Pulse control map
Pulse runs 8 technical-control checks on every tracked vendor. Each check maps to specific subcategories of NIST CSF v2.0 and Annex A controls of ISO/IEC 27001:2022. Pulse evidences 8 CSF subcategories and 8 ISO controls. Regulator-specific mappings (FCA, DORA, OCC, APRA, HKMA, MAS) are at /regulators/.
SPF
Sender Policy Framework
What it evidences: Vendor's mail domain is locked down against sender spoofing
NIST CSF v2.0
- PR.DS-02 — Data-in-transit is protected
- PR.DS-08 — Integrity-checking mechanisms are used to verify data integrity
- DE.CM-01 — Networks and network services are monitored to find adverse events
ISO/IEC 27001:2022 Annex A
- A.5.14 — Information transfer
- A.8.23 — Web filtering
- A.5.7 — Threat intelligence
DKIM
DomainKeys Identified Mail
What it evidences: Vendor signs outbound email so a forged copy is detectable in transit
NIST CSF v2.0
- PR.DS-02 — Data-in-transit is protected
- PR.DS-08 — Integrity-checking mechanisms are used to verify data integrity
ISO/IEC 27001:2022 Annex A
- A.5.14 — Information transfer
- A.8.24 — Use of cryptography
DMARC
Domain-based Message Authentication, Reporting & Conformance
What it evidences: Vendor publishes a policy telling recipients how to handle forged email and where to report it
NIST CSF v2.0
- PR.DS-08 — Integrity-checking mechanisms are used to verify data integrity
- DE.CM-01 — Networks and network services are monitored to find adverse events
ISO/IEC 27001:2022 Annex A
- A.5.14 — Information transfer
- A.8.20 — Networks security
CERT
SSL/TLS Certificate Validity
What it evidences: Vendor's web endpoint has a valid, non-expired TLS certificate from a trusted CA
NIST CSF v2.0
- PR.DS-02 — Data-in-transit is protected
- PR.PS-01 — Configuration management practices are established
ISO/IEC 27001:2022 Annex A
- A.8.24 — Use of cryptography
- A.8.20 — Networks security
WHOIS
Domain Expiration & Registry State
What it evidences: Vendor's domain registration is current and not at risk of expiry hijacking
NIST CSF v2.0
- ID.AM-02 — Software platforms and applications are inventoried
- PR.AA-02 — Identities and credentials are issued and managed
ISO/IEC 27001:2022 Annex A
- A.5.9 — Inventory of information and other associated assets
- A.8.32 — Change management
DNSSEC
DNS Security Extensions
What it evidences: Vendor's DNS chain is cryptographically signed, preventing cache-poisoning redirects
NIST CSF v2.0
- PR.DS-02 — Data-in-transit is protected
- PR.DS-08 — Integrity-checking mechanisms are used to verify data integrity
- PR.PS-01 — Configuration management practices are established
ISO/IEC 27001:2022 Annex A
- A.8.20 — Networks security
- A.8.24 — Use of cryptography
MTA_STS
Mail Transfer Agent Strict Transport Security
What it evidences: Vendor's inbound mail enforces TLS, blocking downgrade-to-plaintext attacks
NIST CSF v2.0
- PR.DS-02 — Data-in-transit is protected
- PR.PS-01 — Configuration management practices are established
ISO/IEC 27001:2022 Annex A
- A.5.14 — Information transfer
- A.8.20 — Networks security
TAKEOVER
Subdomain Takeover Surface
What it evidences: No dangling DNS records pointing at abandoned cloud assets that an attacker could claim
NIST CSF v2.0
- ID.AM-02 — Software platforms and applications are inventoried
- ID.RA-01 — Vulnerabilities in assets are identified, validated, and recorded
- DE.CM-09 — Computing hardware and software are monitored to find adverse events
ISO/IEC 27001:2022 Annex A
- A.5.9 — Inventory of information and other associated assets
- A.8.8 — Management of technical vulnerabilities