Compliance Frameworks

AIPTx maps security findings to major compliance frameworks, helping you demonstrate security posture for audits and certifications.

Supported Frameworks

SOC 2

Service Organization Control 2 - Trust Service Criteria

ISO 27001

International information security standard

PCI DSS

Payment Card Industry Data Security Standard

HIPAA

Health Insurance Portability and Accountability Act

GDPR

General Data Protection Regulation

NIST

National Institute of Standards and Technology

SOC 2 Mapping

Trust Service Criteria Coverage

| Criteria | Category | AIPTx Coverage |
|---|---|---|
| CC6.1 | Security | Access control testing |
| CC6.2 | Security | Authentication testing |
| CC6.3 | Security | Authorization testing |
| CC6.6 | Security | Encryption validation |
| CC6.7 | Security | Vulnerability management |
| CC7.1 | Security | Configuration analysis |
| CC7.2 | Security | Change management |

Example Report Section

SOC 2 Control Assessment

CC6.1 - Logical Access Security
Status: ⚠️ Gaps Identified

Findings:
- IDOR vulnerability allows unauthorized data access (Finding #12)
- Missing MFA on admin accounts (Finding #8)

Evidence:
- 3 access control vulnerabilities identified
- 2 authentication weaknesses found

Remediation Required:
1. Implement proper authorization checks
2. Enable MFA for all privileged accounts

PCI DSS Mapping

Requirements Coverage

| Requirement | Description | AIPTx Tests |
|---|---|---|
| 6.5.1 | Injection flaws | SQL, NoSQL, Command injection |
| 6.5.2 | Buffer overflows | Memory safety testing |
| 6.5.3 | Insecure crypto | Encryption analysis |
| 6.5.4 | Insecure communications | TLS/SSL validation |
| 6.5.5 | Improper error handling | Error message analysis |
| 6.5.6 | Vulnerability identification | CVE scanning |
| 6.5.7 | XSS vulnerabilities | Cross-site scripting tests |
| 6.5.8 | Access control | Authorization testing |
| 6.5.9 | CSRF vulnerabilities | CSRF protection analysis |
| 6.5.10 | Authentication flaws | Auth mechanism testing |

Compliance Report

PCI DSS v4.0 Compliance Assessment

Requirement 6: Develop and Maintain Secure Systems

6.5.1 - Injection Vulnerabilities
Status: ❌ Non-Compliant
Findings: 2 SQL injection vulnerabilities identified
- Finding #5: SQL Injection in search API (Critical)
- Finding #7: SQL Injection in report filter (High)
Action Required: Implement parameterized queries

6.5.7 - Cross-Site Scripting
Status: ⚠️ Partially Compliant
Findings: 1 stored XSS vulnerability
- Finding #12: Stored XSS in comments (High)
Action Required: Implement output encoding
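
The SOC 2 and PCI DSS report sections above are produced by mapping each finding to the controls it affects and deriving a status per control. The script below is an added illustration of that mapping logic, written for this page and not AIPTx's own code. The control ids and finding numbers echo the page; the finding categories, the category-to-control table, and the status rule (any Critical or High finding makes a control Non-Compliant, Medium or Low only makes it Partially Compliant, no findings makes it Compliant) are assumptions of the example.

```python
"""Toy findings-to-controls mapper (illustrative, not AIPTx's own code).

Assumptions of this example, not the page's: findings carry a category tag and
a severity; a static table maps categories to framework controls; a control's
status is derived from the worst finding mapped to it.
"""
from collections import defaultdict
from dataclasses import dataclass

SEVERITY_RANK = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1, "Info": 0}


@dataclass(frozen=True)
class Finding:
    number: int
    title: str
    category: str  # e.g. "idor", "sqli", "xss", "missing_mfa" (hypothetical tags)
    severity: str


# Hypothetical category -> (framework, control id, control title) table.
# Control ids come from the page; which category maps where is an assumption.
CONTROL_MAP = {
    "idor": [("soc2", "CC6.1", "Logical Access Security"),
             ("pci", "6.5.8", "Access Control")],
    "missing_mfa": [("soc2", "CC6.2", "Authentication"),
                    ("pci", "6.5.10", "Authentication Flaws")],
    "sqli": [("pci", "6.5.1", "Injection Vulnerabilities")],
    "xss": [("pci", "6.5.7", "Cross-Site Scripting")],
}

# Every control the template reports on, so a clean control shows as Compliant.
ALL_CONTROLS = {
    "soc2": [("CC6.1", "Logical Access Security"), ("CC6.2", "Authentication"),
             ("CC6.6", "Encryption")],
    "pci": [("6.5.1", "Injection Vulnerabilities"), ("6.5.7", "Cross-Site Scripting"),
            ("6.5.8", "Access Control"), ("6.5.10", "Authentication Flaws")],
}


def map_findings(findings, framework):
    """Return {control_id: [findings]} for one framework."""
    mapped = defaultdict(list)
    for f in findings:
        for fw, control_id, _ in CONTROL_MAP.get(f.category, []):
            if fw == framework:
                mapped[control_id].append(f)
    return mapped


def control_status(findings_for_control):
    """Status rule (assumed): Critical/High -> Non-Compliant,
    Medium/Low only -> Partially Compliant, nothing mapped -> Compliant."""
    if not findings_for_control:
        return "Compliant"
    worst = max(SEVERITY_RANK[f.severity] for f in findings_for_control)
    return "Non-Compliant" if worst >= SEVERITY_RANK["High"] else "Partially Compliant"


def assess(findings, framework):
    """Return {control_id: (title, status, [findings])} for every template control."""
    mapped = map_findings(findings, framework)
    return {cid: (title, control_status(mapped.get(cid, [])), mapped.get(cid, []))
            for cid, title in ALL_CONTROLS[framework]}


def compliance_percent(assessment):
    """Share of controls that are fully Compliant, the figure a trend line tracks."""
    total = len(assessment)
    ok = sum(1 for _, status, _ in assessment.values() if status == "Compliant")
    return round(100 * ok / total, 1) if total else 0.0


ICON = {"Compliant": "✅", "Partially Compliant": "⚠️", "Non-Compliant": "❌"}


def render(assessment, framework):
    """Render a plain-text section shaped like the page's report excerpts."""
    lines = [f"{framework.upper()} Control Assessment", ""]
    for cid, (title, status, fs) in assessment.items():
        lines.append(f"{cid} - {title}")
        lines.append(f"Status: {ICON[status]} {status}")
        for f in sorted(fs, key=lambda x: -SEVERITY_RANK[x.severity]):
            lines.append(f"- Finding #{f.number}: {f.title} ({f.severity})")
        lines.append("")
    return "\n".join(lines)


# Constructed sample findings, echoing the numbers used in the page's examples.
SAMPLE_FINDINGS = [
    Finding(5, "SQL Injection in search API", "sqli", "Critical"),
    Finding(7, "SQL Injection in report filter", "sqli", "High"),
    Finding(8, "Missing MFA on admin accounts", "missing_mfa", "Medium"),
    Finding(12, "IDOR allows unauthorized data access", "idor", "High"),
]

if __name__ == "__main__":
    for fw in ("soc2", "pci"):
        result = assess(SAMPLE_FINDINGS, fw)
        print(render(result, fw))
        print(f"{fw} compliance: {compliance_percent(result)}%\n")
```

Keeping the category-to-control table separate from the status rule is the design point: when a framework revision renumbers its requirements, only the table changes, and the same finding feeds every framework it is relevant to, which is how one scan yields several framework reports.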

ISO 27001 Mapping

Annex A Controls

| Control | Description | Assessment |
|---|---|---|
| A.9.1 | Access control policy | ✅ Compliant |
| A.9.2 | User access management | ⚠️ Gaps found |
| A.9.4 | System access control | ❌ Non-compliant |
| A.10.1 | Cryptographic controls | ✅ Compliant |
| A.12.6 | Vulnerability management | ✅ Compliant |
| A.14.1 | Security requirements | ⚠️ Gaps found |
| A.14.2 | Security in development | ⚠️ Gaps found |

HIPAA Mapping

Security Rule Requirements

| Specification | Type | AIPTx Assessment |
|---|---|---|
| Access Control | Required | Authorization testing |
| Audit Controls | Required | Logging analysis |
| Integrity | Required | Data protection testing |
| Authentication | Required | Auth mechanism review |
| Transmission Security | Required | Encryption validation |

PHI Protection Assessment

HIPAA Security Assessment

§164.312(a)(1) - Access Control
Status: ⚠️ Gaps Identified

Findings affecting PHI access:
- IDOR in patient records API (Critical)
- Missing session timeout on EHR portal (Medium)
- Weak password policy (Medium)

Risk to ePHI: HIGH
Recommended Actions:
1. Implement proper access controls on patient data endpoints
2. Add session timeout after 15 minutes of inactivity
3. Enforce strong password requirements

GDPR Mapping

Article Requirements

| Article | Requirement | AIPTx Testing |
|---|---|---|
| Art. 25 | Data protection by design | Security architecture review |
| Art. 32 | Security of processing | Vulnerability assessment |
| Art. 33 | Breach notification | Incident response capability |
| Art. 35 | Impact assessment | Risk analysis |

Data Protection Assessment

GDPR Compliance Assessment

Article 32 - Security of Processing

(a) Encryption of personal data
Status: ✅ Compliant
- TLS 1.3 in use for data in transit
- AES-256 encryption for data at rest

(b) Confidentiality and integrity
Status: ⚠️ Gaps Identified
- 2 access control vulnerabilities found
- 1 data exposure risk identified

(d) Regular testing and assessment
Status: ✅ Compliant
- Automated security scanning in place
- Quarterly penetration testing scheduled

NIST Cybersecurity Framework

Function Mapping

| Function | Category | AIPTx Coverage |
|---|---|---|
| Identify | Asset Management | Discovery and enumeration |
| Protect | Access Control | Authorization testing |
| Protect | Data Security | Encryption validation |
| Detect | Security Monitoring | Vulnerability detection |
| Respond | Analysis | Finding prioritization |

Generating Compliance Reports

Single Framework

aiptx report generate \
  --scan-id scan_abc123 \
  --template compliance \
  --compliance soc2

Multiple Frameworks

aiptx report generate \
  --scan-id scan_abc123 \
  --template compliance \
  --compliance soc2,pci,hipaa

Configuration File

report:
  template: compliance
  compliance_frameworks:
    - soc2
    - pci_dss_v4
    - iso27001
  include_evidence: true
  include_remediation: true
  executive_summary: true

Audit Evidence

Evidence Package

AIPTx can generate an evidence package for auditors:

aiptx report evidence --scan-id scan_abc123 --framework soc2

Includes:
  • Scan configuration and scope
  • Complete findings with timestamps
  • Proof of concept evidence
  • Remediation tracking
  • Historical trend data

Continuous Compliance

Track compliance status over time:

Compliance Trend (Last 6 Months)

SOC 2 CC6.1 (Access Control):
Jan: 85% → Feb: 87% → Mar: 92% → Apr: 95% → May: 98% → Jun: 99%

PCI DSS 6.5 (Secure Development):
Jan: 78% → Feb: 82% → Mar: 85% → Apr: 90% → May: 93% → Jun: 96%