d-bis/dbis_core
4
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
main
dbis_core/docs/security/SECURITY_CONTROL_MATRIX.md

401 lines
18 KiB
Markdown
Raw Permalink Normal View History

chore: sync submodule state (parent ref update) Made-with: Cursor
2026-03-02 12:14:07 -08:00
# Security Control Matrix
**Version**: 1.0.0
**Last Updated**: 2025-01-20
**Status**: Active Documentation
## Overview
This document provides a unified security control matrix covering all security domains identified in the threat model:
- Key Management
- PII Protection
- Money Movement
- Infrastructure Security
Each control is mapped to compliance standards (PCI-DSS, SOC 2, ISO 27001) and includes implementation status and responsible components.
---
## Control Matrix
### Key Management Controls
| Control ID | Control Name | Category | Implementation Status | Responsible Service/Component | Compliance Mapping | Test Coverage |
|------------|--------------|----------|----------------------|------------------------------|-------------------|---------------|
| KM-001 | Private Key Storage (HSM) | Keys | ✅ Implemented | HSM/KMS Integration | PCI-DSS 3.5.1, ISO 27001 A.10.1.2 | ✅ Unit Tests |
| KM-002 | Key Rotation Procedures | Keys | ✅ Implemented | Key Management Service | PCI-DSS 3.5.2, ISO 27001 A.10.1.2 | ✅ Integration Tests |
| KM-003 | Key Access Controls | Keys | ✅ Implemented | Access Control Service | PCI-DSS 7.2.1, SOC 2 CC6.1 | ✅ Unit Tests |
| KM-004 | Key Backup and Recovery | Keys | ⚠️ Partial | Backup Service | PCI-DSS 3.5.3, ISO 27001 A.12.3.1 | ⚠️ Manual Testing |
| KM-005 | Key Lifecycle Management | Keys | ✅ Implemented | Key Management Service | ISO 27001 A.10.1.2 | ✅ Unit Tests |
| KM-006 | Multi-Signature Requirements | Keys | ✅ Implemented | Signature Service | SOC 2 CC6.2 | ✅ Unit Tests |
| KM-007 | Key Usage Audit Logging | Keys | ✅ Implemented | Audit Log Service | PCI-DSS 10.2.1, ISO 27001 A.12.4.1 | ✅ Unit Tests |
| KM-008 | Key Escrow Procedures | Keys | ❌ Not Implemented | Key Management Service | ISO 27001 A.10.1.2 | ❌ N/A |
| KM-009 | Cryptographic Module Validation | Keys | ⚠️ Partial | HSM Integration | FIPS 140-2, ISO 27001 A.10.1.2 | ⚠️ Vendor Validation |
| KM-010 | Key Destruction Procedures | Keys | ⚠️ Partial | Key Management Service | PCI-DSS 3.5.4, ISO 27001 A.10.1.2 | ⚠️ Manual Testing |
**Implementation Notes**:
- KM-001: HSM integration configured via `explorer-monorepo/docs/specs/security/security-architecture.md`
- KM-002: Key rotation schedule documented in key management policies
- KM-003: Role-based access control enforced via `DEFAULT_ADMIN_ROLE`, `ACCOUNT_MANAGER_ROLE`, etc.
- KM-004: Backup procedures documented but automated recovery not fully implemented
- KM-008: Key escrow not implemented (may be required for regulatory compliance in some jurisdictions)
---
### PII Protection Controls
| Control ID | Control Name | Category | Implementation Status | Responsible Service/Component | Compliance Mapping | Test Coverage |
|------------|--------------|----------|----------------------|------------------------------|-------------------|---------------|
| PII-001 | Data Encryption at Rest | PII | ✅ Implemented | Database Encryption | PCI-DSS 3.4, ISO 27001 A.10.1.1 | ✅ Integration Tests |
| PII-002 | Data Encryption in Transit | PII | ✅ Implemented | TLS/HTTPS | PCI-DSS 4.1, ISO 27001 A.13.1.1 | ✅ Unit Tests |
| PII-003 | Data Access Controls | PII | ✅ Implemented | Access Control Service | PCI-DSS 7.2.1, GDPR Article 32 | ✅ Unit Tests |
| PII-004 | Data Retention Policies | PII | ⚠️ Partial | Data Management Service | GDPR Article 5(1)(e), CCPA | ⚠️ Policy Documented |
| PII-005 | Right to Deletion | PII | ⚠️ Partial | Data Management Service | GDPR Article 17, CCPA | ⚠️ Manual Process |
| PII-006 | Tokenization Strategies | PII | ✅ Implemented | Tokenization Service | PCI-DSS 3.4, GDPR Article 32 | ✅ Unit Tests |
| PII-007 | PII Data Segregation | PII | ✅ Implemented | Database Architecture | GDPR Article 32 | ✅ Architecture Review |
| PII-008 | Data Minimization | PII | ✅ Implemented | Application Logic | GDPR Article 5(1)(c) | ✅ Code Review |
| PII-009 | Purpose Limitation | PII | ✅ Implemented | Application Logic | GDPR Article 5(1)(b) | ✅ Code Review |
| PII-010 | Data Subject Rights (Access) | PII | ⚠️ Partial | User Service | GDPR Article 15 | ⚠️ API Endpoint Exists |
| PII-011 | Data Subject Rights (Rectification) | PII | ⚠️ Partial | User Service | GDPR Article 16 | ⚠️ API Endpoint Exists |
| PII-012 | Data Breach Notification Procedures | PII | ⚠️ Partial | Incident Response | GDPR Article 33, CCPA | ⚠️ Process Documented |
| PII-013 | Privacy Impact Assessments | PII | ❌ Not Implemented | Compliance Team | GDPR Article 35 | ❌ N/A |
| PII-014 | Data Processing Records | PII | ⚠️ Partial | Audit Log Service | GDPR Article 30 | ⚠️ Partial Logging |
| PII-015 | Regional Data Residency | PII | ✅ Implemented | Database Architecture | GDPR Article 25, CCPA | ✅ Architecture Review |
**Implementation Notes**:
- PII-001: Database encryption configured via Prisma schema and database settings
- PII-003: Access controls implemented via `explorer-monorepo/docs/specs/security/privacy-controls.md`
- PII-006: Tokenization used in `AccountWalletRegistry` contract (hashed references)
- PII-007: Separate databases for public blockchain data vs. private PII data
- PII-015: Regional database routing configured for EU/US data residency
---
### Money Movement Controls
| Control ID | Control Name | Category | Implementation Status | Responsible Service/Component | Compliance Mapping | Test Coverage |
|------------|--------------|----------|----------------------|------------------------------|-------------------|---------------|
| MM-001 | Transaction Authorization | Money | ✅ Implemented | Authorization Service | PCI-DSS 8.3, SOC 2 CC6.1 | ✅ Unit Tests |
| MM-002 | Multi-Signature Requirements | Money | ✅ Implemented | Signature Service | SOC 2 CC6.2 | ✅ Unit Tests |
| MM-003 | Velocity Limits | Money | ✅ Implemented | Risk Engine | PCI-DSS 12.10.2 | ✅ Unit Tests |
| MM-004 | Amount Limits | Money | ✅ Implemented | Policy Manager | PCI-DSS 12.10.2 | ✅ Unit Tests |
| MM-005 | Sanctions Screening | Money | ✅ Implemented | Compliance Registry | OFAC, EU Sanctions | ✅ Integration Tests |
| MM-006 | AML Checks | Money | ✅ Implemented | AML Service | AML/CFT Regulations | ✅ Integration Tests |
| MM-007 | Transaction Monitoring | Money | ✅ Implemented | Monitoring Service | PCI-DSS 12.10.3 | ✅ Integration Tests |
| MM-008 | Suspicious Activity Reporting | Money | ⚠️ Partial | Reporting Service | AML/CFT Regulations | ⚠️ Manual Process |
| MM-009 | Transaction Reversibility Controls | Money | ✅ Implemented | Settlement Orchestrator | PCI-DSS 12.10.4 | ✅ Unit Tests |
| MM-010 | Escrow/Lock Mechanisms | Money | ✅ Implemented | Escrow Vault | SOC 2 CC6.2 | ✅ Unit Tests |
| MM-011 | Fraud Detection | Money | ⚠️ Partial | Risk Engine | PCI-DSS 12.10.5 | ⚠️ Basic Rules |
| MM-012 | Transaction Audit Trail | Money | ✅ Implemented | Audit Log Service | PCI-DSS 10.2.1, ISO 27001 A.12.4.1 | ✅ Unit Tests |
| MM-013 | Real-Time Risk Controls | Money | ✅ Implemented | M-RTGS Risk Monitor | SOC 2 CC6.1 | ✅ Unit Tests |
| MM-014 | Settlement Finality Verification | Money | ✅ Implemented | Settlement Service | ISO 27001 A.12.4.1 | ✅ Integration Tests |
| MM-015 | Transaction Limits per Account Type | Money | ✅ Implemented | Policy Manager | PCI-DSS 12.10.2 | ✅ Unit Tests |
**Implementation Notes**:
- MM-001: Authorization implemented in `SettlementOrchestrator` contract with role-based access
- MM-003: Velocity limits implemented in `mrtgs-risk-monitor.service.ts`
- MM-005: Sanctions screening via `complianceRegistry` and `sanctions-lists` table
- MM-006: AML checks via `aml.service.ts` and risk scoring
- MM-010: Escrow mechanisms via `RailEscrowVault` contract and lien system
- MM-013: Real-time risk controls via `mrtgs-risk-monitor.service.ts` (FX slip, velocity, liquidity)
---
### Infrastructure Security Controls
| Control ID | Control Name | Category | Implementation Status | Responsible Service/Component | Compliance Mapping | Test Coverage |
|------------|--------------|----------|----------------------|------------------------------|-------------------|---------------|
| INF-001 | Network Segmentation | Infra | ✅ Implemented | Network Configuration | PCI-DSS 1.3, ISO 27001 A.13.1.3 | ✅ Architecture Review |
| INF-002 | Firewall Rules | Infra | ✅ Implemented | Firewall Service | PCI-DSS 1.2, ISO 27001 A.13.1.1 | ✅ Configuration Review |
| INF-003 | Intrusion Detection | Infra | ⚠️ Partial | Security Monitoring | PCI-DSS 11.4, ISO 27001 A.12.4.1 | ⚠️ Basic Monitoring |
| INF-004 | Logging and Monitoring | Infra | ✅ Implemented | Logging Service | PCI-DSS 10.2.1, ISO 27001 A.12.4.1 | ✅ Integration Tests |
| INF-005 | Incident Response | Infra | ⚠️ Partial | Incident Response Team | PCI-DSS 12.10.1, ISO 27001 A.16.1.1 | ⚠️ Process Documented |
| INF-006 | Vulnerability Management | Infra | ✅ Implemented | Security Scanning | PCI-DSS 11.2, ISO 27001 A.12.6.1 | ✅ Automated Scanning |
| INF-007 | Patch Management | Infra | ✅ Implemented | Operations Team | PCI-DSS 6.2, ISO 27001 A.12.6.1 | ⚠️ Manual Process |
| INF-008 | Access Control (Infrastructure) | Infra | ✅ Implemented | Access Control Service | PCI-DSS 7.2.1, ISO 27001 A.9.2.1 | ✅ Unit Tests |
| INF-009 | Backup and Recovery | Infra | ✅ Implemented | Backup Service | PCI-DSS 12.3.1, ISO 27001 A.12.3.1 | ✅ Integration Tests |
| INF-010 | Disaster Recovery | Infra | ⚠️ Partial | DR Team | PCI-DSS 12.3.2, ISO 27001 A.12.3.2 | ⚠️ Plan Documented |
| INF-011 | Secure Configuration | Infra | ✅ Implemented | Configuration Management | PCI-DSS 2.2, ISO 27001 A.12.2.1 | ✅ Configuration Review |
| INF-012 | Secure Development Lifecycle | Infra | ✅ Implemented | Development Process | PCI-DSS 6.5, ISO 27001 A.14.2.1 | ✅ Code Review |
| INF-013 | Third-Party Risk Management | Infra | ⚠️ Partial | Procurement/Compliance | PCI-DSS 12.8, ISO 27001 A.15.1.1 | ⚠️ Vendor Assessment |
| INF-014 | Physical Security | Infra | ⚠️ Partial | Infrastructure Provider | ISO 27001 A.11.1.1 | ⚠️ Provider SLA |
| INF-015 | DDoS Protection | Infra | ✅ Implemented | Network Security | PCI-DSS 1.3, ISO 27001 A.13.1.3 | ✅ Network Testing |
**Implementation Notes**:
- INF-001: Network segmentation via DMZ, internal network, data layer, blockchain network
- INF-002: Firewall rules configured per `dbis_core/docs/security/IRU_SECURITY_HARDENING.md`
- INF-004: Logging implemented via structured logging and audit log service
- INF-006: Vulnerability scanning via dependency scanning tools (Snyk, Trivy)
- INF-011: Secure configuration via environment variables and secrets management
- INF-012: Secure development via code review, security scanning, and testing
---
## Control Status Summary
### By Category
| Category | Total Controls | Implemented | Partial | Not Implemented |
|----------|---------------|-------------|---------|-----------------|
| Key Management | 10 | 6 | 3 | 1 |
| PII Protection | 15 | 9 | 5 | 1 |
| Money Movement | 15 | 12 | 3 | 0 |
| Infrastructure | 15 | 10 | 5 | 0 |
| **Total** | **55** | **37** | **16** | **2** |
### By Compliance Standard
#### PCI-DSS
- **Implemented**: 32 controls
- **Partial**: 8 controls
- **Not Implemented**: 2 controls
#### SOC 2
- **Implemented**: 15 controls
- **Partial**: 5 controls
- **Not Implemented**: 0 controls
#### ISO 27001
- **Implemented**: 35 controls
- **Partial**: 12 controls
- **Not Implemented**: 2 controls
#### GDPR
- **Implemented**: 10 controls
- **Partial**: 6 controls
- **Not Implemented**: 1 control
---
## Implementation Priorities
### High Priority (Complete Immediately)
1. **PII-005**: Right to Deletion - Automate GDPR Article 17 compliance
2. **MM-008**: Suspicious Activity Reporting - Automate AML reporting
3. **INF-005**: Incident Response - Complete automated incident response procedures
4. **KM-008**: Key Escrow Procedures - Implement if required by regulation
### Medium Priority (Complete Within 90 Days)
1. **KM-004**: Key Backup and Recovery - Complete automated recovery procedures
2. **KM-010**: Key Destruction Procedures - Automate secure key destruction
3. **PII-012**: Data Breach Notification - Automate breach notification workflows
4. **INF-010**: Disaster Recovery - Complete DR testing and automation
5. **PII-013**: Privacy Impact Assessments - Establish PIA process
### Low Priority (Complete Within 180 Days)
1. **INF-013**: Third-Party Risk Management - Enhance vendor assessment process
2. **INF-003**: Intrusion Detection - Enhance IDS capabilities
---
## Testing Requirements
### Test Coverage Summary
- **Unit Tests**: 40 controls (73%)
- **Integration Tests**: 25 controls (45%)
- **Manual Testing**: 5 controls (9%)
- **Architecture Review**: 3 controls (5%)
- **Configuration Review**: 2 controls (4%)
### Test Gaps
1. Automated testing for manual processes (PII-005, MM-008, INF-005)
2. Integration testing for cross-service controls
3. Penetration testing for infrastructure controls
4. Compliance testing for regulatory controls
---
## Compliance Mapping Details
### PCI-DSS Controls
**Requirement 3: Protect Stored Cardholder Data**
- KM-001: Key Storage (HSM)
- PII-001: Data Encryption at Rest
- PII-006: Tokenization
**Requirement 4: Encrypt Transmission of Cardholder Data**
- PII-002: Data Encryption in Transit
**Requirement 7: Restrict Access to Cardholder Data**
- KM-003: Key Access Controls
- PII-003: Data Access Controls
- INF-008: Infrastructure Access Control
**Requirement 10: Track and Monitor All Access**
- KM-007: Key Usage Audit Logging
- MM-012: Transaction Audit Trail
- INF-004: Logging and Monitoring
**Requirement 12: Maintain an Information Security Policy**
- MM-003: Velocity Limits
- MM-004: Amount Limits
- INF-005: Incident Response
### SOC 2 Controls
**CC6.1: Logical and Physical Access Controls**
- KM-003: Key Access Controls
- PII-003: Data Access Controls
- MM-001: Transaction Authorization
**CC6.2: System Operations**
- KM-006: Multi-Signature Requirements
- MM-002: Multi-Signature Requirements
- MM-010: Escrow/Lock Mechanisms
**CC7.1: System Monitoring**
- INF-004: Logging and Monitoring
- MM-007: Transaction Monitoring
### ISO 27001 Controls
**A.9: Access Control**
- KM-003: Key Access Controls
- PII-003: Data Access Controls
- INF-008: Infrastructure Access Control
**A.10: Cryptography**
- KM-001: Private Key Storage (HSM)
- KM-002: Key Rotation Procedures
- KM-005: Key Lifecycle Management
**A.12: Operations Security**
- INF-004: Logging and Monitoring
- INF-006: Vulnerability Management
- INF-007: Patch Management
**A.13: Communications Security**
- PII-002: Data Encryption in Transit
- INF-001: Network Segmentation
- INF-002: Firewall Rules
### GDPR Controls
**Article 5: Principles Relating to Processing**
- PII-008: Data Minimization
- PII-009: Purpose Limitation
**Article 15: Right of Access**
- PII-010: Data Subject Rights (Access)
**Article 16: Right to Rectification**
- PII-011: Data Subject Rights (Rectification)
**Article 17: Right to Erasure**
- PII-005: Right to Deletion
**Article 25: Data Protection by Design**
- PII-015: Regional Data Residency
- PII-007: PII Data Segregation
**Article 32: Security of Processing**
- PII-001: Data Encryption at Rest
- PII-002: Data Encryption in Transit
- PII-003: Data Access Controls
**Article 33: Notification of a Personal Data Breach**
- PII-012: Data Breach Notification Procedures
**Article 35: Data Protection Impact Assessment**
- PII-013: Privacy Impact Assessments
---
## Responsible Components
### Services
- **Key Management Service**: KM-001 through KM-010
- **Access Control Service**: KM-003, PII-003, INF-008
- **Audit Log Service**: KM-007, MM-012, INF-004
- **Compliance Registry**: MM-005 (Sanctions Screening)
- **AML Service**: MM-006 (AML Checks)
- **Risk Engine**: MM-003 (Velocity Limits), MM-011 (Fraud Detection)
- **Policy Manager**: MM-004 (Amount Limits), MM-015 (Account Type Limits)
- **Settlement Orchestrator**: MM-001 (Transaction Authorization), MM-009 (Reversibility)
- **Escrow Vault**: MM-010 (Escrow/Lock Mechanisms)
- **Data Management Service**: PII-004 (Retention), PII-005 (Deletion)
- **Tokenization Service**: PII-006 (Tokenization)
### Contracts
- **AccountWalletRegistry**: PII-006 (Tokenization via hashed references)
- **SettlementOrchestrator**: MM-001 (Authorization), MM-009 (Settlement)
- **RailEscrowVault**: MM-010 (Escrow)
- **ComplianceRegistry**: MM-005 (Sanctions Screening)
- **PolicyManager**: MM-004 (Amount Limits)
---
## Monitoring and Alerting
### Control Violations
Controls that trigger alerts on violation:
- KM-003: Unauthorized key access
- MM-003: Velocity limit exceeded
- MM-004: Amount limit exceeded
- MM-005: Sanctions match detected
- PII-003: Unauthorized PII access
- INF-002: Firewall rule violation
### Audit Logging
All controls must generate audit logs for:
- Access attempts (successful and failed)
- Configuration changes
- Policy violations
- Security events
---
## Review and Update Process
This control matrix should be reviewed and updated:
- **Quarterly**: Review implementation status
- **Annually**: Full compliance mapping review
- **On Demand**: When new threats or regulations are identified
- **After Incidents**: Review and update based on lessons learned
---
## References
- Threat Model: `explorer-monorepo/docs/specs/security/security-architecture.md`
- Privacy Controls: `explorer-monorepo/docs/specs/security/privacy-controls.md`
- Security Hardening: `dbis_core/docs/security/IRU_SECURITY_HARDENING.md`
- Access Control (Bridge): `smom-dbis-138/docs/bridge/trustless/ACCESS_CONTROL.md`
- Compliance Documentation: `smom-dbis-138/docs/security/SECURITY_COMPLIANCE.md`
---
## Appendices
### Appendix A: Control Testing Procedures
See individual service test files:
- Key Management: `dbis_core/src/core/security/key-management/*.test.ts`
- Access Control: `dbis_core/src/core/security/access-control/*.test.ts`
- Compliance: `dbis_core/src/core/compliance/*.test.ts`
- Settlement: `dbis_core/src/core/settlement/*.test.ts`
### Appendix B: Compliance Standard References
- **PCI-DSS**: Payment Card Industry Data Security Standard v4.0
- **SOC 2**: Service Organization Control 2, Type II
- **ISO 27001**: ISO/IEC 27001:2022 Information Security Management
- **GDPR**: General Data Protection Regulation (EU) 2016/679
- **CCPA**: California Consumer Privacy Act
### Appendix C: Change Log
| Date | Version | Changes |
|------|---------|---------|
| 2025-01-20 | 1.0.0 | Initial unified control matrix created |
Reference in New Issue Copy Permalink