Assess and report compliance with security standards

With Security Command Center, you can assess, improve, and report on the compliance of your resources on Google Cloud with common security standards and benchmarks (collectively, security standards).

Assess compliance

You can see at a glance how compliant your cloud environment is with a given security standard on the Compliance page in the Google Cloud console.

The Compliance page shows all of the security standards that Security Command Center supports, as well as how compliant you are with each standard.

How compliant you are is measured by the number of recommendations or controls of a given standard that you are compliant with, displayed as a percentage of the total number of controls that Security Command Center evaluates for the standard. If Security Command Center finds no vulnerabilities or misconfigurations (collectively, vulnerabilities) for a particular control, the control is a passing control.

Security Command Center vulnerability detection services, such as Security Health Analytics and Web Security Scanner, monitor controls based on a best-effort mapping between the detectors of the services and the controls of a standard.

Assess compliance for a specific standard

For each standard, you can open the Compliance details page to see additional details about which controls Security Command Center checks for the standard, how many violations were detected for each control, and the option to export a compliance report for the standard.

You can sort the list of rules by clicking the column headers, including Controls, which sorts the list by the number of the control. If a rule corresponds to multiple controls, sorting by control number sorts the rule by its lowest control number.

To see the active Security Command Center findings that correspond to a particular rule or control, in the Rules column, click the rule name. The Findings page opens and displays the findings filtered by the finding category that corresponds to the rule.

For an overview of how Security Command Center supports compliance management, see Managing and monitoring for compliance.

Review findings for compliance violations

To see the individual findings for each control, on the Compliance detail page, click the rule name. The Findings page opens, displaying the findings for the control.

To view details about a particular finding, including recommendations for how to remediate the issue, on the Findings page, click the name in the Category column.

For more information on remediating findings, see Remediating Security Health Analytics findings and Remediating Web Security Scanner findings.

Report on compliance

On the Compliance details page for a particular compliance standard, you can export a compliance report for the standard as a CSV file.

Reports include the information displayed on the Compliance details page, and provide a clear link between each standard control and its corresponding Security Command Center rule and finding category. The severity of each finding category is also included.

The report is a point-in-time snapshot of how compliant your cloud environment is for a particular standard on a date that you specify.

Security Command Center compliance reports are not a replacement for a compliance audit, but can help you maintain your compliance status and catch violations early.
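As an added example (not code from the page or from Security Command Center), the following Python script shows how a team could track an exported report over time: it reads the CSV, applies the passing-control rule from "Assess compliance" (a control passes only when none of its mapped rules has active findings), computes the percentage shown on the Compliance page, and compares two point-in-time snapshots to surface newly failing controls. The column names and all sample rows are assumptions constructed for the example; the actual export's headers may differ.

```python
import csv
import io
from collections import defaultdict

# Constructed sample in the shape the page describes: each row links a standard
# control to a Security Command Center rule, its finding category and severity,
# plus the number of active findings. Column names are assumed, not documented.
SAMPLE_REPORT = """\
control_id,rule,finding_category,severity,finding_count
1.4,Service account key rotation,SERVICE_ACCOUNT_KEY_NOT_ROTATED,MEDIUM,2
2.1,Cloud Audit Logging,AUDIT_LOGGING_DISABLED,LOW,0
3.6,Firewall SSH exposure,OPEN_SSH_PORT,HIGH,1
3.7,Firewall RDP exposure,OPEN_RDP_PORT,HIGH,0
3.6,Firewall SSH exposure (legacy network),OPEN_FIREWALL,HIGH,0
"""


def load_report(text):
    """Parse report rows; one row per (control, rule) pair."""
    return list(csv.DictReader(io.StringIO(text)))


def summarize(rows):
    """Return (passing, total, failures).

    A control is passing only if every rule mapped to it reports zero active
    findings; a rule that maps to several controls counts against each of them.
    failures maps a failing control id to its (category, severity, count) rows.
    """
    open_findings = defaultdict(int)
    failures = defaultdict(list)
    for row in rows:
        ctl = row["control_id"]
        n = int(row["finding_count"])
        open_findings[ctl] += n
        if n > 0:
            failures[ctl].append((row["finding_category"], row["severity"], n))
    total = len(open_findings)
    passing = sum(1 for ctl in open_findings if open_findings[ctl] == 0)
    return passing, total, dict(failures)


def compliance_percent(rows):
    """Passing controls as a percentage of the controls the report evaluates."""
    passing, total, _ = summarize(rows)
    return round(100.0 * passing / total, 1) if total else 0.0


def regressions(previous_rows, current_rows):
    """Controls that passed in an earlier snapshot but fail in the current one."""
    _, _, prev_fail = summarize(previous_rows)
    _, _, cur_fail = summarize(current_rows)
    return sorted(set(cur_fail) - set(prev_fail))
```

Running regressions() against the previous day's export is one way to act on the page's advice to catch violations early rather than only at audit time.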

Set the scope of a compliance report

Security Command Center automatically scopes compliance reports to the project, folder, or organization that you select at the top of the page in the Google Cloud console. For example, if your Google Cloud console view is set to a project, the compliance report includes only the findings for that project.

If Security Command Center is active at the organization level and your view is set to an organization, the compliance report includes the findings for the entire organization, including all of the projects it contains. If Security Command Center is active at a project level and you select an organization or folder, the Compliance page does not display.

Export a compliance report

To export a CSV report that aggregates violation findings for a specific compliance standard, follow these steps:

  1. Go to the Compliance page in the Google Cloud console.

  2. Use the project selector in the Google Cloud console to select the project, folder, or organization for which you need to see a compliance report.

  3. On the Compliance page, locate the standard for which you need a report.

  4. Next to the standard name, click View details. The Compliance detail page opens.

  5. On the Compliance detail page, click Export report. The Export compliance report page opens.

  6. On the Export compliance report page, select the date for which you need the report. The report is a snapshot of compliance on that date.

  7. Click Export. The report is downloaded to your workstation as a CSV file.

How detectors and findings map to compliance controls

Security Command Center detection services, like Security Health Analytics and Web Security Scanner, use detection modules (detectors) to check for vulnerabilities and misconfigurations in your cloud environment.

When a vulnerability is found, the detector generates a finding. A finding is a record of a vulnerability or other security issue that includes information such as the following:

  • A description of the vulnerability
  • A recommendation to address the vulnerability that would bring the control into compliance
  • The numerical ID of the control that corresponds to the finding
  • Recommended steps for remediating the vulnerability

Not all controls in a standard can be mapped to Security Command Center findings, usually because certain controls can't be automated, but possibly for other reasons. Consequently, the total number of controls that Security Command Center checks for is usually less than the total number of controls that a standard defines.

CIS reviews and certifies the mappings of Security Command Center detectors to each supported version of the CIS Google Cloud Foundations Benchmark. Additional compliance mappings are included for reference purposes only.

To learn more about Security Health Analytics and Web Security Scanner findings and the mapping between supported detectors and compliance standards, see Vulnerabilities findings.

Supported standards and benchmarks

Security Command Center monitors your compliance with detectors that are mapped to the controls of a wide variety of security standards.

For each supported security standard, Security Command Center checks a subset of the controls. For the controls checked, Security Command Center shows you how many are passing. For the controls that are not passing, Security Command Center shows you a list of findings that describe the control failures.

Security Command Center adds support for new benchmark versions and standards periodically. Older versions remain supported, but are eventually deprecated. We recommend that you use the latest supported benchmark or standard available.

With the security posture service, you can map organization policies and Security Health Analytics detectors to the standards and controls that apply to your business. After you create a security posture, you can monitor for any changes to the environment that could affect your business's compliance.

For more information about managing compliance, see Assess and report compliance with security standards.

Security standards supported on Google Cloud

Security Command Center maps detectors for Google Cloud to one or more of the following compliance standards:

Security standards supported on AWS

Security Command Center maps detectors for Amazon Web Services (AWS) to one or more of the following compliance standards: