Compliance Standards

Overview

CoreStack supports a growing list of industry-specific regulatory compliance standards and industry benchmark standards relevant to modern corporations across various sectors. Keeping pace with regulatory compliance is a core part of our commitment to deliver industry-leading cloud governance technology with unrivaled ease-of-use in today's complex tech landscape.

Each compliance standard contains various controls or rules that represent guidelines that need to be followed by an organization in order for their resources to comply with industry standards.

Compliance Standards Supported by CoreStack

CoreStack's SecOps platform offers a rich repository of 1600+ policies (guardrails) mapped to various compliance standards.

Assessing once is all that's required to measure your compliance posture against multiple industry standards, regulations, and best practices relevant to your organization from the lists below.

Standards

CoreStack Abstracted Cloud Compliance Controls
AC3 - Abstracted Cloud Compliance Controls – This includes CoreStack internal standards.
CIS AWS (1.3) - Center for Information Security Amazon Web Services Foundations 1.3
CIS AWS (1.4) - Center for Information Security Amazon Web Services Foundations 1.4
CIS AWS 2.0 - Center for Information Security Amazon Web Services Foundations 2.0
CIS Azure - Center for Information Security Microsoft Azure Foundations Security Benchmark 1.2
CIS Azure (1.3) - Center for Information Security Microsoft Azure Foundations Security Benchmark 1.3
CIS Azure (1.5) - Center for Information Security Microsoft Azure Foundations Security Benchmark 1.5. This includes only cloud native standards.
CIS Azure (1.5) - CS - Center for Information Security Microsoft Azure Foundations Security Benchmark 1.5. This includes CoreStack compliance standards.
CIS Azure (2.0) - Center for Information Security Microsoft Azure Foundations Security Benchmark 2.0.
CIS OCI - Center for Information Security Oracle Cloud Foundations Security Benchmark
CIS GCP - Center for Information Security Google Cloud Foundations Security Benchmark. This includes only cloud native standards.
CIS GCP – CS - Center for Information Security Google Cloud Foundations Security Benchmark. This includes CoreStack compliance standards.
FedRAMP Moderate - Federal Risk and Authorization Management Program, Moderate
FedRAMP High - Federal Risk and Authorization Management Program, High
GDPR - General Data Protection Regulation
HIPAA - Health Insurance Portability and Accountability Act (HIPAA)
ISO/IEC 27000-1 - Information Technology, Security Techniques, Information Security Management Systems
ISO/IEC 27017 - International Standard Organization Security controls for Cloud Services
NIST SP 800-53 Rev. 4 - National Institute of Standards and Technology, Revision 4
NIST SP 800-53 Rev. 5 - National Institute of Standards and Technology Revision 5
PCI DSS - Payment Card Industry Data Security Standard
SOC 2 - System and Organization Controls Type 2: Trust Services Criteria

CoreStack Compliance

CoreStack, as a platform, complies with the following standards:

ISO/IEC 27001 - Information Technology, Security Techniques, Information Security Management Systems
SOC 2 - System and Organization Controls Type 2: Trust Services Criteria

Navigation

Click Compliance _in the Left navigation menu and select _Standards _option to land in _Compliance Controls screen.

The tabs at the top represent the scope of the standards. There are 2 tabs – Marketplace _and _My Standards.

Marketplace

CoreStack provides a wide range of Pre-defined standards which can help in achieving Compliance and Security standards. These are Pre-loaded for all subscriptions and can be executed on-demand or scheduled.

These standards are available across all tenants and are created by the Product Administrator. It is managed by CoreStack. In on-premises installations, it will be managed by the on-site administrator.

My Standards

These standards can be created by end users. These standards would be visible only for users within the tenant. You can add more standards or edit/delete existing standards in this tab based on your role and access policies.

Compliance Schedules

Schedules can now be set for available compliance standards in CoreStack. Based on the frequency, time, date, and other specifications provided by users, the compliance standards can be scheduled to run. Running the compliance standards as per their schedules helps in the execution of assessments.

Viewing Schedules

Perform the following steps to view schedules for compliance standards:

  1. Access the CoreStack application and go to Compliance > Standards.

  1. Go to the Schedules tab.

You can view the list of available schedules along with details like the schedule name, compliance standard, cloud account details, recurrence, and date/time when the next schedule will be run.

The Schedule Details section on the right of the screen shows the schedule details like next run time, schedule name, compliance standard, recurrence, created time, and last updated.

You can see Upcoming and Past tabs on the top-right side of the screen. The Upcoming tab lists the schedules that will be run in future and the Past tab lists the schedules that have already run.

Updating a Schedule

Perform the following steps to update a schedule:

  1. On the Schedules tab, select a schedule and on the left pane and on the right pane (in Schedule Details section), click Edit.
  2. On the SCHEDULE screen, update the required fields, and click UPDATE.

A confirmation shows up after the details are updated.

Adding a Schedule

Perform the following steps to add a new schedule:

  1. On the Schedules tab, click the plus (+) icon.

  1. On the SCHEDULE screen, perform the following and click CREATE.
  • In the Standard list, click to select a compliance standard, and click Apply.
  • In the Name box, type the name of the schedule.
  • In the Description text box, type a description for the schedule. This is not a mandatory field to be filled.
  • In the Schedule Settings section, select one option from: Once, Daily, Weekly, Monthly, and Annually.

📘

Note:

In the Schedule Settings section, based on the selected scheduling option, different fields appear.

  • If you select Once: Fill the Set Date and Set Time fields.
  • If you select Daily: Fill the Repeat Every and Set Time fields.
  • If you select Weekly: Fill the Repeat Every, Select Week day(s), and Set Time fields.
  • If you select Monthly: Fill Repeat Every and one of the following:
    • of Every and Day fields
    • Select the Day(s) field
    • Last Day of the Month and Set Time fields
  • If you select Annually: Fill Repeat Every, At What Month, and one of the following fields:
    • of Every and Day fields
    • Or Select Date of the Month and Set Time fields

Deleting a Schedule

Perform the following steps to delete a schedule:

  1. On the Schedules tab, select a schedule and on the left pane and on the right pane (in Schedule Details section), click Delete.

A dialog box displays asking if you would like to delete the schedule or not.

  1. Click OK to delete the existing schedule.

Search and Filter Standards

CoreStack offers search and filter functions to help quickly look for the standards you need. The Search bar is available just above the standards list and works based on the Name mapped to it. To Filter Standards, you can click on the Filter icon placed to the right end above the standards list. Filter by services and scope is available.

Creating My Standards

CoreStack also provides the option for users to create their own standards and control, which help them to assess their standards. The following steps need to be performed in the My Standards tab of the Compliance Controls screen to create a new standard.

  1. Click "New Standard" button.
  2. Provide the following details to create the standard.
FieldDescription
NameSpecify a name for the new compliance standard.
DescriptionProvide a detailed description about the compliance standard.
ServiceSelect a required cloud service provider from the dropdown list in which the new compliance standard will be applicable.
ScopeSelect the required boundary to define the area of influence for the compliance standard: Account or Tenant.
Compliance LogoClick Choose Logo button and upload a logo for the new compliance standard.
Upload JSONUpload the JSON file that has the control attributes defined in it. You can download the sample JSON format that is available for reference.
  1. Click Create button to create the new standard.

A new compliance standard will be created and listed in the My Standards tab.

📘

Note:

If any control attribute needs to be added or deleted after the controls are loaded, then controls should be deleted along with created standard before a new control attribute is added.

Managing Existing Standards

You can manage the existing compliance standards in My Standards tab by using the below explained options.

  • By clicking on the _Edit _icon available in the standard, you can update the details configured in the standard.
  • By clicking on the _Delete _icon available in the standard, you can delete the standard.

Working with Standards

You can perform the following operations in compliance standards.

  • By clicking on the _Status _icon available in the standard, you can view the status of assessments performed using the standard.
  • By clicking on the _Assess _icon available in the standard, you can perform assessment of resources using the standard.
  • By clicking on the _History _icon available in the standard, you can view the history of assessments performed using the standard.
  • By clicking on the _Controls _button available in the standard, you can view the control objectives associated with the standard.

Compliance Controls

Compliance controls are individual rules which are enforced by the organization. Each control can be created as required by individual auditing specification and needs. CoreStack by default provides few essential controls for each standard, these are essential controls which are required for any organization looking into getting a certification for the standard. Any additional controls can be created as need for a required scenario.

📘

Note:

To create a compliance control, the CoreStack user must have suitable role such as account_admin or ops_admin.

Creating Control Objectives

The following steps need to be performed to create and add control objectives to a compliance standard.

  1. Click Controls button available in the required standard.
  2. Click Add Control Objectives button.
  3. Specify the required values in the fields.
  4. Click Save Control button.

A new control will be created and listed in the Compliance Controls tab.

If the control created is automated type, suitable policies can be mapped to the controls from CoreStack polices. The New tenant created is only available in the tenant level, any custom policy created for the control should be available to the current tenant.

Managing Control Objectives

You can manage the existing control objectives by using the below explained options.

  • Controls created by the user can be edited and changed as needed. To edit a control, select the control, navigate to the preview side bar from the menu, select the "more details button" in the preview tab and press the menu _button ":`" . Select _Edit Control option from the menu. After making the changes, click on Save Control button to update the changes.
  • To delete a control, select the control, navigate to the preview side bar from the menu, and select Delete _option from the menu. A pop up will appear asking you to confirm if you want to proceed to delete the control. Click "_OK" to proceed.

Updating Manual Type Controls

The controls which cannot be automated are classified as manual type controls. CoreStack allows the end users to manually update the status of manual type controls.

  1. Click Action button of the manual type control.
  2. Update the _Remarks _field and the updated date.
  3. Click Resolve to mark it as success or click Mark Violations to mark it as violations.