| Control | Title | Status | Evidence |
|---|---|---|---|
| A.5.1 | Policies for information security | partial | Gateway operates under Optimal's information security policy; the tenant inherits the relevant subset. Gateway scope: Optimal policy. Customer scope: customer policy. |
| A.5.7 | Threat intelligence | implemented | GuardDuty threat detection (CloudTrail, VPC Flow, DNS). |
| A.5.15 | Access control | implemented | API key + usage plan at the edge. Admin access via cloud-native MFA. |
| A.5.23 | Information security for use of cloud services | implemented | Multi-cloud egress (Bedrock VPCE, GCP WIF, Azure API key) documented in DFD Lane D. |
| A.5.30 | ICT readiness for business continuity | implemented | Lambda regional managed multi-AZ. DDB PITR 35d. Single-AZ NAT documented as POAM. |
| A.5.31 | Legal, statutory, regulatory and contractual requirements | implemented | Per-tenant compliance artifacts emitted on demand (this service). |
| A.6.3 | Information security awareness, education and training | partial | Optimal personnel: Optimal training. Customer personnel: customer training. |
| A.8.5 | Secure authentication | implemented | API key validation at edge. TLS 1.2 + FIPS. PIV / IA-2(12) for personnel tracked as POAM-011. |
| A.8.9 | Configuration management | implemented | Terraform-defined. AWS Config drift detection. Immutable container tags. |
| A.8.10 | Information deletion | implemented | Zero-persistence: prompt + response bodies never written. Metadata retention follows scheduled lifecycle. |
| A.8.11 | Data masking | partial | Gateway PII detector runs inline; bodies are not persisted regardless. In-flight detection: gateway. Customer-app masking: customer responsibility. |
| A.8.12 | Data leakage prevention | implemented | Inline prompt-injection + PII detectors. Verdicts surface in response headers and audit row. |
| A.8.15 | Logging | implemented | CloudTrail 7yr + CW Logs (app 90d, access 365d). Hash-chained per-request audit. |
| A.8.20 | Networks security | implemented | VPC + private subnets + VPCEs + NACL deny-SSH/RDP + single NAT EIP. |
| A.8.24 | Use of cryptography | implemented | TLS 1.2 over FIPS 140-2 modules. CMK at rest. Cross-cloud auth via short-lived WIF tokens (no static keys). |
| A.8.25 | Secure development lifecycle | implemented | GitHub Enterprise + signed commits + branch protection. Terraform PR review. ECR scan on push. |
| A.8.28 | Secure coding | implemented | Container image scan + dependency review on every build. |