add us and update compliance (#353)
* add us and update compliance

* Add videos links

* minor updates

* update video links

* further compliance updates

* fix linting issues

* fix vale feedback

* fix more vale feedback

* vale feedback

* bump vale

* fix vale feedback

---------

Co-authored-by: osama.ahmedkhan96@gmail.com <osama.ahmedkhan96@gmail.com>
rasheedamir and OsamaKhan220 authored Dec 9, 2024
1 parent 32c177c commit 21213f7
Showing 19 changed files with 401 additions and 20 deletions.
2 changes: 1 addition & 1 deletion .vale.ini
@@ -1,7 +1,7 @@
StylesPath = styles
MinAlertLevel = warning

Packages = https://github.com/stakater/vale-package/releases/download/v0.0.43/Stakater.zip
Packages = https://github.com/stakater/vale-package/releases/download/v0.0.44/Stakater.zip
Vocab = Stakater

# Only check MarkDown files
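Review bot: the bumped Packages URL (v0.0.43 to v0.0.44) is still a plain release zip with nothing binding the fetched content to the tag; Vale's `Packages` setting carries no checksum, so a re-pushed tag would be pulled silently on the next `vale sync`. If the style package matters for CI, either vendor it into `styles/` or verify the archive's hash in the step that downloads it.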
2 changes: 1 addition & 1 deletion Dockerfile
@@ -1,6 +1,6 @@
FROM python:3.13 as builder

RUN pip3 install mkdocs-mermaid2-plugin mkdocs-table-reader-plugin mkdocs-include-markdown-plugin
RUN pip3 install mkdocs-mermaid2-plugin mkdocs-table-reader-plugin mkdocs-include-markdown-plugin mkdocs-video

# set workdir
RUN mkdir -p $HOME/application
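Review bot: the newly added `mkdocs-video`, like the three plugins already on the `pip3 install` line, is unpinned, so every image build pulls whatever PyPI serves that day and the docs build is not reproducible; pin each package to an explicit `==` version (and ideally hash-pin via a requirements file with `--require-hashes`). Same for the base image: `python:3.13` floats across patch releases, a digest pin would fix it. Minor: `as builder` should be `AS builder` to match the uppercase `FROM` keyword.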
11 changes: 11 additions & 0 deletions content/for-cisos-dpos/backup.md
@@ -0,0 +1,11 @@
# Backup Strategy

The **3-2-1-1-0 Backup Rule** is a modern extension of the traditional backup strategy designed to ensure data protection and recovery. Here's what it stands for:

- **3 Copies of Your Data**: Keep three copies of your data: the primary data and two backups. This ensures redundancy.
- **2 Different Storage Types**: Store backups on at least two different types of media (e.g., disk and tape, or local and cloud) to avoid single points of failure.
- **1 Offsite Backup**: Keep one backup copy offsite, such as in a remote data center or a cloud service, to protect against local disasters.
- **1 Immutable Backup**: Have at least one backup that is immutable or air-gapped, ensuring it cannot be modified or deleted (e.g., WORM storage or offline backups).
- **0 Errors After Backup Verification**: Regularly verify and test backups to ensure they are error-free and can be restored when needed.

This rule provides a comprehensive approach to safeguarding against data loss due to hardware failure, natural disasters, cyberattacks, or human error.
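Review bot: this is the only new page in the batch without the `!!! danger "Disclaimer"` admonition that the other for-cisos-dpos pages open with; add it for consistency. On content: the "1 Immutable Backup" bullet treats immutable and air-gapped as interchangeable, but they defend against different things (immutability stops deletion by a compromised admin credential, an air gap stops network reach), so say the copy should ideally be both. The "0 Errors" bullet should say what verification means in practice, that is periodic test restores measured against a defined RPO and RTO, not just a successful backup job status.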
8 changes: 6 additions & 2 deletions content/for-cisos-dpos/bsi-it-grundschutz.md
@@ -1,11 +1,15 @@
# BSI IT-Grundschutz Controls

!!! danger "Disclaimer"

It is important to note that the information provided in this document is for general informational purposes only. Any liability for the completeness, accuracy, timeliness, or reliability of the content is expressly excluded. Organizations are advised to consult with legal, compliance, or technical experts to ensure that their specific compliance and security needs are adequately addressed.

The BSI IT-Grundschutz framework, a German standard for IT security, defines systematic methodologies and controls for safeguarding IT systems. With Stakater App Agility Platform (SAAP) built on Red Hat OpenShift, organizations can effectively implement these controls for Kubernetes-based workloads.

- Total applicable modules in BSI IT-Grundchutz: 2
- **Total applicable modules in BSI IT-Grundchutz**: 2
- SYS.1.6 - Containerization: 10 Controls
- APP.4.4 - Kubernetes: 21 Controls
- Total applicable controls in BSI IT-Grundchutz: 31
- **Total applicable controls in BSI IT-Grundchutz**: 31

## Controls Addressed by SAAP

35 changes: 35 additions & 0 deletions content/for-cisos-dpos/cis.md
@@ -0,0 +1,35 @@
# CIS Benchmarks

!!! danger "Disclaimer"

It is important to note that the information provided in this document is for general informational purposes only. Any liability for the completeness, accuracy, timeliness, or reliability of the content is expressly excluded. Organizations are advised to consult with legal, compliance, or technical experts to ensure that their specific compliance and security needs are adequately addressed.

The CIS Kubernetes Benchmark provides over **120 recommendations** for securing Kubernetes environments, addressing critical areas such as access control, data protection, and cluster configuration. SAAP plays a pivotal role in enabling compliance with these recommendations by leveraging Kubernetes features and advanced security configurations.

- **Total Recommendations in CIS Kubernetes Benchmark**: 120+
- **Key Areas Covered**: Control Plane Security, Worker Node Security, Network Security, Data Protection, and Pod Security.

## Recommendations Addressed by SAAP

- **Fully Applicable Recommendations**: SAAP enables compliance with 70–80 recommendations through Kubernetes-native features and configurations. Key examples include:

- **Control Plane Security**:
- Enforcing Role-Based Access Control (RBAC) to restrict unauthorized access.
- Securing API server communication with TLS encryption.
- **Node Security**:
- Disabling anonymous Kubelet access (--anonymous-auth=false).
- Restricting workload communications with NetworkPolicies.
- **Data Protection**:
- Encrypting Secrets in etcd using Kubernetes encryption providers.
- **Pod Security Standards (PSS)**:
- Ensuring workloads run with non-root users and minimal privileges.

- **Partially Applicable Recommendations**: SAAP supports an additional 30–40 recommendations through configurable features and organization-specific configurations. For example:

- **Audit Logging**: SAAP enables centralized logging and monitoring but requires the organization to actively review and act on the logs.
- **Runtime Security**: Provides mechanisms to monitor workloads but relies on organization-defined actions for runtime behavior validation.
- **Container Image Security**: Enforces trusted container image policies but depends on organizational processes to ensure compliance with image signing and verification standards.

SAAP directly or partially addresses over **100 recommendations** from the CIS Kubernetes Benchmark, making it a comprehensive solution for securing Kubernetes workloads. By focusing on technical enforcement, automation, and integration, SAAP simplifies the path to compliance, reducing the operational burden for organizations.

This robust support makes SAAP an essential platform for adopting and maintaining secure Kubernetes environments, ensuring alignment with CIS best practices while enabling scalability, operational efficiency, and enhanced security.
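Review bot: `--anonymous-auth=false` on the Node Security line is unquoted; MkDocs smart typography can turn the double hyphen into an en dash, so wrap it in backticks. The counts (70 to 80 fully, 30 to 40 partially, "over 100") are not tied to any benchmark recommendation IDs; a short mapping table, or a link to whatever scan profile produces these numbers, would make the claim auditable rather than asserted. Also, the BSI page in this same commit states SAAP is built on Red Hat OpenShift, in which case the applicable document is the CIS Red Hat OpenShift Container Platform Benchmark rather than the generic Kubernetes one; say which benchmark is meant, since the recommendation numbering differs.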
22 changes: 22 additions & 0 deletions content/for-cisos-dpos/dora.md
@@ -0,0 +1,22 @@
# DORA

!!! danger "Disclaimer"

It is important to note that the information provided in this document is for general informational purposes only. Any liability for the completeness, accuracy, timeliness, or reliability of the content is expressly excluded. Organizations are advised to consult with legal, compliance, or technical experts to ensure that their specific compliance and security needs are adequately addressed.

DORA (Digital Operational Resilience Act) is a European Union regulation designed to ensure the resilience of financial entities against operational disruptions and cyber threats. SAAP plays a critical role in enabling compliance with DORA by leveraging Kubernetes features and configurations to address its requirements.

- **Total Articles in DORA**: 5
- **Key Provisions in DORA**: Multiple detailed requirements across areas such as ICT risk management, incident response, and third-party risk management.

## Provisions Addressed by SAAP

SAAP facilitates the implementation of critical provisions enforceable through Kubernetes configurations and features. These include:

- **ICT Risk Management Framework**: Leveraging Kubernetes features such as Pod Security Standards (PSS), Role-Based Access Control (RBAC), and audit logging to establish a robust ICT risk management framework.
- **Incident Response and Recovery**: Providing monitoring, logging, and disaster recovery capabilities using Kubernetes-native and compatible solutions for observability and backup.
- **Operational Resilience Testing**: Supporting resilience testing through tools and practices that align with chaos engineering principles and load testing methodologies.
- **Third-Party Risk Management**: Enforcing network isolation with Kubernetes NetworkPolicies and validating compliance through policy enforcement mechanisms.
- **Information Sharing**: Enabling secure data exchange via encryption, secure storage practices, and secrets management within Kubernetes.

SAAP addresses a substantial number of DORA provisions, empowering financial entities to align their Kubernetes-based workloads with regulatory requirements. By focusing on technical measures and leveraging Kubernetes capabilities, SAAP simplifies the path to operational resilience and compliance.
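Review bot: "Total Articles in DORA: 5" is wrong; Regulation (EU) 2022/2554 has 64 articles. The five areas the page then lists (ICT risk management, incident response, resilience testing, third-party risk, information sharing) are DORA's five pillars, so rename the bullet to "Key pillars" and drop the article count. The "Information Sharing" bullet also maps the wrong controls: in DORA that pillar is the voluntary exchange of cyber threat information between financial entities, not encryption or secrets management inside the cluster. Either reword it to describe what SAAP offers for that exchange, or move the encryption and secrets points under the ICT risk management bullet where they belong.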
4 changes: 4 additions & 0 deletions content/for-cisos-dpos/gdpr-eu.md
@@ -1,5 +1,9 @@
# GDPR (Regulation (EU) 2016/679)

!!! danger "Disclaimer"

It is important to note that the information provided in this document is for general informational purposes only. Any liability for the completeness, accuracy, timeliness, or reliability of the content is expressly excluded. Organizations are advised to consult with legal, compliance, or technical experts to ensure that their specific compliance and security needs are adequately addressed.

## Shared Responsibility Model

The shared responsibility model outlines how GDPR compliance is a shared obligation between Stakater and its customers, with clearly defined roles:
33 changes: 33 additions & 0 deletions content/for-cisos-dpos/hipaa.md
@@ -0,0 +1,33 @@
# HIPAA

!!! danger "Disclaimer"

It is important to note that the information provided in this document is for general informational purposes only. Any liability for the completeness, accuracy, timeliness, or reliability of the content is expressly excluded. Organizations are advised to consult with legal, compliance, or technical experts to ensure that their specific compliance and security needs are adequately addressed.

HIPAA (Health Insurance Portability and Accountability Act) establishes safeguards for the protection of electronic Protected Health Information (ePHI). SAAP (Stakater App Agility Platform) enables technical compliance with HIPAA’s Security Rule by leveraging Kubernetes features and integrations to enforce technical safeguards.

- **Total Safeguards in HIPAA Security Rule**: 3 (Administrative, Physical, Technical)
- **Technical Safeguard Provisions Addressed by SAAP**: 5

## Safeguards Addressed by SAAP

- **Directly Applicable Safeguards**: SAAP enables the direct implementation of safeguards for secure Kubernetes-based workloads. These include:

- **Access Control (164.312(a)(1))**: Managing access through role-based policies and workload isolation.
- **Audit Controls (164.312(b))**: Recording and monitoring access through centralized logging and immutable storage.
- **Transmission Security (164.312(e)(1))**: Protecting data during transmission using encryption and communication isolation.

- **Partially Applicable Safeguards**: Some safeguards are partially addressed, requiring additional integrations or organizational policies:

- **Integrity (164.312(c)(1))**: Validating workloads and enabling backup solutions for critical data.
- **Person or Entity Authentication (164.312(d))**: Strengthening access verification through layered authentication and granular permissions.

SAAP directly addresses key technical safeguards within the HIPAA Security Rule by leveraging Kubernetes’ native features and best practices. It enables healthcare organizations to secure their Kubernetes-based workloads, simplify compliance efforts, and protect sensitive ePHI data. While SAAP primarily focuses on technical safeguards, compliance with administrative and physical safeguards requires broader organizational policies and processes.

By integrating SAAP’s capabilities into their infrastructure, organizations can:

- Implement strong access control mechanisms to protect sensitive information.
- Facilitate monitoring and auditing of system activities to ensure compliance.
- Protect the integrity and confidentiality of ePHI both at rest and in transit.

SAAP enables organizations to align with HIPAA regulations while streamlining the management of modern cloud-native environments.
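Review bot: the headline "Technical Safeguard Provisions Addressed by SAAP: 5" counts the two safeguards the body itself classes as only partially addressed (Integrity, Person or Entity Authentication); either say "addressed or partially addressed" or split the count into 3 direct and 2 partial so the summary matches the list. The citations should carry the part on first use ("45 CFR §164.312(a)(1)") so they resolve to the regulation text, and "Total Safeguards in HIPAA Security Rule: 3" describes three safeguard categories, not three safeguards.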
4 changes: 4 additions & 0 deletions content/for-cisos-dpos/iso27k1.md
@@ -1,5 +1,9 @@
# ISO 27001 Controls

!!! danger "Disclaimer"

It is important to note that the information provided in this document is for general informational purposes only. Any liability for the completeness, accuracy, timeliness, or reliability of the content is expressly excluded. Organizations are advised to consult with legal, compliance, or technical experts to ensure that their specific compliance and security needs are adequately addressed.

ISO 27001, an international standard for information security, includes 14 domains and 114 controls aimed at protecting information assets. SAAP plays a critical role in enabling compliance with these controls by focusing on the technical aspects of Kubernetes-based workloads.

- Total Domains in ISO 27001: 14
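Review bot: "14 domains and 114 controls" describes the Annex A of ISO/IEC 27001:2013; the 2022 revision reorganised Annex A into 4 themes and 93 controls, and certificates against the 2013 edition expire on the transition deadline of 31 October 2025. Name the edition in the intro sentence and in the "Total Domains" bullet, otherwise readers mapping to the current standard will not find 14 domains.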
4 changes: 4 additions & 0 deletions content/for-cisos-dpos/nist-sp-800-171.md
@@ -1,5 +1,9 @@
# NIST SP 800-171 Controls

!!! danger "Disclaimer"

It is important to note that the information provided in this document is for general informational purposes only. Any liability for the completeness, accuracy, timeliness, or reliability of the content is expressly excluded. Organizations are advised to consult with legal, compliance, or technical experts to ensure that their specific compliance and security needs are adequately addressed.

NIST SP 800-171, a cybersecurity standard developed by the National Institute of Standards and Technology (NIST), provides 14 families of controls and 110 requirements to protect Controlled Unclassified Information (CUI) in non-federal systems and organizations. SAAP plays a critical role in enabling compliance with these controls by focusing on the technical aspects of Kubernetes-based workloads.

- Total Families in NIST SP 800-171: 14
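Review bot: "14 families of controls and 110 requirements" is SP 800-171 Revision 2; Revision 3, published May 2024, restructured the document to 17 families and 97 requirements. State the revision explicitly in the intro, since the "Total Families in NIST SP 800-171: 14" line and everything that follows depend on which one is meant.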
27 changes: 21 additions & 6 deletions content/for-cisos-dpos/overview.md
@@ -1,15 +1,30 @@
# CISOs and DPOs Guide Overview

At Stakater, compliance is not just a checkbox; it is a cornerstone of our philosophy. We understand the critical role that Data Protection Officers (DPOs) and Chief Information Security Officers (CISOs) play in safeguarding organizational integrity and building trust. With our Risk and Compliance as Code (RCaC) approach, we embed compliance practices directly into the infrastructure and workflows, ensuring that compliance becomes an automated, continuous process.
At Stakater, compliance is not just a checkbox; it is a cornerstone of our philosophy. We understand the critical role that Data Protection Officers (DPOs) and Chief Information Security Officers (CISOs) play in safeguarding organizational integrity and building trust. With our **Risk and Compliance as Code (RCaC)** approach, we embed compliance practices directly into the infrastructure and workflows, ensuring that compliance becomes an automated, continuous process.

Through the Stakater App Agility Platform (SAAP), we provide our customers with the tools and capabilities necessary to achieve and maintain compliance effortlessly. Whether it’s adhering to GDPR, NIST, ISO 27001, BSI IT-Grundschutz or other industry standards, SAAP empowers your teams with automated checks, auditable policies, and streamlined workflows to mitigate risks and stay compliant at all times. By leveraging our platform, organizations can focus on innovation and growth while ensuring that regulatory requirements are consistently met.

To explore specific compliance frameworks and how SAAP addresses them, please refer to the detailed resources linked below:
To explore specific compliance frameworks and how SAAP addresses them, it is essential to understand that these frameworks can be broadly divided into two major categories:

- [GDPR](gdpr-eu.md)
- [ISO270001](iso27k1.md)
- [NIST SP 800 171](nist-sp-800-171.md)
- [BSI IT-Grundschutz](bsi-it-grundschutz.md)
## 1. General Frameworks

These frameworks are widely applicable across industries and focus on providing high-level best practices for security, privacy, and risk management. They serve as foundational guidelines for building secure and compliant environments. SAAP supports measures aligned with frameworks such as:

- **International Organization for Standardization (ISO) 27000 Series**, which outlines best practices for Information Security Management - [ISO270001](iso27k1.md)
- **National Institute of Standards and Technology (NIST) SP 800-171**, focused on strengthening cybersecurity - [NIST SP 800 171](nist-sp-800-171.md)
- **General Data Protection Regulation (GDPR)**, which governs data privacy and protection in the European Union - [GDPR](gdpr-eu.md)
- **BSI IT-Grundschutz**, a comprehensive framework developed by the German Federal Office for Information Security (BSI) to ensure robust information security management - [BSI IT-Grundschutz](bsi-it-grundschutz.md)
- **Center for Internet Security (CIS) Benchmarks**, which provide globally recognized secure configuration guidelines for systems and applications - [CIS Benchmarks](cis.md)
- **SOC 2 Type 2**, is a framework which evaluates the operational effectiveness of an organization’s security, availability, processing integrity, confidentiality, and privacy controls over a defined period - [SOC 2 Type 2](soc2-type2.md)

## 2. Industry-Specific Standards

These standards focus on addressing the unique compliance, security, and operational requirements of specific industries. SAAP incorporates relevant measures that can be applied to help organizations meet compliance requirements in areas such as:

- Patient data protection - [HIPAA](hipaa.md)
- Operational resilience in financial services - [DORA)](dora.md)

SAAP provides a comprehensive approach to compliance by aligning with both industry-specific standards and general frameworks. The platform is designed to address these requirements efficiently, ensuring your organization remains secure and compliant.

## Disclaimer
