critical SOC 2 CC6.6, PCI-DSS 1.3

AWS-RDS-006 Enhanced monitoring enabled Low SOC 2 CC7.2, ISO 27001 A.12.4.1

AWS-RDS-007 Deletion protection enabled for production instances Medium SOC 2 CC6.7

CloudTrail and Monitoring

Check ID Control Severity Frameworks

AWS-CT-001 CloudTrail enabled in all regions Critical SOC 2 CC7.2, ISO 27001 A.12.4.1, PCI-DSS 10.1, HIPAA 164.312(b), NIST CSF DE.CM-1, FedRAMP AU-2

AWS-CT-002 CloudTrail log file validation enabled High SOC 2 CC7.2, ISO 27001 A.12.4.3, PCI-DSS 10.5

AWS-CT-003 CloudTrail logs delivered to S3 with encryption High SOC 2 CC7.2, ISO 27001 A.12.4.1, PCI-DSS 10.5

AWS-CT-004 CloudTrail integrated with CloudWatch Logs Medium SOC 2 CC7.2, ISO 27001 A.12.4.1

AWS-CT-005 GuardDuty enabled in all regions High SOC 2 CC7.2, NIST CSF DE.CM-1

AWS-CT-006 Security Hub enabled with CIS AWS Foundations Benchmark Medium SOC 2 CC7.2, NIST CSF DE.CM-1

AWS-CT-007 AWS Config enabled with required rules High SOC 2 CC7.2, ISO 27001 A.12.4.1, NIST CSF DE.CM-1, FedRAMP CM-8

KMS and Encryption

Check ID Control Severity Frameworks

AWS-KMS-001 Customer-managed KMS keys used for sensitive data High SOC 2 CC6.7, ISO 27001 A.10.1.2, PCI-DSS 3.5

AWS-KMS-002 KMS key rotation enabled (annual automatic rotation) Medium SOC 2 CC6.7, ISO 27001 A.10.1.2, PCI-DSS 3.6.4

AWS-KMS-003 KMS key policies follow least privilege Medium SOC 2 CC6.3, ISO 27001 A.10.1.2

AWS-KMS-004 KMS keys have alias and description for identification Low ISO 27001 A.10.1.2

Lambda and Serverless Security

Check ID Control Severity Frameworks

AWS-LAM-001 Lambda functions use IAM roles with least privilege High SOC 2 CC6.3, ISO 27001 A.9.4.1

AWS-LAM-002 Lambda functions do not store secrets in environment variables (use Secrets Manager) High SOC 2 CC6.7, PCI-DSS 3.4

AWS-LAM-003 Lambda functions deployed in VPC when accessing private resources Medium SOC 2 CC6.6, ISO 27001 A.13.1.1

AWS-LAM-004 Lambda function code is signed Medium SOC 2 CC7.1

AWS-LAM-005 Dead letter queues configured for async invocations Low SOC 2 A1.2

EKS/ECS Container Security

Check ID Control Severity Frameworks

AWS-EKS-001 EKS cluster endpoint not publicly accessible (or restricted by CIDR) High SOC 2 CC6.6, ISO 27001 A.13.1.1

AWS-EKS-002 EKS control plane logging enabled (api, audit, authenticator) High SOC 2 CC7.2, ISO 27001 A.12.4.1

AWS-EKS-003 EKS managed node groups use latest AMI Medium SOC 2 CC7.1

AWS-EKS-004 ECS tasks use awsvpc networking mode Medium SOC 2 CC6.6

AWS-EKS-005 ECR image scanning enabled on push High SOC 2 CC7.1, NIST CSF PR.IP-12

Azure Security Audit Checklist

Azure AD / Entra ID

Check ID Control Severity Frameworks

AZ-AD-001 Global Administrator accounts have MFA enforced Critical SOC 2 CC6.1, ISO 27001 A.9.2.1, PCI-DSS 8.3

AZ-AD-002 Maximum 5 Global Administrator accounts High SOC 2 CC6.1, ISO 27001 A.9.2.3

AZ-AD-003 Conditional Access Policies configured High SOC 2 CC6.1, ISO 27001 A.9.4.2

AZ-AD-004 Security Defaults enabled (if no Conditional Access) High SOC 2 CC6.1

AZ-AD-005 Privileged Identity Management (PIM) enabled for admin roles High SOC 2 CC6.1, ISO 27001 A.9.2.3

AZ-AD-006 Guest user access restricted Medium SOC 2 CC6.1, ISO 27001 A.9.2.2

AZ-AD-007 Sign-in risk policy configured (requires P2) Medium SOC 2 CC6.1

Azure Network Security

Check ID Control Severity Frameworks

AZ-NET-001 NSG rules follow least privilege (no allow-all inbound) High SOC 2 CC6.6, ISO 27001 A.13.1.1, PCI-DSS 1.2

AZ-NET-002 Azure Firewall or third-party NVA deployed Medium SOC 2 CC6.6, PCI-DSS 1.1

AZ-NET-003 DDoS Protection Standard enabled for public IPs Medium SOC 2 A1.2, ISO 27001 A.13.1.1

AZ-NET-004 Private endpoints used for PaaS services Medium SOC 2 CC6.6, ISO 27001 A.13.1.1

AZ-NET-005 Network Watcher enabled in all regions Medium SOC 2 CC7.2, ISO 27001 A.12.4.1

Azure Key Vault

Check ID Control Severity Frameworks

AZ-KV-001 Key Vault uses RBAC (not legacy access policies) High SOC 2 CC6.3, ISO 27001 A.10.1.2

AZ-KV-002 Soft delete and purge protection enabled High SOC 2 CC6.7, ISO 27001 A.10.1.2

AZ-KV-003 Key Vault diagnostic logging enabled Medium SOC 2 CC7.2, ISO 27001 A.12.4.1

AZ-KV-004 Key rotation policy configured Medium SOC 2 CC6.7, PCI-DSS 3.6.4

AZ-KV-005 Key Vault firewall enabled (restrict to VNet/IP) Medium SOC 2 CC6.6, ISO 27001 A.13.1.1

Azure Monitoring

Check ID Control Severity Frameworks

AZ-MON-001 Azure Monitor activity log alerts configured High SOC 2 CC7.2, ISO 27001 A.12.4.1

AZ-MON-002 Microsoft Sentinel (SIEM) deployed Medium SOC 2 CC7.2, NIST CSF DE.AE-2

AZ-MON-003 Diagnostic settings enabled for all resources Medium SOC 2 CC7.2, ISO 27001 A.12.4.1

AZ-MON-004 Azure Policy assignments enforcing compliance High SOC 2 CC7.1, ISO 27001 A.18.2.2

AZ-MON-005 Microsoft Defender for Cloud enabled (all plans) High SOC 2 CC7.2, NIST CSF DE.CM-1

Azure Storage Security

Check ID Control Severity Frameworks

AZ-ST-001 Storage accounts require HTTPS transfer High SOC 2 CC6.7, ISO 27001 A.10.1.1, PCI-DSS 4.1

AZ-ST-002 Storage account public access disabled Critical SOC 2 CC6.6, ISO 27001 A.13.1.1

AZ-ST-003 Storage accounts use customer-managed keys Medium SOC 2 CC6.7, PCI-DSS 3.5

AZ-ST-004 Shared Access Signatures (SAS) use short expiry Medium SOC 2 CC6.1, ISO 27001 A.9.4.2

AKS Security

Check ID Control Severity Frameworks

AZ-AKS-001 AKS uses managed identity (not service principal) High SOC 2 CC6.1, ISO 27001 A.9.4.1

AZ-AKS-002 Azure Policy for AKS enabled Medium SOC 2 CC7.1

AZ-AKS-003 AKS API server authorized IP ranges configured High SOC 2 CC6.6, ISO 27001 A.13.1.1

AZ-AKS-004 AKS uses Azure CNI (not kubenet) for network policies Medium SOC 2 CC6.6

GCP Security Audit Checklist

GCP IAM and Service Accounts

Check ID Control Severity Frameworks

GCP-IAM-001 Organization-level IAM policies use groups, not individual users High SOC 2 CC6.1, ISO 27001 A.9.2.2

GCP-IAM-002 Service accounts do not have Owner/Editor roles Critical SOC 2 CC6.3, ISO 27001 A.9.4.1

GCP-IAM-003 User-managed service account keys rotate every 90 days High SOC 2 CC6.1, PCI-DSS 3.6.4

GCP-IAM-004 Domain-restricted sharing enabled via Organization Policy Medium SOC 2 CC6.1, ISO 27001 A.9.2.2

GCP-IAM-005 Workload Identity used for GKE (no service account keys) High SOC 2 CC6.1, ISO 27001 A.9.4.1

GCP VPC and Network

Check ID Control Severity Frameworks

GCP-VPC-001 VPC Service Controls configured for sensitive projects High SOC 2 CC6.6, ISO 27001 A.13.1.3

GCP-VPC-002 Cloud Armor WAF rules protect public-facing services High SOC 2 CC6.6, ISO 27001 A.13.1.1

GCP-VPC-003 VPC Flow Logs enabled for all subnets High SOC 2 CC7.2, ISO 27001 A.12.4.1

GCP-VPC-004 Private Google Access enabled for private subnets Medium SOC 2 CC6.6

GCP-VPC-005 Firewall rules do not allow 0.0.0.0/0 on SSH/RDP Critical SOC 2 CC6.6, PCI-DSS 1.3

GCP Security Services

Check ID Control Severity Frameworks

GCP-SEC-001 Security Command Center (SCC) enabled (Premium) High SOC 2 CC7.2, NIST CSF DE.CM-1

GCP-SEC-002 Cloud KMS keys have rotation scheduled Medium SOC 2 CC6.7, PCI-DSS 3.6.4

GCP-SEC-003 Cloud Audit Logs enabled for all services High SOC 2 CC7.2, ISO 27001 A.12.4.1

GCP-SEC-004 Binary Authorization enabled for GKE Medium SOC 2 CC7.1

GCP-SEC-005 Organization Policy Service enforces constraints High SOC 2 CC7.1, ISO 27001 A.18.2.2

GKE Security

Check ID Control Severity Frameworks

GCP-GKE-001 GKE uses private cluster (no public endpoint) or authorized networks High SOC 2 CC6.6, ISO 27001 A.13.1.1

GCP-GKE-002 GKE Shielded Nodes enabled Medium SOC 2 CC6.7

GCP-GKE-003 GKE node auto-upgrade enabled Medium SOC 2 CC7.1, NIST CSF PR.IP-12

GCP-GKE-004 GKE workload identity enabled (no node service account keys) High SOC 2 CC6.1

GCP-GKE-005 Container-Optimized OS used for nodes Medium SOC 2 CC7.1

  1. DNS Security

Email Authentication Chain

SPF, DKIM, and DMARC form a layered email authentication system. ALL three must be configured correctly for effective protection against spoofing and phishing.

SPF (Sender Policy Framework)

Check ID Control Severity Frameworks

DNS-SPF-001 SPF record exists for primary domain High SOC 2 CC6.6, ISO 27001 A.13.2.1, NIST CSF PR.AC-3

DNS-SPF-002 SPF record uses -all (hard fail) not ~all (soft fail) High SOC 2 CC6.6, ISO 27001 A.13.2.1

DNS-SPF-003 SPF record has fewer than 10 DNS lookups (RFC 7208 limit) Medium SOC 2 CC6.6

DNS-SPF-004 SPF record does not use +all (permits all senders) Critical SOC 2 CC6.6, ISO 27001 A.13.2.1

DNS-SPF-005 Non-sending domains have v=spf1 -all to prevent spoofing Medium ISO 27001 A.13.2.1

DNS-SPF-006 SPF record avoids deprecated PTR mechanism Low RFC 7208

DNS-SPF-007 SPF flattening used if approaching lookup limit Low Best practice

SPF syntax reference:

v=spf1 include:_spf.google.com include:sendgrid.net ip4:203.0.113.0/24 -all

Key rules:

  • Maximum 10 DNS lookups (include, a, mx, ptr, exists, redirect each count as 1)

  • ip4 and ip6 mechanisms do NOT count toward the 10-lookup limit

  • Nested includes count toward the limit

  • Record must be a single TXT record (no multiple SPF records)

  • Maximum 255 characters per DNS string (use string concatenation for longer records)

DKIM (DomainKeys Identified Mail)

Check ID Control Severity Frameworks

DNS-DKIM-001 DKIM record exists for all sending domains High SOC 2 CC6.6, ISO 27001 A.13.2.1

DNS-DKIM-002 DKIM key is minimum 2048-bit RSA High SOC 2 CC6.7, ISO 27001 A.10.1.1

DNS-DKIM-003 DKIM keys rotate every 6-12 months Medium SOC 2 CC6.7, ISO 27001 A.10.1.2

DNS-DKIM-004 Multiple DKIM selectors for different sending services Low Best practice

DNS-DKIM-005 DKIM testing mode (t=y ) removed for production domains Medium SOC 2 CC6.6

DKIM record format:

selector._domainkey.example.com IN TXT "v=DKIM1; k=rsa; p=MIIBIjANBgkq..."

DMARC (Domain-based Message Authentication, Reporting, and Conformance)

Check ID Control Severity Frameworks

DNS-DMARC-001 DMARC record exists at _dmarc.example.com

High SOC 2 CC6.6, ISO 27001 A.13.2.1, NIST CSF PR.AC-3

DNS-DMARC-002 DMARC policy is p=reject (maximum enforcement) High SOC 2 CC6.6, ISO 27001 A.13.2.1

DNS-DMARC-003 DMARC rua (aggregate reporting) tag configured Medium SOC 2 CC7.2, ISO 27001 A.12.4.1

DNS-DMARC-004 DMARC ruf (forensic reporting) tag configured Low SOC 2 CC7.2

DNS-DMARC-005 DMARC subdomain policy sp=reject configured Medium ISO 27001 A.13.2.1

DNS-DMARC-006 DMARC alignment modes — adkim=s and aspf=s (strict) preferred Medium SOC 2 CC6.6

DNS-DMARC-007 DMARC pct=100 (applies to all messages) Medium SOC 2 CC6.6

DMARC record format:

_dmarc.example.com IN TXT "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; rua=mailto:dmarc-agg@example.com; ruf=mailto:dmarc-forensic@example.com; pct=100"

DMARC rollout strategy (avoid disrupting legitimate email):

  • p=none; rua=mailto:... — Monitor for 2-4 weeks

  • p=quarantine; pct=10 — Quarantine 10% of failing messages

  • p=quarantine; pct=50 — Increase gradually

  • p=quarantine; pct=100 — Full quarantine

  • p=reject; pct=100 — Full enforcement

DNSSEC

Check ID Control Severity Frameworks

DNS-SEC-001 DNSSEC signing enabled for domain High SOC 2 CC6.6, ISO 27001 A.13.1.1, NIST CSF PR.DS-2

DNS-SEC-002 DS record published in parent zone High SOC 2 CC6.6, ISO 27001 A.13.1.1

DNS-SEC-003 DNSSEC algorithm is ECDSAP256SHA256 (13) or newer Medium SOC 2 CC6.7

DNS-SEC-004 DNSSEC key rotation schedule documented Medium SOC 2 CC6.7, ISO 27001 A.10.1.2

CAA (Certificate Authority Authorization)

Check ID Control Severity Frameworks

DNS-CAA-001 CAA record exists restricting certificate issuance High SOC 2 CC6.7, ISO 27001 A.10.1.2

DNS-CAA-002 CAA iodef tag configured for certificate issuance notifications Medium SOC 2 CC7.2

DNS-CAA-003 Only authorized CAs listed in CAA record High SOC 2 CC6.7

CAA record format:

example.com IN CAA 0 issue "letsencrypt.org" example.com IN CAA 0 issue "digicert.com" example.com IN CAA 0 issuewild "letsencrypt.org" example.com IN CAA 0 iodef "mailto:security@example.com"

MTA-STS and TLS-RPT

Check ID Control Severity Frameworks

DNS-MTA-001 MTA-STS policy published at /.well-known/mta-sts.txt

Medium ISO 27001 A.13.2.1

DNS-MTA-002 MTA-STS DNS record _mta-sts.example.com exists Medium ISO 27001 A.13.2.1

DNS-MTA-003 MTA-STS mode is enforce (not testing or none ) Medium ISO 27001 A.13.2.1

DNS-MTA-004 TLS-RPT record _smtp._tls.example.com configured Low ISO 27001 A.12.4.1

MTA-STS policy (at https://mta-sts.example.com/.well-known/mta-sts.txt ):

version: STSv1 mode: enforce mx: mail.example.com mx: *.example.com max_age: 604800

Domain Security

Check ID Control Severity Frameworks

DNS-DOM-001 Registrar lock enabled (clientTransferProhibited) High SOC 2 CC6.7, ISO 27001 A.13.1.1

DNS-DOM-002 WHOIS privacy enabled Low GDPR Art.5

DNS-DOM-003 2FA enabled on domain registrar account Critical SOC 2 CC6.1, ISO 27001 A.9.4.2

DNS-DOM-004 Domain expiration monitored (>60 days before expiry) Medium SOC 2 A1.2

DNS-DOM-005 Subdomain inventory maintained (prevent subdomain takeover) High SOC 2 CC6.6, ISO 27001 A.13.1.1

DNS-DOM-006 Dangling DNS records (CNAME to deprovisioned services) monitored High SOC 2 CC6.6

DNS-DOM-007 DNS monitoring alerts configured for unauthorized changes Medium SOC 2 CC7.2, ISO 27001 A.12.4.1

  1. TLS/SSL Security

Certificate Management

Check ID Control Severity Frameworks

TLS-CERT-001 Certificates issued by trusted CA (not self-signed for public services) High SOC 2 CC6.7, ISO 27001 A.10.1.1, PCI-DSS 4.1

TLS-CERT-002 Automated certificate renewal via ACME (Let's Encrypt, ZeroSSL) Medium SOC 2 CC6.7

TLS-CERT-003 Certificate expiration monitored (alert at 30, 14, 7 days) High SOC 2 A1.2, ISO 27001 A.10.1.2

TLS-CERT-004 Certificate Transparency (CT) log monitoring enabled Medium SOC 2 CC7.2

TLS-CERT-005 No wildcard certificates for high-security domains Medium SOC 2 CC6.7, PCI-DSS 4.1

TLS-CERT-006 Certificate validity period 90 days maximum (Let's Encrypt standard) Low Best practice

TLS-CERT-007 OCSP stapling enabled Medium SOC 2 CC6.7

TLS-CERT-008 Certificate pinning only for mobile apps (not web — risk of bricking) Info Best practice

Protocol and Cipher Configuration

Check ID Control Severity Frameworks

TLS-PROTO-001 TLS 1.2 minimum (TLS 1.0 and 1.1 disabled) Critical SOC 2 CC6.7, ISO 27001 A.10.1.1, PCI-DSS 4.1, NIST CSF PR.DS-2, HIPAA 164.312(e)(1)

TLS-PROTO-002 TLS 1.3 preferred where supported Medium SOC 2 CC6.7, NIST CSF PR.DS-2

TLS-PROTO-003 SSL 2.0 and 3.0 disabled Critical PCI-DSS 4.1, NIST CSF PR.DS-2

TLS-CIPHER-001 Forward secrecy enabled (ECDHE or DHE key exchange) High SOC 2 CC6.7, ISO 27001 A.10.1.1, PCI-DSS 4.1

TLS-CIPHER-002 AEAD cipher suites only (GCM, ChaCha20-Poly1305) High SOC 2 CC6.7, PCI-DSS 4.1

TLS-CIPHER-003 No RC4, 3DES, DES, NULL, or EXPORT ciphers Critical PCI-DSS 4.1, NIST CSF PR.DS-2

TLS-CIPHER-004 No CBC mode ciphers (BEAST/POODLE vulnerability) High PCI-DSS 4.1

TLS-CIPHER-005 RSA key exchange disabled (no forward secrecy) Medium SOC 2 CC6.7

Recommended TLS 1.2 cipher suites (in order):

TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256

TLS 1.3 cipher suites (always use all three):

TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 TLS_AES_128_GCM_SHA256

HTTP Security Headers

Check ID Control Severity Frameworks

TLS-HSTS-001 HSTS enabled with max-age

= 31536000 (1 year) High SOC 2 CC6.7, ISO 27001 A.10.1.1, PCI-DSS 4.1, NIST CSF PR.DS-2

TLS-HSTS-002 HSTS includeSubDomains directive set High SOC 2 CC6.7

TLS-HSTS-003 HSTS preload submitted to hstspreload.org Medium SOC 2 CC6.7

TLS-HSTS-004 HTTP to HTTPS redirect configured (301 permanent) High SOC 2 CC6.7, PCI-DSS 4.1

Internal TLS

Check ID Control Severity Frameworks

TLS-INT-001 mTLS configured for service-to-service communication High SOC 2 CC6.7, ISO 27001 A.13.1.1, PCI-DSS 4.1 (if CDE)

TLS-INT-002 Internal PKI with short-lived certificates (24h-7d) Medium SOC 2 CC6.7, ISO 27001 A.10.1.2

TLS-INT-003 Service mesh (Istio/Linkerd) manages mTLS transparently Medium SOC 2 CC6.7

TLS-INT-004 Database connections use TLS High SOC 2 CC6.7, PCI-DSS 4.1, HIPAA 164.312(e)(1)

  1. Endpoint Security

Mobile Device Management (MDM)

Check ID Control Severity Frameworks

EP-MDM-001 MDM solution deployed (Jamf, Intune, Kandji) High SOC 2 CC6.7, ISO 27001 A.6.2.1, HIPAA 164.310(d)(1), NIST CSF PR.AC-3

EP-MDM-002 All corporate devices enrolled in MDM High SOC 2 CC6.7, ISO 27001 A.6.2.1

EP-MDM-003 MDM compliance policies enforced (auto-remediate non-compliant devices) Medium SOC 2 CC6.7

EP-MDM-004 MDM reports integrated into security dashboard Low SOC 2 CC7.2

Disk Encryption

Check ID Control Severity Frameworks

EP-ENC-001 Full disk encryption enabled on all endpoints (FileVault/BitLocker/LUKS) Critical SOC 2 CC6.7, ISO 27001 A.10.1.1, PCI-DSS 3.4, HIPAA 164.312(a)(2)(iv), GDPR Art.32, NIST CSF PR.DS-1

EP-ENC-002 Encryption recovery keys escrowed in MDM or central key management High SOC 2 CC6.7, ISO 27001 A.10.1.2

EP-ENC-003 Encryption status verified on every endpoint via MDM Medium SOC 2 CC6.7

EP-ENC-004 Mobile devices have device encryption enabled High SOC 2 CC6.7, HIPAA 164.312(a)(2)(iv)

Antivirus and EDR

Check ID Control Severity Frameworks

EP-AV-001 EDR solution deployed on all endpoints (CrowdStrike, SentinelOne, Defender for Endpoint) High SOC 2 CC6.8, ISO 27001 A.12.2.1, PCI-DSS 5.1, HIPAA 164.308(a)(5)(ii)(B), NIST CSF DE.CM-4

EP-AV-002 Real-time protection enabled and cannot be disabled by users High SOC 2 CC6.8, PCI-DSS 5.1

EP-AV-003 Definitions updated automatically (maximum 24h staleness) Medium SOC 2 CC6.8, PCI-DSS 5.2

EP-AV-004 EDR telemetry centralized for threat hunting Medium SOC 2 CC7.2, NIST CSF DE.AE-2

EP-AV-005 Automatic quarantine/isolation for critical threats Medium SOC 2 CC6.8, NIST CSF RS.MI-1

OS Patch Management

Check ID Control Severity Frameworks

EP-PATCH-001 Critical patches applied within 24 hours Critical SOC 2 CC7.1, ISO 27001 A.12.6.1, PCI-DSS 6.2, NIST CSF PR.IP-12

EP-PATCH-002 High patches applied within 72 hours High SOC 2 CC7.1, ISO 27001 A.12.6.1, PCI-DSS 6.2

EP-PATCH-003 Medium patches applied within 7 days Medium SOC 2 CC7.1, ISO 27001 A.12.6.1

EP-PATCH-004 Low patches applied within 30 days Low SOC 2 CC7.1, ISO 27001 A.12.6.1

EP-PATCH-005 Patch compliance reported weekly Medium SOC 2 CC7.1, ISO 27001 A.12.6.1

EP-PATCH-006 Emergency patch process documented and tested Medium SOC 2 CC7.1, NIST CSF RS.MI-3

Additional Endpoint Controls

Check ID Control Severity Frameworks

EP-LOCK-001 Screen lock after 5 minutes of inactivity Medium SOC 2 CC6.1, ISO 27001 A.11.2.8, PCI-DSS 8.1.8, HIPAA 164.310(b)

EP-USB-001 USB storage devices blocked or controlled via MDM Medium SOC 2 CC6.7, ISO 27001 A.8.3.1, PCI-DSS 9.7

EP-BRW-001 Browser extension allow-listing enforced Medium SOC 2 CC6.8, ISO 27001 A.12.2.1

EP-BRW-002 Safe browsing / web filtering enabled Low SOC 2 CC6.8, ISO 27001 A.13.1.1

EP-WIPE-001 Remote wipe capability verified for all corporate devices High SOC 2 CC6.7, ISO 27001 A.6.2.1, HIPAA 164.310(d)(2)(iii)

EP-BYOD-001 BYOD policy documented and enforced via MDM container Medium SOC 2 CC6.7, ISO 27001 A.6.2.1, GDPR Art.32

EP-FW-001 Host-based firewall enabled on all endpoints Medium SOC 2 CC6.6, ISO 27001 A.13.1.1, PCI-DSS 1.4

  1. Access Control and Authentication

Identity Provider (IdP) Configuration

Check ID Control Severity Frameworks

AC-IDP-001 Centralized IdP deployed (Okta, Azure AD/Entra ID, Google Workspace) High SOC 2 CC6.1, ISO 27001 A.9.2.1, PCI-DSS 8.1, HIPAA 164.312(d), NIST CSF PR.AC-1, FedRAMP AC-2

AC-IDP-002 All applications integrated with IdP via SSO High SOC 2 CC6.1, ISO 27001 A.9.4.2

AC-IDP-003 IdP has admin MFA enforced (hardware key required for admin) Critical SOC 2 CC6.1, ISO 27001 A.9.4.2, PCI-DSS 8.3

AC-IDP-004 IdP audit logs exported to SIEM Medium SOC 2 CC7.2, ISO 27001 A.12.4.1

Single Sign-On (SSO)

Check ID Control Severity Frameworks

AC-SSO-001 SSO implemented via SAML 2.0 or OIDC (no password-based SSO) High SOC 2 CC6.1, ISO 27001 A.9.4.2, NIST CSF PR.AC-1

AC-SSO-002 SSO session timeout configured (maximum 8 hours) Medium SOC 2 CC6.1, ISO 27001 A.9.4.2, PCI-DSS 8.1.8

AC-SSO-003 SSO enforced (local authentication disabled where possible) High SOC 2 CC6.1, ISO 27001 A.9.4.2

AC-SSO-004 SCIM provisioning enabled for automated user lifecycle High SOC 2 CC6.2, ISO 27001 A.9.2.1, NIST CSF PR.AC-1

AC-SSO-005 Deprovisioning triggers immediate SSO session revocation High SOC 2 CC6.2, ISO 27001 A.9.2.6

Multi-Factor Authentication (MFA)

Check ID Control Severity Frameworks

AC-MFA-001 MFA enforced for ALL user accounts (no exceptions) Critical SOC 2 CC6.1, ISO 27001 A.9.4.2, PCI-DSS 8.3, HIPAA 164.312(d), NIST CSF PR.AC-7, GDPR Art.32, NIS2 Art.21, DORA Art.9, FedRAMP IA-2

AC-MFA-002 Phishing-resistant MFA (FIDO2/WebAuthn) required for privileged accounts Critical SOC 2 CC6.1, ISO 27001 A.9.4.2, NIST CSF PR.AC-7, FedRAMP IA-2(6)

AC-MFA-003 SMS-based MFA prohibited (SIM swap vulnerability) High SOC 2 CC6.1, NIST CSF PR.AC-7

AC-MFA-004 TOTP (time-based one-time password) accepted as minimum MFA Medium SOC 2 CC6.1

AC-MFA-005 Hardware security keys (YubiKey 5 Series, Bio Series) deployed for all admins High SOC 2 CC6.1, ISO 27001 A.9.4.2, NIST CSF PR.AC-7

AC-MFA-006 MFA recovery process documented (not bypass, requires identity verification) Medium SOC 2 CC6.1, ISO 27001 A.9.2.4

AC-MFA-007 MFA enrollment status reported (100% coverage target) Medium SOC 2 CC6.1

Hardware Security Key (YubiKey) Implementation:

Enrollment process:

  • User registers primary YubiKey to IdP (Okta, Azure AD, Google Workspace)

  • User registers backup YubiKey (stored in secure location)

  • IdP policy updated to require FIDO2/WebAuthn for user

  • TOTP/push fallback disabled for privileged accounts

YubiKey policy requirements:

  • Each user has minimum 2 registered keys (primary + backup)

  • Backup key stored in secure, documented location

  • PIN configured on YubiKey (FIDO2 user verification)

  • Touch required for every authentication

  • Bio Series (fingerprint) preferred for shared workstations

  • Inventory of all issued keys maintained

  • Lost key process: immediate revocation, identity reverification, new key issuance

IdP-specific configuration:

  • Okta: Enroll YubiKey via FIDO2 (WebAuthn) factor, set Authentication Policy to require phishing-resistant MFA

  • Azure AD/Entra ID: Configure FIDO2 security key in Authentication Methods, create Conditional Access policy requiring authentication strength "Phishing-resistant MFA"

  • Google Workspace: Enroll security key in 2-Step Verification, enable Advanced Protection Program for admins

Privileged Access Management (PAM)

Check ID Control Severity Frameworks

AC-PAM-001 Just-in-time (JIT) access implemented for privileged roles High SOC 2 CC6.1, ISO 27001 A.9.2.3, PCI-DSS 7.1, NIST CSF PR.AC-4

AC-PAM-002 Privileged access requests require approval workflow High SOC 2 CC6.1, ISO 27001 A.9.2.3

AC-PAM-003 Privileged session time-limited (maximum 4 hours, re-approval needed) Medium SOC 2 CC6.1, ISO 27001 A.9.2.3

AC-PAM-004 Privileged sessions recorded (screen recording or command logging) High SOC 2 CC7.2, ISO 27001 A.12.4.1, PCI-DSS 10.2

AC-PAM-005 Break-glass procedure documented and tested quarterly Medium SOC 2 CC6.1, ISO 27001 A.9.2.3, NIST CSF PR.AC-4

AC-PAM-006 Privileged account inventory maintained and reviewed quarterly High SOC 2 CC6.2, ISO 27001 A.9.2.5, PCI-DSS 7.1

AC-PAM-007 Standing privileged access eliminated (no permanent admin accounts) High SOC 2 CC6.1, ISO 27001 A.9.2.3, NIST CSF PR.AC-4

Role-Based Access Control (RBAC)

Check ID Control Severity Frameworks

AC-RBAC-001 RBAC model documented with role definitions and permissions High SOC 2 CC6.3, ISO 27001 A.9.2.2, PCI-DSS 7.1, HIPAA 164.312(a)(1), NIST CSF PR.AC-4

AC-RBAC-002 Role assignments reviewed quarterly (access recertification) High SOC 2 CC6.2, ISO 27001 A.9.2.5, PCI-DSS 7.1.1

AC-RBAC-003 Separation of duties enforced (no single user has conflicting roles) High SOC 2 CC6.3, ISO 27001 A.6.1.2, PCI-DSS 6.4.2

AC-RBAC-004 Default deny — users get minimum necessary permissions High SOC 2 CC6.3, ISO 27001 A.9.4.1

AC-RBAC-005 Role changes logged and auditable Medium SOC 2 CC7.2, ISO 27001 A.12.4.1

Service Account and API Key Governance

Check ID Control Severity Frameworks

AC-SVC-001 No shared credentials for service accounts Critical SOC 2 CC6.1, ISO 27001 A.9.2.4, PCI-DSS 8.5

AC-SVC-002 Service account permissions follow least privilege High SOC 2 CC6.3, ISO 27001 A.9.4.1

AC-SVC-003 Service account credentials rotate every 90 days maximum High SOC 2 CC6.1, ISO 27001 A.9.2.4, PCI-DSS 8.2.4

AC-SVC-004 Service account inventory maintained with owner assignment High SOC 2 CC6.2, ISO 27001 A.9.2.5

AC-SVC-005 API keys scoped to minimum required permissions High SOC 2 CC6.3, ISO 27001 A.9.4.1

AC-SVC-006 API keys have expiration dates (maximum 1 year) Medium SOC 2 CC6.1, ISO 27001 A.9.2.4

AC-SVC-007 API key usage monitored and anomalous access alerted Medium SOC 2 CC7.2, ISO 27001 A.12.4.1

SSH Key Management

Check ID Control Severity Frameworks

AC-SSH-001 ED25519 keys required (or RSA >= 4096 bit) High SOC 2 CC6.7, ISO 27001 A.10.1.1

AC-SSH-002 SSH certificate-based authentication for infrastructure Medium SOC 2 CC6.7, ISO 27001 A.9.4.2

AC-SSH-003 SSH key passphrase required Medium SOC 2 CC6.1, ISO 27001 A.9.4.2

AC-SSH-004 SSH key inventory maintained with owner assignment Medium SOC 2 CC6.2, ISO 27001 A.9.2.5

AC-SSH-005 SSH keys rotate annually at minimum Medium SOC 2 CC6.1, PCI-DSS 3.6.4

AC-SSH-006 Root SSH login disabled High SOC 2 CC6.1, ISO 27001 A.9.4.2, PCI-DSS 2.1

AC-SSH-007 SSH password authentication disabled (key-only) High SOC 2 CC6.1, ISO 27001 A.9.4.2

Zero Trust Architecture

Check ID Control Severity Frameworks

AC-ZT-001 Identity-based access (verify user, device, and context) High SOC 2 CC6.1, ISO 27001 A.9.4.2, NIST CSF PR.AC-4

AC-ZT-002 Device posture checked before granting access High SOC 2 CC6.1, ISO 27001 A.6.2.1

AC-ZT-003 Network location is not trusted (no implicit trust for internal network) High SOC 2 CC6.6, ISO 27001 A.13.1.1, NIST CSF PR.AC-5

AC-ZT-004 Continuous verification (re-authenticate for sensitive operations) Medium SOC 2 CC6.1, NIST CSF PR.AC-7

AC-ZT-005 Microsegmentation between services Medium SOC 2 CC6.6, ISO 27001 A.13.1.3, PCI-DSS 1.2

  1. Network Security

Firewall Configuration

Check ID Control Severity Frameworks

NET-FW-001 Default deny policy (deny all, allow by exception) Critical SOC 2 CC6.6, ISO 27001 A.13.1.1, PCI-DSS 1.2, NIST CSF PR.AC-5

NET-FW-002 Egress filtering enabled (restrict outbound traffic) High SOC 2 CC6.6, ISO 27001 A.13.1.1, PCI-DSS 1.3

NET-FW-003 Firewall rules reviewed quarterly Medium SOC 2 CC6.6, PCI-DSS 1.1.7

NET-FW-004 Firewall rule documentation (business justification for each rule) Medium SOC 2 CC6.6, PCI-DSS 1.1.6

NET-FW-005 No "any/any" rules in firewall ruleset Critical SOC 2 CC6.6, PCI-DSS 1.2

NET-FW-006 Firewall change management process documented Medium SOC 2 CC6.6, PCI-DSS 1.1.1

Network Segmentation

Check ID Control Severity Frameworks

NET-SEG-001 Network segmentation isolates sensitive environments (production, staging, dev) High SOC 2 CC6.6, ISO 27001 A.13.1.3, PCI-DSS 1.2, HIPAA 164.312(e)(1)

NET-SEG-002 Cardholder Data Environment (CDE) segmented from general network Critical PCI-DSS 1.3

NET-SEG-003 Database tier isolated from public-facing tier High SOC 2 CC6.6, ISO 27001 A.13.1.3, PCI-DSS 1.3

NET-SEG-004 Microsegmentation for East-West traffic Medium SOC 2 CC6.6, ISO 27001 A.13.1.3, NIST CSF PR.AC-5

NET-SEG-005 Management network separated from production High SOC 2 CC6.6, PCI-DSS 1.2

NET-SEG-006 Guest WiFi isolated from corporate network Medium SOC 2 CC6.6, ISO 27001 A.13.1.3

Web Application Firewall (WAF)

Check ID Control Severity Frameworks

NET-WAF-001 WAF deployed for all public-facing web applications High SOC 2 CC6.6, ISO 27001 A.13.1.1, PCI-DSS 6.6, NIST CSF PR.IP-1

NET-WAF-002 OWASP Top 10 rules enabled High SOC 2 CC6.6, PCI-DSS 6.6

NET-WAF-003 Rate limiting configured Medium SOC 2 CC6.6, ISO 27001 A.13.1.1

NET-WAF-004 WAF in blocking mode (not just detection) High SOC 2 CC6.6, PCI-DSS 6.6

NET-WAF-005 WAF rules regularly updated Medium SOC 2 CC6.6, PCI-DSS 6.6

NET-WAF-006 Custom rules for application-specific attack patterns Low SOC 2 CC6.6

DDoS Protection

Check ID Control Severity Frameworks

NET-DDOS-001 DDoS protection enabled (Cloudflare, AWS Shield, Azure DDoS Protection) High SOC 2 A1.2, ISO 27001 A.13.1.1, NIST CSF PR.DS-4

NET-DDOS-002 Layer 7 DDoS protection configured Medium SOC 2 A1.2, ISO 27001 A.13.1.1

NET-DDOS-003 DDoS response plan documented Medium SOC 2 A1.2, ISO 27001 A.16.1.1, NIST CSF RS.RP-1

NET-DDOS-004 DDoS alert thresholds configured Medium SOC 2 A1.2, ISO 27001 A.12.4.1

VPN Configuration

Check ID Control Severity Frameworks

NET-VPN-001 VPN uses WireGuard or IPSec (no PPTP or L2TP without IPSec) High SOC 2 CC6.7, ISO 27001 A.13.1.1, PCI-DSS 4.1, NIST CSF PR.DS-2

NET-VPN-002 Split tunneling disabled for compliance environments Medium SOC 2 CC6.7, PCI-DSS 1.4

NET-VPN-003 VPN requires MFA for connection High SOC 2 CC6.1, ISO 27001 A.9.4.2, PCI-DSS 8.3

NET-VPN-004 VPN access logged and monitored Medium SOC 2 CC7.2, ISO 27001 A.12.4.1, PCI-DSS 10.2

NET-VPN-005 VPN being replaced or augmented by ZTNA (Zero Trust Network Access) Info NIST CSF PR.AC-5

Intrusion Detection/Prevention

Check ID Control Severity Frameworks

NET-IDS-001 IDS/IPS deployed at network perimeter High SOC 2 CC6.6, ISO 27001 A.13.1.1, PCI-DSS 11.4, NIST CSF DE.CM-1, HIPAA 164.312(e)(1)

NET-IDS-002 IDS/IPS signatures updated regularly Medium SOC 2 CC6.6, PCI-DSS 11.4

NET-IDS-003 IDS alerts integrated with SIEM Medium SOC 2 CC7.2, ISO 27001 A.12.4.1

NET-IDS-004 Network traffic monitoring for anomalies Medium SOC 2 CC7.2, NIST CSF DE.AE-1

  1. Container and Kubernetes Security

Base Image Security

Check ID Control Severity Frameworks

K8S-IMG-001 Base images from trusted registries only (verified publishers) High SOC 2 CC7.1, ISO 27001 A.14.2.7, NIST CSF PR.IP-12

K8S-IMG-002 Minimal base images (distroless, Alpine, scratch) Medium SOC 2 CC7.1, ISO 27001 A.14.2.7

K8S-IMG-003 No running as root in containers (USER directive in Dockerfile) High SOC 2 CC6.1, ISO 27001 A.9.4.1, PCI-DSS 2.1

K8S-IMG-004 Container images scanned for vulnerabilities (Trivy, Snyk, Grype) High SOC 2 CC7.1, ISO 27001 A.12.6.1, PCI-DSS 6.2, NIST CSF DE.CM-8

K8S-IMG-005 No secrets baked into container images Critical SOC 2 CC6.7, PCI-DSS 3.4

K8S-IMG-006 Images tagged with specific version/digest (no latest tag) Medium SOC 2 CC7.1

K8S-IMG-007 Image signing verified before deployment (cosign, Notary) High SOC 2 CC7.1, NIST CSF PR.IP-1

Container Runtime Security

Check ID Control Severity Frameworks

K8S-RT-001 Seccomp profiles applied (runtime default minimum) Medium SOC 2 CC6.6, ISO 27001 A.13.1.1

K8S-RT-002 AppArmor/SELinux profiles applied Medium SOC 2 CC6.6, ISO 27001 A.13.1.1

K8S-RT-003 Read-only root filesystem for containers Medium SOC 2 CC6.7, ISO 27001 A.12.4.3

K8S-RT-004 No privileged containers Critical SOC 2 CC6.1, ISO 27001 A.9.4.1, PCI-DSS 2.1

K8S-RT-005 No host PID/network/IPC namespace sharing High SOC 2 CC6.6, ISO 27001 A.13.1.3

K8S-RT-006 Resource limits set (CPU, memory) to prevent resource abuse Medium SOC 2 A1.2, ISO 27001 A.12.1.3

Kubernetes Cluster Security

Check ID Control Severity Frameworks

K8S-RBAC-001 RBAC enabled with least-privilege role bindings High SOC 2 CC6.3, ISO 27001 A.9.4.1, PCI-DSS 7.1

K8S-RBAC-002 No cluster-admin bindings for application workloads Critical SOC 2 CC6.3, ISO 27001 A.9.4.1

K8S-RBAC-003 Default ServiceAccount token automounting disabled Medium SOC 2 CC6.1

K8S-NET-001 Network Policies defined for all namespaces High SOC 2 CC6.6, ISO 27001 A.13.1.3, PCI-DSS 1.2

K8S-NET-002 Default deny network policy in place High SOC 2 CC6.6, PCI-DSS 1.2

K8S-POD-001 Pod Security Standards enforced (restricted profile) High SOC 2 CC6.6, ISO 27001 A.14.2.7

K8S-SEC-001 External Secrets Operator or Sealed Secrets for secret management High SOC 2 CC6.7, PCI-DSS 3.4

K8S-SEC-002 Etcd encrypted at rest High SOC 2 CC6.7, ISO 27001 A.10.1.1

K8S-ADM-001 Admission controllers configured (OPA Gatekeeper or Kyverno) High SOC 2 CC7.1, ISO 27001 A.14.2.7

K8S-ADM-002 Image pull policy set to Always for production Medium SOC 2 CC7.1

K8S-MESH-001 Service mesh deployed for mTLS between services (Istio, Linkerd) Medium SOC 2 CC6.7, ISO 27001 A.13.1.1

K8S-REG-001 Private container registry with authentication High SOC 2 CC6.6, ISO 27001 A.13.1.1

K8S-REG-002 Registry vulnerability scanning enabled Medium SOC 2 CC7.1

K8S-REG-003 Image retention policies configured Low SOC 2 CC6.7

  1. CI/CD Pipeline Security

Source Code Management

Check ID Control Severity Frameworks

CICD-SCM-001 Branch protection on main/production branches (required reviews) High SOC 2 CC7.1, ISO 27001 A.14.2.2, PCI-DSS 6.4.2, NIST CSF PR.IP-1

CICD-SCM-002 Minimum 2 approvals for production branch merges Medium SOC 2 CC7.1, ISO 27001 A.14.2.2, PCI-DSS 6.4.2

CICD-SCM-003 Status checks required before merge Medium SOC 2 CC7.1, ISO 27001 A.14.2.2

CICD-SCM-004 Signed commits enforced (GPG or SSH signing) Medium SOC 2 CC7.1, ISO 27001 A.14.2.2

CICD-SCM-005 Force push to protected branches prohibited High SOC 2 CC7.1, ISO 27001 A.14.2.2

CICD-SCM-006 Repository access follows least privilege High SOC 2 CC6.3, ISO 27001 A.9.4.1

CICD-SCM-007 Code owners configured for critical paths Medium SOC 2 CC7.1

Security Scanning

Check ID Control Severity Frameworks

CICD-SCAN-001 Secret scanning enabled in all repositories Critical SOC 2 CC6.7, ISO 27001 A.9.4.3, PCI-DSS 3.4

CICD-SCAN-002 Pre-commit hooks prevent secret commits (gitleaks, truffleHog) High SOC 2 CC6.7, PCI-DSS 3.4

CICD-SCAN-003 Dependency scanning automated (Dependabot, Snyk, Renovate) High SOC 2 CC7.1, ISO 27001 A.12.6.1, PCI-DSS 6.2, NIST CSF PR.IP-12

CICD-SCAN-004 SAST in CI pipeline (Semgrep, SonarQube, CodeQL) High SOC 2 CC7.1, ISO 27001 A.14.2.8, PCI-DSS 6.3.2, NIST CSF PR.IP-1

CICD-SCAN-005 DAST for staging/pre-production (OWASP ZAP, Burp Suite) Medium SOC 2 CC7.1, ISO 27001 A.14.2.8, PCI-DSS 6.6

CICD-SCAN-006 SCA (Software Composition Analysis) for license compliance Medium SOC 2 CC7.1, ISO 27001 A.18.1.2

CICD-SCAN-007 Container image scanning in CI pipeline High SOC 2 CC7.1, ISO 27001 A.12.6.1, PCI-DSS 6.2

CICD-SCAN-008 Infrastructure as Code scanning (tfsec, checkov, KICS) High SOC 2 CC7.1, ISO 27001 A.14.2.8

Supply Chain Security

Check ID Control Severity Frameworks

CICD-SC-001 SBOM generated for all releases (CycloneDX or SPDX format) High SOC 2 CC7.1, NIST CSF PR.IP-1, NIS2 Art.21

CICD-SC-002 Artifact signing for all builds (Sigstore/cosign) High SOC 2 CC7.1, NIST CSF PR.IP-1

CICD-SC-003 Dependency pinning (lock files committed, hash verification) Medium SOC 2 CC7.1, ISO 27001 A.14.2.7

CICD-SC-004 Third-party dependency review process Medium SOC 2 CC7.1, ISO 27001 A.15.1.1

CICD-SC-005 CI/CD pipeline hardened (no arbitrary code execution from PRs) High SOC 2 CC7.1, ISO 27001 A.14.2.7

Deployment Security

Check ID Control Severity Frameworks

CICD-DEP-001 Deployment approval gates for production High SOC 2 CC7.1, ISO 27001 A.14.2.2, PCI-DSS 6.4.5

CICD-DEP-002 Production deployments audited (who, what, when) High SOC 2 CC7.2, ISO 27001 A.12.4.1, PCI-DSS 10.2

CICD-DEP-003 Rollback capability tested and documented Medium SOC 2 A1.2, ISO 27001 A.14.2.2

CICD-DEP-004 Deployment credentials managed via secrets manager (not pipeline env vars) High SOC 2 CC6.7, PCI-DSS 3.4

CICD-DEP-005 CI/CD service accounts have minimum required permissions High SOC 2 CC6.3, ISO 27001 A.9.4.1

CICD-DEP-006 Immutable build artifacts (reproducible builds preferred) Medium SOC 2 CC7.1

  1. Secrets Management

Secrets Management Solutions

Check ID Control Severity Frameworks

SEC-MGR-001 Centralized secrets manager deployed (Vault, AWS SM, Azure KV, GCP SM) High SOC 2 CC6.7, ISO 27001 A.10.1.2, PCI-DSS 3.5, HIPAA 164.312(a)(2)(iv), NIST CSF PR.DS-1

SEC-MGR-002 Secrets manager has HA/DR configuration Medium SOC 2 A1.2, ISO 27001 A.17.1.1

SEC-MGR-003 Secrets access audited (who accessed what secret, when) High SOC 2 CC7.2, ISO 27001 A.12.4.1, PCI-DSS 10.2

SEC-MGR-004 Dynamic secrets used where possible (database credentials on demand) Medium SOC 2 CC6.7, ISO 27001 A.9.4.2

Secret Rotation

Check ID Control Severity Frameworks

SEC-ROT-001 Database credentials rotate every 90 days maximum High SOC 2 CC6.1, ISO 27001 A.9.2.4, PCI-DSS 8.2.4

SEC-ROT-002 API keys rotate every 90 days maximum High SOC 2 CC6.1, ISO 27001 A.9.2.4

SEC-ROT-003 Service account passwords rotate every 90 days maximum High SOC 2 CC6.1, ISO 27001 A.9.2.4, PCI-DSS 8.2.4

SEC-ROT-004 TLS private keys rotate annually at minimum Medium SOC 2 CC6.7, ISO 27001 A.10.1.2

SEC-ROT-005 Encryption keys rotate annually (auto-rotation preferred) Medium SOC 2 CC6.7, PCI-DSS 3.6.4

SEC-ROT-006 Rotation is automated (no manual credential changes) Medium SOC 2 CC6.1

Code and Repository Security

Check ID Control Severity Frameworks

SEC-CODE-001 No secrets in source code (scan entire git history) Critical SOC 2 CC6.7, ISO 27001 A.9.4.3, PCI-DSS 3.4

SEC-CODE-002 .env files in .gitignore

High SOC 2 CC6.7, PCI-DSS 3.4

SEC-CODE-003 Pre-commit hooks block secret commits (gitleaks) High SOC 2 CC6.7, PCI-DSS 3.4

SEC-CODE-004 GitHub/GitLab secret scanning alerts enabled and triaged High SOC 2 CC6.7, PCI-DSS 3.4

SEC-CODE-005 Historical leaked secrets rotated (not just removed from code) Critical SOC 2 CC6.7

SEC-CODE-006 Environment-specific secrets never shared between environments Medium SOC 2 CC6.7, PCI-DSS 3.4

Hardware Security Modules (HSM)

Check ID Control Severity Frameworks

SEC-HSM-001 HSM (CloudHSM, Azure Dedicated HSM) used for root CA keys High SOC 2 CC6.7, ISO 27001 A.10.1.2, PCI-DSS 3.5, FedRAMP SC-12

SEC-HSM-002 HSM used for payment processing keys Critical PCI-DSS 3.5

SEC-HSM-003 HSM firmware kept current Medium SOC 2 CC7.1, PCI-DSS 3.5

SEC-HSM-004 HSM access restricted to authorized personnel only High SOC 2 CC6.1, PCI-DSS 3.5

  1. Logging and Monitoring

Centralized Logging

Check ID Control Severity Frameworks

LOG-CEN-001 All systems forward logs to centralized platform (ELK, Splunk, Datadog) High SOC 2 CC7.2, ISO 27001 A.12.4.1, PCI-DSS 10.5.3, HIPAA 164.312(b), NIST CSF DE.CM-1, FedRAMP AU-6

LOG-CEN-002 Log collection covers: authentication, authorization, data access, system changes High SOC 2 CC7.2, ISO 27001 A.12.4.1, PCI-DSS 10.2

LOG-CEN-003 Logs include: timestamp, source, user, action, result, source IP High SOC 2 CC7.2, ISO 27001 A.12.4.1, PCI-DSS 10.3

LOG-CEN-004 Log shipping uses TLS encryption Medium SOC 2 CC6.7, PCI-DSS 10.5

LOG-CEN-005 Log source time synchronized via NTP (max 1 second drift) Medium SOC 2 CC7.2, PCI-DSS 10.4

SIEM

Check ID Control Severity Frameworks

LOG-SIEM-001 SIEM deployed with correlation rules High SOC 2 CC7.2, ISO 27001 A.12.4.1, PCI-DSS 10.6, NIST CSF DE.AE-2, NIS2 Art.21

LOG-SIEM-002 SIEM detection rules cover MITRE ATT&CK framework Medium NIST CSF DE.AE-2

LOG-SIEM-003 SIEM alerts have defined response procedures Medium SOC 2 CC7.3, ISO 27001 A.16.1.1, NIST CSF RS.RP-1

LOG-SIEM-004 SIEM tuned to reduce false positives (<10% false positive rate) Low SOC 2 CC7.2

Retention and Integrity

Check ID Control Severity Frameworks

LOG-RET-001 Log retention minimum 1 year (365 days) High SOC 2 CC7.2, ISO 27001 A.12.4.1, PCI-DSS 10.7, HIPAA 164.312(b)

LOG-RET-002 Logs immutable (write-once, no modification or deletion) High SOC 2 CC7.2, ISO 27001 A.12.4.3, PCI-DSS 10.5

LOG-RET-003 Log backup and disaster recovery tested Medium SOC 2 A1.2, ISO 27001 A.12.3.1

LOG-RET-004 PCI-DSS environments retain logs for minimum 1 year, 3 months immediately available High PCI-DSS 10.7

LOG-RET-005 HIPAA environments retain logs for minimum 6 years High HIPAA 164.530(j)(2)

Alerting and Detection

Check ID Control Severity Frameworks

LOG-ALERT-001 Alerts for: failed auth attempts (>5 in 5 min), privilege escalation, data exfiltration patterns High SOC 2 CC7.2, ISO 27001 A.12.4.1, PCI-DSS 10.6, NIST CSF DE.CM-1

LOG-ALERT-002 Alert escalation matrix documented (L1 -> L2 -> L3 -> management) Medium SOC 2 CC7.3, ISO 27001 A.16.1.1

LOG-ALERT-003 On-call rotation for security alerts (24/7 coverage) Medium SOC 2 CC7.3, ISO 27001 A.16.1.1

LOG-ALERT-004 Mean time to acknowledge (MTTA) < 15 minutes for critical alerts Medium SOC 2 CC7.3

LOG-ALERT-005 Anomaly detection enabled (UEBA — User and Entity Behavior Analytics) Medium SOC 2 CC7.2, NIST CSF DE.AE-1

LOG-ALERT-006 File integrity monitoring (FIM) deployed for critical files High SOC 2 CC7.2, ISO 27001 A.12.4.3, PCI-DSS 11.5

  1. Physical Security

Data Center Security

Check ID Control Severity Frameworks

PHYS-DC-001 Cloud provider SOC 2 Type II report obtained and reviewed annually High SOC 2 CC6.4, ISO 27001 A.11.1.1, PCI-DSS 9.1

PHYS-DC-002 Data center physical access restricted to authorized personnel High SOC 2 CC6.4, ISO 27001 A.11.1.2, PCI-DSS 9.1

PHYS-DC-003 24/7 video surveillance at data center Medium SOC 2 CC6.4, ISO 27001 A.11.1.2, PCI-DSS 9.1

PHYS-DC-004 Visitor access logged and escorted Medium SOC 2 CC6.4, ISO 27001 A.11.1.2, PCI-DSS 9.4

PHYS-DC-005 Environmental controls (fire suppression, HVAC, UPS) Medium SOC 2 A1.2, ISO 27001 A.11.1.4, PCI-DSS 9.1

Office Security

Check ID Control Severity Frameworks

PHYS-OFF-001 Badge access for office entry Medium SOC 2 CC6.4, ISO 27001 A.11.1.2

PHYS-OFF-002 Visitor management system (sign-in, badge, escort) Low SOC 2 CC6.4, ISO 27001 A.11.1.2

PHYS-OFF-003 Clean desk policy documented and enforced Low SOC 2 CC6.4, ISO 27001 A.11.2.9

PHYS-OFF-004 Server/network rooms locked with restricted access Medium SOC 2 CC6.4, ISO 27001 A.11.1.2, PCI-DSS 9.1

Media Disposal

Check ID Control Severity Frameworks

PHYS-DISP-001 Media disposal follows NIST 800-88 guidelines (clear, purge, destroy) High SOC 2 CC6.5, ISO 27001 A.8.3.2, PCI-DSS 9.8, HIPAA 164.310(d)(2)(i), NIST CSF PR.IP-6

PHYS-DISP-002 Certificate of destruction obtained for physical media High SOC 2 CC6.5, ISO 27001 A.8.3.2, PCI-DSS 9.8

PHYS-DISP-003 Disposal vendor contracted with background checks Medium SOC 2 CC6.5, ISO 27001 A.8.3.2

PHYS-DISP-004 Electronic media cryptographically erased before disposal High SOC 2 CC6.5, PCI-DSS 9.8, HIPAA 164.310(d)(2)(i)

  1. Compliance Framework Mapping

Each control in this audit maps to one or more compliance frameworks. The mapping enables organizations pursuing multiple certifications to satisfy overlapping requirements with single implementations.

Supported Frameworks:

Framework Abbreviation Focus Area

SOC 2 Type II SOC 2 Trust Services Criteria (Security, Availability, Processing Integrity, Confidentiality, Privacy)

ISO 27001:2022 ISO 27001 Information Security Management System (Annex A controls)

HIPAA HIPAA Healthcare data protection (Security Rule, Privacy Rule)

GDPR GDPR EU data protection and privacy

PCI-DSS v4.0 PCI-DSS Payment card data security

NIS2 Directive NIS2 EU network and information security (critical infrastructure)

DORA DORA EU Digital Operational Resilience Act (financial services)

NIST CSF 2.0 NIST CSF Cybersecurity Framework (Identify, Protect, Detect, Respond, Recover)

FedRAMP FedRAMP US federal cloud security (based on NIST 800-53)

CCPA/CPRA CCPA California consumer privacy

Framework Coverage Summary:

Audit Domain SOC 2 ISO 27001 HIPAA GDPR PCI-DSS NIS2 DORA NIST CSF FedRAMP CCPA

Cloud Infrastructure CC6.1-CC6.7 A.9, A.10, A.12, A.13 164.312 Art.32 1-4, 7-8, 10 Art.21 Art.9 PR.AC, PR.DS, DE.CM AC, SC, AU 1798.150

DNS Security CC6.6 A.13.1, A.13.2

Art.21

PR.AC, PR.DS

TLS/SSL CC6.7 A.10.1, A.13.1 164.312(e) Art.32 4.1 Art.21 Art.9 PR.DS-2 SC-8, SC-13

Endpoint Security CC6.7-CC6.8 A.6.2, A.8.3, A.10.1, A.11.2, A.12.2, A.12.6 164.310, 164.312 Art.32 1.4, 3.4, 5.1-5.4, 6.2 Art.21 Art.9 PR.AC, PR.DS, PR.IP, DE.CM

Access Control CC6.1-CC6.3 A.9.1-A.9.4 164.312(a)(d) Art.32 7.1-8.3 Art.21 Art.9 PR.AC AC, IA 1798.150

Network Security CC6.6, A1.2 A.13.1 164.312(e) Art.32 1.1-1.3, 6.6, 11.4 Art.21 Art.9 PR.AC-5, DE.CM-1 SC, SI

Container/K8s CC6.1-CC7.1 A.9.4, A.13.1, A.14.2

1.2, 2.1, 6.2, 7.1 Art.21

PR.AC, PR.IP

CI/CD Pipeline CC7.1-CC7.2 A.14.2

6.2-6.6 Art.21 Art.9 PR.IP-1, PR.IP-12 SA, SI

Secrets Management CC6.7 A.9.4, A.10.1 164.312(a) Art.32 3.4-3.6, 8.2 Art.21 Art.9 PR.DS-1 SC-12, SC-28

Logging/Monitoring CC7.2-CC7.3 A.12.4 164.312(b) Art.32 10.1-10.7, 11.5 Art.21 Art.9 DE.AE, DE.CM AU

Physical Security CC6.4-CC6.5 A.8.3, A.11.1, A.11.2 164.310 Art.32 9.1-9.8 Art.21

PR.IP-6 PE

Multi-Framework Evidence Strategy:

For each control, collect evidence once and map to all applicable frameworks:

  • Policy Document — Covers SOC 2, ISO 27001, HIPAA, GDPR (one policy, multiple mappings)

  • Technical Configuration — Screenshot/export showing control is active (maps to all technical frameworks)

  • Audit Log — Proves ongoing compliance (SOC 2, PCI-DSS, HIPAA all require audit trails)

  • Review Record — Quarterly review minutes satisfy multiple framework requirements simultaneously

Workflows

Workflow 1: Full Infrastructure Audit

  1. Prepare inventory → Document all cloud accounts, domains, endpoints, services
  2. Run infra_audit_runner.py → Generate findings across all 11 domains
  3. Triage findings → Prioritize Critical > High > Medium > Low
  4. Map to frameworks → Identify which framework requirements are met/unmet
  5. Create remediation plan → Assign owners, set deadlines by severity SLA
  6. Execute remediation → Fix Critical within 24h, High within 72h
  7. Re-audit → Verify fixes, update compliance evidence
  8. Generate report → Executive summary + detailed findings + evidence

Severity SLAs:

Severity Remediation Deadline Re-audit Deadline

Critical 24 hours 48 hours

High 72 hours 7 days

Medium 7 days 14 days

Low 30 days 45 days

Info No deadline Next audit cycle

Workflow 2: DNS Security Assessment

  1. Enumerate domains → Primary + all subdomains
  2. Run dns_security_checker.py → Check SPF, DKIM, DMARC, DNSSEC, CAA, MTA-STS
  3. Validate email chain → SPF → DKIM → DMARC alignment
  4. Check domain security → Registrar lock, 2FA, WHOIS, expiration
  5. Subdomain audit → Check for dangling CNAME records (takeover risk)
  6. Generate DNS report → Findings + remediation DNS records

Workflow 3: Access Control Review

  1. Export IdP configuration → Users, groups, roles, policies
  2. Run access_control_auditor.py → Check MFA, SSO, RBAC, PAM, service accounts
  3. Verify MFA coverage → Must be 100%, flag any exceptions
  4. Review privileged access → Who has admin? Is JIT in place?
  5. Check service accounts → Rotation, ownership, permissions
  6. Access recertification → Verify all access is current and justified
  7. Generate access report → Gaps + remediation steps

Workflow 4: Continuous Compliance Monitoring

  1. Schedule automated scans → Weekly infra audit, daily DNS check
  2. Track compliance score trends → Score per domain over time
  3. Alert on regressions → Score drop or new Critical finding triggers alert
  4. Quarterly full audit → Manual review + automated scan
  5. Annual certification preparation → Compile evidence for auditors

Reference Guides

Guide Location Coverage

Cloud Security Baseline references/cloud-security-baseline.md

AWS, Azure, GCP CIS Benchmarks

Access Control Standards references/access-control-standards.md

MFA, SSO, PAM, Zero Trust, YubiKey

Compliance Framework Mapping references/compliance-framework-mapping.md

Control-to-framework master mapping

Validation Checkpoints

Pre-Audit Validation

  • Infrastructure inventory is complete and current

  • All cloud accounts identified and accessible

  • Domain list verified (primary + all active subdomains)

  • Endpoint MDM reports available

  • IdP configuration export available

  • Previous audit findings reviewed

Post-Audit Validation

  • All 11 domains audited with no skipped checks

  • Every finding has severity, framework mapping, and remediation

  • Critical and High findings have assigned owners

  • Compliance score calculated per domain and overall

  • Executive summary prepared

  • Evidence package compiled for applicable frameworks

  • Remediation deadlines set per severity SLA

Scoring Methodology

Each audit domain is scored 0-100 based on the controls assessed:

Score Calculation:

Domain Score = (Passed Controls * Weight) / (Total Controls * Weight) * 100

Weights by severity: Critical = 10 High = 5 Medium = 2 Low = 1 Info = 0 (informational, not scored)

Overall Score:

Overall Score = Weighted Average of Domain Scores

Domain Weights: Cloud Infrastructure: 15% Access Control: 15% Network Security: 12% Secrets Management: 10% Logging/Monitoring: 10% CI/CD Pipeline: 8% Container/K8s: 8% Endpoint Security: 7% TLS/SSL: 5% DNS Security: 5% Physical Security: 5%

Score Interpretation:

Score Range Rating Meaning

90-100 Excellent Audit-ready, minimal findings

80-89 Good Minor gaps, mostly compliant

70-79 Fair Notable gaps, remediation needed before audit

60-69 Poor Significant compliance gaps

Below 60 Critical Major overhaul required, not audit-ready

Last Updated: March 2026 Version: 1.0.0 Total Controls: 250+ across 11 audit domains Frameworks Covered: SOC 2, ISO 27001, HIPAA, GDPR, PCI-DSS, NIS2, DORA, NIST CSF, FedRAMP, CCPA

Source Transparency

This detail page is rendered from real SKILL.md content. Trust labels are metadata-based hints, not a safety guarantee.

Open in GitHubOpen in ClawHub

Related Skills

Related by shared tags or category signals.

Security

senior-security

No summary provided by upstream source.

Repository SourceNeeds Review
73-borghei
Security

information-security-manager-iso27001

No summary provided by upstream source.

Repository SourceNeeds Review
46-borghei
Security

isms-audit-expert

No summary provided by upstream source.

Repository SourceNeeds Review
45-borghei
Security

qms-audit-expert

No summary provided by upstream source.

Repository SourceNeeds Review
44-borghei