My Standards

Suggest Edits

Introduction

You can create your own custom compliance standards that are tailored to your own business needs, standards, and organizational policies. These standards would be visible only for users within the tenant. You can also edit/delete existing standards based on your role and access policies.

Creating a new standard

  1. Click Compliance > Standards.

  1. Click Standards (Marketplace) drop-down > My Standards.

The My Standard window appears.

  1. Select the green New Standard button in the top-right corner.
  2. Input a Name and an optional Description.
  3. Select the Service this new Standard will apply to:
    a. AWS, Azure, GCP, Oracle, or VMWare (Do not 'Select All')
  4. Select Engine Type for the Policies you will be using.
    a. (Details on Policy Engines found here)

  1. Select the Scope that this Standard will apply to:
    a. The current Tenant, or all Tenants within the Account.
  2. Select a logo:
    a. Logo should be in PNG format and have dimensions of around 250 × 200 pixels.
  3. Upload your JSON File:
    a. JSON File will determine Control Objectives and must align with CSV/XSLX for Bulk Uploads.

📘

Note:

When you upload an excel with respect to policies in our market place, the policy having default value will be configured by default. You can change the values any time.

Creating Control Objectives

You have the option to upload Control Objectives to your created Standard either individually or in bulk using a CSV/XSLX file.

Instructions for both processes follow below.

Create an Individual Control Objective

  1. Click Controls under the Logo of your selected Standard.
  2. Click on Add Control Objectives.
  3. These options will differ based on the JSON file uploaded during Standard Creation.
  4. Please fill out each of the Control Objectives and Control Objectives Actions.
  5. Click on Save Controls to finish creating the Control Objective.
  6. If you selected Manual for Control Action Nature, there are no further steps.
    a. Non-Compliance with this standard will provide notifications only.
  7. If You select Automated for Control Action Nature, then click on the new Control created.
  8. On the new screen, you will be able to see Control Information, click the + symbol top-right.
  9. The Add Policy button (+) will allow you to search for and select policies to add.
  10. Confirm that your Control has all of the Policies required for operation by clicking on it.
  11. Review Policy Mapping under Control Information.

To Bulk Upload Control Objectives

  1. Click Controls under the Logo of your selected Standard.
  2. Click on Add Control Objectives.
  3. Click Bulk in the top right corner to toggle from the Blue Single selection.

  1. Click Browse and upload the excel sheet in CSV or XSLX format.
    a. The columns of the Spreadsheet should correlate with the JSON file instructions uploaded.
  2. Click Save controls. The controls will be created for the selected tenants.
    a. If any policies have been designated by their URIs within the spreadsheet, they will also be
    mapped within 24 hours.

The following sample JSON is an example representing a My Standards model:

{
  "control_action_attributes": {
    "action_method": {
      "optional": false,
      "ui-text-element": "dropdown",
      "allowed_values": [
        "Report",
        "Policy",
        "Validation",
        "Monitoring",
        "checklist"
      ],
      "filter": false,
      "position": 5,
      "label": "Control action method",
      "type": "string"
    },
    "nature": {
      "optional": false,
      "ui-text-element": "dropdown",
      "allowed_values": [
        "Manual",
        "Automated"
      ],
      "filter": true,
      "position": 2,
      "label": "Control action nature",
      "type": "string"
    },
    "purpose": {
      "optional": false,
      "ui-text-element": "dropdown",
      "allowed_values": [
        "Preventive",
        "Detective"
      ],
      "filter": false,
      "position": 3,
      "label": "Control action purpose",
      "type": "string"
    },
    "classification": {
      "optional": false,
      "ui-text-element": "dropdown",
      "allowed_values": [
        "Process",
        "Technical"
      ],
      "filter": false,
      "position": 4,
      "label": "Control action classification",
      "type": "string"
    },
    "level": {
      "optional": false,
      "ui-text-element": "dropdown",
      "allowed_values": [
        "Cloud account",
        "Organization",
        "Resource",
        "OS"
      ],
      "filter": true,
      "position": 1,
      "label": "Control action level",
      "type": "string"
    }
  },
  "control_attributes": {
    "Security_Control_Clause": {
      "optional": false,
      "ui-text-element": "dropdown",
      "allowed_values": [
        "5. Security policy",
        "6. Organization of information security",
        "7. Human resources security",
        "8. Asset management",
        "9. Access control",
        "10. Cryptography",
        "12. Operations security",
        "13. Communications security",
        "14. System acquistion, development and maintenance",
        "15. Supplier relationships",
        "16. Information security incident management",
        "17. Information security aspects of business continuity management",
        "18. Compliance"
      ],
      "abstracted-name": "Category",
      "position": 1,
      "label": "Security Control Clause",
      "type": "string"
    },
    "Security_Category": {
      "type": "string",
      "ui-text-element": "dropdown",
      "label": "Security Category",
      "abstracted-name": "Subcategory",
      "filter": true,
      "position": 2,
      "allowed_values": [
        "5.1 Information Security Policy",
        "6.1 internal organization",
        "6.2 Mobile devices and teleworking",
        "7.1 Prior to employment",
        "7.2 During employment",
        "7.3 Termination and change of employment",
        "8.1 Responsibility for assets",
        "9.1 Business requirements of access control",
        "9.2 User access management",
        "9.3 User responsibilities",
        "9.4 System and application access control",
        "10.1 Cryptography controls",
        "12.1 Operational procedures and responsibiities",
        "12.2 Protection from malware",
        "12.3 Backup",
        "12.4 Logging and monitoring",
        "12.5 Control of operational software",
        "12.6 Technical vulnerability management",
        "12.7 Information system audit considerations",
        "13.1 Network security management",
        "13.2 Information transfer",
        "14.1 Security requirements of information systems",
        "14.2 Security in development and support processes",
        "14.3 Test Data",
        "15.1 Information security in supplier relationships",
        "15.2 Supplier service delivery management",
        "16.1 Management of information security incidents and improvements",
        "17.1 Information Security Continuity",
        "17.2 Redundancies",
        "18.1 Compliance with legal and contractual requirements",
        "18.2 Information security reviews"
      ],
      "optional": false
    },
    "Control_Objective": {
      "type": "string",
      "ui-text-element": "text-area",
      "label": "Control Objective",
      "filter": false,
      "position": 3,
      "abstracted-name": "Control Name",
      "purpose": "compliance_control_name",
      "optional": false
    },
    "description": {
      "type": "string",
      "ui-text-element": "text-area",
      "label": "Description",
      "filter": false,
      "position": 4,
      "optional": false
    }
  }
}

Scheduling My Standard

In addition to creating custom standards, users can also set the scheduled frequency for how often that standard should be applied in CoreStack.

Follow the steps below to learn how you can set the scheduling for a custom standard tied to a cloud account.

  1. Login to CoreStack and navigate to “Governance’ > “ Account Governance” in the left navigation menu.

  1. A list of accounts onboarded to CoreStack will be listed. On the right-hand side of a listed account, select the “View” tab and then click on “View Settings”.

  1. Click on the “Governance Configuration” tab in the left-side menu.

  1. Click on the “Compliance“ tab along the top to view the list of standards available in CoreStack.

  1. Scroll through until you see the custom standard you created and select it, then click on ‘Configure”.

  1. CoreStack will check for validation of all the necessary permissions on the native cloud provider end. After a successful validation, click on “Next”.

  1. There are two options available for executing the standard in the account selected:

a. On-Demand execution: Execution of the standard will be triggered the moment the ‘Save and Finish’ button is clicked.

b. Scheduled execution: Execution of the standard will be triggered “Daily”, “Weekly”, “Monthly” or “Yearly” based on your selection. To enable this option, the “Schedule execution” toggle switch needs to be on and the frequency level needs to be set.

  1. After the preferred execution option has been selected, click on “Save and Finish”.

  1. After the standard had been assigned, the execution result will be visible by navigating to Compliance > Posture in the main navigation menu.

📘

Note: The number above the “Green” Control Status bar represents the number of standards which have passed, and the number above the “Red” coloured bar represents the set of standards which have failed.

  1. Reports can also be generated by clicking on the “Reports” option shown on the left side of the screen.

  1. Click on the “Compliance” option available in the screen as shown below.

  1. Click on the “Compliance Assessment” option, as shown below, to generate an assessment report for the respective cloud account.

📘

Note:

The time taken for the report to be generated after the assessment has been initiated is estimated to be around 12 hours.

Updated 7 months ago