Compliance manager
The Compliance manager page provides you with an overview of the general compliance status of your organization’s endpoints relative to recognized standards. It offers access to a list of individual control names, the sections they belong to, and the score assigned to each control. Additionally, it includes a feature for generating compliance reports with a single click.

Availability
Companies with Risk Management as part of their base license also have access to the Compliance Manager. Full access to the basic standard (Bitdefender Cyber Hygiene Baseline for Windows), including the reporting functionality for up to 1,000 resources and their identities from your organization, is provided at no extra cost.
However, to access and download reports for advanced standards and more than 1,000 resources, a Compliance Manager add-on license is required.
Standard available with base license:
Cyber Hygiene - Windows
Advanced standards available with the Compliance Manager add-on:
CIS v8.0
CMMC 2.0 (US)
DORA (EU)
GDPR (EU)
HIPAA (US)
ISO/IEC 27001:2022
NIS2 Directive (EU)
PCI DSS V4.0.1
SOC 2
On the Compliance manager page, standards unavailable with your current license are indicated with a lock icon, while restricted data is marked with a triple asterisk (***).

As a user with a GravityZone yearly license, to get access to advanced standards and more information about Compliance Manager:
Go to the Products Hub page. To do this:
Go to the message informing about the limited access to compliance features at the top of the page and click the Learn more link.
Click a control name for a locked standard to open the side panel and click the Learn more button in the Risks or Affected assets tabs.
Click the Products Hub icon in the upper right corner of GravityZone Control Center.
On the Compliance Manager presentation page, click the Contact us button.
In the Contact details window, write which compliance standards or product features you are interested in.
Click Submit.
A Bitdefender representative will contact you as soon as possible.
As a user with a GravityZone monthly subscription, to get access to advanced standards and more information about Compliance Manager, contact your partner for assistance.
When clicking the Contact your partner link in areas with limited access on the Compliance manager page, you will be redirected to the Bitdefender corporate website.
Overview
The Compliance manager page includes the following elements:

The Smart views panel toggle button. This feature allows you to customize, save, and switch between different configurations of the Compliance manager page.
The panel has the following sections:
Search views - Use this search field to filter out the views displayed in the sections below, by name.
Saved - This section displays a list of all your saved views that have not been marked as favorites.
Favorites - All views marked as favorites are displayed under this section.
Defaults - This section displays the views that are available by default:
Compliance posture
For any view in the Saved or Favorites category, you can click the vertical ellipsis to Rename or Delete the view.
The View options menu. This section provides you with multiple functions for working with views:
Save - Save changes you make to a saved view.
Save as - Save a modified view under a different name.
Discard changes - Revert the saved view to its original state.
Add to favorites - Add the view to the Favorites category.
Show or hide filters - Hide or display the filters menu.
Open settings - Display the Settings panel.
You can use this panel to customize what columns are displayed in the view and enable or disable the Compact view.
The Compliance overview. This section displays four key values that provide an immediate summary of your organization's compliance status in relation to the currently selected compliance standard. These values include:
Overall compliance - Displays what percentage of the total number of verified checks have been found to be compliant.
Compliant checks - Shows the total number of checks that have been verified and confirmed to meet compliance requirements.
Non-compliant checks - Indicates the total number of checks that have been verified but found not compliant.
Ignored checks - Lists the total number of checks that have been manually flagged by the organization as exempt from risk score and compliance score calculation.
Note
This information is based on the settings configured in the Filters section.
Information restricted due to the selected standard being unavailable with your current GravityZone license is marked with a triple asterisk (***).
The Download report button. Clicking the button will display a confirmation window, where you can select the compliance standard for which you want to display data and the format in which you want to generate the report.
Supported formats: PDF and XLSX.
For details about the report, refer to Reading compliance reports.
The Filters section. You can use these options to customize the risks that are displayed in the grid below and in the Compliance overview section. The following filters are currently available:
Filter name | Description |
---|---|
Compliance standard | Select the compliance standard for which you want to display data. By default, the only available standard is Cyber Hygiene - Windows. Standards that are unavailable with your current GravityZone license are marked with a lock icon. |
Score | Select a score range between 0 and 100. Only controls with a risk score between these values are displayed. |
The Compliance grid. This section displays a list of all checks found under the compliance standard selected in the Filters section. The information available for each control is displayed under these columns:
Control name - The name of the compliance control.
Control ID - The ID of the compliance control.
Section name - The name of the section in the compliance standard where the control can be found.
Section ID - The ID of the section in the compliance standard where the control can be found.
Score - The compliance score of the control.
Note
Running a new Risk Scan on the company's endpoints may change existing score values.
Compliant - Indicates how many checks have been identified as compliant under the scope of the selected control.
Non-compliant - Indicates how many checks have been identified as non-compliant under the scope of the selected control.
Ignored - Indicates how many checks have been ignored under the scope of the selected control.
Note
Clicking on any line in the grid displays the Additional information side panel for the control displayed on that line.
Information restricted due to the selected standard being unavailable with your current GravityZone license is marked with a triple asterisk (***).
Important
Due to a limitation with the Compliance grid, data is not always updated in real time. Therefore, actions like fixing or ignoring risks may sometimes be reflected with delays up to one hour.
Displaying additional information for a specific control
To view additional data on any specific control, click on the corresponding row in the Compliance manager page grid. A side panel will open, displaying further details about the selected control and how your company performed in verifying compliance with its requirements.
Note
Information restricted due to the selected standard being unavailable with your current GravityZone license is marked with a triple asterisk (***).
The side panel contains the following information:

The General section - provides key details about the selected control, including:
Standard - The compliance standard associated with the control.
Section name - The section within the standard under which the control falls.
Score - The compliance score achieved for this specific control.
Checks breakdown - A summary of all checks performed on the control, categorized by result - compliant, non-compliant, or ignored, giving insight into the distribution of compliance outcomes for this control. This information offers a concise view of your organization’s compliance performance relative to the specific requirements of each control.
The Description tab - Provides detailed information about the purpose and requirements of the selected control. This section includes, if available, specific instructions or guidelines necessary to meet compliance. This content helps clarify the intent of the control and provides actionable steps or recommendations for maintaining compliance with the selected standard.
The Risks tab - Offers insights into potential vulnerabilities or issues identified during compliance checks. This tab includes two areas:
Findings - Displays up to 10 findings generated from performing the compliance check on the company. A View all findings link is available to navigate to the Risk management > Findings page, with filters applied to show all findings related to this control.
User behavior risks - Shows up to 10 user behavior-related risks associated with the compliance check. A View all risks link directs users to the Risk management > Identities page, where filters are applied to display all user behavior risks tied to this control.
These sections allow users to quickly assess specific findings and behavior risks relevant to the control, with options for deeper exploration on dedicated pages.
The Affected assets tab - Provides an overview of all assets impacted by findings and user behavior risks associated with the selected control. This tab includes:
Resources - Displays a list of resources affected by findings related to this control. Clicking View all resources directs you to the Risk Management > Resources page, with filters applied to display only resources linked to these findings.
Identities - Shows a list of user identities affected by user behavior risks associated with this control. The View all identities link takes you to the Risk Management > Identities page, where filters are applied to display only identities related to these user behavior risks.
This tab provides a clear view of affected assets, with options to explore detailed information on affected resources and identities through their respective pages.
Compliance reports
Compliance reports provide you with a detailed, targeted overview of your company's compliance with corporate governance policies, enterprise risk management, and company regulatory policies.
The report gathers data from your company's managed endpoints, groups it into compliance-relevant topics, and creates an easily readable, single source of insight into endpoint compliance.
Creating a compliance report
To create a compliance report, follow these steps:
On the Compliance manager page, click the Download report button.
A confirmation window appears.
Configure the following settings:
Compliance standard - Select the compliance standard for which you want to create the report.
Format - Select the format in which you want to create the report (PDF or XLSX).
Click Download.
The report will be created and downloaded to your computer.
Reading compliance reports
A compliance report contains the following sections:
In PDF format
Executive summary
This section provides you with a general overview of the compliance adherence in your company and your regulatory posture. It contains the following subsections:
Check overview
This section provides compliance numbers and statistics for all your managed endpoints. It contains the following information:

Overall compliance - Displays what percentage of the total number of verified checks have been found to be compliant.
Total checks - The total number of checks that apply to your company's endpoints at the time of the latest Risk scan.
Checks compliant - Shows the total number of checks that have been verified and confirmed to meet compliance requirements.
Checks non-compliant - Indicates the total number of checks that have been verified but found not compliant.
Note
Ignored checks are excluded when compiling this data.
Compliance controls overview
This section lists the compliance standards that apply to your endpoints and your company's adherence to each one.

A control is the totality of checks that have to be done in order for a compliance standard to be verified. Checks are only processed for the subsections of the compliance standard that apply to each endpoint.
Controls compliant - The percentage of compliance controls that were passed from the total number of checks performed.
Total controls - The total number of compliance standards that apply to your company's endpoints at the time of the latest Risk scan.
Controls compliant - The number of controls that have been identified as compliant.
Controls non-compliant - The number of controls that have been identified as non-compliant.
Note
Controls marked as Not evaluated are excluded when compiling this data. The number of checks that could not be processed, either due to the information not being available or all the applicable checks associated to the compliance standard have been ignored.
Non-compliant checks by score
This section provides a breakdown of all non-compliant checks, grouped by their severity:
High
Medium
Low

Legend
This section lists all the visual and written markings used in the report and provides additional details and context.
Score
Indicator | Description |
---|---|
100% | Controls that passed all their checks when performed by GravityZone on applicable scopes are marked with 100% score and a check mark. Additional verification may be required to fulfil control requirements. |
1-99% | Controls that have some of their checks passed when performed by GravityZone on applicable scopes are marked with 1-99% score. |
0% | Controls that failed all their checks when performed by GravityZone on applicable scopes are marked with 0% score and an x mark. |
Not evaluated | Controls that have all their applicable checks excluded or GravityZone was unable to perform them due to insufficient data are marked as Not evaluated. |
Risk score classification
Indicator | Description |
---|---|
High | Checks marked with high risk indicate that the discovered weakness is publicly disclosed and trivial to abuse. High risk checks typically represent weaknesses that were leveraged to gain privileged access to networks, systems, or applications. |
Medium | Checks marked with medium risk are likely to lead to compromise but either require other attacks to be significantly impactful, resulting in limited access, or require advanced knowledge and techniques to execute the attacks. |
Low | Low risk checks indicate weaknesses that are not directly exploitable. Low checks typically require a chain of weaknesses to exploit fully, disclose non-sensitive technical information, or do not lead to any additional compromise within an environment. |
Controls Overview
This section lists all of the controls that were performed on your endpoints and assets, and provides the following information for each one:
ID - The name of a control and the numbers of all its applicable subsections.
Guideline description - Provides a general description of what checks are made and what standards need to be met for the control to pass.
Score - Indicates the compliance score of the control.
Compliant - Indicates the number of checks that have been verified and confirmed to meet the compliance requirements for the control.
Non-compliant - Indicates the number of checks that do not meet the compliance requirements for the control.
Ignored - The number of checks that have been manually flagged by the organization as exempt from risk score and compliance score calculation.
List of Assets
This section provides you with a breakdown of resources (endpoints) and identities involved in the compliance verification that resulted in the report.
Legal Notice
This section contains all relevant legal information related to the generation, use, sharing, and purpose of Bitdefender compliance reports.
In XLSX format
While providing the same level of insight as the PDF version, the XLSX report provides more specific data regarding the data compiled for the creation of the report.
The Summary tab
This tab provides multiple statistics, including the date and time of the report, the resources (endpoints) and identities involved in the compliance verification that resulted in the report.

Check overview
This section provides compliance numbers and statistics for all your managed endpoints. It contains the following information:

Overall compliance - The percentage of the total number of verified checks that have been found to be compliant.
Total checks - The total number of checks that apply to your company's endpoints at the time of the latest Risk scan.
Compliant checks - Shows the total number of checks that have been verified and confirmed to meet compliance requirements.
Non-compliant checks - Indicates the total number of checks that have been verified but found not compliant.
Ignored checks - Indicates the total number of checks that have been ignored under the scope of the selected control.
Compliance controls overview
This section lists the compliance standards that apply to your endpoints and your company's adherence to each one. It contains the following information:

Controls compliant - The percentage of compliance controls that were passed from the total number of checks performed.
Total controls - The total number of compliance standards that apply to your company's endpoints at the time of the latest Risk scan.
Compliant controls - The number of controls that have been identified as compliant.
Non-compliant controls - The number of controls that have been identified as non-compliant.
Not evaluated controls - Controls that have all their applicable checks excluded or GravityZone was unable to perform them due to insufficient data.
Legend
This section lists all the visual and written markings used in the report and provides additional details and context.
Score
Indicator | Description |
---|---|
100% | Controls that passed all their checks when performed by GravityZone on applicable scopes are marked green with a check mark. Additional verification may be required to fulfill control requirements. |
80% | Controls that passed between 71% and 99% of their checks when performed by GravityZone on applicable scopes are marked green. |
50% | Controls that passed between 21% and 70% of their checks when performed by GravityZone on applicable scopes are marked yellow. |
20% | Controls that passed between 1% and 20% of their checks when performed by GravityZone on applicable scopes are marked red. |
0% | Controls that failed all their checks when performed by GravityZone on applicable scopes are marked red with an x mark. |
Not evaluated | Controls that have all their applicable checks excluded or GravityZone was unable to perform them due to missing data are marked as Not evaluated. |
Note
Ignored checks or controls not evaluated are excluded when doing % score calculation.
Legal notice
This section contains all relevant legal information related to the generation, use, sharing, and purpose of Bitdefender compliance reports.
The Check Overview tab
This section lists all of the controls that were performed on your endpoints and assets, and provides the following information for each one:
Item - The number of the displayed item, as ordered in the document.
ID - The ID of the control.
Guideline description - Provides a general description of what checks are made and what standards need to be met for the control to be compliant.
Score - The compliance score achieved for this specific control.
Score breakdown - Provides you with the number of checks included in this control, grouped based on results: compliant, non-compliant, or ignored.
Check breakdown - Provides a detailed description for each rule that is included in the control and applicable to your organization. Checks are done using detection rules, which are the main tool in building the compliance report framework.
Additionally, a breakdown is provided for each rule, indicating on how many endpoints the check corresponding to that rule is compliant, non-compliant, or ignored. Each check represents one detection rule applicable to one endpoint. If you have a total number of 300 endpoints in your environment and a total number of detection rules equal to 500 applicable to your environment, the number of checks performed will be 300 x 500.
A rule, also known as an Indicator of Compromise (IOC), defines either a misconfiguration or a human risk present on the organizational assets.
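The check counting described above (one check per detection rule per endpoint) and the XLSX score legend can be reproduced from exported results to sanity-check a report. The following is an added example, not Bitdefender code: the control, rule and endpoint names are constructed, and the rounding rule (floor to a whole percent, clamped to 1-99) is an assumption, since the page does not state how fractional percentages are handled.

```python
from collections import Counter

C, N, I = "compliant", "non-compliant", "ignored"
ENDPOINTS = ["ep-01", "ep-02", "ep-03"]  # constructed sample endpoints
# Constructed sample: control -> rule -> result on each endpoint (all names hypothetical).
RULE_RESULTS = {
    "CTRL-A": {"rule-1": [C, C, C], "rule-2": [C, C, C]},
    "CTRL-B": {"rule-3": [C, C, N]},
    "CTRL-C": {"rule-4": [I, I, I]},
    "CTRL-D": {"rule-5": [C, C, N], "rule-6": [C, C, I]},
    "CTRL-E": {"rule-7": [N, N, N]},
}


def expand(rule_results, endpoints):
    """One check = one detection rule applied to one endpoint."""
    return [(control, rule, endpoint, result)
            for control, rules in rule_results.items()
            for rule, results in rules.items()
            for endpoint, result in zip(endpoints, results)]


def band(compliant, non_compliant):
    """Map a control's verified checks to the XLSX legend indicator."""
    verified = compliant + non_compliant  # ignored checks never enter the score
    if verified == 0:
        return "Not evaluated"
    if non_compliant == 0:
        return "100%"
    if compliant == 0:
        return "0%"
    # Assumption: floor to a whole percent and clamp to 1-99 so that only
    # all-pass and all-fail controls reach the 100% and 0% indicators.
    pct = min(99, max(1, compliant * 100 // verified))
    if pct >= 71:
        return "80%"
    return "50%" if pct >= 21 else "20%"


def summarize(checks):
    """Per-control indicator plus the overall compliance percentage."""
    per_control = {}
    for control, _rule, _endpoint, result in checks:
        per_control.setdefault(control, Counter())[result] += 1
    totals = sum(per_control.values(), Counter())
    verified = totals[C] + totals[N]
    return {
        "controls": {cid: band(c[C], c[N]) for cid, c in per_control.items()},
        "overall_compliance": round(100 * totals[C] / verified, 1) if verified else None,
        "verified_checks": verified,
        "ignored_checks": totals[I],
    }


if __name__ == "__main__":
    checks = expand(RULE_RESULTS, ENDPOINTS)
    print(len(checks), "checks")
    print(summarize(checks))
```

With the sample data, the control whose checks are all ignored is reported as Not evaluated and contributes nothing to the overall percentage.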