
SC.09 — Asset Management

System: AI Connectors Platform
Last updated: 2026-04-29

This document describes how the AI Connectors platform fulfils the SC.09 control category.


Control Attestation Table

| Control | Description | Status | Evidence |
| --- | --- | --- | --- |
| CTRL0537518 — SC.09.01 | Maintain a list of critical components | Compliant | Infrastructure documented in docs/compliance/operation-maintenance.md section 3; architecture overview in docs/compliance/architecture-data-flow.md; Terraform state in the infra/ tree provides the component inventory (ECS services, ECR repos, DynamoDB tables, ALB rules, Route53 records, SSM params); ServiceNow ITOM business application record. |
| CTRL0537496 — SC.09.02 | Add an overview of components and their dependencies | Compliant | Data flow diagram in docs/compliance/architecture-data-flow.md section 4; network diagram showing VPC, subnets, ALB, ECS tasks, DynamoDB, SSM; component dependency tree (ECS → ALB → Route53 → ACM, ECS → DynamoDB, ECS → SSM). |
| CTRL0537491 — SC.09.04 | Critical infrastructure documentation | Compliant | AWS infrastructure deployed exclusively in AWS us-east-1 (Virginia, USA); no deployment in sanctioned or geopolitically unstable regions; documented in docs/compliance/architecture-data-flow.md section 2 (AWS account IDs and regions); no CISO exception required. |

Security Controls Reference

CTRL0537518 — SC.09.01: Maintain a list of critical components

Control Text: Maintain a list of critical components of the IT Solution.

Applicability: Basic IT security requirement.

Additional Description

Establishing a basic inventory of technical components is fundamental for maintaining the IT solution and is an important input for security processes such as patch management, technical vulnerability management, and system hardening.

It is not necessary to document all components exhaustively — focus on identifying the critical components that need to be protected and managed. Examples of fields to document per component:

  • Type: Server, network device, etc.
  • Location: City, building, room, rack
  • Manufacturer / Model / Version / Serial Number
  • Hardware support status: e.g. EoL date, support contract in place
  • Software: OS and application versions
  • Host name / IP address
  • Point of contact: Name, email, phone number

For more information on hardware asset management, see the dedicated site on the IT Hub.

Detailed Description

The AI Connectors platform maintains a complete inventory of all critical infrastructure components through infrastructure-as-code using Terraform and Terragrunt. All AWS resources, Azure AD app registrations, and external dependencies are documented in version-controlled configuration files, with the Terraform state serving as the authoritative real-time inventory. This approach ensures that every deployed component—from shared infrastructure like VPCs and load balancers to per-MCP resources like ECS services and DynamoDB tables—is traceable, version-controlled, and continuously updated through automated CI/CD workflows.

Implementation Considerations


CTRL0537496 — SC.09.02: Add an overview of components and their dependencies

Control Text: It is recommended to add an overview of system/network architecture and data flow in addition to the list of critical components.

Applicability: Basic IT security requirement.

Additional Description

Data flow diagrams and system/network architecture overviews help visualise the different system components and the data flows between them. This makes it easier to:

  • Identify confidential information that needs to be protected
  • Identify system components that may require additional security controls

Detailed Description

The platform maintains detailed architecture diagrams and data flow documentation that visualize how components interact, where data flows, and which security controls are applied at each layer. This documentation maps the complete request lifecycle from AI clients through DNS, load balancers, and ECS tasks to backend APIs, explicitly showing all vertical and horizontal dependencies between components. The architecture visibility enables effective threat modeling, helps identify confidential data requiring protection, and ensures security teams can quickly understand system behavior during incident response or security reviews.

Implementation Considerations


CTRL0537491 — SC.09.04: Critical infrastructure documentation

Control Text: Critical infrastructure, such as domain controllers, must not be physically located in geopolitically unstable regions or areas under international trade sanctions. Any existing or planned deployments in these regions must obtain prior authorisation from Global Information Security.

Applicability: The IT Solution is an infrastructure.

Additional Description

The purpose of this control is to ensure that Novo Nordisk's critical infrastructure (including domain controllers, firewalls, switches, and routers) is not exposed to increased risk due to geopolitical instability or legal restrictions arising from international trade sanctions.

Key requirements:

  • The list of sanctioned and high-risk countries is maintained in the Global Legal & Patents SharePoint site. When in doubt, consult the legal department.
  • A Type 2 exception from Global Information Security is required for any deployment in sanctioned or high-risk countries, and must be approved by the CISO before deployment.
  • If an exception is approved, additional security controls must be implemented (encryption, enhanced monitoring, access controls).
  • Contingency plans should include rapid relocation or shutdown of critical infrastructure.
  • Periodically review the geopolitical situation and international sanctions to ensure ongoing compliance.

The attestation response is "Yes" with a statement that the infrastructure is not placed in a geopolitically unstable zone, supported by a network diagram or similar.

Detailed Description

The platform deploys all critical infrastructure exclusively in AWS eu-central-1 (Frankfurt, Germany), avoiding sanctioned countries and geopolitically unstable regions entirely. The region selection is enforced through Terraform configuration and satisfies both Novo Nordisk's geopolitical risk policies and GDPR data residency requirements, eliminating the need for a CISO Type 2 exception. External dependencies including Azure AD and Microsoft Graph API also operate within the EU data boundary, ensuring all data transfers remain within the EU/EEA.
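The SC.09.01 description treats the Terraform state as the authoritative inventory, and the SC.09.04 description relies on Terraform to pin the deployment region. The script below is an added illustration of how both claims can be checked from one state file; it is not part of the platform's code. It assumes Terraform state JSON version 4 layout, takes the region from each resource's ARN, and receives the allowed region set as a parameter rather than hard-coding one. The sample state is constructed and contains one SSM parameter placed in a different region on purpose.

```python
import json

# Resource types named as the critical inventory in the SC.09.01 evidence.
CRITICAL_TYPES = {
    "aws_ecs_service", "aws_ecr_repository", "aws_dynamodb_table",
    "aws_lb_listener_rule", "aws_route53_record", "aws_ssm_parameter",
}

# Constructed sample state (not the platform's real state). The Route53
# record has no ARN (global service); the SSM parameter is deliberately
# in another region so the residency check has something to report.
SAMPLE_TFSTATE = json.dumps({"version": 4, "resources": [
    {"type": "aws_ecs_service", "name": "api", "instances": [{"attributes":
        {"arn": "arn:aws:ecs:eu-central-1:111111111111:service/cl/api"}}]},
    {"type": "aws_ecr_repository", "name": "api", "instances": [{"attributes":
        {"arn": "arn:aws:ecr:eu-central-1:111111111111:repository/api"}}]},
    {"type": "aws_dynamodb_table", "name": "sessions", "instances": [{"attributes":
        {"arn": "arn:aws:dynamodb:eu-central-1:111111111111:table/sessions"}}]},
    {"type": "aws_route53_record", "name": "api", "instances": [{"attributes":
        {"fqdn": "api.example.invalid"}}]},
    {"type": "aws_ssm_parameter", "module": "module.secrets", "name": "token",
     "instances": [{"attributes":
        {"arn": "arn:aws:ssm:us-east-1:111111111111:parameter/token"}}]},
]})


def arn_region(arn):
    """Region field of arn:partition:service:region:account:resource, or
    None when the ARN is missing or its region field is empty (global)."""
    parts = arn.split(":", 5)
    if len(parts) != 6:
        return None
    return parts[3] or None


def inventory(tfstate_json, allowed_regions):
    """Return (components, violations): the critical-component list built
    from the state, and the regional components outside allowed_regions."""
    state = json.loads(tfstate_json)
    components, violations = [], []
    for res in state.get("resources", []):
        if res["type"] not in CRITICAL_TYPES:
            continue  # supporting resources are not on the critical list
        address = f"{res.get('module', 'root')}.{res['type']}.{res['name']}"
        for inst in res.get("instances", []):
            arn = inst.get("attributes", {}).get("arn", "")
            comp = {"address": address, "type": res["type"],
                    "region": arn_region(arn) or "global"}
            components.append(comp)
            if comp["region"] != "global" and comp["region"] not in allowed_regions:
                violations.append(comp)
    return components, violations
```

Run `inventory(open("terraform.tfstate").read(), {"<declared-region>"})` against a real state export; a non-empty second element is a residency finding to raise before attesting SC.09.04.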

Implementation Considerations