---
title: Compliance Frameworks Overview
category: Compliance Frameworks
tags: compliance, sox, hipaa, gdpr, pci-dss, iso-27001, nist, cis
priority: Normal
---
Compliance Frameworks Overview
Compliance frameworks provide the foundation for identity governance in IdentityCenter. They translate regulatory requirements and industry standards into actionable policies that can be monitored, enforced, and reported on across your entire identity landscape.
What are Compliance Frameworks?
A compliance framework is a structured set of controls that define the security and governance requirements your organization must meet. In identity management, these controls govern how accounts are created, who has access to what, how access is reviewed, and how violations are handled.
IdentityCenter maps each framework to a collection of policies that implement its controls. When you activate a framework, the platform automatically creates and configures the corresponding policies, giving you an immediate compliance posture without manual rule-building.
Supported Frameworks
IdentityCenter includes built-in support for the following compliance frameworks:
| Framework | Full Name | Focus Area | Typical Industry |
|---|---|---|---|
| SOX | Sarbanes-Oxley Act | Financial controls, segregation of duties | Publicly traded companies |
| HIPAA | Health Insurance Portability and Accountability Act | Protected health information access | Healthcare |
| GDPR | General Data Protection Regulation | Data privacy, consent, right to access | Any organization handling EU data |
| PCI-DSS | Payment Card Industry Data Security Standard | Cardholder data protection | Retail, financial services |
| ISO 27001 | International Organization for Standardization 27001 | Information security management | Any organization |
| NIST | National Institute of Standards and Technology | Cybersecurity framework, risk management | Government, critical infrastructure |
| CIS | Center for Internet Security Controls | Security benchmarks, hardening | Any organization |
How Frameworks Map to Policies
Each framework defines a set of controls, and each control is implemented by one or more policies in IdentityCenter. The relationship is hierarchical:
```text
Framework (e.g., SOX)
└── Control (e.g., SOX Section 404 - Internal Controls)
    └── Policy (e.g., "Segregation of Duties - Finance + IT")
        └── Violation (e.g., "User jsmith has both Finance Admin and IT Admin roles")
```
A single policy can satisfy controls from multiple frameworks. For example, a "Stale Account Detection" policy may contribute to SOX, HIPAA, and ISO 27001 compliance simultaneously. IdentityCenter tracks these cross-framework mappings automatically.
The Compliance Center
The Compliance Center is the central hub for all framework and policy management. Navigate to it at Administration > Compliance Center (/admin/compliance-center).
From the Compliance Center you can:
- View all available frameworks and their activation status
- Activate or deactivate frameworks
- See the overall compliance posture per framework
- Drill into individual controls and their associated policies
- Review open violations grouped by framework
- Generate audit-ready compliance reports
Framework Categories
Frameworks and their policies are organized into four categories that reflect different aspects of identity governance:
| Category | Purpose | Examples |
|---|---|---|
| Compliance | Meet regulatory and legal requirements | SOX segregation of duties, HIPAA access controls |
| Risk | Identify and mitigate security risks | Stale accounts, excessive permissions, orphaned accounts |
| Lifecycle | Govern identity and account lifecycle events | Onboarding completeness, offboarding verification |
| Governance | Enforce organizational standards | Naming conventions, required attributes, manager assignment |
Policy Types
Policies created by frameworks fall into four operational types, each defining what action the policy takes when it evaluates identities:
| Policy Type | Behavior | Use Case |
|---|---|---|
| Detection | Identifies violations and logs them for review | Stale account detection, missing manager identification |
| Enforcement | Automatically takes corrective action | Disable accounts inactive for 180 days |
| Notification | Sends alerts when violations are found | Email manager when direct report fails access review |
| Remediation | Creates remediation tasks for assigned owners | Generate ticket for orphaned account cleanup |
Most framework-generated policies start as Detection policies so you can review violations before enabling automated enforcement. You can promote them to Enforcement once you are confident in their accuracy.
Severity Levels
Every policy is assigned a severity level that determines its priority in dashboards, reports, and remediation queues:
| Severity | Description | Recommended Response Time | Dashboard Color |
|---|---|---|---|
| Critical | Immediate security or compliance risk requiring urgent action | Hours | Red |
| High | Significant issue that must be addressed promptly | 1-2 business days | Orange |
| Medium | Moderate risk that should be resolved in a reasonable timeframe | 1 week | Yellow |
| Low | Minor issue with limited immediate impact | 1 month | Blue |
| Info | Informational finding, no action required | As needed | Gray |
Severity levels are configurable per policy. When a framework is activated, each generated policy receives a default severity based on the criticality of the underlying control.
Compliance Score
IdentityCenter calculates a compliance score for each active framework as a percentage:
Compliance Score = (Passing Controls / Total Controls) x 100
A control is considered passing when all of its associated policies have zero open violations. The overall compliance score is displayed on the Compliance Center dashboard and can be trended over time to demonstrate continuous improvement to auditors.
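The hierarchy and scoring rule described above, as an added worked example (not IdentityCenter's own code or API): a Policy object shared by controls in two frameworks, the Compliance Score computed per framework, and the cross-framework mapping of that shared policy. All policy, control and violation values are constructed sample data.

```python
from dataclasses import dataclass

# Added example modelling Framework > Control > Policy > Violation and the
# Compliance Score formula. Names and counts are constructed sample data,
# not IdentityCenter's built-in policies or a real API.

@dataclass
class Policy:
    name: str
    open_violations: int = 0

@dataclass
class Control:
    name: str
    policies: list

    def is_passing(self) -> bool:
        # A control passes only when every associated policy has zero open violations.
        return all(p.open_violations == 0 for p in self.policies)

@dataclass
class Framework:
    name: str
    controls: list

def compliance_score(fw: Framework) -> float:
    """Compliance Score = (Passing Controls / Total Controls) x 100, rounded to 0.1."""
    if not fw.controls:
        return 0.0  # nothing to measure; avoid division by zero
    passing = sum(1 for c in fw.controls if c.is_passing())
    return round(passing / len(fw.controls) * 100, 1)

def frameworks_using(policy: Policy, frameworks: list) -> list:
    """Cross-framework mapping: frameworks with at least one control backed by this policy."""
    return [fw.name for fw in frameworks
            if any(policy in c.policies for c in fw.controls)]

# One Policy object shared by a SOX control and a HIPAA control, as the text describes.
stale = Policy("Stale Account Detection", open_violations=3)
sod = Policy("Segregation of Duties - Finance + IT")
mfa = Policy("MFA Required for Privileged Roles")

SOX = Framework("SOX", [
    Control("SOX Section 404 - Internal Controls", [sod]),
    Control("SOX - Account Hygiene (constructed control)", [stale]),
])
HIPAA = Framework("HIPAA", [
    Control("HIPAA - Workforce Security (constructed control)", [stale]),
    Control("HIPAA - Person Authentication (constructed control)", [mfa]),
    Control("HIPAA - Access Authorization (constructed control)", [sod, mfa]),
])

if __name__ == "__main__":
    for fw in (SOX, HIPAA):
        print(f"{fw.name}: {compliance_score(fw)}%")  # SOX: 50.0%, HIPAA: 66.7%
    print(frameworks_using(stale, [SOX, HIPAA]))      # ['SOX', 'HIPAA']
```

Clearing the three stale-account violations moves both frameworks to 100%, which is why the platform tracks the shared policy against every framework it contributes to.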
Getting Started with Compliance
For most organizations, the recommended approach is:
1. Identify your requirements - Determine which frameworks apply to your organization based on industry, geography, and contractual obligations.
2. Activate one framework first - Start with your most critical framework to establish baseline processes.
3. Review generated violations - Run an initial evaluation and review the results before enabling enforcement.
4. Tune policies - Adjust thresholds and add exceptions where legitimate business needs exist.
5. Expand coverage - Activate additional frameworks once your processes are mature.
Tip: Framework policies work best when your directory synchronization is fully configured and running on a regular schedule. Ensure your connections and sync projects are established before activating frameworks.
Next Steps
- Activating Compliance Frameworks - Step-by-step guide to activating your first framework
- Compliance Reporting - Generate audit-ready reports from your compliance data
- Policies Overview - Deep dive into the policy engine
- Creating Policies - Build custom policies for your organization
- Access Reviews Overview - Conduct access review campaigns for compliance