Compliance Standards
Overview
The platform supports a growing list of industry-specific regulatory compliance standards and industry benchmark standards relevant to organizations across sectors. Keeping pace with regulatory compliance is a core part of our commitment to deliver cloud governance technology that is easy to use in today's complex technology landscape.
Each compliance standard contains controls (rules) that an organization must satisfy for its resources to comply with that standard.
Compliance Standards Supported by the Platform
Within the platform, SecOps offers a repository of 1600+ policies (guardrails) mapped to the controls of various compliance standards.
Because the policies are shared across standards, a single assessment is enough to measure your compliance posture against all of the standards, regulations, and best practices listed below that are relevant to your organization.
Standards
Standard | Description |
---|---|
AC3 | Abstracted Cloud Compliance Controls: the platform's own internal standard. |
CIS AWS (1.3) | Center for Internet Security Amazon Web Services Foundations Benchmark 1.3 |
CIS AWS (1.4) | Center for Internet Security Amazon Web Services Foundations Benchmark 1.4 |
CIS AWS 2.0 | Center for Internet Security Amazon Web Services Foundations Benchmark 2.0 |
CIS Azure | Center for Internet Security Microsoft Azure Foundations Benchmark 1.2 |
CIS Azure (1.3) | Center for Internet Security Microsoft Azure Foundations Benchmark 1.3 |
CIS Azure (1.5) | Center for Internet Security Microsoft Azure Foundations Benchmark 1.5. Includes only cloud-native controls. |
CIS Azure (1.5) - CS | Center for Internet Security Microsoft Azure Foundations Benchmark 1.5. Includes platform-native controls. |
CIS Azure (2.0) | Center for Internet Security Microsoft Azure Foundations Benchmark 2.0 |
CIS OCI | Center for Internet Security Oracle Cloud Infrastructure Foundations Benchmark |
CIS GCP | Center for Internet Security Google Cloud Platform Foundations Benchmark. Includes only cloud-native controls. |
CIS GCP - CS | Center for Internet Security Google Cloud Platform Foundations Benchmark. Includes platform-native controls. |
FedRAMP Moderate | Federal Risk and Authorization Management Program, Moderate baseline |
FedRAMP High | Federal Risk and Authorization Management Program, High baseline |
GDPR | General Data Protection Regulation (EU) |
HIPAA | Health Insurance Portability and Accountability Act |
ISO/IEC 27001 | Information technology, Security techniques, Information security management systems, Requirements |
ISO/IEC 27017 | ISO/IEC code of practice for information security controls for cloud services |
NIST SP 800-53 Rev. 4 | National Institute of Standards and Technology Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, Revision 4 |
NIST SP 800-53 Rev. 5 | National Institute of Standards and Technology Special Publication 800-53, Security and Privacy Controls for Information Systems and Organizations, Revision 5 |
PCI DSS | Payment Card Industry Data Security Standard |
SOC 2 | System and Organization Controls 2, Trust Services Criteria (Type 2 report) |
Platform Compliance
The platform itself complies with the following standards:
Standard | Description |
---|---|
ISO/IEC 27001 | Information technology, Security techniques, Information security management systems, Requirements |
SOC 2 | System and Organization Controls 2, Trust Services Criteria (Type 2 report) |
Navigation
Click Compliance in the left navigation menu and select the Standards option to open the Compliance Controls screen.
The tabs at the top represent the scope of the standards. There are two tabs: Marketplace and My Standards.
Marketplace
The platform provides a wide range of pre-defined standards that help you achieve compliance and security goals. These are pre-loaded for all subscriptions and can be executed on demand or on a schedule.
These standards are available across all tenants, are created by the Product Administrator, and are managed by the platform. In on-premises installations they are managed by the on-site administrator.
My Standards
These standards are created by end users and are visible only to users within the tenant. Depending on your role and access policies, you can add standards or edit and delete existing ones in this tab.
Compliance Schedules
Schedules can be set for any available compliance standard in the platform. Based on the frequency, time, date, and other settings provided by the user, the standard's assessment runs automatically at the scheduled times, so no manual trigger is needed.
Viewing Schedules
Perform the following steps to view schedules for compliance standards:
- Access the platform and go to Compliance > Standards.
- Go to the Schedules tab.
You can view the list of available schedules along with details like the schedule name, compliance standard, cloud account details, recurrence, and date/time when the next schedule will be run.
The Schedule Details section on the right of the screen shows the schedule details like next run time, schedule name, compliance standard, recurrence, created time, and last updated.
You can see Upcoming and Past tabs on the top-right side of the screen. The Upcoming tab lists the schedules that will be run in future and the Past tab lists the schedules that have already run.
Note:
You can filter the schedules by compliance standards, cloud accounts, and recurrence to view more specific details. To apply a filter, click the Filter icon right above the Schedule Details section. In the Filter pane, select values in the following fields and then click Apply Filter.
- In the Compliance Standards list, click to select one compliance standard and click Apply.
- In the Cloud Accounts list, click to select one cloud account and click Apply.
- In the Recurrence list, click to select the frequency of the schedule and click Apply.
You can click Reset on the Filter pane to clear the values added by you for the filter.
Updating a Schedule
Perform the following steps to update a schedule:
- On the Schedules tab, select a schedule in the left pane, then in the Schedule Details section on the right pane, click Edit.
- On the SCHEDULE screen, update the required fields, and click UPDATE.
A confirmation appears after the details are updated.
Adding a Schedule
Perform the following steps to add a new schedule:
- On the Schedules tab, click the plus (+) icon.
- On the SCHEDULE screen, perform the following and click CREATE.
- In the Standard list, click to select a compliance standard, and click Apply.
- In the Name box, type the name of the schedule.
- In the Description text box, type a description for the schedule. This is not a mandatory field to be filled.
- In the Schedule Settings section, select one option from: Once, Daily, Weekly, Monthly, and Annually.
Note:
In the Schedule Settings section, different fields appear depending on the selected scheduling option.
- If you select Once: fill the Set Date and Set Time fields.
- If you select Daily: fill the Repeat Every and Set Time fields.
- If you select Weekly: fill the Repeat Every, Select Week day(s), and Set Time fields.
- If you select Monthly: fill the Repeat Every and Set Time fields, plus one of the following:
  - the Day and of Every fields
  - the Select the Day(s) field
  - the Last Day of the Month option
- If you select Annually: fill the Repeat Every, At What Month, and Set Time fields, plus one of the following:
  - the Day and of Every fields
  - the Select Date of the Month field
Deleting a Schedule
Perform the following steps to delete a schedule:
- On the Schedules tab, select a schedule in the left pane, then in the Schedule Details section on the right pane, click Delete.
A dialog box asks you to confirm the deletion.
- Click OK to delete the schedule.
Compliance Notifications
Users can configure notifications for compliance standards. After a compliance standard runs successfully, a notification is sent to the configured email address or webhook, but only if violations were found. The notification carries a summary of the run, including the violation details.
Perform the following steps to configure notifications:
- Click Compliance > Standards > Notifications.
- Click Create New (plus icon) on the top-right corner of the screen. The Create New Notification dialog box appears.
- In the Please Select Cloud Account list, click to select a cloud account, and then click Apply.
- In the Email Address box, type the email address of the recipient.
- In the Webhook box, type the webhook URL.
- In the Microsoft Teams Webhook box, type the Microsoft Teams webhook URL.
Note:
To configure a notification, at least one of the Email Address, Webhook, and Microsoft Teams Webhook fields must be filled in.
- Click CREATE.
A new notification is added for the cloud account. You can view this notification on the left pane of the screen, and you can update or delete notification configurations later.
Update Notification Configuration
To edit/update notification details for an existing notification, perform the following steps:
- On the left pane, select a cloud account. The corresponding details appear in the Notification Details section.
- To update notification details, click Edit.
- Make the required changes and then click Save.
Note:
You can click Delete to delete the notification configuration.
Search and Filter Standards
The platform offers search and filter functions to help you quickly find the standards you need. The Search bar is available just above the standards list and matches on the standard's Name. To filter standards, click the Filter icon at the right end above the standards list; you can filter by Service and by Scope.
Creating My Standards
The platform also lets users create their own standards and controls, so they can assess resources against requirements that the pre-defined standards do not cover. Perform the following steps in the My Standards tab of the Compliance Controls screen to create a new standard.
- Click New Standard button.
- Provide the following details to create the standard.
Field | Description |
---|---|
Name | Specify a name for the new compliance standard. |
Description | Provide a detailed description about the compliance standard. |
Service | Select from the dropdown list the cloud service provider to which the new compliance standard applies. |
Scope | Select the boundary that defines where the compliance standard applies: Account or Tenant. |
Compliance Logo | Click Choose Logo button and upload a logo for the new compliance standard. |
Upload JSON | Upload a JSON file that has the control attributes defined in it. You can download a sample JSON format that is available for reference. |
- Click the Create button to create the new standard.
A new compliance standard will be created and listed in the My Standards tab.
Note:
Control attributes cannot be changed once the controls are loaded. To add or delete a control attribute, delete the controls together with the standard you created, then re-create the standard with the updated JSON.
Managing Existing Standards
You can manage the existing compliance standards in the My Standards tab with the following options.
- Click the Edit icon on the standard to update the details configured in the standard.
- Click the Delete icon on the standard to delete the standard.
Working with Standards
You can perform the following operations on compliance standards.
- Click the Status icon on the standard to view the status of assessments performed using the standard.
- Click the Assess icon on the standard to assess resources using the standard.
- Click the History icon on the standard to view the history of assessments performed using the standard.
- Click the Controls button on the standard to view the control objectives associated with the standard.
Compliance Controls
Compliance controls are individual rules enforced by the organization. Each control can be created to match a specific auditing specification or need. By default, the platform provides a few essential controls for each standard, the ones any organization seeking certification against that standard is required to meet. Additional controls can be created as needed for a particular scenario.
Note:
To create a compliance control, the user must have suitable role such as account_admin or ops_admin.
Creating Control Objectives
The following steps need to be performed to create and add control objectives to a compliance standard.
- Click Controls button available in the required standard.
- Click Add Control Objectives button.
- Specify the required values in the fields.
- Click Save Control button.
A new control is created and listed in the Compliance Controls tab.
If the control is of the automated type, suitable policies can be mapped to it from the platform's policies. A standard created in My Standards exists only at the tenant level, so any custom policy mapped to its controls must be available to the current tenant.
Managing Control Objectives
You can manage the existing control objectives by using the below explained options.
- Controls created by the user can be edited as needed. To edit a control, select the control, open the preview side bar, click the "more details" button in the preview tab, and then click the menu button (vertical three dots). Select the Edit Control option from the menu. After making the changes, click Save Control to save them.
- To delete a control, select the control, open the preview side bar, and select the Delete option from the menu. A pop-up asks you to confirm that you want to delete the control. Click OK to proceed.
Updating Manual Type Controls
The controls which cannot be automated are classified as manual type controls. The platform allows the end users to manually update the status of manual type controls.
- Click Action button of the manual type control.
- Update the Remarks field and the updated date.
- Click Resolve to mark it as success or click Mark Violations to mark it as violations.
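The following added example (not the platform's own code) shows the data model that the sections above describe: a shared repository of policies (guardrails), standards whose automated controls map onto those policies, and manual-type controls whose status a reviewer sets with Resolve or Mark Violations. Because the policy results are shared, one assessment run scores every standard at once, which is what "assessing once" means in the overview. The control IDs, policy names and result values below are constructed for illustration and do not correspond to any real benchmark numbering.

```python
"""Score several compliance standards from one set of policy results.

Added example, not code from the platform. Everything here is constructed:
the policy names, the control IDs, and the assessment results.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Control:
    control_id: str
    automated: bool
    policies: List[str] = field(default_factory=list)  # guardrails mapped to an automated control
    manual_status: Optional[str] = None  # "resolved" / "violation" / None for manual controls


@dataclass
class Standard:
    name: str
    controls: List[Control]


def control_status(control: Control, policy_results: Dict[str, bool]) -> str:
    """Return 'pass', 'fail' or 'unassessed' for a single control.

    Manual controls carry whatever the reviewer set (Resolve -> pass,
    Mark Violations -> fail, untouched -> unassessed).
    Automated controls fail when ANY mapped policy reports a violation (False);
    a mapped policy with no result at all leaves the control unassessed rather
    than silently passing it.
    """
    if not control.automated:
        return {"resolved": "pass", "violation": "fail"}.get(control.manual_status, "unassessed")
    if not control.policies:
        return "unassessed"
    results = [policy_results.get(p) for p in control.policies]
    if any(r is False for r in results):
        return "fail"
    if any(r is None for r in results):
        return "unassessed"
    return "pass"


def posture(standard: Standard, policy_results: Dict[str, bool]) -> dict:
    """Summarise one standard: counts per status, failing control IDs, pass score.

    The score counts only assessed controls so that unassessed ones neither
    inflate nor deflate it; they are reported separately for follow-up.
    """
    counts = {"pass": 0, "fail": 0, "unassessed": 0}
    failing = []
    for control in standard.controls:
        status = control_status(control, policy_results)
        counts[status] += 1
        if status == "fail":
            failing.append(control.control_id)
    assessed = counts["pass"] + counts["fail"]
    score = round(100.0 * counts["pass"] / assessed, 1) if assessed else 0.0
    return {"standard": standard.name, "score": score, "failing": failing, **counts}


def run_example() -> List[dict]:
    # Constructed result of a single policy run: True = compliant, False = violation.
    # Note that no result exists for "ebs_default_encryption" (e.g. not evaluated).
    policy_results = {
        "root_mfa_enabled": True,
        "cloudtrail_all_regions": False,
        "s3_public_access_blocked": True,
        "kms_key_rotation": True,
    }
    # Two constructed standards that share policies; B-1 reuses two of A's guardrails.
    standard_a = Standard("Sample benchmark A", [
        Control("A-1", automated=True, policies=["root_mfa_enabled"]),
        Control("A-2", automated=True, policies=["cloudtrail_all_regions"]),
        Control("A-3", automated=True, policies=["s3_public_access_blocked", "kms_key_rotation"]),
        Control("A-4", automated=True, policies=["ebs_default_encryption"]),
    ])
    standard_b = Standard("Sample framework B", [
        Control("B-1", automated=True, policies=["root_mfa_enabled", "cloudtrail_all_regions"]),
        Control("B-2", automated=False, manual_status="resolved"),   # reviewer clicked Resolve
        Control("B-3", automated=False),                              # not yet reviewed
    ])
    return [posture(standard_a, policy_results), posture(standard_b, policy_results)]


if __name__ == "__main__":
    for summary in run_example():
        print(summary)
```

The one CloudTrail violation fails a control in both standards, which is the practical payoff of the shared policy repository: fixing the guardrail once clears it everywhere. Treating a missing policy result as "unassessed" rather than "pass" is deliberate; a compliance score that silently counts unevaluated controls as compliant is the most common way a dashboard overstates posture.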