Manage and monitor for compliance

Security Command Center can measure your Google Cloud environment against various standards and regulations and produce reports based on findings of compliance violations. The Security Command Center Compliance page in the Google Cloud console provides a centralized view of these reports and shows the compliance status for each standard and regulation that is included in Security Command Center.

Security Command Center compliance reports provide your organization with actionable insights and recommendations to help you address specific requirements and comply with them. The reports are automatically scoped to the project, folder, or organization that you select. For example, if your Google Cloud console view is set to a project, the compliance report includes only the findings for that project. Security Command Center maps the security categories to the applicable standards and regulations. Muted findings are included in the report unless you explicitly exclude them.

Security Command Center compliance reporting isn't a replacement for a compliance audit, but you can use the report to help maintain compliance, map security controls to regulatory requirements, and catch violations early.

To monitor compliance, you must activate the Security Command Center Premium tier and enable Security Health Analytics and Web Security Scanner.

Standards included in Security Command Center

Most of Security Command Center's detectors are mapped to one or more of the following compliance standards:

CIS reviewed and certified the mappings of Security Command Center detectors to each supported version of the CIS Google Cloud Foundations Benchmark. Additional compliance mappings are included for reference purposes only.

Security Command Center frequently adds support for new benchmark versions and standards. Older versions of the CIS Benchmark remain supported, but are eventually deprecated. We recommend that you use the latest supported benchmark available.

Compliance page

The Security Command Center Compliance page gives you a view of how many compliance controls detected failures out of the total number of controls for each supported standard.

A compliance control consists of one or more detectors that correspond to the individual requirements that make up the control. As shown in the following screenshot, the numbers on the Compliance page show the total number of controls and detectors that Security Command Center supports for each standard, and, of that total number, what percentage are failing (the Warning percentage) and what percentage meet the standard (the Passed percentage).

The Compliance page.

For more information about the findings, you can view a report of your environment or each individual standard in the console on the Compliance page. You can also export each report to a CSV file. Security Command Center compliance reports list all the findings that violate a given standard. By selecting the finding in the Google Cloud console, you can find suggested remediation steps that help you address the failed controls. For more information about the Compliance page and exporting findings, see Using Security Command Center in the Google Cloud console.

Reviewing compliance violations

Security Command Center lets you search for violations using filters. You can search for one or more standards at the same time. For example, if you want to highlight findings that are related to PCI-DSS, you can set a filter for PCI and Security Command Center returns all of the findings that are related to PCI-DSS. This view also includes the other standards that the vulnerability applies to. The following screenshot shows an example of using the PCI filter in the Vulnerability page.

The PCI filter in the Vulnerability page.

After you filter based on your specified standards, you can view recommendations to help remediate violation findings. For more information on remediating findings, see Remediating Security Health Analytics findings, Remediating Web Security Scanner findings, and Rapid Vulnerability Detection.
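The following script is an added example, not Google's code or part of the Security Command Center documentation. It reproduces the two behaviours this page describes: the Compliance page counts (failing controls out of the total per standard, with Warning and Passed percentages) and the standard filter on the Vulnerability page (findings related to one standard, together with the other standards each vulnerability applies to). It works on plain dictionaries whose `compliances`, `state`, and `mute` keys are assumed to mirror the same-named fields of a Security Command Center finding; the sample findings, detector categories, and per-standard control totals are constructed for illustration and are not real benchmark numbers. Muted findings are counted by default, matching the report's behaviour unless you exclude them.

```python
"""Summarize Security Command Center findings by compliance standard.

Added example; not Google's code. The finding dictionaries below are
constructed and assumed to mirror the `compliances`, `state` and `mute`
fields of a real finding.
"""

# Constructed sample findings. A finding lists every standard it maps to,
# so one failing detector can count against several standards at once.
SAMPLE_FINDINGS = [
    {"category": "PUBLIC_BUCKET_ACL", "state": "ACTIVE", "mute": "UNMUTED",
     "compliances": [{"standard": "cis", "version": "1.2", "ids": ["5.1"]},
                     {"standard": "pci", "version": "3.2.1", "ids": ["7.1"]}]},
    {"category": "OPEN_SSH_PORT", "state": "ACTIVE", "mute": "MUTED",
     "compliances": [{"standard": "pci", "version": "3.2.1", "ids": ["1.2.1"]}]},
    {"category": "MFA_NOT_ENFORCED", "state": "INACTIVE", "mute": "UNMUTED",
     "compliances": [{"standard": "cis", "version": "1.2", "ids": ["1.2"]}]},
    {"category": "SQL_NO_ROOT_PASSWORD", "state": "ACTIVE", "mute": "UNMUTED",
     "compliances": [{"standard": "cis", "version": "1.2", "ids": ["6.1.1"]},
                     {"standard": "pci", "version": "3.2.1", "ids": ["2.1"]}]},
]

# Constructed total number of controls per standard. The real total is the
# number shown on the Compliance page and depends on the benchmark version.
TOTAL_CONTROLS = {"cis": 10, "pci": 8}


def _counts(finding, include_muted):
    """True if the finding should appear in a report: active, and either
    unmuted or muted findings are being included."""
    if finding.get("state") != "ACTIVE":
        return False
    if not include_muted and finding.get("mute") == "MUTED":
        return False
    return True


def standards_of(finding):
    """Return the set of standard names a finding maps to."""
    return {c["standard"] for c in finding.get("compliances", [])}


def filter_by_standard(findings, standard, include_muted=True):
    """Mirror the standard filter on the Vulnerability page.

    Returns the active findings mapped to `standard`; each result also
    carries `other_standards`, the additional standards the same
    vulnerability applies to.
    """
    results = []
    for f in findings:
        if not _counts(f, include_muted):
            continue
        stds = standards_of(f)
        if standard not in stds:
            continue
        results.append({"category": f["category"],
                        "mute": f.get("mute", "UNDEFINED"),
                        "other_standards": sorted(stds - {standard})})
    return results


def failing_controls(findings, standard, include_muted=True):
    """Set of control IDs for `standard` that have at least one active finding."""
    ids = set()
    for f in findings:
        if not _counts(f, include_muted):
            continue
        for c in f.get("compliances", []):
            if c["standard"] == standard:
                ids.update(c["ids"])
    return ids


def compliance_summary(findings, totals, include_muted=True):
    """Per-standard numbers like the Compliance page: failing controls out of
    the total, plus Warning and Passed percentages rounded to one decimal."""
    summary = {}
    for standard, total in totals.items():
        failing = len(failing_controls(findings, standard, include_muted))
        warning = round(100 * failing / total, 1)
        summary[standard] = {"failing": failing, "total": total,
                             "warning_pct": warning,
                             "passed_pct": round(100 - warning, 1)}
    return summary


if __name__ == "__main__":
    for row in filter_by_standard(SAMPLE_FINDINGS, "pci"):
        print(row)
    print(compliance_summary(SAMPLE_FINDINGS, TOTAL_CONTROLS))
    print(compliance_summary(SAMPLE_FINDINGS, TOTAL_CONTROLS, include_muted=False))
```

Running the script with `include_muted=False` shows why the page's note about muted findings matters: the muted `OPEN_SSH_PORT` finding drops out of the PCI view, and the PCI Warning percentage falls from 37.5% to 25.0%, so a report that silently excludes muted findings understates the number of failing controls.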

What's next