Governance, risk, and compliance

The governance, risk, and compliance (GRC) capabilities for IBM Cloud Pak® for Multicloud Management are expanded to include improved policies, profiles, and compliance validation. These capabilities blend together data and management tools from the core IBM Cloud Pak for Multicloud Management and the optional IBM Cloud Pak® for Multicloud Management – Infrastructure Management module. These components, together, formulate the Governance and risk dashboard.

Note: The Governance, risk and compliance (GRC) capabilities are deprecated from IBM Cloud Pak® for Multicloud Management – Infrastructure Management 2.3 Fix Pack 5, and will be removed in the next release. Most of the compliance capabilities for container policies are available in Red Hat Advanced Cluster Management which can be used as a replacement. Similarly, most of the compliance capabilities for VM policies are available in Infrastructure Management component in IBM Cloud Pak® for Multicloud Management – Infrastructure Management and can be used as a replacement.

Red Hat Advanced Cluster Management governance and risk management

If you have the IBM Cloud Pak for Multicloud Management integrated with Red Hat® Advanced Cluster Management for Kubernetes, you can choose to use the governance and risk management capabilities within Red Hat Advanced Cluster Management instead of the equivalent capabilities that are available with IBM Cloud Pak for Multicloud Management. Hybrid GRC capabilities are not affected and you can continue to use these capabilities to augment the Red Hat Advanced Cluster Management capabilities for governance and risk management.

If you do choose to use the Red Hat Advanced Cluster Management governance and risk management capabilities, refer to the Red Hat product documentation for details on the available capabilities, such as creating and managing security policies. For more information, see Governance and risk (Red Hat) .

For more information about Red Hat Advanced Cluster Management, see the OpenShift documentation .

IBM Cloud Pak® for Multicloud Management Policies tab

You can use the Governance and risk dashboard to view and manage security risks and policies. The Policies tab facilitates your understanding of the state of your policies, policy violations, and profiles (for VMs).

You can quickly view the status of your violations and compliance in the Highlights section of the Governance and risk dashboard.

The Risk across servers section contains two tiles:

• The Violation across servers tile succinctly indicates which of your resources are at risk, and to what degree.
• The Resources tile displays your resource types, their overall resource type risk level, and a total count of that resource type.

By clicking specific resource types in the Resources tile, you can gain a comprehensive view of the status of that resource type for your enterprise. You can immediately identify resource names, hostnames, the owner of those resources, a violation count, and the risk level of those violations. You can also click on the policies that apply to your resources to view the Details tab of that policy type.

The Policies section provides you with a view of your VM and container policies, including any violations that they might have. You can customize the Summary view by filtering the violations by categories or standards, or, alternatively, collapse the Summary view to see less information.

The Policies table displays a filterable table of your policies and their potential violations. You can change the filter to view results by either policy or violation. You can also use this table to drill down into the details of your non-compliant policies.

The Profiles section includes a table view of your VM policies by using IBM Cloud Pak® for Multicloud Management – Infrastructure Management. This table includes more details about your VM policies, VM status, resource type, and the associated profile. The compliance status for VMs indicates whether the VM is complaint with its associated policy profile. You can click entries within the table for more details about them.

The Security findings tab

The Security findings tab provides you with a summarized view of security findings for both your clusters and your VMs. You can customize the Summary view by filtering the violations by categories or standards. Collapse the summary to see less information.

The Security findings table lists the security findings for all of your resources (across both namespaces and groups). You can also filter the findings table by either security findings or by resource findings. The Security findings table includes the following details:

• A brief description of the finding
• The resource that the violation occurred on
• The severity, as determined by the policy
• The group (either the name of the cluster, or VM)
• The standard that was violated
• The controls
• The category type of the finding
• The last time it was updated

The Resource findings table includes the group, a count of high severity findings on that resource, and what was violated.

For more information about the structure of IBM Cloud Pak for Multicloud Management policies, and how to use the IBM Cloud Pak for Multicloud Management Governance and risk dashboard, see the following topics:

• Policies
• Policy controllers
• Policy examples
• Policy samples
• Creating policies
• Enabling Ansible Tower
• Accessing resource violation data in the console
• Managing security policies
• Deleting policies
• Security findings