SID-OPS-11 — Data Leakage Prevention — Infrastructure Controls
| Property | Value |
|---|---|
| Owner | operator |
| Category | technical |
| CSF Function | protect |
| Group | Operational Controls |
Description
The operator MUST implement infrastructure-level controls to prevent unintended data leakage from the wallet deployment environment.
Implementation requirements: (1) Network egress control: deploy egress filtering on all production hosts. Only explicitly allowlisted destinations (Siros Foundation endpoints, trust list registries, biometric API, ACME CA) may receive outbound traffic. All other egress MUST be denied by default (Kubernetes NetworkPolicy / firewall ruleset). (2) Cloud storage access control: any object storage (S3, GCS, Azure Blob) used for backups, logs, or assets MUST have: - Block Public Access enabled - Bucket policies reviewed and access scoped to named service accounts only - Access logging enabled (3) Email and collaboration DLP: configure DLP rules in the operator's email/collaboration platform to detect and alert on outbound transmission of credential data, PII, or key material patterns (e.g. JWT-like strings, PEM blocks). (4) Log and monitoring pipeline: ensure the SIEM pipeline (SID-OPS-06) does not exfiltrate PII — log shipping destinations MUST be encrypted in transit and access-controlled. (5) Backup data: backup archives MUST be encrypted (SID-OPS-10) and stored only in operator-controlled locations. (6) Annual review: DLP ruleset and egress allowlist reviewed and updated at least annually and after any architecture change.
Note: Platform provides application-layer controls (SID-HARD-01 error sanitization, SID-HARD-05 CSP, SID-PRIV-01 minimal disclosure). This control covers the infrastructure envelope around those controls.
Review criteria: egress allowlist and NetworkPolicy/firewall config, cloud storage ACL audit, DLP policy documentation, backup access control evidence.
Components
- Reverse Proxy / TLS
- PostgreSQL Database
Source References
Framework Requirements
ISO 27001 Annex A: A.8.12