Compliance Management User Guide

Last updated on October 27, 2020

Overview

CloudHealth Secure State (CHSS) Compliance Management helps you accelerate your company’s compliance programs and maintain your targeted conformance goals. Secure State compliance includes natively supported industry standards such as the CIS Foundations benchmarks, NIST 800-53, SOC 2 and many more. Compliance Management is currently in private beta; please reach out to your CloudHealth representative to join.

The Compliance management service allows you to customize the service to only show the frameworks that apply to your business, choose to extend the existing compliance frameworks, and build a new standard based on your company’s specific requirements. Technical controls identified in a standard can be mapped to Secure State native rules. You can extend the predefined frameworks by associating custom rules to existing technical controls. Both predefined industry and custom standards can be continuously monitored and reported from Secure State.


Concepts

Compliance frameworks are a hierarchical collection of Control Groups and Controls. A rule is not owned by a framework as it may be associated to multiple controls across different frameworks.

A Framework is the top-level compliance collection. The framework name appears on the Compliance dashboard and findings pages, and in filters used throughout the product.

A Control Group is a grouping of technical controls within a framework. It is intended for you to organize your controls into common themes, for example mandatory and suggested controls, or access and auditing controls. A framework requires at least one control group; major frameworks typically consist of multiple control groups.

Controls are the individual requirements that must be adhered to. A control is the technical requirement that Secure State can validate with a rule. One or more controls may be assigned to a control group.

Rules are the policy checks that are running to validate and prove that you are adhering to a Control. A rule is not owned by the Framework as it can be associated to different controls in the organization.


Configuring Compliance

Changing Framework Visibility

Once onboarded onto the service, go to Dashboard > Compliance. Here you will see all of the native frameworks that Secure State manages. A framework has two states: published and unpublished. Publishing a framework makes it visible in the platform, on the compliance dashboard and as a filter option. Unpublishing a framework removes it from the compliance dashboard and the filter panel. Use this option to toggle whether a compliance framework is assessed for your environment.

To change the state of a framework:

  1. Navigate to the compliance list page, Governance > Compliance.

  2. Identify the framework and toggle the slider in the publish column.

Associating custom rules to native frameworks

In order to preserve the accuracy and consistency of a CHSS-defined compliance framework, we do not allow changes to native frameworks, control groups, or control settings. However, you can extend a native framework by associating custom rules that you have created with a native control. This table shows when rules and controls can be associated.

To associate a rule to a control:

Note: You must first create a custom rule before proceeding.

  1. Navigate to Governance > Compliance and then choose the compliance framework you want to extend.

  2. Click on the Control tab and choose the Control with which you intend to associate a custom rule.

  3. Click on the Rule Tab and click ASSOCIATE RULE.

  4. Select the rule from the list.

Create a custom framework

Before creating a custom framework, begin by creating an outline of what are the controls that you plan to have in place and how you plan to group similar controls. This is the best way to add compliance frameworks that are relevant to your business, but not natively supported by Secure State. We suggest documenting this in an internal wiki or document that can be linked to when creating a framework as a reference.

Here is an example of a basic framework based on a specific service:

Framework: My Company - AWS Cloud Requirements

  Control Group: 1. Controls for securing S3

    Controls:

      1. S3 Bucket Logging Enabled

      2. S3 Bucket Public Read Prohibited

      3. S3 Bucket Public Write Prohibited

      4. S3 Bucket Replication Enabled

      5. S3 Bucket SSL Requests Only

      6. S3 Bucket Server-Side Encryption Enabled

  1. Navigate to Governance > Compliance

  2. Start by clicking on CREATE FRAMEWORK and walk through the wizard.

  3. Now click into the framework you just created and click Control groups in the sub-menu.

  4. Click ADD CONTROL GROUP and walk through the form.

  5. Choose the control group you created and click Controls.

  6. Click ADD CONTROL and walk through the wizard.

  7. Choose the control you created and click Rules.

  8. Click ASSOCIATE RULE and select the rules that you would like to associate to this control. You can choose either native Secure State or custom rules you have created.

Repeat the steps for all control groups and controls you have identified. Any findings for rules associated with your framework will be part of the compliance assessment for the framework.
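The hierarchy described in the Concepts section and built by the procedure above, worked as an added example that is not part of this guide or of Secure State itself: a small Python model of frameworks, control groups and controls, where rules are associated with controls rather than owned by a framework, and findings roll up only into published frameworks. The rule ids, the finding counts and the second "Draft Baseline" framework are constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed model of the guide's hierarchy: Framework > Control Group > Control.
# Rules are only *associated* to Controls, so one rule id can appear in several frameworks.
@dataclass
class Control:
    name: str
    rules: set = field(default_factory=set)      # associated rule ids

@dataclass
class ControlGroup:
    name: str
    controls: list = field(default_factory=list)

@dataclass
class Framework:
    name: str
    published: bool = True                       # the publish slider on the list page
    groups: list = field(default_factory=list)

    def rule_ids(self):
        return {r for g in self.groups for c in g.controls for r in c.rules}

def assess(frameworks, findings):
    """findings: {rule id: open finding count}. Returns {framework: {control:
    [failing rule ids]}} for published frameworks; unpublished ones are skipped."""
    report = {}
    for fw in frameworks:
        if not fw.published:
            continue
        report[fw.name] = {
            c.name: sorted(r for r in c.rules if findings.get(r, 0) > 0)
            for g in fw.groups for c in g.controls
        }
    return report

def example():
    # Hypothetical rule ids; real ids would come from the Secure State Rules API.
    s3 = ControlGroup("1. Controls for securing S3", [
        Control("S3 Bucket Logging Enabled", {"custom-s3-logging"}),
        Control("S3 Bucket Public Read Prohibited", {"s3-public-read"}),
        Control("S3 Bucket Server-Side Encryption Enabled", {"s3-sse"}),
    ])
    aws = Framework("My Company - AWS Cloud Requirements", True, [s3])
    # Constructed second framework reusing the public-read rule, left unpublished.
    draft = Framework("Draft Baseline", False, [
        ControlGroup("Storage", [Control("Public Access", {"s3-public-read"})])])
    findings = {"s3-public-read": 2, "custom-s3-logging": 1}   # constructed counts
    return assess([aws, draft], findings), aws.rule_ids() & draft.rule_ids()
```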


Using the Compliance API

Compliance is a component of the Rules API. The Rules API documentation can be found here: https://api.securestate.vmware.com/rules


FAQ

Q: Can I clone a framework, control group, or control? A: This is currently on the roadmap.

Q: Can a rule be mapped to multiple controls across different frameworks? A: Yes, rules are meant to be written once, but mapped to controls in different frameworks.