Commit

Update: 15-10-2024
cldocid2 committed Oct 15, 2024
1 parent 14c1ebb commit e7c5b3d
Showing 28 changed files with 111 additions and 110 deletions.
12 changes: 9 additions & 3 deletions attachments.md
Expand Up @@ -2,7 +2,7 @@

copyright:
years: 2020, 2024
lastupdated: "2024-10-08"
lastupdated: "2024-10-15"

keywords: attachment, scan resources, scc, run evaluation

Expand Down Expand Up @@ -49,9 +49,15 @@ To create an attachment, you can use the {{site.data.keyword.compliance_short}}
6. Select the scope that you want to target. Then, click **Next**.

The scopes that are available in this view are filtered only to those scopes that contain resources that can be evaluated against your selected profile. If you aren't seeing the scope that you created, select a different profile or adjust the resources included in your scope.
{: tip}
{: tip}

<annotations>7. In the annotation section, add custom annotations to individual controls. These annotations are for reference only and do not affect the evaluation process. Then, click **Next**.</annotations>
7. In the annotation section, add custom annotations to individual controls. These annotations are for reference only and do not affect the evaluation process. Then, click **Next**.

An annotation is a note that a user can add to a control. While these can be anything, typically they are used to highlight how your organization manages, mitigates, or remediates a control. For example, if you are looking at Control ID A.10.11 - Encryption of data, you might add the following test procedures as an annotation.

* Verify that encryption is enabled on all storage volumes containing sensitive data by inspecting system configurations.
* Review a sample of transmission logs to ensure data in transit is being encrypted using TLS 1.2 or higher.
* Conduct a key management audit to confirm that keys are being stored securely and are rotated as required.

8. Define your scan settings.
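Review bot: the new explanatory paragraph and the three bullets inserted between step 7 and step 8 must be indented under step 7, otherwise Markdown closes the ordered list and `8. Define your scan settings.` restarts at 1; the rendered diff does not show indentation, so please confirm it. Also, the example `Control ID A.10.11 - Encryption of data` reads like a real control identifier; if it is only illustrative, say so, since readers may go looking for it in a control library.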

4 changes: 2 additions & 2 deletions available-profiles.md
Expand Up @@ -2,7 +2,7 @@

copyright:
years: 2024
lastupdated: "2024-07-09"
lastupdated: "2024-10-15"

keywords: best practices, security and compliance, governance, profile, predefined profiles, benchmark, controls, goals, security, compliance

Expand Down Expand Up @@ -62,6 +62,6 @@ The following profiles are available for you to use in {{site.data.keyword.compl
| NIST SP 800-53 | Validate that your resource configurations meet the baselines requirements that are identified by the National Institute of Standards and Technology | Multi-environment | [![Note icon](../../icons/note_icon.svg)](/docs/security-compliance?topic=security-compliance-nist-800-53-change-log) |
| PCI | Validate that your resource configurations meet the baseline requirements that are identified by the Payment Card Industry Data Security Standard. | Multi-environment | [![Note icon](../../icons/note_icon.svg)](/docs/security-compliance?topic=security-compliance-pci-dss-change-log) |
| SOC 2 | Validate that your resource configurations meet the baselines requirements that are identified in the Service Organization Control reports issued by the American Institute of Certified Public Accountants. | {{site.data.keyword.cloud_notm}} | [![Note icon](../../icons/note_icon.svg)](/docs/security-compliance?topic=security-compliance-soc2-change-log) |
{: caption="Table 2. Available predefined profiles" caption-side="top"}
{: caption="Available predefined profiles" caption-side="top"}

**Integration required*
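Review bot: `**Integration required*` on the last line of this hunk has unbalanced emphasis markers (two opening asterisks, one closing), so it will not render as bold. While the caption is being edited, also fix `baselines requirements` in the NIST SP 800-53 and SOC 2 rows to `baseline requirements`, which is the wording the PCI row already uses.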
6 changes: 2 additions & 4 deletions best-practices.md
Expand Up @@ -2,7 +2,7 @@

copyright:
years: 2020, 2024
lastupdated: "2024-03-19"
lastupdated: "2024-10-15"

keywords: scc best practices, enterprise, scc access

Expand Down Expand Up @@ -61,7 +61,7 @@ A scope defines which resources in your accounts are evaluated. It is defined wh

Check out the following diagram to see how three attachments can co-exist within an enterprise.

![The image shows how two attachments are applied across an enterprise. One rule moves down the hierarchy. Another rule is attached only to a specific account, so its properties are applied only to the resources that it contains.](images/access-model.svg){: caption="Figure 1. Attachment hierarchy" caption-side="bottom"}
![The image shows how two attachments are applied across an enterprise. One rule moves down the hierarchy. Another rule is attached only to a specific account, so its properties are applied only to the resources that it contains.](images/access-model.svg){: caption="Attachment hierarchy" caption-side="bottom"}

Attachment A
: In Attachment A, the target scope is the full enterprise. As you can see, all account groups and accounts that exist within the enterprise are evaluated. That is, unless they have been purposefully excluded.
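Review bot: the sentence above the figure says the diagram shows how three attachments can co-exist, while the alt text (unchanged on both sides of this hunk) says it shows two attachments; one of the two is wrong and should be corrected together with the caption change. The alt text also calls the items rules, although the figure and the definition list below it describe attachments.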
Expand All @@ -83,5 +83,3 @@ When you work with {{site.data.keyword.compliance_short}} outside of the enterpr
You can select a single {{site.data.keyword.compliance_short}} instance in your main account to monitor a list of other target accounts (and their resources) and environments. This {{site.data.keyword.compliance_short}} instance in your main account must have access to scan resources in multiple target accounts for {{site.data.keyword.cloud_notm}} resources. You can define multiple scopes for each target account in an attachment.

You can create multiple attachments that distribute accounts across multiple attachments. For example, you can select 1 to 200 accounts in a single attachment scope. Then, you can select 201 to 400 accounts in the next attachment scope.


4 changes: 2 additions & 2 deletions custom-library.md
Expand Up @@ -2,7 +2,7 @@

copyright:
years: 2020, 2024
lastupdated: "2024-09-23"
lastupdated: "2024-10-15"

keywords: custom profiles, user-defined, controls, goals, security, compliance

Expand All @@ -19,7 +19,7 @@ subcollection: security-compliance
With {{site.data.keyword.compliance_full}}, you can create a custom control library that is specific to your organization's needs. You define the controls and specifications before you map previously created assessments.
{: shortdesc}

![The diagram shows the layout of a control library. The information is conveyed in the surrounding text.](images/control-library.svg){: caption="Figure 1. Understanding control libraries" caption-side="bottom"}
![The diagram shows the layout of a control library. The information is conveyed in the surrounding text.](images/control-library.svg){: caption="Understanding control libraries" caption-side="bottom"}


A control library is a grouping of controls that are added to {{site.data.keyword.compliance_short}}. The service offers several predefined libraries that are designed to help meet compliance for a specific use case. Each control has several specifications and assessments that are mapped to it. A specification is a defined requirement that is specific to a component. When met by an organization, the specification helps to ensure that they are compliant with the control. An assessment, or several, are mapped to each specification with a detailed evaluation that is done to check whether the specification is compliant. For more information, see [Key Concepts](/docs/security-compliance?topic=security-compliance-posture-management).
4 changes: 2 additions & 2 deletions custom-profile.md
Expand Up @@ -2,7 +2,7 @@

copyright:
years: 2020, 2024
lastupdated: "2024-09-23"
lastupdated: "2024-10-15"

keywords: custom profiles, user-defined, controls, goals, security, compliance

Expand All @@ -20,7 +20,7 @@ With {{site.data.keyword.compliance_full}}, you can take advantage of predefined
{: shortdesc}


![The diagram shows the layout of a profile. The information is conveyed in the surrounding text.](images/profile.svg){: caption="Figure 1. Understanding profiles" caption-side="bottom"}
![The diagram shows the layout of a profile. The information is conveyed in the surrounding text.](images/profile.svg){: caption="Understanding profiles" caption-side="bottom"}


A profile is a grouping of controls that can be evaluated for compliance. In {{site.data.keyword.compliance_short}}, you can work with predefined profiles, or you can create a profile by selecting controls that have already been added to a control library. Controls already have specifications and assessments that are associated with them, but you can choose to create your own. To learn more about each entity, see [Key Concepts](/docs/security-compliance?topic=security-compliance-posture-management).
6 changes: 3 additions & 3 deletions custom-rule.md
Expand Up @@ -2,7 +2,7 @@

copyright:
years: 2020, 2024
lastupdated: "2024-09-23"
lastupdated: "2024-10-15"

keywords: custom profiles, user-defined, controls, goals, security, compliance

Expand Down Expand Up @@ -103,7 +103,7 @@ String-based operators are case-sensitive.
| `num_greater_than` | Numeric | The property value is numerically greater than the condition value. | Yes |
| `num_greater_than_equals` | Numeric | The property value is numerically greater than or equal to the condition value. | Yes |
| `days_less_than` | Numeric | The property value is less than the condition value. | Yes |
{: caption="Table 3. Supported operator types" caption-side="top"}
{: caption="Supported operator types" caption-side="top"}

[^string_equals]: To include multiple values, use an array. For example, `{"value": ["A", "B," "C"]}`.
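Review bot: the footnote example in the context line `{"value": ["A", "B," "C"]}` has the comma inside the quotes of the second element, so it is not valid JSON and would fail if a reader copied it into a rule; it should read `{"value": ["A", "B", "C"]}`. Not part of the caption change, but it sits in this hunk and is cheap to fix.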

Expand Down Expand Up @@ -135,7 +135,7 @@ Most often, rules are more complex than a single property. To create more comple
2. If any of the three options are true.
3. If A is true or if B and C are both true.

![The diagram shows the correlation between multiple conditions. The information is conveyed in the surrounding text.](images/config-rules-property.svg){: caption="Figure 1. The ways in which properties can relate to each other." caption-side="bottom"}
![The diagram shows the correlation between multiple conditions. The information is conveyed in the surrounding text.](images/config-rules-property.svg){: caption="The ways in which properties can relate to each other." caption-side="bottom"}
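Review bot: the new caption `The ways in which properties can relate to each other.` keeps a trailing period, unlike every other caption touched in this commit; drop it for consistency.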



9 changes: 4 additions & 5 deletions framework/architecture-workload-isolation.md
Expand Up @@ -2,7 +2,7 @@

copyright:
years: 2020, 2024
lastupdated: "2024-08-07"
lastupdated: "2024-10-15"

keywords: public isolation for {{site.data.keyword.compliance_short}}, compute isolation for {{site.data.keyword.compliance_short}}, {{site.data.keyword.compliance_short}} architecture, workload isolation in {{site.data.keyword.compliance_short}}

Expand All @@ -27,13 +27,13 @@ Review the following architecture for {{site.data.keyword.compliance_full}} and

Check out the following image to see how the service workloads are isolated and managed.

![This image shows the workload isolation for the {{site.data.keyword.compliance_short}} service.](../images/architecture.svg){: caption="Figure 1. Workload isolation" caption-side="bottom"}
![This image shows the workload isolation for the {{site.data.keyword.compliance_short}} service.](../images/architecture.svg){: caption="Workload isolation" caption-side="bottom"}

| Component | Description |
|:----------|:------------|
| Control plane | The microservices that make up the individual components of the service run in the control plane, where they are isolated from the other components. Additionally, internal dependencies are run and isolated as part of the control plane. |
| Data plane | |
{: caption="Table 1. IBM-managed components of the {{site.data.keyword.compliance_short}}" caption-side="top"}
{: caption="IBM-managed components of the {{site.data.keyword.compliance_short}}" caption-side="top"}
{: #ibm-managed}
{: tab-title="IBM"}
{: tab-group="arch-manage"}
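Review bot: the `Data plane` row in the IBM-managed table has an empty description cell, which renders as a blank row; either describe what runs in the data plane or remove the row. Dropping the hard-coded `Table 1.` prefix here is the right call, since both tabs of this tab group carried `Table 1.`; please confirm the doc build now auto-numbers captions so the two tabs keep distinct labels.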
Expand All @@ -43,7 +43,7 @@ Check out the following image to see how the service workloads are isolated and
|:----------|:------------|
| {{site.data.keyword.cloud_notm}} services | As you interact with {{site.data.keyword.compliance_short}}, you are responsible for the instances of the other services that you chose to interact with through the service. |
| {{site.data.keyword.at_short}} | As you interact with the service, a log of the events that are generated can be found in your instance of {{site.data.keyword.at_short}}. |
{: caption="Table 1. Customer-managed components of the {{site.data.keyword.compliance_short}}" caption-side="top"}
{: caption="Customer-managed components of the {{site.data.keyword.compliance_short}}" caption-side="top"}
{: #customer-managed}
{: tab-title="Customer"}
{: tab-group="arch-manage"}
Expand All @@ -55,4 +55,3 @@ Check out the following image to see how the service workloads are isolated and
{: #workload-isolation}

Each regional deployment of the {{site.data.keyword.compliance_short}} serves multiple tenants and can be accessed through public endpoints. By default, all data at rest is encrypted by IBM keys. Data in transit is encrypted by using TLS. Your data is isolated from other customers' data, but it does share physical resources such as CPU, memory, and I/O devices.

4 changes: 2 additions & 2 deletions framework/at-events.md
@@ -1,7 +1,7 @@
---
copyright:
years: 2020, 2024
lastupdated: "2024-10-08"
lastupdated: "2024-10-15"

keywords: Activity Tracker for {{site.data.keyword.compliance_short}}, LogDNA for {{site.data.keyword.compliance_short}}, {{site.data.keyword.compliance_short}} events, {{site.data.keyword.compliance_short}} security, audit logs for {{site.data.keyword.compliance_short}}, viewing {{site.data.keyword.compliance_short}} events, {{site.data.keyword.compliance_short}} events

Expand Down Expand Up @@ -62,4 +62,4 @@ You must use a paid plan for the {{site.data.keyword.at_short}} service to see e
| `compliance.admin-settings.list` | View {{site.data.keyword.compliance_short}} settings for your account. |
| `compliance.admin-settings.update` | Update {{site.data.keyword.compliance_short}} settings for your account. |
| `compliance.admin-test-event.send` | Send a test event to a connected {{site.data.keyword.en_short}} service instance. |
{: caption="Table 1. List of events that apply to {{site.data.keyword.compliance_short}}" caption-side="top"}
{: caption="List of events that apply to {{site.data.keyword.compliance_short}}" caption-side="top"}
4 changes: 2 additions & 2 deletions framework/disaster-recovery.md
Expand Up @@ -2,7 +2,7 @@

copyright:
years: 2020, 2024
lastupdated: "2024-01-03"
lastupdated: "2024-10-15"

keywords: HA for {{site.data.keyword.compliance_short}}, DR for {{site.data.keyword.compliance_short}}, high availability for {{site.data.keyword.compliance_short}}, disaster recovery for {{site.data.keyword.compliance_short}}, failover for {{site.data.keyword.compliance_short}}, BC for {{site.data.keyword.compliance_short}}, business continuity for {{site.data.keyword.compliance_short}}, disaster recovery for {{site.data.keyword.compliance_short}}

Expand Down Expand Up @@ -43,7 +43,7 @@ For more information about configuring Cloud Object Storage, including how to ma
| --------------------------- | ------------ |
| RPO | 12 hours |
| RTO | 4 hours |
{: caption="Table 1. RPO and RTO for {{site.data.keyword.compliance_short}}" caption-side="bottom"}
{: caption="RPO and RTO for {{site.data.keyword.compliance_short}}" caption-side="bottom"}

If you require continuous scans while the primary region is unavailable, you can provision a new instance of {{site.data.keyword.compliance_short}} by using a new Cloud Object Storage bucket. However, you cannot access previous scan result data until the regional service is restored.
{: tip}
9 changes: 3 additions & 6 deletions framework/endpoints.md
Expand Up @@ -2,7 +2,7 @@

copyright:
years: "2024"
lastupdated: "2024-04-23"
lastupdated: "2024-10-15"

keywords: security compliance developer tools, integrate with application, API, SDK, CLI

Expand Down Expand Up @@ -42,7 +42,7 @@ Review the following table to determine the API endpoints to use when you connec
| Frankfurt | **Public:** `https://eu-de.compliance.cloud.ibm.com/instances/{instance_id}/v3` \n \n **Private:** `https://private.eu-de.compliance.cloud.ibm.com/instances/{instance_id}/v3` |
| Toronto | **Public:** `https://ca-tor.compliance.cloud.ibm.com/instances/{instance_id}/v3` \n \n **Private:** `https://private.ca-tor.compliance.cloud.ibm.com/instances/{instance_id}/v3` |
| Madrid | **Public:** `https://eu-es.compliance.cloud.ibm.com/instances/{instance_id}/v3` \n \n **Private:** `https://private.eu-es.compliance.cloud.ibm.com/instances/{instance_id}/v3` |
{: caption="Table 1. Endpoints for interacting with {{site.data.keyword.compliance_short}}" caption-side="top"}
{: caption="Endpoints for interacting with {{site.data.keyword.compliance_short}}" caption-side="top"}



Expand All @@ -69,9 +69,6 @@ Replace the variables in the example request according to the following table.
| `region` | The region abbreviation that represents the geographic area where your {{site.data.keyword.compliance_short}} is located. For example, `us-south` or `eu-de`. |
| `url_encoded_instance_CRN` | The Cloud Resource Name (CRN) that uniquely identifies your {{site.data.keyword.compliance_short}} service instance. The value must be URL encoded. |
| `IAM_token` | Your {{site.data.keyword.cloud_notm}} IAM access token. |
{: caption="Table 3. Required parameters for retrieving service endpoints with the API" caption-side="top"}
{: caption="Required parameters for retrieving service endpoints with the API" caption-side="top"}
A successful request returns the endpoint URLs that are associated with the region and service instance CRN that you specify.
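Review bot: this hunk removes the blank lines between the `{: caption=...}` attribute line and the paragraph `A successful request returns...`, so the paragraph now starts on the line immediately after the block attribute; confirm it still renders as its own paragraph rather than being attached to the table block. Removing the hard-coded `Table 3.` also closes a numbering gap, since the earlier table in this file was `Table 1.`.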
8 changes: 4 additions & 4 deletions framework/event-notifications.md
Expand Up @@ -2,7 +2,7 @@

copyright:
years: 2020, 2024
lastupdated: "2024-09-23"
lastupdated: "2024-10-15"

keywords: event notifications for {{site.data.keyword.compliance_short}}, event notifications integration for {{site.data.keyword.compliance_short}}, alerts for {{site.data.keyword.compliance_short}}

Expand All @@ -29,7 +29,7 @@ Review the following sections to learn about the events that are generated by sp
| `com.ibm.cloud.compliance.posture` | `posture-scan-completed` | An event is sent when a scan is complete. |
| `com.ibm.cloud.compliance.posture` | `posture-scan-failure-threshold-limit-exceeds` | An event is sent when your specified threshold of failed controls is met. |
| `com.ibm.cloud.compliance.posture` | `posture-scan-new-resource-in-inventory` | An event is sent when a new resource is found in your inventory. |
{: caption="Table 1. List of events that apply to {{site.data.keyword.compliance_short}}" caption-side="top"}
{: caption="List of events that apply to {{site.data.keyword.compliance_short}}" caption-side="top"}



Expand All @@ -48,7 +48,7 @@ Events that are generated by the {{site.data.keyword.compliance_short}} can be f

Before you can enable notifications for {{site.data.keyword.compliance_short}}, be sure that you have an [{{site.data.keyword.en_short}} service instance](/catalog/services/event-notifications){: external} that is in the same account. Then, you can use the **Settings > Event Notifications** section in the {{site.data.keyword.compliance_short}} UI to connect the services.

![The image shows the {{site.data.keyword.en_short}} screen in the Security and Compliance Center UI.](../images/event-notifications.svg){: caption="Figure 1. Connecting to {{site.data.keyword.en_short}}" caption-side="bottom"}
![The image shows the {{site.data.keyword.en_short}} screen in the Security and Compliance Center UI.](../images/event-notifications.svg){: caption="Connecting to {{site.data.keyword.en_short}}" caption-side="bottom"}

1. In the {{site.data.keyword.cloud_notm}} console, go to the **Resource list** page and select your instance of {{site.data.keyword.compliance_short}}.
2. In your instance of {{site.data.keyword.compliance_short}}, go to the **Settings** page.
Expand Down Expand Up @@ -438,4 +438,4 @@ Review the following table for more information about event notification propert
| `profile` | The name of the profile that is associated with the scan.|
| `start_time` | The date and time the scan started. |
| `end_time` | The date and time the scan completed. |
{: caption="Table 2. Properties in an event notification payload" caption-side="bottom"}
{: caption="Properties in an event notification payload" caption-side="bottom"}
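Review bot: the context row `| `profile` | The name of the profile that is associated with the scan.|` is missing the space before its closing pipe that every other row in this table has; worth aligning while the caption line is being edited.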
0 comments on commit e7c5b3d
