Understanding the compliance monitoring views

Learn how to interpret and respond to the compliance monitoring views.

User interface

The Compliance Monitoring tool consists of the following views:
Dashboard view

This is the default view and provides an overview of the current status of compliance deployment, organized by compliance type. Individual tiles reflect the current configuration status of several compliance monitoring components, making it easy to quickly identify which compliance types require additional configuration.

Database view

The database view provides a table indicating which databases are configured with any of the supported compliance monitoring templates.

Set up compliance monitoring

The Set up compliance monitoring tool provides a guided interface for quickly associating databases with compliance templates and running the initial setup. Access the tool by clicking the set up compliance monitoring icon on the Set up compliance monitoring tile of the dashboard view or by selecting databases and clicking the Set up compliance monitoring button on the database view.

The compliance monitoring views provide several interrelated ways to complete the configuration tasks associated with establishing compliance monitoring. The following table summarizes the tasks supported by the different views.

Table 1. Summary of tasks supported by compliance monitoring views.

| Task | Set up compliance monitoring | Dashboard view | Database view |
| --- | --- | --- | --- |
| Associate compliance type with databases | From the Databases section, select databases from the Available databases table and click the move right icon to move them to the Selected databases table. | | |
| Populate groups | | From a compliance type tile, click the Populate group link or navigate to View details > Summary and click the edit group icon next to a group. | |
| Define datasources for discovering sensitive data | From the Databases section, select databases from the Selected databases table and click the Provide credentials button. | From a compliance type tile, click the Datasource credentials link, select databases, and click Datasource actions > Provide credentials. | Select databases and click Datasource actions > Provide credentials. |

Important: Once configured with a compliance monitoring template, databases that have been taken offline will continue to appear in the compliance monitoring tool.

Policies

The quick start compliance monitoring templates provide security policies that are designed to work effectively and without any modification. Use these policies to quickly get up and running with compliance monitoring. From the compliance monitoring dashboard view, click View details > Policies to see the policies associated with a specific compliance type.

When compliance monitoring is configured from a central manager, quick start security policies are automatically pushed down to all collectors. If policies other than the default quick start security policies are installed, the quick start policies are installed last.

If you want to review the compliance monitoring policies in detail, they are available through the Policy Finder. Quick start compliance monitoring policies are identified with the following naming convention: Quick Start compliance type. For example, the default GDPR policy is named Quick Start GDPR. It is also possible to edit the compliance monitoring security policies using the Policy Builder for Data.

If you have modified the compliance monitoring policies, revert to the default settings from the Compliance Monitoring dashboard view by clicking View details in the desired compliance type tile, selecting the Policies tab, and clicking Reset to default. Before restoring the default settings, any customized settings are retained in a policy with the following naming convention: Quick Start compliance type timestamp (where timestamp indicates the date and time default settings were restored). For example, Quick Start GDPR 2017-05-01 19:17:59.
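The naming convention above makes a past Reset to default visible in a plain list of policy names. The following is an added example, not part of the product or its documentation: it assumes the names have been copied from the Policy Finder into a list (how they are obtained is left open), and the function names and every sample name other than the page's GDPR example are constructed for illustration.

```python
import re
from datetime import datetime

# Naming convention described on the page:
#   default policy:          "Quick Start <compliance type>"
#   retained customization:  "Quick Start <compliance type> <YYYY-MM-DD HH:MM:SS>"
NAME_RE = re.compile(
    r"^Quick Start (?P<ctype>.+?)"
    r"(?: (?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}))?$"
)

def classify_policies(names):
    """Return (by_type, other).

    by_type maps compliance type -> {"default": bool, "resets": [datetime]}.
    other holds names outside the convention, including names whose
    timestamp-shaped suffix is not a valid date (left for manual review).
    """
    by_type, other = {}, []
    for name in names:
        m = NAME_RE.match(name.strip())
        if not m:
            other.append(name)
            continue
        when = None
        if m.group("ts"):
            try:
                when = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
            except ValueError:
                other.append(name)
                continue
        entry = by_type.setdefault(m.group("ctype"), {"default": False, "resets": []})
        if when is None:
            entry["default"] = True
        else:
            entry["resets"].append(when)
    for entry in by_type.values():
        entry["resets"].sort()
    return by_type, other

def latest_resets(by_type):
    """Compliance types with a retained customized policy, and the last reset time."""
    return {c: e["resets"][-1] for c, e in by_type.items() if e["resets"]}

# Constructed sample list; only the timestamped GDPR name appears on the page.
SAMPLE = [
    "Quick Start GDPR",
    "Quick Start GDPR 2017-05-01 19:17:59",
    "Quick Start GDPR 2017-04-02 08:00:00",
    "Quick Start PCI",
    "Quick Start HIPAA 2017-13-45 99:99:99",
    "Custom audit policy",
]
```

A compliance type that appears in `latest_resets` had customized rules replaced by the defaults at the reported time, which is worth correlating with change records when reviewing monitoring coverage.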

Policy installation schedule

By default, the quick start compliance monitoring tool defines a policy installation schedule that runs daily at 10:30 AM.

When compliance monitoring is configured from a standalone machine, a policy installation schedule is defined if there are no pre-existing policy installation schedules (regardless of whether the schedules are active or paused). When compliance monitoring is configured from a central manager, the policy installation schedule is configured for all collectors (regardless of whether existing policy installation schedules exist).

Groups

The compliance monitoring tool relies on several groups associated with each compliance type. These groups should be populated to establish effective compliance monitoring. From the compliance monitoring dashboard view, click View details > Summary to see the groups associated with a specific compliance type.

Restriction:
  • Hierarchical or nested groups are not supported.
  • Empty groups are not treated as wild cards and will not capture any traffic.

You may notice a discrepancy between the number of databases and the members of the Server IP group shown on the View details > Summary tab for a compliance type. This discrepancy reflects multiple databases running on a single database server or a Server IP group that has been updated outside of the compliance monitoring tool.

Reports

The quick start compliance monitoring templates provide several predefined reports for each compliance type. From the compliance monitoring dashboard view, click View details > Reports to see the reports associated with a specific compliance type. These reports are also available under the Accelerators section of the main Guardium navigation. This list of reports is predefined for each compliance type and does not reflect any custom reports you may have defined.

Restriction: The HIPAA compliance monitoring template does not provide any predefined reports.

Users and roles

The current user is assigned to the selected compliance-type role, enabling access to the related reports and accelerators. If different Guardium users configure different compliance types, the individual users will only have access to the reports and accelerators associated with the compliance types they configured.

For example, if user1 configures GDPR and user2 configures PCI, user1 will not have access to the PCI reports and accelerators because the PCI role has not been assigned to user1. For information about manually assigning specific roles to users, see Access management overview.

Sensitive data

You may notice a discrepancy between the Matches found value on a compliance type tile and the associated objects groups on the View details > Summary tab. Matches found indicates the number of unique table and column name pairs that matched criteria from the sensitive data discovery scenario. The number of members in the OBJECTS group is the number of unique table names and is a cumulative value from all scans.

Important: In the Scanning for sensitive data section of a tile, configured icons indicate that one or more datasources have been configured for discovering sensitive data. Click View databases to investigate which databases have datasources defined for discovering sensitive data.