To review the available compliance frameworks, go to Dashboard > Compliance. This page lists all of the native frameworks that CloudHealth Secure State manages. A framework is in one of two states, published or unpublished. Publishing a framework makes it visible in the platform, on the compliance dashboard, and as a filter option; unpublishing it removes it from the compliance dashboard and the filter panel. Use this state to control whether a compliance framework is assessed against your environment.
To change the state of a framework:
To preserve the accuracy and consistency of CHSS-defined compliance frameworks, native frameworks, their control groups, and their control settings cannot be modified. You can, however, extend a native framework by associating custom rules that you have created with one of its native controls. This table shows when rules and controls can be associated.
To associate a rule to a control:
Note: You must first create a custom rule before proceeding.
After the rule is associated with the control, you can edit its properties by clicking the rule and selecting Options, then Edit.
Custom frameworks are the way to add compliance frameworks that are relevant to your business but not natively supported by CloudHealth Secure State. Before creating one, write an outline of the controls you plan to have in place and how you plan to group similar controls, and keep it in an internal wiki or other document that you can link to as a reference when creating the framework. Once you have created a custom framework, you can filter the various views and reports to show only the information about the rules you have associated with it.
Here is an example of a custom framework based on a specific service:
Repeat these steps for all control groups and controls you have identified. A custom framework can contain up to 50 control groups and 1100 controls, and you can have up to 20 custom frameworks in total. You can request increases to these limits if necessary.
Any findings for rules associated with your framework are part of the compliance assessment for the framework.
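Because the outline is written before anything exists in the platform, it is worth checking it against the documented limits and for obvious gaps (duplicate control IDs, controls with no rules, which can never produce findings) before you start clicking through the UI. The following linter is an added example, not CloudHealth Secure State code and not a call to its API; the nested-dict outline format, the framework and rule names, and the sample data are constructed for illustration. The limits are the ones stated above.

```python
"""Lint a custom-framework outline before you create it in Secure State.

Added example; this is not CloudHealth Secure State code and does not call
its API. The outline format (nested dicts) and the sample data below are
constructed for illustration. The limits are the documented ones: 50 control
groups and 1100 controls per custom framework, 20 custom frameworks total.
"""
from collections import Counter

MAX_CONTROL_GROUPS_PER_FRAMEWORK = 50
MAX_CONTROLS_PER_FRAMEWORK = 1100
MAX_CUSTOM_FRAMEWORKS = 20


def lint_framework(framework):
    """Return a list of problems in one framework outline; an empty list means clean."""
    problems = []
    groups = framework.get("control_groups", [])
    if not framework.get("name"):
        problems.append("framework has no name")
    if len(groups) > MAX_CONTROL_GROUPS_PER_FRAMEWORK:
        problems.append(f"{len(groups)} control groups exceeds the limit of "
                        f"{MAX_CONTROL_GROUPS_PER_FRAMEWORK}")
    controls = [c for g in groups for c in g.get("controls", [])]
    if len(controls) > MAX_CONTROLS_PER_FRAMEWORK:
        problems.append(f"{len(controls)} controls exceeds the limit of "
                        f"{MAX_CONTROLS_PER_FRAMEWORK}")
    # Control IDs are how the team references controls in the wiki and in
    # reports, so they must be unique within the framework.
    for cid, n in sorted(Counter(c["id"] for c in controls).items()):
        if n > 1:
            problems.append(f"control id {cid!r} appears {n} times")
    for g in groups:
        if not g.get("controls"):
            problems.append(f"control group {g['name']!r} has no controls")
        for c in g.get("controls", []):
            # A control with no rules associated never contributes findings to
            # the compliance assessment, so it is a gap in the outline.
            if not c.get("rules"):
                problems.append(f"control {c['id']!r} has no rules associated")
    return problems


def lint_frameworks(frameworks):
    """Lint a set of custom frameworks. Returns {name: [problems]}; the key
    "_global" carries problems that span frameworks."""
    report = {}
    if len(frameworks) > MAX_CUSTOM_FRAMEWORKS:
        report["_global"] = [f"{len(frameworks)} custom frameworks exceeds the limit of "
                             f"{MAX_CUSTOM_FRAMEWORKS}; request an increase first"]
    for fw in frameworks:
        problems = lint_framework(fw)
        if problems:
            report[fw.get("name") or "<unnamed>"] = problems
    return report


def make_framework(name, groups, controls_per_group):
    """Build a synthetic, fully populated outline; handy for exercising the limits."""
    return {
        "name": name,
        "control_groups": [
            {"name": f"group-{g}",
             "controls": [{"id": f"{name}-{g}-{c}", "rules": [f"rule-{g}-{c}"]}
                          for c in range(controls_per_group)]}
            for g in range(groups)
        ],
    }


# Constructed sample: an object-storage baseline with two deliberate defects,
# a duplicate control id and a control with no rules associated.
SAMPLE_FRAMEWORK = {
    "name": "Object Storage Baseline",
    "control_groups": [
        {"name": "Access", "controls": [
            {"id": "OSB-1.1", "rules": ["custom-bucket-not-public"]},
            {"id": "OSB-1.2", "rules": ["custom-bucket-policy-no-wildcard-principal"]},
        ]},
        {"name": "Data protection", "controls": [
            {"id": "OSB-2.1", "rules": ["custom-bucket-encryption-enabled"]},
            {"id": "OSB-1.2", "rules": []},   # duplicate id, and no rules
        ]},
    ],
}

if __name__ == "__main__":
    for name, problems in lint_frameworks([SAMPLE_FRAMEWORK]).items():
        print(name)
        for p in problems:
            print("  -", p)
```

Keeping the outline in version control next to this script, and running it in CI, means a reviewer sees limit and gap problems in a pull request rather than discovering them halfway through creating controls in the platform.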
You can edit the properties of a custom framework and its individual control groups or controls from the details page for each respective area. Note that you can edit only one custom framework, control group, or control at a time.
You can also clone an existing native or custom framework to use it as a template for another framework you're developing for your company.
You should now have a copy of the selected framework with the attributes you entered, along with copies of all the control groups and controls associated with the framework. Modify them further as necessary to fit the needs of your organization.
Any update to a native or custom framework, its control groups, or its controls is recorded under the Change Log tab for that area, along with the user who made the update and the time it occurred.
Framework change log
Control group change log
Control change log
Review the change log to keep track of any changes your team makes to your custom frameworks.
Compliance is a component of the Rules API. A reference guide to the Rules API is available at https://docs.securestate.vmware.com/api/rules-api/
You can write and test API calls on a local machine with your tool of choice, or try the Swagger documentation at https://api.securestate.vmware.com/rules.