
Security Compliance

IT Common Platform (ITCP) users are responsible for meeting the ITSO application software security standards, which include CIS Controls Implementation Group 2 (IG2) compliance. The ITCP helps you meet some of the requirements listed below, but none of them is covered completely by the platform: review each requirement and confirm that your own application is in compliance.

  • 16.1 - Establish and Maintain a Secure Application Development Process

    We help you identify security vulnerabilities and misconfigurations in your images and dependencies through Trivy scans in our CI pipeline templates and by scanning running workloads. You can find more information in our Trivy documentation.

  • 16.4 - Establish and Manage an Inventory of Third-Party Software Components

    Trivy generates SBOMs for all running workloads. You can retrieve them with the kubectl CLI, or use a custom CI pipeline built from our building blocks to generate SBOMs before deployment. You can find more documentation here.

  • 16.6 - Establish and Maintain a Severity Rating System and Process for Application Vulnerabilities

    Trivy rates each known vulnerability by severity (CRITICAL, HIGH, MEDIUM, LOW, UNKNOWN) and links to the CVE record so that you can read further details about the vulnerability. The severity rating is an input to your triage process; deciding what blocks a deployment and what is accepted as a tracked risk remains your responsibility.
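As an added example of the "process" half of 16.6 (this is not ITCP or Trivy code): a CI-side gate that reads a Trivy JSON report, blocks the pipeline on findings at or above a chosen severity when a fixed package version exists, and defers unfixed findings for risk acceptance instead of failing the build on something nobody can patch yet. The report embedded below is constructed for this example; it follows the field names of Trivy's JSON output (`Results[].Vulnerabilities[]` with `VulnerabilityID`, `PkgName`, `InstalledVersion`, `FixedVersion`, `Severity`), and its CVE identifiers are placeholders rather than real advisories.

```python
"""Severity gate over a Trivy JSON report (added example, not ITCP code)."""
import json
from collections import Counter

# Severity labels as Trivy emits them, ranked for threshold comparisons.
SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1, "UNKNOWN": 0}

# CONSTRUCTED sample in the shape of `trivy image --format json` output,
# trimmed to the fields the gate needs. CVE ids are placeholders.
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "registry.example/app:1.2.3",
    "Results": [
        {
            "Target": "registry.example/app:1.2.3 (debian 12.5)",
            "Class": "os-pkgs",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libssl3",
                 "InstalledVersion": "3.0.11-1", "FixedVersion": "3.0.13-1",
                 "Severity": "CRITICAL", "Title": "placeholder finding"},
                {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libc6",
                 "InstalledVersion": "2.36-9", "FixedVersion": "",
                 "Severity": "HIGH", "Title": "placeholder, no fix yet"},
            ],
        },
        {
            "Target": "app/requirements.txt",
            "Class": "lang-pkgs",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0003", "PkgName": "requests",
                 "InstalledVersion": "2.25.0", "FixedVersion": "2.31.0",
                 "Severity": "MEDIUM", "Title": "placeholder finding"},
            ],
        },
        # Config scan results carry no Vulnerabilities key at all.
        {"Target": "app/config.yaml", "Class": "config"},
    ],
})


def findings(report_json: str):
    """Flatten a Trivy JSON report into one dict per vulnerability."""
    report = json.loads(report_json)
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            yield {
                "id": vuln["VulnerabilityID"],
                "target": result.get("Target", ""),
                "pkg": vuln.get("PkgName", ""),
                "installed": vuln.get("InstalledVersion", ""),
                "fixed": vuln.get("FixedVersion", ""),
                "severity": vuln.get("Severity", "UNKNOWN").upper(),
                "url": vuln.get("PrimaryURL", ""),  # advisory link when Trivy has one
            }


def severity_gate(report_json: str, fail_on: str = "HIGH"):
    """Return (passed, blocking, deferred).

    blocking: findings at or above `fail_on` that have a FixedVersion, so the
              remedy is a rebuild against the patched package.
    deferred: findings at or above `fail_on` with no fix available; these are
              surfaced for risk acceptance rather than failing the pipeline.
    """
    threshold = SEVERITY_RANK[fail_on.upper()]
    blocking, deferred = [], []
    for f in findings(report_json):
        if SEVERITY_RANK.get(f["severity"], 0) < threshold:
            continue
        (blocking if f["fixed"] else deferred).append(f)
    blocking.sort(key=lambda f: -SEVERITY_RANK[f["severity"]])
    return (not blocking), blocking, deferred


def severity_counts(report_json: str) -> Counter:
    """Per-severity totals, the summary a ticket or dashboard would show."""
    return Counter(f["severity"] for f in findings(report_json))


if __name__ == "__main__":
    passed, blocking, deferred = severity_gate(SAMPLE_REPORT, fail_on="HIGH")
    print("counts:", dict(severity_counts(SAMPLE_REPORT)))
    for f in blocking:
        print(f"BLOCK {f['severity']:8} {f['id']} {f['pkg']} "
              f"{f['installed']} -> {f['fixed']} ({f['target']})")
    for f in deferred:
        print(f"DEFER {f['severity']:8} {f['id']} {f['pkg']} no fix available")
    raise SystemExit(0 if passed else 1)
```

Run it with `trivy image --format json -o report.json <image>` output in place of the constructed sample; the non-zero exit on blocking findings is what a pipeline step keys on. The threshold, and whether unfixed findings block or defer, are the policy decisions 16.6 asks you to write down.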

  • 16.7 - Use Standard Hardening Configuration Templates for Application Infrastructure

    The underlying Kubernetes infrastructure and the ITCP-provided services are hardened against the applicable CIS Benchmarks. We require that pods run under a restricted Pod Security Policy, so workloads that need privileged settings will be rejected at admission.
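To show what "restricted" means for a workload manifest, here is an added example (not ITCP or Kubernetes code) that checks a parsed pod manifest against the rules of the Kubernetes restricted Pod Security Standard, the profile a restricted pod security policy enforces. The page does not list the platform's exact rule set, so the rules encoded here are an assumption taken from the upstream restricted profile; the two pod specs are constructed for the example and given as dicts, as they would look after parsing the YAML.

```python
"""Restricted Pod Security profile checker (added example, not ITCP code)."""

# Volume types the upstream restricted profile permits (assumed rule set).
ALLOWED_VOLUMES = {"configMap", "csi", "downwardAPI", "emptyDir", "ephemeral",
                   "persistentVolumeClaim", "projected", "secret"}


def _containers(spec):
    return (spec.get("containers", []) + spec.get("initContainers", [])
            + spec.get("ephemeralContainers", []))


def restricted_violations(pod: dict) -> list:
    """Return human-readable violations; an empty list means compliant."""
    spec = pod.get("spec", {})
    psc = spec.get("securityContext", {})
    v = []
    for key in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(key):
            v.append(f"spec.{key} must be false")
    for vol in spec.get("volumes", []):
        kinds = {k for k in vol if k != "name"}
        if not kinds <= ALLOWED_VOLUMES:
            v.append(f"volume {vol.get('name')}: type {sorted(kinds - ALLOWED_VOLUMES)} not allowed")
    for c in _containers(spec):
        name = c.get("name", "?")
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            v.append(f"{name}: privileged must be false")
        if sc.get("allowPrivilegeEscalation") is not False:
            v.append(f"{name}: allowPrivilegeEscalation must be set to false")
        caps = sc.get("capabilities", {})
        if "ALL" not in caps.get("drop", []):
            v.append(f"{name}: capabilities.drop must include ALL")
        extra = set(caps.get("add", [])) - {"NET_BIND_SERVICE"}
        if extra:
            v.append(f"{name}: capabilities.add {sorted(extra)} not allowed")
        # runAsNonRoot, runAsUser and seccompProfile may be set at pod or
        # container level; a container-level value overrides the pod's.
        non_root = sc["runAsNonRoot"] if "runAsNonRoot" in sc else psc.get("runAsNonRoot")
        if not non_root:
            v.append(f"{name}: runAsNonRoot must be true (pod or container level)")
        if sc.get("runAsUser", psc.get("runAsUser")) == 0:
            v.append(f"{name}: runAsUser must not be 0")
        seccomp = (sc.get("seccompProfile") or psc.get("seccompProfile") or {}).get("type")
        if seccomp not in ("RuntimeDefault", "Localhost"):
            v.append(f"{name}: seccompProfile.type must be RuntimeDefault or Localhost")
    return v


# CONSTRUCTED manifests: a pod relying on defaults, and the same pod hardened.
WEAK_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web"},
    "spec": {
        "hostNetwork": True,
        "volumes": [{"name": "host", "hostPath": {"path": "/var/run"}}],
        "containers": [{
            "name": "web", "image": "registry.example/web:1.0",
            "volumeMounts": [{"name": "host", "mountPath": "/host"}],
        }],
    },
}

HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web"},
    "spec": {
        "securityContext": {
            "runAsNonRoot": True,
            "runAsUser": 10001,
            "seccompProfile": {"type": "RuntimeDefault"},
        },
        "volumes": [{"name": "tmp", "emptyDir": {}}],
        "containers": [{
            "name": "web", "image": "registry.example/web:1.0",
            "securityContext": {
                "allowPrivilegeEscalation": False,
                "capabilities": {"drop": ["ALL"]},
                # Not required by the profile, but cheap extra hardening.
                "readOnlyRootFilesystem": True,
            },
            "volumeMounts": [{"name": "tmp", "mountPath": "/tmp"}],
        }],
    },
}

if __name__ == "__main__":
    for label, pod in (("weak", WEAK_POD), ("hardened", HARDENED_POD)):
        problems = restricted_violations(pod)
        print(f"{label}: {'OK' if not problems else ''}")
        for p in problems:
            print("  -", p)
```

The weak manifest fails on six points even though it sets nothing "dangerous" explicitly: the defaults themselves (no seccomp profile, privilege escalation allowed, full capability set, root user) are what the restricted profile forbids, which is why most pods need the explicit `securityContext` shown in the hardened version before the cluster will admit them.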

  • 16.8 - Separate Production and Non-Production Systems

    Users may create as many tenants as needed to separate production from non-production workloads. We operate three tiers: development, pre-production, and production. Users can request tenants on the pre-production and production clusters.

  • 16.9 - Apply Secure Design Principles in Application Architectures

    We minimize the application infrastructure attack surface by running vetted, up-to-date components. Our Gatekeeper and Landlord policies, together with mandatory GitOps-based deployment, create an environment that is architecturally more secure.

  • 16.11 - Leverage Vetted Modules or Services for Application Security Components

    The ITCP provides the following vetted modules and services: