Y7 — Compliance Coverage Matrix
Asset: Y7 | Workstream: [GTM] | Ownership: [SH] | Owners: Nidhi (lead — accuracy) · Sagar | Status: drafted | Reuses: G2 rule-pack `frameworks` mappings + `compliance/`
Purpose: The sheet that makes "SOC 2-ready" concrete — SnowOps assets mapped to SOC 2 CC / ISO 27001 Annex A / HIPAA Security Rule / CIS Azure, with an honest coverage % per framework. Used in the Y8 deck, the Y6 proposals, and the Y5 findings review.
0. Reading this matrix honestly (Nidhi gate)
- "Covered" = SnowOps ships an asset that implements or enforces the technical control. It does not mean "certified" — certification is the auditor's determination across people + process + technology.
- Controls that are organizational/process (HR, physical security, management oversight) are out of SnowOps's technical scope and counted separately — we don't inflate coverage by claiming them.
- Assets marked (roadmap — Mx) are not shipped; they're counted in a separate "roadmap coverage" column, never in "today."
- This methodology is stated on the sheet whenever it's shared. No inflated %.
1. Coverage summary (technical controls in SnowOps scope)
Methodology: of the controls in each framework that are technical and in SnowOps's platform scope, the % with ≥ 1 mapped asset. Process/HR/physical controls are excluded from the denominator and listed in §6. Numbers are Nidhi-validated estimates pending the per-framework detail in `compliance/`.
| Framework | Technical controls in scope | Covered today (shipped 🟦/🟩) | Covered incl. roadmap | Out of technical scope |
|---|---|---|---|---|
| SOC 2 (CC) | ~Security/Availability CC set | ~ high — Baseline floor | + evidence automation (E-series, M4) | CC1 governance, parts of CC2/CC9 (process) |
| ISO 27001:2022 Annex A | A.5/A.8 technical themes | ~ high — Baseline floor | + A.5 vendor/policy mgmt (M4) | A.6 people, A.7 physical |
| HIPAA Security Rule | Technical Safeguards §164.312 | partial today | + Purview/DLP/CMK (M4) | Admin §164.308 (process), Physical §164.310 |
| CIS Azure Foundations | Benchmark sections 1–9 | strong — identity/network/storage/logging | + advanced sections (M4) | n/a (all technical) |
Replace the qualitative bands with computed percentages once `compliance/soc2`, `compliance/iso27001`, `compliance/hipaa` and `compliance/cis-azure` are populated with the full control lists (that's the denominator). The mappings below are the numerator.
2. SOC 2 — Common Criteria → SnowOps assets
| CC | Control area | SnowOps asset(s) | Status |
|---|---|---|---|
| CC6.1 | Logical access / least privilege / encryption | H1–H3 (CA/PIM), B2 (OIDC), F5 (KV), D3, M2/M3 (M2a) | 🟦 / partial |
| CC6.6 | Network boundary protection | F2, F5, N5, N6 | 🟦 / roadmap N5/N6 |
| CC6.7 | Encryption in transit & at rest | M1/M2/M3 (M2a), F5, D3 | partial |
| CC7.1 | Vulnerability detection | C2 (scan), D4 (admission), I1–I3 (M2a) | 🟦 / roadmap I |
| CC7.2 | Security monitoring / Defender | F1/B3 (Defender), J1/J3 (M2a/M4) | 🟦 / roadmap J |
| CC7.3–7.4 | Incident response | K1, K2 (M2b) | roadmap |
| CC8.1 | Change management | C1–C4, R1, D1–D3 | 🟦 / 🟩 |
| CC4 / CC7.2 | Evidence of monitoring | E0 (M2b), E1–E6 (M4) | roadmap |
3. ISO 27001:2022 Annex A → SnowOps assets
| Annex A | Control | SnowOps asset(s) | Status |
|---|---|---|---|
| A.5.15 | Access control | H2, H3, B2 | 🟦 |
| A.8.5 | Secure authentication | H1, H2, H5 | 🟦 |
| A.8.16 | Monitoring activities | F1/B3 (Defender + LAW), J1 (M2a) | 🟦 / roadmap |
| A.8.20 | Network security | F2, N6 | 🟦 / roadmap |
| A.8.21 | Security of network services | F2, N5 | roadmap |
| A.8.24 | Use of cryptography | F5, M2/M3, D3 | 🟦 / partial |
| A.8.6 | Capacity / cost management | U1 (M2a) | roadmap |
| A.8.9 | Configuration management | C1, D1–D3, F-series (IaC) | 🟦 / 🟩 |
| A.8.28 | Secure coding | D1, D2 (gates), C2 (sign/scan) | 🟩 / 🟦 |
| A.5.23 | Cloud services security | the whole F/B/H platform | 🟦 |
4. HIPAA Security Rule (Technical Safeguards §164.312) → SnowOps assets
| § | Safeguard | SnowOps asset(s) | Status |
|---|---|---|---|
| 164.312(a)(1) | Access control (unique ID, least priv) | B2, H1–H3, H5 | 🟦 |
| 164.312(a)(2)(iv) | Encryption / decryption | M2 (CMK), F5, M3 (TLS) | partial / roadmap |
| 164.312(b) | Audit controls | J1, J6 (immutable logs), G6 | roadmap (J) |
| 164.312(c)(1) | Integrity | D4 (signed images), J6 (WORM) | 🟦 / roadmap |
| 164.312(d) | Person/entity authentication | H1, H2 (MFA) | 🟦 |
| 164.312(e)(1) | Transmission security | M3 (TLS floor), F2/F5 (private) | roadmap / 🟦 |
HIPAA Administrative (§164.308) + Physical (§164.310) safeguards are process/physical — out of SnowOps's technical scope (§6). The Z3 Healthcare reference platform packages the technical set above.
5. CIS Microsoft Azure Foundations Benchmark → SnowOps assets
These map directly to the G2 rule pack's `cis_azure` fields — the audit checks them and the assets fix them.
| CIS § | Control | G2 rule | SnowOps asset |
|---|---|---|---|
| 1.1 | CA policies in place | IAM-001 | H2 |
| 1.21 | SP credential rotation | IAM-002 | H5 |
| 2.1 | Defender plans on | LOG-001/002 | F1 / B3 |
| 3.7 | Storage no public access | NET-001 | N5 |
| 3.15 | Storage TLS ≥ 1.2 | ENC-001 | D3 / M3 |
| 4.2.1 | SQL TDE | ENC-002 | M2 |
| 6.1 / 6.2 | No SSH/RDP from internet | NET-002 | N6 |
| 8.2 | Key Vault purge protection | ENC-003 | F5 |
| 8.5 | Key Vault no public access | NET-003 | F5 |
6. Out of SnowOps technical scope (counted separately — never inflated)
These require people/process and a vCISO or the client's own program — SnowOps provides templates (Y12 contracts, V1 policy library) but does not "cover" them as platform controls:
- Governance / board oversight (SOC 2 CC1, ISO A.5.1–5.4).
- HR security — screening, training, onboarding/offboarding (Q-series, M4, partial).
- Physical security (ISO A.7, HIPAA §164.310).
- Risk assessment + management process (ISO A.5.x, HIPAA §164.308 admin).
7. How this asset stays honest
- Numerator = the §2–§5 mappings (each row → real §4 asset).
- Denominator = the full control lists in `compliance/{soc2,iso27001,hipaa,cis-azure}/` (to be populated — E4 KQL library + compliance mappings, M4).
- Nidhi recomputes + signs the % whenever a framework's `compliance/` list changes or an asset ships.
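The coverage arithmetic described in the §1 methodology and restated here (numerator = mapped rows, denominator = technical in-scope controls, process controls excluded, roadmap assets in their own column) is small enough to script so the % is recomputed rather than hand-edited. The block below is an added example, not SnowOps tooling; the `Control`/`Asset` types, the function names and every control and asset ID in the sample data are constructed for illustration, not taken from the `compliance/` lists.

```python
"""Added example: compute Y7-style coverage percentages for one framework.

Numerator   = controls with >= 1 mapped asset (the matrix rows).
Denominator = technical controls in platform scope (the compliance/<fw>/ list).
Process/HR/physical controls are excluded from the denominator and reported
separately; roadmap assets count only in the "incl. roadmap" column.
All identifiers and statuses below are constructed for the example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    control_id: str
    technical: bool  # False -> process/HR/physical: excluded from the denominator


@dataclass(frozen=True)
class Asset:
    asset_id: str
    shipped: bool  # False -> "(roadmap - Mx)": counted only in the roadmap column


@dataclass(frozen=True)
class Coverage:
    in_scope: int              # denominator
    covered_today: int         # >= 1 shipped asset mapped
    covered_incl_roadmap: int  # >= 1 asset of any status mapped
    out_of_scope: int          # process/HR/physical controls, reported, never counted
    uncovered: tuple           # in-scope controls with no mapping (the gap list)

    def pct_today(self) -> float:
        return _pct(self.covered_today, self.in_scope)

    def pct_incl_roadmap(self) -> float:
        return _pct(self.covered_incl_roadmap, self.in_scope)


def _pct(num: int, den: int) -> float:
    return round(100.0 * num / den, 1) if den else 0.0


def compute_coverage(controls, mappings, assets) -> Coverage:
    """controls: the full framework list (denominator source);
    mappings: control_id -> iterable of asset_ids (the matrix rows);
    assets: asset_id -> Asset (shipped/roadmap status)."""
    known = {c.control_id for c in controls}
    unknown = set(mappings) - known
    if unknown:  # a mapped row must point at a control that exists in the list
        raise ValueError(f"mapped controls missing from the control list: {sorted(unknown)}")
    today = incl_roadmap = out_of_scope = in_scope = 0
    uncovered = []
    for c in controls:
        if not c.technical:
            out_of_scope += 1  # reported in its own column, never added to the denominator
            continue
        in_scope += 1
        mapped = [assets[a] for a in mappings.get(c.control_id, ())]  # KeyError on a bogus asset id
        if not mapped:
            uncovered.append(c.control_id)
            continue
        incl_roadmap += 1
        if any(a.shipped for a in mapped):
            today += 1
    return Coverage(in_scope, today, incl_roadmap, out_of_scope, tuple(uncovered))


# Constructed sample framework: four technical controls, two process controls.
SAMPLE_CONTROLS = [
    Control("T-1", technical=True),
    Control("T-2", technical=True),
    Control("T-3", technical=True),
    Control("T-4", technical=True),
    Control("P-1", technical=False),  # e.g. governance
    Control("P-2", technical=False),  # e.g. physical
]
SAMPLE_ASSETS = {
    "A-ship-1": Asset("A-ship-1", shipped=True),
    "A-ship-2": Asset("A-ship-2", shipped=True),
    "A-road-1": Asset("A-road-1", shipped=False),
    "A-tpl-1": Asset("A-tpl-1", shipped=True),  # a policy template
}
SAMPLE_MAPPINGS = {
    "T-1": ["A-ship-1"],
    "T-2": ["A-road-1"],               # roadmap only: not "today"
    "T-3": ["A-ship-2", "A-road-1"],   # one shipped asset is enough for "today"
    "P-1": ["A-tpl-1"],                # template for a process control: must not inflate coverage
}


def sample_coverage() -> Coverage:
    return compute_coverage(SAMPLE_CONTROLS, SAMPLE_MAPPINGS, SAMPLE_ASSETS)


if __name__ == "__main__":
    cov = sample_coverage()
    print(f"in scope {cov.in_scope}, today {cov.pct_today()}%, "
          f"incl. roadmap {cov.pct_incl_roadmap()}%, out of scope {cov.out_of_scope}, "
          f"uncovered {list(cov.uncovered)}")
```

Two design points match the matrix's own rules: a mapping onto a process control (P-1 above) changes nothing, because such controls never enter the denominator, and a control whose only mapped assets are roadmap items lands in the "incl. roadmap" column but not in "today". The `uncovered` tuple is the list to carry into the gap review.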
Definition of Done (Y7)
- Every control row links to ≥ 1 real §4 asset. (Met — §2–§5.)
- Spot-check 10 mappings against G2 `framework` fields for consistency. (Met — §5 is 1:1 with G2 `cis_azure`; §2–§4 reuse G2 `soc2_cc`/`iso27001`.)
- Replace qualitative coverage bands (§1) with computed % once `compliance/` control lists are populated.
- Nidhi validates + signs the coverage claims.
Sign-off
- Reviewer (Nidhi — accuracy): _ | Date: _ | Result: PASS / FAIL
- Notes: