3.10 Compliance Mapping
| Field |
Value |
| Document ID |
SDWAN-SEC-3.10 |
| Version |
1.0 |
| Last Updated |
December 2025 |
| Author |
Network Architecture Team |
| Classification |
Internal Use |
1. Executive Summary
This section documents the compliance mapping between Abhavtech's SD-WAN security implementation and major regulatory frameworks. The SD-WAN deployment has been designed to meet requirements from NIST Cybersecurity Framework, PCI-DSS v4.0, SOC 2 Type II, ISO 27001:2022, and GDPR where applicable to network infrastructure.
1.1 Compliance Overview
+------------------------------------------------------------------+
| COMPLIANCE FRAMEWORK COVERAGE |
+------------------------------------------------------------------+
| |
| Framework | Applicability | Status | Gap |
| -----------------+---------------------+------------+-----------|
| NIST CSF 2.0 | All operations | Compliant | None |
| PCI-DSS v4.0 | Payment processing | Compliant | None |
| SOC 2 Type II | Service delivery | Compliant | None |
| ISO 27001:2022 | ISMS | Compliant | None |
| GDPR | EU data handling | Compliant | None |
| HIPAA | Not applicable | N/A | N/A |
| |
+------------------------------------------------------------------+
1.2 SD-WAN Security Controls Matrix
| Control Category |
SD-WAN Feature |
Frameworks Addressed |
| Encryption |
IPsec AES-256-GCM |
NIST, PCI, ISO, SOC2 |
| Access Control |
RBAC, MFA |
NIST, PCI, ISO, SOC2 |
| Segmentation |
VPN isolation, SGT |
NIST, PCI, ISO |
| Monitoring |
Logging, SIEM |
All frameworks |
| Threat Detection |
UTD, IPS |
NIST, PCI, ISO |
2. NIST Cybersecurity Framework 2.0
2.1 Framework Overview
+------------------------------------------------------------------+
| NIST CSF 2.0 FUNCTIONS |
+------------------------------------------------------------------+
| |
| +-------------+ +-------------+ +-------------+ |
| | GOVERN | | IDENTIFY | | PROTECT | |
| +-------------+ +-------------+ +-------------+ |
| | Policy | | Asset Mgmt | | Access Ctrl | |
| | Risk Mgmt | | Risk Assess | | Encryption | |
| | Oversight | | Business Env| | Segmentation| |
| +------+------+ +------+------+ +------+------+ |
| | | | |
| +----------------+----------------+ |
| | |
| +-------------+ +------v------+ +-------------+ |
| | DETECT | | RESPOND | | RECOVER | |
| +-------------+ +-------------+ +-------------+ |
| | Monitoring | | Incident Rsp| | Recovery | |
| | Anomalies | | Mitigation | | Improvement | |
| | Continuous | | Communicate | | Planning | |
| +-------------+ +-------------+ +-------------+ |
| |
+------------------------------------------------------------------+
2.2 NIST CSF Control Mapping
| NIST Control |
Requirement |
SD-WAN Implementation |
Evidence |
| ID.AM-1 |
Physical device inventory |
vManage device inventory |
Automated discovery |
| ID.AM-2 |
Software platforms mapped |
Template-based config |
Configuration DB |
| ID.RA-1 |
Vulnerabilities identified |
UTD signatures |
Vulnerability scan |
| PR.AC-1 |
Identity management |
ISE integration |
Auth logs |
| PR.AC-3 |
Remote access managed |
Secure overlay tunnels |
IPsec config |
| PR.AC-4 |
Access permissions managed |
RBAC policies |
Permission audit |
| PR.AC-5 |
Network integrity protected |
Segmentation |
VPN isolation |
| PR.DS-1 |
Data-at-rest protected |
N/A (transit only) |
N/A |
| PR.DS-2 |
Data-in-transit protected |
AES-256-GCM encryption |
Crypto config |
| PR.DS-5 |
Protections against leaks |
DLP, URL filtering |
Policy rules |
| PR.IP-1 |
Baseline config created |
Template management |
Golden configs |
| PR.PT-1 |
Audit logs enabled |
Comprehensive logging |
Syslog config |
| DE.AE-1 |
Network operations monitored |
vManage analytics |
Dashboard |
| DE.CM-1 |
Network monitored |
Real-time monitoring |
NOC procedures |
| DE.CM-4 |
Malicious code detected |
UTD, AMP |
Alert logs |
| RS.RP-1 |
Response plan executed |
Incident runbooks |
IR procedures |
| RC.RP-1 |
Recovery plan executed |
DR procedures |
DR runbooks |
3. PCI-DSS v4.0 Compliance
3.1 Cardholder Data Environment (CDE) Scope
+------------------------------------------------------------------+
| PCI-DSS SCOPE IN SD-WAN |
+------------------------------------------------------------------+
| |
| In-Scope Components: |
| +----------------------------------------------------------+ |
| | - VPN 100 (PCI Zone) | |
| | - WAN Edge routers at Mumbai DC, Chennai DR | |
| | - SD-WAN Manager (management access) | |
| | - Transit networks carrying CDE traffic | |
| +----------------------------------------------------------+ |
| |
| Out-of-Scope (Segmented): |
| +----------------------------------------------------------+ |
| | - VPN 10, 20, 30, 40 (non-CDE traffic) | |
| | - Branch sites without payment processing | |
| | - Guest network (VPN 20) | |
| +----------------------------------------------------------+ |
| |
| Segmentation Validation: |
| - Annual penetration testing confirms isolation |
| - VPN isolation prevents cross-segment access |
| - Firewall rules enforce CDE boundaries |
| |
+------------------------------------------------------------------+
3.2 PCI-DSS Requirement Mapping
| PCI Req |
Description |
SD-WAN Control |
Evidence |
| 1.2 |
Network security controls |
Zone-based firewall |
FW policy |
| 1.3 |
Access restricted |
VPN isolation |
Segment config |
| 1.4 |
Network connections documented |
vManage inventory |
Topology docs |
| 2.2 |
Secure configurations |
Hardening templates |
Config baseline |
| 2.3 |
Wireless security |
802.1X, WPA3 |
Wireless config |
| 3.4 |
PAN rendered unreadable |
N/A (transit) |
N/A |
| 4.1 |
Strong cryptography |
AES-256-GCM |
IPsec config |
| 4.2 |
PAN secured in transit |
Encryption |
Tunnel verify |
| 5.2 |
Anti-malware |
UTD, AMP |
Threat logs |
| 6.4 |
Secure development |
N/A (vendor) |
Cisco CVD |
| 7.1 |
Access by need-to-know |
RBAC |
User roles |
| 8.2 |
Strong authentication |
MFA, certificates |
Auth config |
| 8.3 |
MFA for remote access |
SAML + MFA |
SSO config |
| 10.1 |
Audit trails |
Comprehensive logs |
Syslog |
| 10.2 |
Audit log content |
User actions logged |
Log samples |
| 10.3 |
Time synchronization |
NTP |
NTP config |
| 10.5 |
Audit log protection |
Secure syslog |
TLS config |
| 11.3 |
Penetration testing |
Annual test |
Pentest report |
| 11.4 |
Network intrusion detection |
UTD IPS |
Alert logs |
| 12.10 |
Incident response |
IR procedures |
Runbooks |
3.3 PCI-Specific Configuration
! PCI Zone Firewall Policy
zone-pair security ZP-PCI-TO-INTERNET source PCI-ZONE destination INTERNET-ZONE
description "PCI CDE to Internet - Payment Gateway Only"
service-policy type inspect PM-PCI-EGRESS
!
policy-map type inspect PM-PCI-EGRESS
class CM-PAYMENT-GATEWAY
inspect
log
class class-default
drop log
!
class-map type inspect match-all CM-PAYMENT-GATEWAY
match access-group name ACL-PAYMENT-PROCESSORS
!
ip access-list extended ACL-PAYMENT-PROCESSORS
permit tcp any host 192.0.2.100 eq 443 ! Payment processor 1
permit tcp any host 192.0.2.101 eq 443 ! Payment processor 2
deny ip any any log
! PCI Logging Requirements
logging host 10.254.1.50 transport tcp port 6514 secure
logging trap informational
logging source-interface Loopback0
!
4. SOC 2 Type II Compliance
4.1 Trust Service Criteria
+------------------------------------------------------------------+
| SOC 2 TRUST SERVICE CRITERIA |
+------------------------------------------------------------------+
| |
| +------------------+ |
| | SECURITY | Protect against unauthorized access |
| +------------------+ |
| | - Access control | - IPsec encryption |
| | - Network security| - Segmentation |
| | - Monitoring | - UTD threat detection |
| +------------------+ |
| |
| +------------------+ |
| | AVAILABILITY | System operates as committed |
| +------------------+ |
| | - HA design | - Controller redundancy |
| | - DR capability | - Multi-path routing |
| | - Monitoring | - SLA tracking |
| +------------------+ |
| |
| +------------------+ |
| | CONFIDENTIALITY | Data protected as committed |
| +------------------+ |
| | - Encryption | - AES-256 for all traffic |
| | - Access control | - Role-based access |
| | - Data handling | - DLP policies |
| +------------------+ |
| |
| +------------------+ |
| | INTEGRITY | Complete, accurate, authorized |
| +------------------+ |
| | - Change mgmt | - Template versioning |
| | - Validation | - Config compliance |
| | - Monitoring | - Integrity verification |
| +------------------+ |
| |
+------------------------------------------------------------------+
4.2 SOC 2 Control Mapping
| TSC |
Control Point |
SD-WAN Implementation |
Testing Procedure |
| CC6.1 |
Logical access |
RBAC, MFA |
User access review |
| CC6.2 |
Registration |
Provisioning workflow |
Account creation |
| CC6.3 |
Role modification |
Role-based templates |
Role change audit |
| CC6.6 |
Threats identified |
UTD, IPS |
Threat log review |
| CC6.7 |
Transmission protection |
IPsec encryption |
Crypto validation |
| CC6.8 |
Unauthorized access |
Firewall policies |
Policy review |
| CC7.1 |
Detection mechanisms |
Monitoring, alerts |
Alert validation |
| CC7.2 |
Monitoring systems |
vManage, SIEM |
Dashboard review |
| CC7.3 |
Threat evaluation |
Incident analysis |
Incident reports |
| CC7.4 |
Incident response |
IR procedures |
Tabletop exercise |
| CC8.1 |
Change management |
Template workflow |
Change records |
| A1.1 |
Capacity planning |
Performance monitoring |
Capacity reports |
| A1.2 |
Environmental threats |
HA, DR |
DR test results |
| C1.1 |
Confidential info |
Encryption, DLP |
Encryption audit |
5. ISO 27001:2022 Compliance
5.1 Annex A Control Mapping
| ISO Control |
Description |
SD-WAN Implementation |
| A.5.1 |
Policies for info security |
Security policy docs |
| A.5.15 |
Access control |
RBAC, MFA |
| A.5.17 |
Authentication |
Certificate-based, MFA |
| A.5.23 |
Cloud services security |
Cloud OnRamp security |
| A.5.24 |
Incident management |
IR procedures |
| A.8.1 |
User endpoint devices |
Endpoint security |
| A.8.3 |
Information access restriction |
Segmentation, ACLs |
| A.8.5 |
Secure authentication |
Strong auth |
| A.8.7 |
Protection against malware |
UTD, AMP |
| A.8.9 |
Configuration management |
Template management |
| A.8.10 |
Information deletion |
Secure decommission |
| A.8.15 |
Logging |
Comprehensive logging |
| A.8.16 |
Monitoring activities |
Real-time monitoring |
| A.8.20 |
Networks security |
Encryption, segmentation |
| A.8.21 |
Security of network services |
Secure protocols |
| A.8.22 |
Segregation of networks |
VPN isolation |
| A.8.23 |
Web filtering |
URL filtering |
| A.8.24 |
Use of cryptography |
AES-256, TLS 1.3 |
| A.8.26 |
Application security |
AppFW policies |
5.2 Statement of Applicability
+------------------------------------------------------------------+
| ISO 27001 STATEMENT OF APPLICABILITY |
+------------------------------------------------------------------+
| |
| Control Domain | Applicable | Implemented | Excluded |
| -------------------------+-----------+-------------+-----------|
| A.5 Organizational | 37 | 37 | 0 |
| A.6 People | 8 | 8 | 0 |
| A.7 Physical | 14 | N/A | 14* |
| A.8 Technological | 34 | 34 | 0 |
| |
| * Physical controls managed by data center providers |
| |
| SD-WAN Specific Controls: |
| +----------------------------------------------------------+ |
| | A.8.20 Network Security: | |
| | - IPsec encryption for all WAN traffic | |
| | - Certificate-based authentication | |
| | - TLS 1.3 for management | |
| +----------------------------------------------------------+ |
| | A.8.22 Segregation of Networks: | |
| | - 6 Service VPNs for traffic isolation | |
| | - SGT-based microsegmentation | |
| | - Zone-based firewall policies | |
| +----------------------------------------------------------+ |
| |
+------------------------------------------------------------------+
6. GDPR Considerations
6.1 Network-Level GDPR Controls
| GDPR Article |
Requirement |
SD-WAN Implementation |
| Art. 25 |
Data protection by design |
Encryption by default |
| Art. 32 |
Security of processing |
Technical measures |
| Art. 33 |
Breach notification |
Incident detection |
| Art. 44-49 |
International transfers |
Regional segmentation |
6.2 Data Residency Configuration
! Regional Traffic Policy for GDPR
policy
data-policy EU-DATA-RESIDENCY
vpn-list VPN-10-EMPLOYEE
! EU user data stays in EU
sequence 10
match
source-data-prefix-list EU-USER-SUBNETS
destination-data-prefix-list EU-SERVERS
action accept
set
local-tloc-list EU-REGION-TLOCS
!
!
! Block EU data to non-EU regions
sequence 20
match
source-data-prefix-list EU-USER-SUBNETS
destination-data-prefix-list NON-EU-SERVERS
action drop
log
!
!
!
!
!
7. Compliance Monitoring and Reporting
7.1 Compliance Dashboard
+------------------------------------------------------------------+
| COMPLIANCE MONITORING DASHBOARD |
+------------------------------------------------------------------+
| |
| Framework Status: |
| +----------------------------------------------------------+ |
| | Framework | Score | Last Audit | Next Audit | |
| +----------------------------------------------------------+ |
| | NIST CSF | 94% | Nov 2025 | Nov 2026 | |
| | PCI-DSS | 100% | Oct 2025 | Oct 2026 | |
| | SOC 2 | 96% | Sep 2025 | Sep 2026 | |
| | ISO 27001 | 98% | Aug 2025 | Aug 2026 | |
| +----------------------------------------------------------+ |
| |
| Control Effectiveness: |
| +----------------------------------------------------------+ |
| | Control | Status | Evidence | |
| +----------------------------------------------------------+ |
| | Encryption | Effective | 100% tunnel encrypted | |
| | Access Control | Effective | 0 unauthorized access | |
| | Logging | Effective | 100% events captured | |
| | Segmentation | Effective | 0 cross-VPN violations| |
| | Threat Detection | Effective | 99.9% detection rate | |
| +----------------------------------------------------------+ |
| |
+------------------------------------------------------------------+
7.2 Audit Evidence Collection
! Automated Compliance Evidence Collection
! Run monthly for audit preparation
! Encryption Status
show crypto ipsec sa summary > encryption_evidence.txt
! Access Control Evidence
show sdwan users > user_access_evidence.txt
! Logging Status
show logging > logging_config_evidence.txt
! Segmentation Verification
show sdwan policy service-chain > segmentation_evidence.txt
! Configuration Compliance
show sdwan running-config | include security > security_config.txt
8. Best Practices Summary
8.1 Compliance Best Practices
- Map controls to multiple frameworks to reduce redundancy
- Automate evidence collection for continuous compliance
- Conduct regular gap assessments against framework updates
- Maintain documentation for audit readiness
8.2 Audit Preparation Best Practices
- Keep evidence repository current (monthly updates)
- Document control exceptions with compensating controls
- Train staff on compliance requirements
- Conduct internal audits before external assessments
References
| Document |
Description |
Location |
| NIST CSF 2.0 |
Framework document |
nist.gov |
| PCI-DSS v4.0 |
Payment card standard |
pcisecuritystandards.org |
| SOC 2 Guide |
Trust services criteria |
aicpa.org |
| ISO 27001:2022 |
ISMS standard |
iso.org |
| Abhavtech Compliance Policy |
Internal compliance |
SharePoint |
Document Version: 1.0
Last Updated: December 2025
Classification: Internal Use
Document ID: SDWAN-SEC-3.10