
Manage Policy Frameworks

A policy framework is a collection of policies that you want to work with as a unit. A framework serves as the basis for automated reports, but you can use frameworks for other purposes as well. For example, you can create a framework that groups only the policies currently in violation, which serves as a burndown list that makes remediation easier to track and organize.

Lacework provides many built-in frameworks, many based on standard benchmarks. You can create your own custom frameworks as well, as described here.

Create a Custom Framework

Create a custom framework by choosing an existing framework to serve as the basis for your framework. In your custom framework, you can remove and rearrange policies and add new ones, including your own custom compliance policies. After you have created a custom framework, you can use it as the basis for report configurations.

When choosing a basis for your custom framework, keep in mind that Lacework provides hundreds of compliance policies with which to build frameworks. These policies are rooted in industry benchmarks, including PCI, ISO27001, SOC2, HIPAA, and more. Before starting, consider the target audience for the reports that will be generated from your custom framework. Cloud security teams usually care about CIS as their security posture baseline, while compliance teams usually care about one or two industry benchmarks, but not all of them. Knowing the existing frameworks and the intended audience for your reports lets you determine the best basis for your customization.

Note: Currently, a custom report can only contain compliance policy frameworks of the same cloud type (that is, only AWS, GCP, or Azure compliance policies).

To create a custom framework:

  1. Click Configure framework.
  2. Choose the existing framework that you want to serve as the template for your custom framework and click Next.
  3. Provide a unique name for your framework.
  4. To customize and refine the composition of your framework, expand existing framework sections in the left-side panel and click Add / Edit policies to change the policies in that section. Alternatively, modify them from the list below, where you can modify existing properties or add or remove policies from your framework.
  5. To add a section, click Add section and configure the new section as follows:
    1. Provide the following properties:
      • Section id: Provide a unique section identifier.
      • Section name: Provide a descriptive name for the section.
      • Section description: Add an optional description for the section.
    2. Click Save.
    3. Add policies to the new section using the section controls.
  6. Click Save to complete the custom framework creation.

After you create a compliance framework, the Pending changes status message may appear next to the framework title in the list. This status indicates that policies in the new or modified framework have changed or have been added or updated since they were last evaluated. Changes that can trigger this status include, for example, a change to the policy query, to its activity state, or to its severity. The status clears after the next evaluation.

It may take up to 24 hours for the results to reflect the framework configuration changes.

Edit a Custom Framework

Custom frameworks are versioned. Each time you edit a custom framework, its revision number is incremented, so a report can be correlated with the version of the framework it was generated from.

As after creation, the Pending changes status message may appear next to the framework title in the list after you edit a compliance framework. It indicates that policies in the modified framework have changed or have been added or updated since they were last evaluated (for example, a change to a policy query, activity state, or severity), and it clears after the next evaluation.

It may take up to 24 hours for the results to reflect the framework configuration changes.

Delete a Custom Framework

You can delete custom frameworks. If there are active report configurations based on the framework, they are automatically disabled and shown as inactive in the console; that is, reports based on the deleted framework are no longer generated or delivered.

To remove the custom framework, open the framework from the Frameworks catalog page and click the delete icon at the top of the page. Confirm the delete operation when prompted.
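The rules this page states for the framework lifecycle (a custom framework starts as a copy of an existing one and needs a unique name; section ids are unique; all policies in a framework share one cloud type; each edit increments the revision and sets the Pending changes status; deleting a framework disables the report configurations that depend on it) are easy to lose track of when they are spread across a console workflow. The following Python model, added here as an example and not Lacework's own code or API, enforces those rules in one place so a team can reason about them before clicking through the console. The policy ids, framework names and report names are constructed placeholders, and the data structures are assumptions of this example.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# Constructed sample catalog: policy id -> cloud type. These ids are
# hypothetical placeholders, not real Lacework policy identifiers.
POLICY_CATALOG: Dict[str, str] = {
    "aws-cis-1-1": "AWS",
    "aws-cis-2-1": "AWS",
    "custom-aws-s3-logging": "AWS",  # a custom compliance policy
    "gcp-cis-1-1": "GCP",
}

class FrameworkError(ValueError):
    """Raised when a change would violate one of the framework rules."""

@dataclass
class Section:
    section_id: str  # unique within the framework
    name: str
    description: str = ""
    policies: List[str] = field(default_factory=list)

@dataclass
class Framework:
    name: str        # unique framework name
    cloud_type: str  # AWS, GCP or Azure; all policies must match
    sections: List[Section] = field(default_factory=list)
    revision: int = 1          # incremented on every edit
    pending_changes: bool = False  # set on edit, cleared by evaluation

@dataclass
class ReportConfig:
    name: str
    framework_name: str
    active: bool = True

def create_from_template(template: Framework, name: str, existing: List[Framework]) -> Framework:
    """Start a custom framework as a deep copy of an existing one with a unique name."""
    if any(f.name == name for f in existing):
        raise FrameworkError(f"framework name {name!r} is not unique")
    sections = [Section(s.section_id, s.name, s.description, list(s.policies))
                for s in template.sections]
    return Framework(name, template.cloud_type, sections)

def add_section(fw: Framework, section_id: str, name: str, description: str = "") -> Section:
    """Add a section; section ids must be unique within the framework."""
    if any(s.section_id == section_id for s in fw.sections):
        raise FrameworkError(f"section id {section_id!r} already exists in {fw.name!r}")
    section = Section(section_id, name, description)
    fw.sections.append(section)
    return section

def add_policy(fw: Framework, section_id: str, policy_id: str) -> None:
    """Add a catalog policy to a section, rejecting policies of another cloud type."""
    cloud = POLICY_CATALOG.get(policy_id)
    if cloud is None:
        raise FrameworkError(f"unknown policy {policy_id!r}")
    if cloud != fw.cloud_type:
        raise FrameworkError(f"{policy_id!r} is {cloud}; {fw.name!r} holds {fw.cloud_type} only")
    section = next((s for s in fw.sections if s.section_id == section_id), None)
    if section is None:
        raise FrameworkError(f"no section {section_id!r} in {fw.name!r}")
    if policy_id not in section.policies:
        section.policies.append(policy_id)

def edit_framework(fw: Framework, change: Callable[[Framework], None]) -> int:
    """Apply an edit, bump the revision and flag the framework as pending evaluation."""
    change(fw)
    fw.revision += 1
    fw.pending_changes = True
    return fw.revision

def delete_framework(fw: Framework, catalog: List[Framework], reports: List[ReportConfig]) -> List[str]:
    """Remove the framework and disable report configurations based on it."""
    catalog.remove(fw)
    disabled = []
    for r in reports:
        if r.framework_name == fw.name and r.active:
            r.active = False
            disabled.append(r.name)
    return disabled

def demo() -> dict:
    """Walk through create, edit and delete on constructed data; returns checkable values."""
    base = Framework("AWS CIS (built-in)", "AWS", [Section("1", "Identity", "", ["aws-cis-1-1"])])
    catalog = [base]
    custom = create_from_template(base, "AWS burndown", catalog)
    catalog.append(custom)
    add_section(custom, "9", "Logging", "Policies being remediated this quarter")
    add_policy(custom, "9", "custom-aws-s3-logging")
    try:
        add_section(custom, "9", "Duplicate")      # duplicate section id is rejected
        dup_rejected = False
    except FrameworkError:
        dup_rejected = True
    try:
        add_policy(custom, "9", "gcp-cis-1-1")     # mixed cloud types are rejected
        mixed_rejected = False
    except FrameworkError:
        mixed_rejected = True
    rev = edit_framework(custom, lambda f: add_policy(f, "9", "aws-cis-2-1"))
    reports = [ReportConfig("weekly", "AWS burndown"), ReportConfig("soc2", "AWS CIS (built-in)")]
    disabled = delete_framework(custom, catalog, reports)
    return {"revision": rev, "pending": custom.pending_changes, "dup_rejected": dup_rejected,
            "mixed_rejected": mixed_rejected, "disabled": disabled,
            "remaining": [f.name for f in catalog]}
```

Running `demo()` builds a custom AWS framework from a built-in template, shows that a duplicate section id and a GCP policy are both rejected, bumps the revision to 2 on edit, and on deletion disables only the report configuration that depended on the custom framework while leaving the one based on the built-in framework active.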