diff --git a/controls/pcidss_4_ocp4.yml b/controls/pcidss_4_ocp4.yml index b1a354bfd13..f3fa934b63a 100644 --- a/controls/pcidss_4_ocp4.yml +++ b/controls/pcidss_4_ocp4.yml @@ -1202,21 +1202,21 @@ controls: transmission over open, public networks are defined and documented. levels: - base - status: pending + status: not applicable controls: - id: 4.1.1 title: All security policies and operational procedures that are identified in Requirement 4 are Documented, Kept up to date, In use and Known to all affected parties. levels: - base - status: pending + status: not applicable - id: 4.1.2 title: Roles and responsibilities for performing activities in Requirement 4 are documented, assigned, and understood. levels: - base - status: pending + status: not applicable notes: |- Examine documentation and interview personnel to verify that day-to-day responsibilities for performing all the activities in Requirement 4 are documented, assigned and understood @@ -1226,7 +1226,7 @@ controls: title: PAN is protected with strong cryptography during transmission. levels: - base - status: pending + status: partial controls: - id: 4.2.1 title: Strong cryptography and security protocols are implemented as follows to safeguard @@ -1244,7 +1244,23 @@ controls: - The encryption strength is appropriate for the encryption methodology in use. levels: - base - status: pending + status: partial + notes: |- + OpenShift provides mechanisms to securely transmit PAN over open public networks, but + the application is still responsible for leveraging and implementing strong + cryptography when transmitting PAN. + rules: + - file_permissions_openshift_pki_cert_files + - tls_version_check_apiserver + - tls_version_check_masters_workers + - tls_version_check_router + - api_server_tls_cert + - api_server_tls_security_profile + - api_server_tls_cipher_suites + - ingress_controller_certificate + - ingress_controller_tls_security_profile + - kubelet_configure_tls_min_version + controls: - id: 4.2.1.1 title: An inventory of the entity's trusted keys and certificates used to protect PAN @@ -1255,7 +1271,10 @@ controls: which it will be required and must be fully considered during a PCI DSS assessment. levels: - base - status: pending + status: not applicable + notes: |- + OpenShift doesn't directly handle PANs, the management of keys and certificates + protecting them is responsibility of the payment application. - id: 4.2.1.2 title: Wireless networks transmitting PAN or connected to the CDE use industry best @@ -1264,9 +1283,9 @@ controls: Cleartext PAN cannot be read or intercepted from wireless network transmissions. levels: - base - status: pending + status: not applicable notes: |- - Wireless interfaces are disabled by 1.3.3. + OpenShift doesn't manage wireless environments nor they security configurations. - id: 4.2.2 title: PAN is secured with strong cryptography whenever it is sent via end-user messaging @@ -1282,11 +1301,10 @@ controls: from being used for cardholder data. levels: - base - status: pending + status: not applicable notes: |- - Some known insecure services and protocols are disabled by 2.2.4. - If any specific end-user messaging technology is used, it should be manually checked in - alignment to site policies. + OpenShift doesn't directly handle PANs, the application is responsible for appropriately + securing PAN. - id: '5.1' title: Processes and mechanisms for protecting all systems and networks from malicious