Compliance Dashboard
Table of Contents
Compliance Dashboard
The Compliance Overview is a dashboard that provides a snapshot of your overall compliance posture across various compliance standards.
Use the Compliance Dashboard as a tool for risk oversight across all the supported cloud platforms and gauge the effectiveness of the security processes and controls you have implemented to keep your enterprise secure. You can also create compliance reports and run them immediately, or schedule them on a recurring basis to measure your compliance over time.
The Compliance Dashboard supports you whether you’ve spent a lot of time designing and establishing internal regulations and devising the right policies, or you use the built-in regulatory compliance standards available on Prisma Cloud.
The built-in regulatory compliance standards that Prisma Cloud supports are:
Cloud Type | Compliance Standards Supported |
AWS | APRA CPS 234, Brazilian Data Protection Law (LGPD), CIS AWS 3 Tier Arch v1.0, CCPA 2018, CIS v1.2, CIS v1.3, CIS AWS v.1.4, CSA CCM v3.0.1, CSA CCM v4.0.1, CMMC, GDPR, HITRUST v9.3, HITRUST v9.4.2, HIPAA, ISO 27001:2013, MAS TRM 2021, MITRE ATT&CKv6.3, MITRE ATT&CKv8.2, MPAA Content Protection Best Practice v4.08, Multi-Level Protection Scheme (MLPS) v2.0, NIST 800.53 Rev4, NIST 800-53 Rev5, NIST 800-171 Rev1, NIST SP 800-171 Rev2, NIST SP 800-172, NIST 800-53 Rev5, NIST CSF v1.1, PCI DSS v3.2, PIPEDA, Monetary Authority of Singapore (MAS) Technology Risk Management (TRM), Risk Management in Technology (RMiT), SOC 2, AWS well architected framework, CyberSecurity Law of the People’s Republic of China, CIS AWS 3 Tier Arch v1.0, ISO/IEC 27002:2013, ISO/IEC 27018:2019, ISO/IEC 27017:2015, MITRE ATT&CK v10.0, New Zealand Information Security Manual (NZISM) v3.4, Australian Energy Sector Cyber Security Framework (AESCSF), Australian Cyber Security Centre (ACSC) Information Security Manual (ISM), Australian Cyber Security Centre (ACSC) Essential Eight, CIS Critical Security Controls (CIS CSC) V7.1, CIS CSC V8, Federal Financial Institutions Examination Council (FFIEC), Payment Card Industry Data Security Standard (PCI DSS v4.0), New York Department of Financial Services (NYDFS) 23 Codes, Rules and Regulations (Part 500), Cybersecurity Maturity Model Certification (CMMC) v.2.0 (Level 1), HITRUST CSF v.9.6.0, Korea–Information Security Management System (K-ISMS), FedRAMP Moderate and Low Baselines (800-53 R4), CIS Amazon Web Services Foundations Benchmark (v1.5.0), SCF 2022.2.1, MLPS 2.0 (Level 2), Sarbanes Oxley Act (SOX), AWS Foundational Security Best Practices, CSA CCM v.4.0.6, ISO 27002:2022, ISO 27001:2022, CRI Profile v.1.2.1, Mitre Att&ck v12, Otoritas Jasa Keuangan (OJK) 38/POJK.03/2016, MLPS 2.0 (Level 3), CIS AWS Foundations Benchmark v2.0.0 |
Azure | Azure Security Benchmark (ASB) v2, Azure Security Benchmark (ASB) v3, APRA CPS 234, Brazilian Data Protection Law (LGPD), CCPA 2018, CIS v1.1, CIS v1.2, CIS v1.3, CIS v1.3.1, CIS v1.4.0, CMMC, CSA CCM v3.0.1, CSA CCM v4.0.1, GDPR, HITRUST v9.3, HITRUST v9.4, HIPAA, ISO 27001:2013, MITRE ATT&CKv6.3, MITRE ATT&CKv8.2, MPAA Content Protection Best Practice v4.08, Multi-Level Protection Scheme (MLPS) v2.0, NIST 800.53 R4, NIST 800-53 Rev5, NIST CSF v1.1, NIST SP 800-171 Rev2, NIST SP 800-172, PCI DSS v3.2, PIPEDA, SOC 2, CyberSecurity Law of the People’s Republic of China, ISO/IEC 27002:2013, ISO/IEC 27018:2019, ISO/IEC 27017:2015, MITRE ATT&CK v10.0, New Zealand Information Security Manual (NZISM) v3.4, Australian Energy Sector Cyber Security Framework (AESCSF), Australian Cyber Security Centre (ACSC) Information Security Manual (ISM), Australian Cyber Security Centre (ACSC) Essential Eight< CIS Critical Security Controls (CIS CSC) V7.1, CIS CSC V8, Federal Financial Institutions Examination Council (FFIEC), Payment Card Industry Data Security Standard (PCI DSS v4.0), FedRAMP Moderate and Low Baselines (800-53 R4), CIS Microsoft Azure Foundations Benchmark (v1.5.0), SCF 2022.2.1, MLPS 2.0 (Level 2), Sarbanes Oxley Act (SOX), CSA CCM v.4.0.6, ISO 27002:2022, ISO 27001:2022, CIS v2.0.0 (Azure) Level 1 and Level 2, CRI Profile v.1.2.1, Mitre Att&ck v12 |
GCP | APRA CPS 234, Brazilian Data Protection Law (LGPD), CCPA 2018, CIS v1.0, CIS v.1.1, CIS v.1.2, CIS GKE v1.1, CSA CCM v3.0.1, CSA CCM v4.0.1, CMMC, GDPR, HITRUST v9.3, HITRUST v9.4, HIPAA, ISO 27001:2013, MITRE ATT&CKv6.3, MITRE ATT&CKv8.2, MPAA Content Protection Best Practice v4.08, NIST 800.53 R4, NIST 800-53 Rev5, NIST CSF v1.1, NIST SP 800-171 Rev2, NIST SP 800-172, PCI DSS v3.2, PIPEDA, SOC 2, ISO/IEC 27002:2013, ISO/IEC 27018:2019, ISO/IEC 27017:2015, MITRE ATT&CK v10.0, New Zealand Information Security Manual (NZISM) v3.4, Australian Energy Sector Cyber Security Framework (AESCSF), Australian Cyber Security Centre (ACSC) Information Security Manual (ISM), Australian Cyber Security Centre (ACSC) Essential Eight, CIS Critical Security Controls (CIS CSC) V7.1, CIS CSC V8, Federal Financial Institutions Examination Council (FFIEC), Payment Card Industry Data Security Standard (PCI DSS v4.0), CIS Google Cloud Platform Foundation Benchmark v1.3.0, CIS Google Kubernetes Engine (GKE) v1.2.0 and v1.3.0, FedRAMP Moderate and Low Baselines (800-53 R4), SCF 2022.2.1, CIS Google Cloud Platform Foundation Benchmark v2.0.2, CSA CCM v.4.0.6, ISO 27002:2022, ISO 27001:2022, CRI Profile v.1.2.1, Mitre Att&ck v12, CIS Google Kubernetes Engine (GKE) v1.4.0 - (Level 1 and Level 2) |
Alibaba | Brazilian Data Protection Law (LGPD), CIS v1.0.0, CMMC, CSA CCM v4.0.1, HITRUST v9.3, MAS TRM 2021, MPAA Content Protection Best Practice v4.08, Multi-Level Protection Scheme (MLPS) v2.0, MITRE ATT&CKv8.2, NIST 800.53 Rev4, NIST 800-53 Rev5, NIST CSF v1.1, NIST SP 800-171 Rev2, NIST SP 800-172, PCI DSS v3.2, MAS TRM, RMiT, CyberSecurity Law of the People’s Republic of China, ISO/IEC 27002:2013, ISO/IEC 27018:2019, ISO/IEC 27017:2015, MITRE ATT&CK v10.0, New Zealand Information Security Manual (NZISM) v3.4, Australian Energy Sector Cyber Security Framework (AESCSF), Australian Cyber Security Centre (ACSC) Information Security Manual (ISM), Australian Cyber Security Centre (ACSC) Essential Eight, CIS Critical Security Controls (CIS CSC) V7.1, CIS CSC V8, Federal Financial Institutions Examination Council (FFIEC), Payment Card Industry Data Security Standard (PCI DSS v4.0), FedRAMP Moderate and Low Baselines (800-53 R4), SCF 2022.2.1, MLPS 2.0 (Level 2), Sarbanes Oxley Act (SOX), CSA CCM v.4.0.6, ISO 27002:2022, ISO 27001:2022, CRI Profile v.1.2.1, Mitre Att&ck v12 |
Oracle Cloud Infrastructure | CIS v1.0, CIS v1.1, CSA CCM v4.0.1, HITRUST v9.4, MITRE ATT&CKv8.2, MPAA Content Protection Best Practice v4.08, NIST SP 800-171 Rev2, NIST SP 800-172, NIST CSF v1.1, PCI DSS v3.2, ISO/IEC 27002:2013, ISO/IEC 27018:2019, ISO/IEC 27017:2015, MITRE ATT&CK v10.0, New Zealand Information Security Manual (NZISM) v3.4, Australian Energy Sector Cyber Security Framework (AESCSF), Australian Cyber Security Centre (ACSC) Information Security Manual (ISM), Australian Cyber Security Centre (ACSC) Essential Eight, CIS Critical Security Controls (CIS CSC) V7.1, CIS CSC V8, Federal Financial Institutions Examination Council (FFIEC), Payment Card Industry Data Security Standard (PCI DSS v4.0), CIS Oracle Cloud Infrastructure Foundations Benchmark v1.2.0, SCF 2022.2.1, MLPS 2.0 (Level 2), Sarbanes Oxley Act (SOX), CSA CCM v.4.0.6, ISO 27002:2022, ISO 27001:2022., CRI Profile v.1.2.1, Mitre Att&ck v12 |
To help you easily identify the gaps and measure how you’re doing against the benchmarks defined in the governance and compliance frameworks, the Compliance Dashboard combines rich visuals with an interactive design. The dashboard results include data for the last full hour. The timestamp on the bottom left corner of the screen indicates when the data was aggregated for the results displayed.
The compliance dashboard is grouped into three main sections that enable you to continuously monitor progress.
- Filters—The left pane provides filters that help sharpen the focus on your compliance posture across different cloud types, accounts, regions, and specific compliance mandates—compliance standards and the requirements and sections within each standard.The compliance time selector allows you to specify the time range for which you want to see your compliance posture. By default, the dashboard shows your compliance state as of today. Because the Prisma Cloud service ingests data on all assets in the connected cloud accounts, you can use this data to audit usage/deployment of resources on each cloud and measure improvement over time. For example, you can see how you were doing three months ago and analyze trends in adherence to compliance guidelines today.
- Compliance Score and Charts—The interactive main section presents the overall health of the cloud resources in your organization. The rich visual display helps you focus your attention on the gaps in compliance for a standard or regulation that is important to you.
- The compliance score presents data on the total unique resources that are passing or failing the policy checks that match compliance standards. Use this score to audit how many unique resources are failing compliance checks and get a quick count on the severity of these failures. The links allow you to view the list of all resources on theAsset Explorer, and theView Alertslink enables you to view all the open alerts of Low, Medium, or High severity.
- The compliance trendline is a line chart that shows you how the compliance posture of your monitored resources have changed over time (on the horizontal X axis). You can view the total number of resources monitored (in blue), and the number of resources that passed (in green) and failed (in red) over that time period.
- The Compliance coverage bar graph highlights the passed and failed resource count across all compliance standards and enables easy comparison. Click on any given compliance standard to view the total number of failed assets for that standard.To review all the details, click the link for the description of the compliance standard.
- Compliance Standards Table—The last section is a list of all the built-in and custom standards that you may have defined to monitor and audit your organization’s performance. Each row in the table includes a description of a standard and the total number of policies that map to the standard. It also includes the total number of unique resources monitored for that standard, the pass and fail count, along with a percentage of the resources that passed the compliance checks. For each failed check, the severity of the issue affects where it is counted. For example, if a resource fails a high severity policy, it is not counted towards a medium or low failure even if it fails a medium or low severity policy rule.To learn about each compliance standard, the requirements/sections that it comprises and the policies that map to each requirement, use the links in each row. You can also click the description in the table to open a new tab that automatically filters the data to display information about the selected compliance standard and then generate a report on demand. To generate compliance reports, see Add a New Compliance Report.
Unlike the Asset Inventory that aggregates all your resources and displays the pass and fail count for all monitored resources, the Compliance Dashboard only displays the results for monitored resources that match the policies included within a compliance standard. For example, even if you have 30 AWS Redshift instances, if none of the compliance standards include policies that check the configuration or compliance and security standards for Redshift instances, the 30 Redshift instances are not included in the resource count on the Compliance Dashboard. The results on the Compliance Dashboard therefore, help you focus your attention on the gaps in compliance for a standard or regulation that is important to you. See Assets, Policies, and Compliance on Prisma Cloud for additional context.