Compliance monitoring
You are required to continuously monitor for possible security flaws and for changes to baseline configurations, and to take corrective action when you find them. With Security and Compliance Center you can embed security checks into your everyday workflows to help monitor for security and compliance. By monitoring for risks, you can identify security vulnerabilities and quickly work to mitigate the impact and fix the issue. By using Security and Compliance Center together with external integrations (such as the OpenShift Compliance Operator (OSCO), Tanium, and NeuVector), you can build a robust approach to monitoring for security and compliance issues.
Using Security and Compliance Center
Security and Compliance Center provides a number of pre-defined profiles. Each profile is a collection of controls (a control is a technical, administrative, or physical safeguard designed to meet a set of defined security and privacy requirements; controls exist to prevent, detect, or lessen the ability of a threat to exploit a vulnerability), and each control has one or more goals. Goals are pre-defined automated tests used to evaluate your posture against a control.
Running a scan against a specific profile does not ensure regulatory compliance. The scan provides a point-in-time statement of your current posture for a specific group of resources.
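Because each scan is only a point-in-time statement, continuous monitoring in practice means keeping successive scans of the same profile and acting on what changed between them: which goals regressed, which were fixed, and which goals are new to the profile. The script below is an added example and is not code from this page or from Security and Compliance Center. The record layout (`control_id`, `goal_id`, `status`) and the goal IDs are constructed for illustration and are not the SCC result schema; a control is treated as passing only when every one of its goals passes.

```python
"""Roll up goal-level results into control posture and diff two scans.

Added example, not IBM Cloud or Security and Compliance Center code.
The records below are constructed to mirror the profile -> control -> goal
hierarchy described on the page; the field names and goal IDs are
assumptions for illustration, not the SCC result schema.
"""
from collections import defaultdict

# Constructed point-in-time results from two scans of the same profile
# against the same group of resources.
SCAN_T0 = [
    {"control_id": "CM-6", "goal_id": "g-cm6-01", "status": "pass"},
    {"control_id": "CM-6", "goal_id": "g-cm6-02", "status": "pass"},
    {"control_id": "SI-6", "goal_id": "g-si6-01", "status": "fail"},
    {"control_id": "CA-7", "goal_id": "g-ca7-01", "status": "pass"},
]
SCAN_T1 = [
    {"control_id": "CM-6", "goal_id": "g-cm6-01", "status": "pass"},
    {"control_id": "CM-6", "goal_id": "g-cm6-02", "status": "fail"},  # drifted
    {"control_id": "SI-6", "goal_id": "g-si6-01", "status": "pass"},  # remediated
    {"control_id": "CA-7", "goal_id": "g-ca7-01", "status": "pass"},
    {"control_id": "CA-7", "goal_id": "g-ca7-02", "status": "fail"},  # goal new in T1
]


def control_posture(results):
    """Return {control_id: "pass" | "fail"}.

    A control passes only if every goal evaluated for it passes; a single
    failing goal fails the whole control.
    """
    goal_ok = defaultdict(list)
    for r in results:
        goal_ok[r["control_id"]].append(r["status"] == "pass")
    return {cid: ("pass" if all(oks) else "fail") for cid, oks in goal_ok.items()}


def diff_scans(before, after):
    """Compare two point-in-time scans by goal.

    regressions:  passed before, fail now (configuration drift since last scan)
    fixes:        failed before, pass now
    new_failures: failing goals that were not evaluated in the earlier scan
                  (e.g. a profile update added goals); not drift, but still open
    missing:      goals evaluated before but absent now (resource removed or
                  profile changed) so their posture is currently unknown
    """
    prev = {r["goal_id"]: r["status"] for r in before}
    cur = {r["goal_id"]: r["status"] for r in after}
    return {
        "regressions": sorted(g for g, s in cur.items()
                              if s == "fail" and prev.get(g) == "pass"),
        "fixes": sorted(g for g, s in cur.items()
                        if s == "pass" and prev.get(g) == "fail"),
        "new_failures": sorted(g for g, s in cur.items()
                               if s == "fail" and g not in prev),
        "missing": sorted(g for g in prev if g not in cur),
    }


def controls_needing_action(before, after):
    """Controls whose posture is "fail" in the later scan, with the goals to fix."""
    failing = {r["control_id"] for r in after if r["status"] == "fail"}
    goals = defaultdict(list)
    for r in after:
        if r["status"] == "fail":
            goals[r["control_id"]].append(r["goal_id"])
    return {cid: sorted(goals[cid]) for cid in sorted(failing)}


if __name__ == "__main__":
    print("posture T0:", control_posture(SCAN_T0))
    print("posture T1:", control_posture(SCAN_T1))
    print("changes:   ", diff_scans(SCAN_T0, SCAN_T1))
    print("to fix:    ", controls_needing_action(SCAN_T0, SCAN_T1))
```

The distinction between `regressions` and `new_failures` matters for corrective action: a regression means a previously compliant resource drifted from its baseline and should be investigated as a change, whereas a new failure from a newly added goal is a gap to remediate but not evidence that anything changed on the resource.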
The IBM Cloud for Financial Services profile provides a tailored set of goals that are mapped to the IBM Cloud Framework for Financial Services control requirements. This profile should always be used when leveraging the VPC reference architecture.
In addition, if you are using Red Hat OpenShift on IBM Cloud (whether in the VPC reference architecture or the Satellite reference architecture), you should use the Red Hat OpenShift on IBM Cloud Compliance Operator (OSCO) through its integration with Security and Compliance Center.
To start evaluating your resources, see Getting started with Security and Compliance Center.
Compliance best practices for Financial Services Validated services
The following table provides references to additional information for managing security and compliance for each service in the reference architecture.
Category | VPC reference architecture | Satellite reference architecture | Optional for both |
---|---|---|---|
Core | |||
Containers | |||
Networking | |||
Storage | |||
Security | |||
Logging and monitoring | |||
Integration | |||
For more information, see:
- Managing security and compliance in IBM Cloud - provides details on security and compliance within platform services.
Related controls in IBM Cloud Framework for Financial Services
The following IBM Cloud Framework for Financial Services controls are most related to this guidance. However, in addition to following the guidance here, do your own due diligence to ensure you meet the requirements.
Family | Control |
---|---|
Change Management (CM) | CM-2 (2) Baseline Configuration: Automation Support for Accuracy and Currency; CM-6 Configuration Settings; CM-6 (1) Configuration Settings: Automated Management, Application, and Verification |
Maintenance (MA) | MA-2 Controlled Maintenance |
System and Information Integrity (SI) | SI-2 (2) Flaw Remediation: Central Management; SI-6 Security Functionality Verification |
Security Assessment and Authorization (CA) | CA-7 Continuous Monitoring |