# Security Control Matrix **Version**: 1.0.0 **Last Updated**: 2025-01-20 **Status**: Active Documentation ## Overview This document provides a unified security control matrix covering all security domains identified in the threat model: - Key Management - PII Protection - Money Movement - Infrastructure Security Each control is mapped to compliance standards (PCI-DSS, SOC 2, ISO 27001) and includes implementation status and responsible components. --- ## Control Matrix ### Key Management Controls | Control ID | Control Name | Category | Implementation Status | Responsible Service/Component | Compliance Mapping | Test Coverage | |------------|--------------|----------|----------------------|------------------------------|-------------------|---------------| | KM-001 | Private Key Storage (HSM) | Keys | ✅ Implemented | HSM/KMS Integration | PCI-DSS 3.5.1, ISO 27001 A.10.1.2 | ✅ Unit Tests | | KM-002 | Key Rotation Procedures | Keys | ✅ Implemented | Key Management Service | PCI-DSS 3.5.2, ISO 27001 A.10.1.2 | ✅ Integration Tests | | KM-003 | Key Access Controls | Keys | ✅ Implemented | Access Control Service | PCI-DSS 7.2.1, SOC 2 CC6.1 | ✅ Unit Tests | | KM-004 | Key Backup and Recovery | Keys | ⚠️ Partial | Backup Service | PCI-DSS 3.5.3, ISO 27001 A.12.3.1 | ⚠️ Manual Testing | | KM-005 | Key Lifecycle Management | Keys | ✅ Implemented | Key Management Service | ISO 27001 A.10.1.2 | ✅ Unit Tests | | KM-006 | Multi-Signature Requirements | Keys | ✅ Implemented | Signature Service | SOC 2 CC6.2 | ✅ Unit Tests | | KM-007 | Key Usage Audit Logging | Keys | ✅ Implemented | Audit Log Service | PCI-DSS 10.2.1, ISO 27001 A.12.4.1 | ✅ Unit Tests | | KM-008 | Key Escrow Procedures | Keys | ❌ Not Implemented | Key Management Service | ISO 27001 A.10.1.2 | ❌ N/A | | KM-009 | Cryptographic Module Validation | Keys | ⚠️ Partial | HSM Integration | FIPS 140-2, ISO 27001 A.10.1.2 | ⚠️ Vendor Validation | | KM-010 | Key Destruction Procedures | Keys | ⚠️ Partial | Key Management Service | PCI-DSS 3.5.4, ISO 27001 A.10.1.2 | ⚠️ Manual Testing | **Implementation Notes**: - KM-001: HSM integration configured via `explorer-monorepo/docs/specs/security/security-architecture.md` - KM-002: Key rotation schedule documented in key management policies - KM-003: Role-based access control enforced via `DEFAULT_ADMIN_ROLE`, `ACCOUNT_MANAGER_ROLE`, etc. - KM-004: Backup procedures documented but automated recovery not fully implemented - KM-008: Key escrow not implemented (may be required for regulatory compliance in some jurisdictions) --- ### PII Protection Controls | Control ID | Control Name | Category | Implementation Status | Responsible Service/Component | Compliance Mapping | Test Coverage | |------------|--------------|----------|----------------------|------------------------------|-------------------|---------------| | PII-001 | Data Encryption at Rest | PII | ✅ Implemented | Database Encryption | PCI-DSS 3.4, ISO 27001 A.10.1.1 | ✅ Integration Tests | | PII-002 | Data Encryption in Transit | PII | ✅ Implemented | TLS/HTTPS | PCI-DSS 4.1, ISO 27001 A.13.1.1 | ✅ Unit Tests | | PII-003 | Data Access Controls | PII | ✅ Implemented | Access Control Service | PCI-DSS 7.2.1, GDPR Article 32 | ✅ Unit Tests | | PII-004 | Data Retention Policies | PII | ⚠️ Partial | Data Management Service | GDPR Article 5(1)(e), CCPA | ⚠️ Policy Documented | | PII-005 | Right to Deletion | PII | ⚠️ Partial | Data Management Service | GDPR Article 17, CCPA | ⚠️ Manual Process | | PII-006 | Tokenization Strategies | PII | ✅ Implemented | Tokenization Service | PCI-DSS 3.4, GDPR Article 32 | ✅ Unit Tests | | PII-007 | PII Data Segregation | PII | ✅ Implemented | Database Architecture | GDPR Article 32 | ✅ Architecture Review | | PII-008 | Data Minimization | PII | ✅ Implemented | Application Logic | GDPR Article 5(1)(c) | ✅ Code Review | | PII-009 | Purpose Limitation | PII | ✅ Implemented | Application Logic | GDPR Article 5(1)(b) | ✅ Code Review | | PII-010 | Data Subject Rights (Access) | PII | ⚠️ Partial | User Service | GDPR Article 15 | ⚠️ API Endpoint Exists | | PII-011 | Data Subject Rights (Rectification) | PII | ⚠️ Partial | User Service | GDPR Article 16 | ⚠️ API Endpoint Exists | | PII-012 | Data Breach Notification Procedures | PII | ⚠️ Partial | Incident Response | GDPR Article 33, CCPA | ⚠️ Process Documented | | PII-013 | Privacy Impact Assessments | PII | ❌ Not Implemented | Compliance Team | GDPR Article 35 | ❌ N/A | | PII-014 | Data Processing Records | PII | ⚠️ Partial | Audit Log Service | GDPR Article 30 | ⚠️ Partial Logging | | PII-015 | Regional Data Residency | PII | ✅ Implemented | Database Architecture | GDPR Article 25, CCPA | ✅ Architecture Review | **Implementation Notes**: - PII-001: Database encryption configured via Prisma schema and database settings - PII-003: Access controls implemented via `explorer-monorepo/docs/specs/security/privacy-controls.md` - PII-006: Tokenization used in `AccountWalletRegistry` contract (hashed references) - PII-007: Separate databases for public blockchain data vs. private PII data - PII-015: Regional database routing configured for EU/US data residency --- ### Money Movement Controls | Control ID | Control Name | Category | Implementation Status | Responsible Service/Component | Compliance Mapping | Test Coverage | |------------|--------------|----------|----------------------|------------------------------|-------------------|---------------| | MM-001 | Transaction Authorization | Money | ✅ Implemented | Authorization Service | PCI-DSS 8.3, SOC 2 CC6.1 | ✅ Unit Tests | | MM-002 | Multi-Signature Requirements | Money | ✅ Implemented | Signature Service | SOC 2 CC6.2 | ✅ Unit Tests | | MM-003 | Velocity Limits | Money | ✅ Implemented | Risk Engine | PCI-DSS 12.10.2 | ✅ Unit Tests | | MM-004 | Amount Limits | Money | ✅ Implemented | Policy Manager | PCI-DSS 12.10.2 | ✅ Unit Tests | | MM-005 | Sanctions Screening | Money | ✅ Implemented | Compliance Registry | OFAC, EU Sanctions | ✅ Integration Tests | | MM-006 | AML Checks | Money | ✅ Implemented | AML Service | AML/CFT Regulations | ✅ Integration Tests | | MM-007 | Transaction Monitoring | Money | ✅ Implemented | Monitoring Service | PCI-DSS 12.10.3 | ✅ Integration Tests | | MM-008 | Suspicious Activity Reporting | Money | ⚠️ Partial | Reporting Service | AML/CFT Regulations | ⚠️ Manual Process | | MM-009 | Transaction Reversibility Controls | Money | ✅ Implemented | Settlement Orchestrator | PCI-DSS 12.10.4 | ✅ Unit Tests | | MM-010 | Escrow/Lock Mechanisms | Money | ✅ Implemented | Escrow Vault | SOC 2 CC6.2 | ✅ Unit Tests | | MM-011 | Fraud Detection | Money | ⚠️ Partial | Risk Engine | PCI-DSS 12.10.5 | ⚠️ Basic Rules | | MM-012 | Transaction Audit Trail | Money | ✅ Implemented | Audit Log Service | PCI-DSS 10.2.1, ISO 27001 A.12.4.1 | ✅ Unit Tests | | MM-013 | Real-Time Risk Controls | Money | ✅ Implemented | M-RTGS Risk Monitor | SOC 2 CC6.1 | ✅ Unit Tests | | MM-014 | Settlement Finality Verification | Money | ✅ Implemented | Settlement Service | ISO 27001 A.12.4.1 | ✅ Integration Tests | | MM-015 | Transaction Limits per Account Type | Money | ✅ Implemented | Policy Manager | PCI-DSS 12.10.2 | ✅ Unit Tests | **Implementation Notes**: - MM-001: Authorization implemented in `SettlementOrchestrator` contract with role-based access - MM-003: Velocity limits implemented in `mrtgs-risk-monitor.service.ts` - MM-005: Sanctions screening via `complianceRegistry` and `sanctions-lists` table - MM-006: AML checks via `aml.service.ts` and risk scoring - MM-010: Escrow mechanisms via `RailEscrowVault` contract and lien system - MM-013: Real-time risk controls via `mrtgs-risk-monitor.service.ts` (FX slip, velocity, liquidity) --- ### Infrastructure Security Controls | Control ID | Control Name | Category | Implementation Status | Responsible Service/Component | Compliance Mapping | Test Coverage | |------------|--------------|----------|----------------------|------------------------------|-------------------|---------------| | INF-001 | Network Segmentation | Infra | ✅ Implemented | Network Configuration | PCI-DSS 1.3, ISO 27001 A.13.1.3 | ✅ Architecture Review | | INF-002 | Firewall Rules | Infra | ✅ Implemented | Firewall Service | PCI-DSS 1.2, ISO 27001 A.13.1.1 | ✅ Configuration Review | | INF-003 | Intrusion Detection | Infra | ⚠️ Partial | Security Monitoring | PCI-DSS 11.4, ISO 27001 A.12.4.1 | ⚠️ Basic Monitoring | | INF-004 | Logging and Monitoring | Infra | ✅ Implemented | Logging Service | PCI-DSS 10.2.1, ISO 27001 A.12.4.1 | ✅ Integration Tests | | INF-005 | Incident Response | Infra | ⚠️ Partial | Incident Response Team | PCI-DSS 12.10.1, ISO 27001 A.16.1.1 | ⚠️ Process Documented | | INF-006 | Vulnerability Management | Infra | ✅ Implemented | Security Scanning | PCI-DSS 11.2, ISO 27001 A.12.6.1 | ✅ Automated Scanning | | INF-007 | Patch Management | Infra | ✅ Implemented | Operations Team | PCI-DSS 6.2, ISO 27001 A.12.6.1 | ⚠️ Manual Process | | INF-008 | Access Control (Infrastructure) | Infra | ✅ Implemented | Access Control Service | PCI-DSS 7.2.1, ISO 27001 A.9.2.1 | ✅ Unit Tests | | INF-009 | Backup and Recovery | Infra | ✅ Implemented | Backup Service | PCI-DSS 12.3.1, ISO 27001 A.12.3.1 | ✅ Integration Tests | | INF-010 | Disaster Recovery | Infra | ⚠️ Partial | DR Team | PCI-DSS 12.3.2, ISO 27001 A.12.3.2 | ⚠️ Plan Documented | | INF-011 | Secure Configuration | Infra | ✅ Implemented | Configuration Management | PCI-DSS 2.2, ISO 27001 A.12.2.1 | ✅ Configuration Review | | INF-012 | Secure Development Lifecycle | Infra | ✅ Implemented | Development Process | PCI-DSS 6.5, ISO 27001 A.14.2.1 | ✅ Code Review | | INF-013 | Third-Party Risk Management | Infra | ⚠️ Partial | Procurement/Compliance | PCI-DSS 12.8, ISO 27001 A.15.1.1 | ⚠️ Vendor Assessment | | INF-014 | Physical Security | Infra | ⚠️ Partial | Infrastructure Provider | ISO 27001 A.11.1.1 | ⚠️ Provider SLA | | INF-015 | DDoS Protection | Infra | ✅ Implemented | Network Security | PCI-DSS 1.3, ISO 27001 A.13.1.3 | ✅ Network Testing | **Implementation Notes**: - INF-001: Network segmentation via DMZ, internal network, data layer, blockchain network - INF-002: Firewall rules configured per `dbis_core/docs/security/IRU_SECURITY_HARDENING.md` - INF-004: Logging implemented via structured logging and audit log service - INF-006: Vulnerability scanning via dependency scanning tools (Snyk, Trivy) - INF-011: Secure configuration via environment variables and secrets management - INF-012: Secure development via code review, security scanning, and testing --- ## Control Status Summary ### By Category | Category | Total Controls | Implemented | Partial | Not Implemented | |----------|---------------|-------------|---------|-----------------| | Key Management | 10 | 6 | 3 | 1 | | PII Protection | 15 | 9 | 5 | 1 | | Money Movement | 15 | 12 | 3 | 0 | | Infrastructure | 15 | 10 | 5 | 0 | | **Total** | **55** | **37** | **16** | **2** | ### By Compliance Standard #### PCI-DSS - **Implemented**: 32 controls - **Partial**: 8 controls - **Not Implemented**: 2 controls #### SOC 2 - **Implemented**: 15 controls - **Partial**: 5 controls - **Not Implemented**: 0 controls #### ISO 27001 - **Implemented**: 35 controls - **Partial**: 12 controls - **Not Implemented**: 2 controls #### GDPR - **Implemented**: 10 controls - **Partial**: 6 controls - **Not Implemented**: 1 control --- ## Implementation Priorities ### High Priority (Complete Immediately) 1. **PII-005**: Right to Deletion - Automate GDPR Article 17 compliance 2. **MM-008**: Suspicious Activity Reporting - Automate AML reporting 3. **INF-005**: Incident Response - Complete automated incident response procedures 4. **KM-008**: Key Escrow Procedures - Implement if required by regulation ### Medium Priority (Complete Within 90 Days) 1. **KM-004**: Key Backup and Recovery - Complete automated recovery procedures 2. **KM-010**: Key Destruction Procedures - Automate secure key destruction 3. **PII-012**: Data Breach Notification - Automate breach notification workflows 4. **INF-010**: Disaster Recovery - Complete DR testing and automation 5. **PII-013**: Privacy Impact Assessments - Establish PIA process ### Low Priority (Complete Within 180 Days) 1. **INF-013**: Third-Party Risk Management - Enhance vendor assessment process 2. **INF-003**: Intrusion Detection - Enhance IDS capabilities --- ## Testing Requirements ### Test Coverage Summary - **Unit Tests**: 40 controls (73%) - **Integration Tests**: 25 controls (45%) - **Manual Testing**: 5 controls (9%) - **Architecture Review**: 3 controls (5%) - **Configuration Review**: 2 controls (4%) ### Test Gaps 1. Automated testing for manual processes (PII-005, MM-008, INF-005) 2. Integration testing for cross-service controls 3. Penetration testing for infrastructure controls 4. Compliance testing for regulatory controls --- ## Compliance Mapping Details ### PCI-DSS Controls **Requirement 3: Protect Stored Cardholder Data** - KM-001: Key Storage (HSM) - PII-001: Data Encryption at Rest - PII-006: Tokenization **Requirement 4: Encrypt Transmission of Cardholder Data** - PII-002: Data Encryption in Transit **Requirement 7: Restrict Access to Cardholder Data** - KM-003: Key Access Controls - PII-003: Data Access Controls - INF-008: Infrastructure Access Control **Requirement 10: Track and Monitor All Access** - KM-007: Key Usage Audit Logging - MM-012: Transaction Audit Trail - INF-004: Logging and Monitoring **Requirement 12: Maintain an Information Security Policy** - MM-003: Velocity Limits - MM-004: Amount Limits - INF-005: Incident Response ### SOC 2 Controls **CC6.1: Logical and Physical Access Controls** - KM-003: Key Access Controls - PII-003: Data Access Controls - MM-001: Transaction Authorization **CC6.2: System Operations** - KM-006: Multi-Signature Requirements - MM-002: Multi-Signature Requirements - MM-010: Escrow/Lock Mechanisms **CC7.1: System Monitoring** - INF-004: Logging and Monitoring - MM-007: Transaction Monitoring ### ISO 27001 Controls **A.9: Access Control** - KM-003: Key Access Controls - PII-003: Data Access Controls - INF-008: Infrastructure Access Control **A.10: Cryptography** - KM-001: Private Key Storage (HSM) - KM-002: Key Rotation Procedures - KM-005: Key Lifecycle Management **A.12: Operations Security** - INF-004: Logging and Monitoring - INF-006: Vulnerability Management - INF-007: Patch Management **A.13: Communications Security** - PII-002: Data Encryption in Transit - INF-001: Network Segmentation - INF-002: Firewall Rules ### GDPR Controls **Article 5: Principles Relating to Processing** - PII-008: Data Minimization - PII-009: Purpose Limitation **Article 15: Right of Access** - PII-010: Data Subject Rights (Access) **Article 16: Right to Rectification** - PII-011: Data Subject Rights (Rectification) **Article 17: Right to Erasure** - PII-005: Right to Deletion **Article 25: Data Protection by Design** - PII-015: Regional Data Residency - PII-007: PII Data Segregation **Article 32: Security of Processing** - PII-001: Data Encryption at Rest - PII-002: Data Encryption in Transit - PII-003: Data Access Controls **Article 33: Notification of a Personal Data Breach** - PII-012: Data Breach Notification Procedures **Article 35: Data Protection Impact Assessment** - PII-013: Privacy Impact Assessments --- ## Responsible Components ### Services - **Key Management Service**: KM-001 through KM-010 - **Access Control Service**: KM-003, PII-003, INF-008 - **Audit Log Service**: KM-007, MM-012, INF-004 - **Compliance Registry**: MM-005 (Sanctions Screening) - **AML Service**: MM-006 (AML Checks) - **Risk Engine**: MM-003 (Velocity Limits), MM-011 (Fraud Detection) - **Policy Manager**: MM-004 (Amount Limits), MM-015 (Account Type Limits) - **Settlement Orchestrator**: MM-001 (Transaction Authorization), MM-009 (Reversibility) - **Escrow Vault**: MM-010 (Escrow/Lock Mechanisms) - **Data Management Service**: PII-004 (Retention), PII-005 (Deletion) - **Tokenization Service**: PII-006 (Tokenization) ### Contracts - **AccountWalletRegistry**: PII-006 (Tokenization via hashed references) - **SettlementOrchestrator**: MM-001 (Authorization), MM-009 (Settlement) - **RailEscrowVault**: MM-010 (Escrow) - **ComplianceRegistry**: MM-005 (Sanctions Screening) - **PolicyManager**: MM-004 (Amount Limits) --- ## Monitoring and Alerting ### Control Violations Controls that trigger alerts on violation: - KM-003: Unauthorized key access - MM-003: Velocity limit exceeded - MM-004: Amount limit exceeded - MM-005: Sanctions match detected - PII-003: Unauthorized PII access - INF-002: Firewall rule violation ### Audit Logging All controls must generate audit logs for: - Access attempts (successful and failed) - Configuration changes - Policy violations - Security events --- ## Review and Update Process This control matrix should be reviewed and updated: - **Quarterly**: Review implementation status - **Annually**: Full compliance mapping review - **On Demand**: When new threats or regulations are identified - **After Incidents**: Review and update based on lessons learned --- ## References - Threat Model: `explorer-monorepo/docs/specs/security/security-architecture.md` - Privacy Controls: `explorer-monorepo/docs/specs/security/privacy-controls.md` - Security Hardening: `dbis_core/docs/security/IRU_SECURITY_HARDENING.md` - Access Control (Bridge): `smom-dbis-138/docs/bridge/trustless/ACCESS_CONTROL.md` - Compliance Documentation: `smom-dbis-138/docs/security/SECURITY_COMPLIANCE.md` --- ## Appendices ### Appendix A: Control Testing Procedures See individual service test files: - Key Management: `dbis_core/src/core/security/key-management/*.test.ts` - Access Control: `dbis_core/src/core/security/access-control/*.test.ts` - Compliance: `dbis_core/src/core/compliance/*.test.ts` - Settlement: `dbis_core/src/core/settlement/*.test.ts` ### Appendix B: Compliance Standard References - **PCI-DSS**: Payment Card Industry Data Security Standard v4.0 - **SOC 2**: Service Organization Control 2, Type II - **ISO 27001**: ISO/IEC 27001:2022 Information Security Management - **GDPR**: General Data Protection Regulation (EU) 2016/679 - **CCPA**: California Consumer Privacy Act ### Appendix C: Change Log | Date | Version | Changes | |------|---------|---------| | 2025-01-20 | 1.0.0 | Initial unified control matrix created |