The Compliance page lets you monitor your organization's compliance status across multiple targets in one place. It gives an overview of several standards (SOC 2, PCI-DSS, ISO 27001, GDPR, HIPAA and the OWASP Top 10 2021) and shows which reported vulnerabilities affect each of them.
SOC 2: SOC 2 (System and Organization Controls 2) is a widely used framework for managing customer data. It is organized around the five AICPA Trust Services Criteria (formerly called "trust service principles"): security, availability, processing integrity, confidentiality, and privacy. Meeting these criteria demonstrates that a company's systems are secure and that sensitive information is handled appropriately.
By complying with SOC 2, companies can demonstrate their commitment to protecting customer data and reassure clients and stakeholders that they maintain high standards of data security and privacy. SOC 2 reports are commonly used to provide transparency and assurance about a company's internal controls and data-handling practices.
PCI-DSS: PCI-DSS (Payment Card Industry Data Security Standard) is a comprehensive set of security standards designed to safeguard cardholder data and ensure secure transactions for credit card payments. This standard applies to all organizations that handle, process, store, or transmit credit card information. The primary goal of PCI-DSS is to prevent data breaches and fraud by enforcing best practices for data security.
By adhering to PCI-DSS, organizations can protect sensitive cardholder data, build trust with customers, and maintain a secure payment environment.
ISO 27001: ISO 27001 is the international standard for information security management systems (ISMS). It offers a structured framework for establishing, implementing, maintaining, and continually improving information security practices within an organization. The standard helps organizations safeguard sensitive information by identifying and managing risks and ensuring that effective security controls are in place.
Complying with ISO 27001 demonstrates a strong commitment to information security, which can build trust with clients and stakeholders.
GDPR: GDPR (General Data Protection Regulation) is a data protection law established by the European Union. It sets out rules for how organizations must collect, process, store, and manage the personal data of individuals in the EU. The main goals of GDPR are to strengthen privacy rights, ensure data security, and give individuals more control over their personal information.
Organizations established in the EU, or processing the personal data of individuals in the EU, must comply with GDPR requirements.
HIPAA: HIPAA (Health Insurance Portability and Accountability Act) is a U.S. law established to protect the privacy and security of individuals' medical information. It sets specific standards for how protected health information (PHI) must be handled, stored, and transmitted. These standards are designed to ensure the confidentiality of medical information and prevent unauthorized access.
By complying with HIPAA, organizations can help safeguard sensitive health data and maintain trust with individuals.
OWASP 2021 Standard: The OWASP Top 10 2021 is the current edition of the OWASP Top Ten, a list published by the Open Web Application Security Project that identifies the ten most critical web application security risks. The 2021 edition reflects the most significant vulnerability categories and threats affecting web applications today.
The OWASP Top 10 2021 offers valuable guidance for organizations looking to improve their security practices and protect against these prevalent risks.
When you first land on the Compliance page, you see a summary view of your organization's compliance status across multiple standards.
At the top of the page there is a Vulnerabilities tab that shows results from automated scans and manual penetration tests. Clicking it takes you to a detailed list of vulnerabilities categorized by the compliance standards they affect.
You can also reach the same view by clicking the Fix Vulnerabilities button in the How Astra Helps panel; both the button and the tab open the vulnerabilities view.
Vulnerabilities that fail a compliance check appear in the Vulnerabilities Requiring Fix section; these must be addressed to achieve or maintain compliance. Vulnerabilities that have been resolved, or that do not affect compliance, are listed under Fixed Vulnerabilities.
Vulnerabilities Reported: The number of vulnerabilities identified in automated vulnerability scans and manual pentests.
Fixed Vulnerabilities: The percentage of reported vulnerabilities that have been fixed and have passed the compliance checks.
Vulnerabilities Requiring Fix: The percentage of reported vulnerabilities that did not pass the compliance checks and still need to be fixed.
Vulnerability Severity: A chart of the reported vulnerabilities broken down by severity level (High, Medium, Low).
Time Frame: The default time frame for the Vulnerability Severity chart is the last 3 months. You can change it to Last Month, 6 Months, or a Custom Range.
Clicking any row in the table opens the vulnerability details sheet, which shows:
Vulnerability Name: The name of the identified vulnerability.
Scan name: The name of the scan that detected the vulnerability.
Target: The specific target (system, application, or endpoint) where the vulnerability was found.
Severity: The level of risk posed by the vulnerability (e.g., Info, Low, Medium, High, Critical).
Risk Score: A numeric score representing the risk level.
The vulnerability list can also be sorted and filtered:
Sort by Risk Score: Sort vulnerabilities in ascending or descending order based on their risk score.
Status: Filter vulnerabilities by status, such as "Fix Needed" or "Already Fixed."
Severity: Filter vulnerabilities by their severity level (e.g., Low, Medium, High, Critical).
Type of Scan: Filter vulnerabilities based on the type of scan that detected them.
Custom Time Range: Filter vulnerabilities detected within a custom time range.
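The figures and filters described above are simple to reproduce from an exported findings list, which is useful when you want to cross-check the dashboard or feed the same numbers into your own compliance evidence. The following Python script is an added example written for this page; it is not Astra's code and Astra does not expose this API. The findings, targets, risk scores and the mapping of each finding to a standard are constructed sample data, and the default 3-month window is anchored to an assumed "as of" date of 30 June 2024 so the results are reproducible.

```python
"""Reproduce the Compliance page figures from a findings export (constructed sample data)."""
import calendar
from collections import Counter
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Finding:
    name: str
    scan: str          # "Automated Scan" or "Manual Pentest"
    target: str
    severity: str      # Info, Low, Medium, High, Critical
    risk_score: float
    fixed: bool        # True -> "Already Fixed", False -> "Fix Needed"
    detected: date
    standards: tuple   # compliance standards the finding counts against


# Constructed sample export; names, targets, scores and standard mappings are illustrative.
AS_OF = date(2024, 6, 30)   # assumed "today" for the time-frame calculations
SAMPLE = (
    Finding("SQL Injection in /login", "Automated Scan", "api.example.com", "Critical", 9.8, False,
            date(2024, 6, 10), ("PCI-DSS", "SOC 2", "OWASP 2021")),
    Finding("Missing HSTS header", "Automated Scan", "www.example.com", "Low", 2.1, True,
            date(2024, 5, 2), ("OWASP 2021",)),
    Finding("IDOR on /invoices/{id}", "Manual Pentest", "app.example.com", "High", 8.2, False,
            date(2024, 4, 15), ("GDPR", "SOC 2", "OWASP 2021")),
    Finding("TLS 1.0 enabled", "Automated Scan", "api.example.com", "Medium", 5.3, True,
            date(2024, 6, 1), ("PCI-DSS",)),
    Finding("Verbose stack trace", "Manual Pentest", "app.example.com", "Info", 0.5, False,
            date(2024, 1, 20), ("OWASP 2021",)),   # older than 3 months: outside the default window
)


def months_back(d: date, n: int) -> date:
    """Same calendar day n months earlier, clamped to that month's last day (e.g. 31 May -> 29 Feb)."""
    y, m = divmod(d.month - 1 - n, 12)
    y, m = d.year + y, m + 1
    return d.replace(year=y, month=m, day=min(d.day, calendar.monthrange(y, m)[1]))


def status_of(f: Finding) -> str:
    """Map the boolean to the status labels the page uses."""
    return "Already Fixed" if f.fixed else "Fix Needed"


def filter_findings(findings, status=None, severity=None, scan=None, start=None, end=None):
    """Apply the page's Status / Severity / Type of Scan / time-range filters (None = no filter)."""
    out = []
    for f in findings:
        if status is not None and status_of(f) != status:
            continue
        if severity is not None and f.severity != severity:
            continue
        if scan is not None and f.scan != scan:
            continue
        if start is not None and f.detected < start:
            continue
        if end is not None and f.detected > end:
            continue
        out.append(f)
    return out


def sort_by_risk(findings, descending=True):
    """Sort by Risk Score, highest first by default."""
    return sorted(findings, key=lambda f: f.risk_score, reverse=descending)


def summary(findings, end=AS_OF, months=3):
    """Reported count, fixed %, fix-needed % and severity counts for the chosen time frame (default 3 months)."""
    window = filter_findings(findings, start=months_back(end, months), end=end)
    total = len(window)
    fixed = sum(1 for f in window if f.fixed)

    def pct(n):
        return round(100.0 * n / total, 1) if total else 0.0

    return {
        "reported": total,
        "fixed_pct": pct(fixed),
        "fix_needed_pct": pct(total - fixed),
        "by_severity": dict(Counter(f.severity for f in window)),
    }


def by_standard(findings, end=AS_OF, months=3):
    """Open (Fix Needed) findings in the window, grouped by the standards they put at risk."""
    groups = {}
    window = filter_findings(findings, status="Fix Needed", start=months_back(end, months), end=end)
    for f in window:
        for s in f.standards:
            groups.setdefault(s, []).append(f.name)
    return groups


if __name__ == "__main__":
    print(summary(SAMPLE))                 # default 3-month window: 4 reported, 50.0% fixed
    print(summary(SAMPLE, months=6))       # 6-month window picks up the January finding
    for std, names in by_standard(SAMPLE).items():
        print(f"{std}: {names}")
```

The point to notice is that the percentages depend on the selected time frame: the same export gives 50% fixed over 3 months but 40% over 6 months, so when you quote a dashboard figure in an audit response, record the window it was computed over.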
Frequently Asked Questions (FAQs)
Does Astra provide SOC 2 certification?
No, Astra does not provide SOC 2 certification directly. However, Astra helps you strengthen your compliance posture by focusing on vulnerability management, which is a key requirement in frameworks like SOC 2. By identifying and fixing security vulnerabilities, Astra helps reduce compliance gaps and improve your overall security readiness.
How do I get SOC 2 certified?
Strictly speaking, SOC 2 is an attestation report issued by an independent CPA firm under AICPA standards rather than a certificate. To obtain one, you will typically work with a compliance provider: platforms like Vanta, Sprinto, or Drata can manage evidence collection and guide you through the full audit process with an auditor. Astra complements this process by helping you meet the security requirements through vulnerability management.
Currently, this type of compliance report is not available in Astra. However, we're working on making it available soon. Stay tuned for updates!