Compliance Management User Guide

Last updated on May 24, 2021

Overview

CloudHealth Secure State (CHSS) compliance management helps you accelerate your company’s compliance programs and maintain your targeted conformance goals. Secure State compliance includes natively supported industry standards such as the CIS Foundations benchmarks, NIST SP 800-53, SOC 2 and many more.

You can customize the compliance management service in several ways:

  • Only show the frameworks that apply to your business.

  • Associate custom rules with existing technical controls to extend the native compliance frameworks.

  • Build a new standard based on your company’s specific requirements as a custom compliance framework.

  • Associate either native or custom rules with your custom framework.

Both predefined industry and custom standards can be continuously monitored and reported from Secure State.


Concepts

A compliance framework is a hierarchical collection of control groups and controls. Rules sit outside this hierarchy: a rule is not owned by a framework, because the same rule may be associated with multiple controls across different frameworks.

A framework is the top-level compliance collection. The framework name appears on the Compliance dashboard and findings pages, and in filters used throughout the product.

A control group is a grouping of technical controls within a framework, intended to let you organize controls into common themes, for example mandatory and suggested controls, or access and auditing controls. A framework requires at least one control group; major frameworks typically consist of several.

Controls are the individual requirements that must be adhered to. A control is the technical requirement that Secure State can validate with rules. One or more controls may be assigned to a control group.

Rules are the policy checks that run to validate, and prove, that you are adhering to a control. A rule is not owned by a framework, since it can be associated with controls in different frameworks across the organization.


Compliance lifecycle

Secure State strives to stay current with the latest compliance framework revisions. New versions of supported frameworks are added to Secure State a reasonable period of time after they are published. Given the frequency with which many frameworks are updated, Secure State supports the latest two versions of a framework at any one time. When a new revision of a framework is added, the previous version remains supported, but any earlier version is retired shortly after the new revision is released. To continue using a native framework version older than the two most recent, you must clone it before it is retired and manage the copy as a custom framework for your team. Refer to the Clone a framework section of this guide for details.


Supported frameworks

Secure State currently offers native support for the following frameworks:

  • AICPA SOC 2, version 2017

  • CIS AWS Foundations Benchmark, versions 1.3.0 and 1.2.0

  • CIS Azure Foundations Benchmark, versions 1.3.0 and 1.2.0

  • CIS GCP Foundations Benchmark, version 1.1.0

  • CIS Google Kubernetes Engine (GKE) Benchmark, version 1.0.0

  • EU GDPR, version 2016-679

  • ISO/IEC 27001, version 2013

  • NIST CSF, version 1.1

  • NIST SP 800-53, Revision 5

  • NIST SP 800-171, Revision 1

  • PCI DSS, version 3.2.1

  • US HIPAA 164, version 2017-10-01


Configuring compliance

Changing framework visibility

Once onboarded onto the service, go to Dashboard > Compliance. Here you can see all of the native frameworks that Secure State manages. A framework has two states: published and unpublished. Publishing a framework makes it visible in the platform, on the compliance dashboard, and as a filter option. Unpublishing a framework removes it from the compliance dashboard and the filter panel. Because this toggle controls whether a framework is assessed for your environment, unpublish only those frameworks your organization does not need to report against.

To change the state of a framework:

  1. Navigate to the compliance list page, Governance > Compliance.

  2. Identify the framework and toggle the slider in the publish column.

Associating custom rules to native frameworks

To preserve the accuracy and consistency of a CHSS-defined compliance framework, changes to native frameworks, control groups, and control settings are not allowed. You can, however, extend a native framework by associating custom rules that you have created with one of its native controls. This table shows when rules and controls can be associated.

To associate a rule to a control:

Note: You must first create a custom rule before proceeding.

  1. Navigate to Governance > Compliance and then choose the compliance framework you want to extend.

  2. Click on the Control tab and choose a control that you intend to associate with a custom rule.

  3. Click on the Rule tab and click Associate Rule.

  4. Select the rule from the list.

After the rule is associated to the control, you can edit its properties by clicking on the rule and selecting Options, then Edit.

Create a custom framework

A custom framework is the way to add a compliance framework that is relevant to your business but not natively supported by Secure State. Before creating one, outline the controls you plan to have in place and how you plan to group similar controls, and record that outline in an internal wiki or other document that you can link to as a reference while building the framework. Once you have created a custom framework, you can filter the various views and reports in Secure State to display only the information about the rules you have associated with it.

To create a custom framework:

  1. Navigate to Governance > Compliance.

  2. Start by clicking on Create Framework and walk through the wizard.

  3. Click on the framework you just created and then click Control groups in the sub-menu.

  4. Click Add Control Group and walk through the form.

  5. Choose the control group you created and click Controls.

  6. Click Add Control and walk through the wizard.

  7. Choose the control you created and click Rules.

  8. Click Associate Rule and select the rules that you would like to associate with this control. You can choose either native Secure State rules or custom rules you have created.

Repeat these steps for all control groups and controls you have identified. A custom framework may contain up to 50 control groups and 1100 controls, and you may have up to 20 custom frameworks in total. You can request increases to these limits if necessary.

Any findings for rules associated with your framework are part of the compliance assessment for the framework.
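The framework > control group > control hierarchy from the Concepts section, the per-framework limits listed above, and the clone step described later in this guide, as an added example in Python. This is not code from Secure State or its documentation: the product stores frameworks server-side and is driven through the UI or the Rules API. The framework, group, control and rule names, the finding counts, and the pass/fail semantics of the assessment are all assumptions made for the example.

```python
from copy import deepcopy
from dataclasses import dataclass, field

# Limits for custom frameworks as stated in the guide.
MAX_CONTROL_GROUPS_PER_FRAMEWORK = 50
MAX_CONTROLS_PER_FRAMEWORK = 1100
MAX_CUSTOM_FRAMEWORKS = 20


@dataclass
class Control:
    name: str
    rule_ids: set[str] = field(default_factory=set)   # rules are referenced, never owned


@dataclass
class ControlGroup:
    name: str
    controls: dict[str, Control] = field(default_factory=dict)


@dataclass
class Framework:
    name: str
    version: str
    custom: bool
    published: bool = True
    groups: dict[str, ControlGroup] = field(default_factory=dict)

    def control_count(self) -> int:
        return sum(len(g.controls) for g in self.groups.values())


class ComplianceCatalog:
    """Holds frameworks; rules live outside frameworks and are referenced by ID."""

    def __init__(self) -> None:
        self.frameworks: dict[str, Framework] = {}

    def add_framework(self, fw: Framework) -> Framework:
        if fw.custom and sum(f.custom for f in self.frameworks.values()) >= MAX_CUSTOM_FRAMEWORKS:
            raise ValueError("custom framework limit reached")
        self.frameworks[fw.name] = fw
        return fw

    def add_control_group(self, fw_name: str, group: str) -> ControlGroup:
        fw = self.frameworks[fw_name]
        if fw.custom and len(fw.groups) >= MAX_CONTROL_GROUPS_PER_FRAMEWORK:
            raise ValueError("control group limit reached")
        return fw.groups.setdefault(group, ControlGroup(group))

    def add_control(self, fw_name: str, group: str, control: str) -> Control:
        fw = self.frameworks[fw_name]
        if fw.custom and fw.control_count() >= MAX_CONTROLS_PER_FRAMEWORK:
            raise ValueError("control limit reached")
        return fw.groups[group].controls.setdefault(control, Control(control))

    def associate_rule(self, fw_name: str, group: str, control: str, rule_id: str) -> None:
        self.frameworks[fw_name].groups[group].controls[control].rule_ids.add(rule_id)

    def clone_framework(self, src_name: str, new_name: str, new_version: str) -> Framework:
        """Copy of all control groups, controls and rule associations; the copy is custom."""
        src = self.frameworks[src_name]
        return self.add_framework(Framework(new_name, new_version, custom=True, groups=deepcopy(src.groups)))

    def assess(self, open_findings: dict[str, int]) -> dict[str, dict[str, str]]:
        """open_findings maps rule ID -> number of open findings for that rule.
        Assumed semantics (not stated in the guide): a control fails if any associated
        rule has an open finding, passes if every associated rule is clean, and is
        'unassessed' when no rule is associated; unpublished frameworks are skipped."""
        report: dict[str, dict[str, str]] = {}
        for fw in self.frameworks.values():
            if not fw.published:
                continue
            statuses: dict[str, str] = {}
            for g in fw.groups.values():
                for c in g.controls.values():
                    path = f"{g.name}/{c.name}"
                    if not c.rule_ids:
                        statuses[path] = "unassessed"
                    elif any(open_findings.get(r, 0) > 0 for r in c.rule_ids):
                        statuses[path] = "fail"
                    else:
                        statuses[path] = "pass"
            report[fw.name] = statuses
        return report


def conformance(statuses: dict[str, str]) -> float:
    """Share of assessed controls that pass (0.0 when nothing is assessed)."""
    assessed = [s for s in statuses.values() if s != "unassessed"]
    return sum(s == "pass" for s in assessed) / len(assessed) if assessed else 0.0


def demo() -> dict[str, dict[str, str]]:
    cat = ComplianceCatalog()
    # Hypothetical native framework content and a custom framework that reuses one of its rules.
    cat.add_framework(Framework("CIS AWS Foundations", "1.2.0", custom=False))
    cat.add_control_group("CIS AWS Foundations", "Logging")
    cat.add_control("CIS AWS Foundations", "Logging", "CloudTrail enabled in all regions")
    cat.associate_rule("CIS AWS Foundations", "Logging", "CloudTrail enabled in all regions", "rule-cloudtrail-all-regions")

    cat.add_framework(Framework("Acme Internal Baseline", "1.0", custom=True))
    cat.add_control_group("Acme Internal Baseline", "Auditing")
    cat.add_control("Acme Internal Baseline", "Auditing", "AUD-1 Audit trail exists")
    cat.add_control("Acme Internal Baseline", "Auditing", "AUD-2 Logs retained 1 year")
    cat.associate_rule("Acme Internal Baseline", "Auditing", "AUD-1 Audit trail exists", "rule-cloudtrail-all-regions")
    cat.associate_rule("Acme Internal Baseline", "Auditing", "AUD-1 Audit trail exists", "custom-rule-trail-encrypted")

    # Keep the older native version as a custom copy, then unpublish the original.
    cat.clone_framework("CIS AWS Foundations", "CIS AWS Foundations (retained)", "1.2.0-acme")
    cat.frameworks["CIS AWS Foundations"].published = False

    # Constructed findings: one open finding for the rule shared by both frameworks.
    return cat.assess({"rule-cloudtrail-all-regions": 1})
```

Running demo() shows the two properties the guide describes: the single open finding fails the control in every framework that references the rule (including the cloned copy, which keeps its rule associations), and the unpublished original framework is absent from the report. AUD-2 has no rule yet and is reported as unassessed, which is the state to look for when reviewing a newly built custom framework for controls you forgot to back with a rule.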

Edit a custom framework

You can edit the properties of a custom framework and of its individual control groups or controls from the details page for each respective area. Note that you can edit only one custom framework, control group, or control at a time.

  • To edit a custom framework, click the checkbox next to it in the Governance > Compliance page and select Edit Framework.

  • To edit a control group, click on a custom framework, then click the checkbox next to the desired control group and click Edit Control Group.

  • To edit a control, click on a control group, then click the checkbox next to the desired control and click Edit Control.

Clone a framework

You can also clone an existing native or custom framework to use it as a template for another framework you are developing for your company. Cloning is also how you retain a native framework version that is about to be retired under the two-version policy described in the Compliance lifecycle section.

  1. Navigate to Governance > Compliance.

  2. Choose the framework you would like to clone.

  3. Click on Clone Framework and walk through the wizard.

  4. Edit the Name, Author, and Version fields as necessary (other fields are optional).

  5. Click on Clone.

You should now have a copy of the selected framework with the attributes you entered, along with copies of all the control groups and controls associated with the framework. Modify them further as necessary to fit the needs of your organization.

View framework changes

Any update to a native or custom framework, its control groups, or its controls is recorded under the Change Log tab for the respective area, along with the user who made the update and the time of the update.

[Screenshots: framework change log, control group change log, control change log]

Review the change log to keep track of any changes your team makes to your custom frameworks.


Using the Compliance API

Compliance is a component of the Rules API. A reference guide to using the Rules API can be found at https://docs.securestate.vmware.com/api/rules-api/

You can write and test the API calls on a local machine with your tool of choice, or try them out in the Swagger documentation at https://api.securestate.vmware.com/rules.