CC6.6 · D4 · f1
Evidence files:

- evidence/network-security-policy.md — Prism Cloud network security policy defining environment segmentation, WAF requirements, encryption in transit standards, and security group rules.
- evidence/firewall-rules.json — AWS security group export for all Prism Cloud VPCs showing inbound/outbound rules, VPC peering configurations, and WAF associations.
- evidence/tls-config-audit.csv — TLS configuration audit across 15 endpoints showing TLS versions, cipher suites, certificate status, and PII handling flags.
- evidence/exception-register.csv — Approved network security exceptions with compensating controls, risk ratings, and review outcomes.
- evidence/incident-response-contacts.md — Prism Cloud incident response contact list and on-call rotation. Not relevant to CC6.6 system boundary protection controls. [noise]

| ID | Type | Severity | Finding |
|---|---|---|---|
| F-001 | red_herring | low | Cross-VPC security group sg-0a1b2c3d4e5f60008 allows all traffic between staging and production. Security group sg-0a1b2c3d4e5f60008 (prod-data-sync-cross-vpc) contains rules sgr-021 and sgr-022 that allow all protocols and ports between the staging VPC (10.1.0.0/16) and the production VPC (10.0.... |
| F-002 | gap | high | Webhook receiver endpoint webhooks.prismcloud.io has no WAF protection. Security group sg-0a1b2c3d4e5f60011 (prod-webhook-receiver) accepts inbound HTTPS traffic on port 443 from 0.0.0.0/0 but has no WAF association (waf_association is null). The firewall rules export not... |
| F-003 | gap | high | Notification service uses unencrypted HTTP for internal communication. The notification service (TLS-008 in the TLS config audit, sg-0a1b2c3d4e5f60006 in the firewall rules) uses unencrypted HTTP on port 8080 for internal communication from the application tier. The TLS ... |
| F-004 | gap | medium | Batch processing security group allows outbound 0.0.0.0/0 on Elasticsearch port 9200. Security group sg-0a1b2c3d4e5f60012 (prod-batch-processing) contains outbound rule sgr-032 allowing TCP port 9200 to 0.0.0.0/0, described as 'Elasticsearch cluster access — legacy configuration pendin... |
| F-005 | gap | medium | Elasticsearch endpoint TLS-014 uses TLS 1.2 while handling customer PII. The Elasticsearch cluster endpoint (TLS-014, es.prod.prismcloud.local on port 9200) uses TLS 1.2 and is flagged as handling customer PII (search indices contain user profiles and activity data). The T... |
| Model | Provider | Score | Recall | Prec. | F1 | Gaps | Reported |
|---|---|---|---|---|---|---|---|
| Sonnet 4.6 | Anthropic | 100% | 100% | 100% | 100% | 4/4 | 4 |
| Opus 4.7 | Anthropic | 57% | 100% | 40% | 57% | 4/4 | 10 |
| GPT-5.5 | OpenAI | 62% | 100% | 44% | 62% | 4/4 | 9 |
| GPT-4.1 | OpenAI | 55% | 75% | 43% | 55% | 3/4 | 7 |
| Haiku 4.5 | Anthropic | 25% | 75% | 15% | 25% | 3/4 | 20 |
| GPT-4o | OpenAI | 44% | 50% | 40% | 44% | 2/4 | 5 |