Manage frameworks

Standard, Premium, and Enterprise service tiers (requires organization-level activation)

Compliance Manager frameworks consist of cloud controls that help you meet your organization's security or regulatory requirements in your cloud environments. Applying a framework is a two-step process. First, you must identify the cloud controls that align with your business' security and compliance obligations. Then, you deploy a framework that includes those cloud controls to the appropriate organization, folder, or project in Google Cloud. This page helps you complete the following steps:

  1. Assess which built-in framework best aligns with your regulatory and security requirements. You can create your own custom framework, but we recommend starting with a built-in framework.

  2. Determine which built-in cloud controls map to your business requirements.
    (Premium and Enterprise tiers only) You can create custom cloud controls, if required.

  3. Determine whether to deploy the framework to your Google Cloud organization, or to specific folders and projects. You can only deploy one framework to each organization, folder, or project. Compliance Manager supports folders configured for application management.

  4. Copy an existing framework and modify it to match your requirements. If required, you can create a custom framework.

    Note: The Standard tier supports only the Security Essentials framework. Other built-in frameworks require Premium or Enterprise tiers. For more information, see Frameworks for Google Cloud.

  5. Deploy the framework on the appropriate organization, folder, or project.

Before you begin

  • To get the permissions that you need to apply frameworks, ask your administrator to grant you the following IAM roles on your organization:

    For more information about granting roles, see Manage access to projects, folders, and organizations.

    The roles for deploying frameworks with organization policies contain the required orgpolicy.policies.create, orgpolicy.policies.update, and orgpolicy.policies.get permissions.

    The roles for creating folders contain the required resourcemanager.folders.get, resourcemanager.folders.create, and resourcemanager.folders.delete permissions.

    The roles for creating projects contain the required resourcemanager.projects.get, resourcemanager.projects.create, resourcemanager.projects.delete, and resourcemanager.projects.createBillingAssignment permissions.

    The roles for assigning DSPM frameworks to applications contain the required apphub.locations.list, apphub.applications.list, and apphub.applications.get permissions.

    You might also be able to get these permissions with custom roles or other predefined roles.

View frameworks

Complete the following steps to view the configuration for built-in frameworks or other frameworks that you've already created.

  1. In the Google Cloud console, go to the Compliance page.

  2. Select your organization.

  3. To view all available frameworks, click the Configure tab.

    The dashboard shows the available frameworks, a brief description, supported platforms, and the resources that the framework has been applied to.

  4. To view details about a specific framework, click the framework name.

Create a framework

After you determine which cloud controls apply to resources within your organization or a specific folder or project, you can create a framework. You can create a custom framework or copy an existing framework and modify it. When you copy a framework, it includes the latest releases of any built-in cloud controls.

  1. In the Google Cloud console, go to the Compliance page.

  2. Select your organization.

  3. In the Configure tab, click Create custom framework.

  4. Complete one of the following:

    • To use an existing framework, complete the following:

      1. Select Start from an existing framework.

      2. Select the framework that you want to copy.

      3. Click Add.

    • To create a custom framework, select Start new.

  5. Enter a name, unique identifier, and description for your framework. Click Continue.

    If you're copying an existing framework, the list of cloud controls that were part of the existing framework is displayed.

  6. To add the cloud controls that you require, complete the following:

    • To add an existing cloud control, click Add Cloud Controls. Select all the cloud controls that you require and then click Add.

      When you add a control, verify the control type (detective, preventive, or audit) of the control. Note that preventive and audit controls are available only in Premium and Enterprise tiers. Don't include audit-only controls in a framework that you want to use to monitor your environment and detect violations. You can't deploy frameworks that include audit-only controls.

    • (Premium and Enterprise tiers only) To create a custom cloud control, click Create custom cloud control. For instructions, see Create a custom cloud control.

  7. Click Continue.

  8. Add any additional parameters that the cloud controls require.

    For example, if you want to enable a Data Security Posture Management (DSPM) cloud control such as the Data access governance cloud control, specify the locations that principals must use. For more information about Data Security Posture Management controls, see Data access governance cloud control.

  9. Click Create.

Deploy a framework

Deploy a framework to an organization, folder, or project so that you can control and monitor those resources using the framework's cloud controls. You can deploy multiple frameworks to each organization, folder, or project. If you are deploying a framework that includes only the advanced data security cloud controls, you can deploy the framework to App Hub applications in folders configured for application management.

Folders and projects inherit frameworks through the Google Cloud resource hierarchy. Therefore, if you deploy frameworks at the organization level and at a project level, all the cloud controls within both frameworks apply to the resources in the project. If there are any differences in cloud control definitions, the lower-level cloud control is used by the resources in the project. For example, if a cloud control rule is set to Allow at the organization level and to Deny at the project level, the project-level setting of Deny is applied to the resources in the project.

As a best practice, we recommend that you deploy a framework at the organization level that includes the cloud controls that can apply to your entire business. You can then deploy more stringent frameworks to folders and projects that require them.
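As an added illustration (not Compliance Manager code or any Google Cloud API), the following Python models the inheritance rule described above: the cloud controls of every framework deployed along a project's ancestry apply to the project, and where a control is defined at more than one level, the definition closest to the project wins. The resource names and control IDs are constructed sample data.

```python
# Model of framework inheritance through the resource hierarchy: union of
# all deployed controls, lowest-level definition wins on conflicts.
# Resource names and control IDs below are constructed, not real resources.
from dataclasses import dataclass


@dataclass
class FrameworkDeployment:
    resource: str   # "organizations/...", "folders/..." or "projects/..."
    controls: dict  # cloud control ID -> rule setting ("Allow" or "Deny")


def effective_controls(ancestry, deployments):
    """Return (effective rules, source resource per control) for a project.

    ancestry lists resource names from the project up to the organization.
    """
    by_resource = {d.resource: d for d in deployments}
    effective, source = {}, {}
    # Walk from the organization down to the project so that each lower
    # level overwrites the definitions inherited from the levels above it.
    for resource in reversed(ancestry):
        deployment = by_resource.get(resource)
        if deployment is None:
            continue  # no framework deployed at this level
        for control_id, rule in deployment.controls.items():
            effective[control_id] = rule
            source[control_id] = resource
    return effective, source


# Constructed sample: a broad org-wide framework plus a stricter project
# framework, mirroring the Allow-at-org / Deny-at-project case above.
ANCESTRY = ["projects/sample-proj", "folders/111", "organizations/999"]
DEPLOYMENTS = [
    FrameworkDeployment("organizations/999",
                        {"public-access": "Allow", "external-ip": "Deny"}),
    FrameworkDeployment("projects/sample-proj",
                        {"public-access": "Deny", "serial-port": "Deny"}),
]


def sample_resolution():
    """Resolve the sample: public-access -> Deny (project), others inherited."""
    return effective_controls(ANCESTRY, DEPLOYMENTS)


if __name__ == "__main__":
    rules, origin = sample_resolution()
    for cid in sorted(rules):
        print(f"{cid}: {rules[cid]} (from {origin[cid]})")
```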

Note: If you deploy a framework to a folder or project that has Security Health Analytics enabled, you might receive duplicate findings. Compliance Manager uses a different evaluation engine than Security Health Analytics.

  1. In the Google Cloud console, go to the Compliance page.

  2. Select your organization.

  3. In the Configure tab, for the framework that you want to deploy, click More Actions > Apply to resources.

  4. Choose one of the following options:

    • To monitor for drift only, choose Monitor.

    • To monitor for drift and actively prevent violations, choose Monitor and prevent.

  5. Select the resource that you want to deploy the framework to. You can choose an existing organization, folder, or project. For DSPM only, you can select an application to deploy a framework that includes only DSPM advanced cloud controls to an application. If you chose to actively prevent violations, you can create a new folder or project and deploy the framework to it.

  6. Complete one of the following:

    • If you selected Monitor, complete the following:

      1. Verify the information.
      2. If you selected a folder configured for application management and your framework includes only advanced DSPM cloud controls, select the application that you want to monitor.
      3. Click Monitor.
    • If you selected Monitor and prevent, complete the following:

      1. Click Next. Review the cloud controls and modes.
      2. Click Continue.
      3. If displayed, verify the additional information that's required for some cloud controls.
      4. Click Next.
      5. Review your selections and then click Enforce.

After you deploy the framework, you can monitor your environment for any drift from your defined cloud controls. Security Command Center reports instances of drift as findings that you can review, filter, and resolve. It can take approximately six hours after you deploy a framework for findings related to cloud controls to appear.

Edit a custom framework

After you create a framework, you can change its name and description, add or remove cloud controls, and update any parameters. You can only edit frameworks that you create; you can't edit built-in frameworks.

  1. In the Google Cloud console, go to the Compliance page.

  2. Select your organization.

  3. On the Configure tab, click the framework that you want to edit.

  4. On the Framework details page, verify that the framework isn't assigned to a resource. If required, remove the assignments.

  5. Click Actions > Edit.

  6. In the Update framework details page, change the name and description as required. Click Continue.

  7. To change the cloud controls that are included in the framework, complete the following:

    • To add an existing cloud control, click Add Cloud Controls. Select all the cloud controls that you require and then click Add.

    • To create a custom cloud control, click Create custom cloud control. For instructions, see Create a custom cloud control.

    • To remove a cloud control, select the cloud control and click Remove.

  8. Click Continue.

  9. Add any additional parameters that the cloud controls require.

  10. Click Save.

Remove resources from a deployed framework

You can remove the organization, folders, or projects that you assigned to a deployed framework. Removing resources means that the framework no longer generates findings for that node of your resource hierarchy.

When you remove resources, the state of most of the related findings changes to Inactive after seven days. If your framework includes the Data deletion cloud control, the findings change to Inactive after 90 days. The states for findings that are related to the Data flow governance cloud control and the Data access governance cloud control aren't automatically changed.

  1. In the Google Cloud console, go to the Compliance page.

  2. Select your organization.

  3. On the Configure tab, click the framework that you want to unassign resources from.

  4. On the Framework details page, click Actions > Manage resource assignments.

  5. In the Assigned resources table, find the resource that you want to remove and click Delete.

  6. Review the confirmation message and click Unassign.

  7. Optional: change the state of associated findings to Inactive. For instructions, see Change the state of a finding.

Update a framework to a newer release

Google publishes regular updates to its built-in frameworks as services deploy new features or as new best practices emerge.

You can view the releases of built-in frameworks in the frameworks dashboard in the Configure tab or in the framework details page.

Google notifies you in the console and release notes when the following updates occur:

To update a framework, complete the following:

  1. In the Google Cloud console, go to the Compliance page.

  2. Select your organization.

  3. On the Configure tab, click the framework that you want to update.

  4. On the Framework details page, in the Assigned resources table, review the Update status for any assignments that are identified as Update available.

  5. To apply the changes, complete the following:

    1. Remove the resource assignment.

      Note: When you remove a resource assignment, Compliance Manager no longer evaluates that resource using that framework. Findings are no longer created.

    2. Redeploy the framework to your resource so that Compliance Manager can resume evaluating the resource and creating findings.

Delete a custom framework

Delete a framework when it's no longer required. You can only delete frameworks that you create; you can't delete built-in frameworks.

Note: You can't recover a framework after you delete it.

  1. In the Google Cloud console, go to the Compliance page.

  2. Select your organization.

  3. On the Configure tab, click the framework that you want to unassign resources from.

  4. On the Framework details page, verify that the framework isn't assigned to a resource. If required, remove the assignments.

  5. Click Actions > Delete.

  6. In the Delete window, review the message. Type Delete and click Confirm.


Last updated 2026-02-20 UTC.