After you apply a framework to your resources, you can view monitoring dashboards that show the status of your environment's compliance with the framework. The monitoring dashboards also provide guidance on how to further align your environment to relevant industry standards and regulatory requirements. You can use the monitoring dashboards to assess your workloads' compliance with multiple frameworks over time. Compliance specialists and privacy teams can use the dashboard to monitor, track, and consult on issues.
The summary monitoring dashboard for Compliance Manager provides an overview of the following:
- Whether your environment is in compliance with applied frameworks.
- The list of current findings, with the frameworks that generated them.
The detailed framework dashboard provides the following details, related to a specific deployed framework:
- Whether your environment is in compliance with the applied controls. The compliance scoring is based only on the regulatory controls that are part of the framework. If your framework doesn't include regulatory controls (for example, the Data security and privacy essentials framework), then scoring is based on the cloud controls.
- Information about how to remediate any violations.
- Mapping information between cloud controls and regulatory controls.
- Shared responsibilities status for cloud controls.
- Current compliance status, as well as compliance status trends over time.
- The ability to download a report, in CSV format.
- The list of top findings related to the framework.
Before you begin
- To get the permissions that you need to monitor frameworks, ask your administrator to grant you the Compliance Manager Viewer (roles/cloudsecuritycompliance.viewer) IAM role on your organization. For more information about granting roles, see Manage access to projects, folders, and organizations. You might also be able to get the required permissions through custom roles or other predefined roles.
- Apply the frameworks that you want to monitor to the appropriate organization, folders, and projects.
Monitor your framework
In the console, go to the Compliance page.
Select your organization.
Click Monitor (New).
The summary dashboard appears. This dashboard provides a summary of applied frameworks and the percentage of cloud controls and regulatory controls that don't have any associated findings.
For details about a framework, click the framework.
In the Framework details page, the following details are available:
- The time when the framework was applied, in your timezone.
- The releases of the framework that are applied. For more information about how Compliance Manager evaluates scoring when multiple versions of a framework are applied, see Monitoring across multiple releases of a deployed framework.
- The organization, folders, or projects that the framework is applied to.
- A timeline that shows the trends of passing controls.
- An overview of the controls that are in the framework, including the mapping between regulatory controls and cloud controls. The Overview by Controls table displays regulatory controls in the Control toggle and cloud controls in the Cloud Control toggle. For frameworks that don't have cloud control groups or regulatory controls, cloud control IDs are treated as groups.
- The findings that are associated with the cloud controls.
This page might take some time to update the findings. For the latest information about findings, use the Findings page. The Summary tab for findings shows the applied frameworks and cloud controls that are related to the finding.
To view information from an earlier date, use the date picker.
To download a report about the framework, click Download report. The report is downloaded in CSV format. The filename is framework-name_yyyy-mm-dd.csv.
Monitoring across multiple releases of a deployed framework
In some scenarios, your organization might have multiple releases of a framework deployed to different projects and folders in your environment. For example, you might deploy release 5 of a framework to a test project, and leave release 4 of the framework applied to a production project.
In this scenario, Compliance Manager aggregates the passing scores for your regulatory controls to create the summary view of passing controls and passing controls over time. If your framework doesn't include any regulatory controls, then the compliance scoring is based on cloud controls. The aggregation logic is as follows:
- If a control is passing across all assigned releases of the framework, the control is counted as passing.
- If a control is failing in one or more of the assigned releases of the framework, the control is counted as failing.
The score is calculated as follows:
TOTAL_UNIQUE_PASSING_CONTROLS / TOTAL_UNIQUE_CONTROLS = FRAMEWORK_SCORE
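The aggregation rules and score formula above, worked through as an added example (this is not Compliance Manager code, and it does not read the product's API or CSV report). The release labels, control IDs, and pass/fail values are constructed, and applying the cloud-control fallback only when no applied release contains regulatory controls is an assumption.

```python
# Constructed sample: per-release results for one framework. True means the
# control has no associated findings in the resources that release covers.
# Release labels and control IDs are made up for illustration.
RELEASES = {
    "release-4 (production project)": {
        "regulatory": {"REG-1": True, "REG-2": True, "REG-3": False},
        "cloud": {"cc-a": True, "cc-b": False},
    },
    "release-5 (test project)": {
        "regulatory": {"REG-1": True, "REG-2": False, "REG-4": True},
        "cloud": {"cc-a": True, "cc-c": True},
    },
}


def aggregate(releases, kind):
    """Merge results across releases, keyed by unique control ID.

    A control is passing only if it passes in every release that includes it;
    one failing release marks it as failing.
    """
    merged = {}
    for results in releases.values():
        for control_id, passing in results.get(kind, {}).items():
            merged[control_id] = merged.get(control_id, True) and passing
    return merged


def framework_score(releases):
    """Return the scoring basis, the aggregated score, and the failing controls."""
    basis, merged = "regulatory", aggregate(releases, "regulatory")
    if not merged:
        # Assumption: fall back to cloud controls only when no applied
        # release carries any regulatory control.
        basis, merged = "cloud", aggregate(releases, "cloud")
    if not merged:
        # No controls at all: the ratio is undefined, so report no score.
        return {"basis": None, "score": None, "failing": []}
    failing = sorted(cid for cid, ok in merged.items() if not ok)
    # TOTAL_UNIQUE_PASSING_CONTROLS / TOTAL_UNIQUE_CONTROLS
    score = (len(merged) - len(failing)) / len(merged)
    return {"basis": basis, "score": score, "failing": failing}


if __name__ == "__main__":
    print(framework_score(RELEASES))
```

REG-2 passes in release 4 but fails in release 5, so it counts as failing in the aggregate even though the production project on its own would show it as passing.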
The monitoring summary dashboard shows only the aggregated framework score. The detailed framework monitoring dashboard also includes the following information:
- The applied releases of the framework
In the Controls Overview table, the following information is available:
- The framework releases that a control is included in
- The cloud control releases that are applied
- The ability to review findings related to different releases of a control
- A list of all unique control groups for all applied releases
- For each control group, a list of all cloud controls and applied releases
What's next
- Create a custom framework that better matches your organization's security and compliance objectives.
- Create an audit report for your environment.