Compliance Standards

Overview

CoreStack supports a growing list of industry-specific regulatory compliance standards and industry benchmark standards relevant to modern corporations across various sectors. Keeping pace with regulatory compliance is a core part of our commitment to deliver industry-leading cloud governance technology with unrivaled ease-of-use in today's complex tech landscape.

Each compliance standard contains various controls or rules that represent guidelines that need to be followed by an organization in order for their resources to comply with industry standards.

Compliance standards supported by CoreStack

CoreStack's SecOps platform offers a rich repository of 1600+ policies (guardrails) mapped to various compliance standards.

Assessing once is all that's required to measure your compliance posture against multiple industry standards, regulations, and best practices relevant to your organization from the lists below.

Standards

CoreStack Abstracted Cloud Compliance Controls
CIS Azure (1.2) - Center for Information Security Microsoft Azure Foundations Security Benchmark 1.2
CIS Azure (1.3) - Center for Information Security Microsoft Azure Foundations Security Benchmark 1.3
CIS AWS (1.3) - Center for Information Security Amazon Web Services Foundations 1.3
CIS OCI - Center for Information Security Oracle Cloud Foundations Security Benchmark
CIS GCP - Center for Information Security Google Cloud Foundations Security Benchmark
FedRAMP Moderate - Federal Risk and Authorization Management Program, Moderate
FedRAMP High - Federal Risk and Authorization Management Program, High
GDPR - General Data Protection Regulation
HIPAA - Health Insurance Portability and Accountability Act (HIPAA)
ISO/IEC 27000-1 - Information Technology, Security Techniques, Information Security Management Systems
ISO/IEC 27017 - International Standard Organization Security controls for Cloud Services
NIST SP 800-53 Rev. 4 - National Institute of Standards and Technology, Revision 4
NIST SP 800-53 Rev. 5 - National Institute of Standards and Technology Revision 5
PCI DSS - Payment Card Industry Data Security Standard
SOC 2 - System and Organization Controls Type 2: Trust Services Criteria

Best Practices

CoreStack compliance

CoreStack, as a platform, complies with the following standards:

ISO/IEC 27001 - Information Technology, Security Techniques, Information Security Management Systems
SOC 2 - System and Organization Controls Type 2: Trust Services Criteria

Navigation

Click Compliance _in the Left navigation menu and select _Standards _option to land in _Compliance Controls screen.

The tabs at the top represent the scope of the standards. There are 2 tabs – Marketplace _and _My Standards.

Marketplace

CoreStack provides a wide range of Pre-defined standards which can help in achieving Compliance and Security standards. These are Pre-loaded for all subscriptions and can be executed on-demand or scheduled.

These standards are available across all tenants and are created by the Product Administrator. It is managed by CoreStack. In on-premises installations, it will be managed by the on-site administrator.

My Standards

These standards can be created by end users. These standards would be visible only for users within the tenant. You can add more standards or edit/delete existing standards in this tab based on your role and access policies.

Search and Filter Standards

CoreStack offers search and filter functions to help quickly look for the standards you need. The Search bar is available just above the standards list and works based on the Name mapped to it. To Filter Standards, you can click on the Filter icon placed to the right end above the standards list. Filter by services and scope is available.

Creating My Standards

CoreStack also provides the option for users to create their own standards and control, which help them to assess their standards. The following steps need to be performed in the My Standards tab of the Compliance Controls screen to create a new standard.

  1. Click "New Standard" button.
  2. Provide the following details to create the standard.
FieldDescription
NameSpecify a name for the new compliance standard.
DescriptionProvide a detailed description about the compliance standard.
ServiceSelect a required cloud service provider from the dropdown list in which the new compliance standard will be applicable.
ScopeSelect the required boundary to define the area of influence for the compliance standard: Account or Tenant.
Compliance LogoClick Choose Logo button and upload a logo for the new compliance standard.
Upload JSONUpload the JSON file that has the control attributes defined in it. You can download the sample JSON format that is available for reference.
  1. Click Create button to create the new standard.

A new compliance standard will be created and listed in the My Standards tab.

📘

Note: If any control attribute needs to be added or deleted after the controls are loaded, then controls should be deleted along with created standard before a new control attribute is added.

Managing Existing Standards

You can manage the existing compliance standards in My Standards tab by using the below explained options.

  • By clicking on the _Edit _icon available in the standard, you can update the details configured in the standard.
  • By clicking on the _Delete _icon available in the standard, you can delete the standard.

Working with Standards

You can perform the following operations in compliance standards.

  • By clicking on the _Status _icon available in the standard, you can view the status of assessments performed using the standard.
  • By clicking on the _Assess _icon available in the standard, you can perform assessment of resources using the standard.
  • By clicking on the _History _icon available in the standard, you can view the history of assessments performed using the standard.
  • By clicking on the _Controls _button available in the standard, you can view the control objectives associated with the standard.

Compliance Controls

Compliance controls are individual rules which are enforced by the organization. Each control can be created as required by individual auditing specification and needs. CoreStack by default provides few essential controls for each standard, these are essential controls which are required for any organization looking into getting a certification for the standard. Any additional controls can be created as need for a required scenario.

📘

Note: To create a compliance control, the CoreStack user must have suitable role such as account_admin or ops_admin.

Creating Control Objectives

The following steps need to be performed to create and add control objectives to a compliance standard.

  1. Click Controls button available in the required standard.
  2. Click Add Control Objectives button.
  3. Specify the required values in the fields.
  4. Click Save Control button.

A new control will be created and listed in the Compliance Controls tab.

If the control created is automated type, suitable policies can be mapped to the controls from CoreStack polices. The New tenant created is only available in the tenant level, any custom policy created for the control should be available to the current tenant.

Managing Control Objectives

You can manage the existing control objectives by using the below explained options.

  • Controls created by the user can be edited and changed as needed. To edit a control, select the control, navigate to the preview side bar from the menu, select the "more details button" in the preview tab and press the menu _button ":`" . Select _Edit Control option from the menu. After making the changes, click on Save Control button to update the changes.
  • To delete a control, select the control, navigate to the preview side bar from the menu, and select Delete _option from the menu. A pop up will appear asking you to confirm if you want to proceed to delete the control. Click "_OK" to proceed.

Updating Manual Type Controls

The controls which are not automatable are classified as manual type controls. CoreStack allows the end users to manually update the status of manual type controls.

  1. Click Action button of the manual type control.
  2. Update the _Remarks _field and the updated date.
  3. Click Resolve to mark it as success or click Mark Violations to mark it as violations.