Group Compliance overview dashboard
# Background
The compliance center should be the central location for compliance teams to manage their compliance standards adherence reporting, violations reporting and compliance frameworks for their group. Currently, it comprises four tabs:
- **Standard Adherence dashboard**: The compliance standards adherence dashboard lists the adherence status of projects complying with the GitLab standard.
- **Compliance Violations Report**: With the compliance violations report, you can see a high-level view of merge request activity for all projects in the group.
- **Compliance Frameworks Report**: With the compliance frameworks report, you can see all the compliance frameworks in a group. Each row of the report shows the framework name and associated projects.
- **Compliance Project Report**: With the compliance projects report, you can see the compliance frameworks that are applied to projects in a group. Each row of the report shows the project name, path and compliance framework label if the project has one assigned.
# Problem
Although these four tabs show compliance managers different aspects of their group's or project's compliance posture, there is currently no single unified view (e.g. a single pane of glass) that gives them a clear, high-level picture of how their compliance posture stacks up.
Compliance managers want aggregated information across all of the projects within a group that tells them, at a glance, not only how many compliance frameworks are being applied across those projects, but also what percentage of their projects remain compliant with their instance's associated compliance frameworks (e.g. the number of failed requirements or the number of projects with existing violations).
# Current Assumptions or Pain Points
The following are the pain points and benefits of addressing this issue:
| Pain Point | Benefit | Description |
|------------|---------|-------------|
| Decreases visibility | Improves visibility | of the aggregate or total number of projects that have compliance frameworks associated with them |
| Decreases visibility | Improves visibility | of the aggregate or total number of projects that have violations associated with them |
| Decreases visibility | Improves visibility | over the number of failed requirements or checks across all the projects within the group |
| Decreases awareness | Improves awareness | of which compliance frameworks were applied to associated projects within a group, and for what period of time. |
| Decreases user satisfaction | Improves user satisfaction | due to not being able to get a snapshot or 'single pane of glass' of all the aggregate information they need to understand their group's compliance posture. |
| Misaligned with | Aligns with | the [direction of the Compliance group](https://about.gitlab.com/direction/govern/compliance/), to achieve compliance **visibility** of **checks**, **violations** and **audit events** throughout the entire DevSecOps lifecycle |
# Possible solution
To address the above problem, we want to create a 'single pane of glass' dashboard that not only helps compliance managers visualise key pieces of compliance information at a glance, but also lets them easily find and filter for the particular compliance component they are looking for, be that checks, violations or compliance frameworks, at an aggregate level.
An example of how this might look can be seen below:

**NOTE**: This is only an example mock-up and should not be taken as a fully fledged feature or something that will closely resemble what we might/will deliver as part of this initiative.
# Personas
* [Cameron (Compliance Manager)](https://handbook.gitlab.com/handbook/product/personas/#cameron-compliance-manager)
# JTBD User Stories
<table>
<tr>
<th>Issue</th>
<th>Persona</th>
<th>User Story</th>
</tr>
<tr>
<td>Users want to understand the compliance posture of all the projects in their group at a glance.</td>
<td>
Cameron
(Compliance Manager)
</td>
<td>
**When I** am viewing the Compliance Center;
**I want** to understand, at a glance, what the compliance posture is across all of the projects in my group;
**So I can** understand whether there are any projects within my group that have failed checks or have existing violations.
</td>
</tr>
<tr>
<td>Users want to be given a total count or percentage of compliance framework requirements that have failed checks for all of the projects in their group at a glance.</td>
<td>
Cameron
(Compliance Manager)
</td>
<td>
**When I** am viewing the Compliance Center;
**I want** to understand, at a glance, the total number or percentage of failed checks for each requirement there is across all of the projects in my group;
**So that** I can understand if there is a failed check which requires further investigation on my part.
</td>
</tr>
<tr>
<td>Users want to be given a total count or percentage of violations for all of the projects in their group at a glance.</td>
<td>
Cameron
(Compliance Manager)
</td>
<td>
**When I** am viewing the Compliance Center;
**I want** to understand, at a glance, the total number or percentage of violations there are across all of the projects in my group;
**So that** I can understand if there is a violation event which requires further investigation on my part.
</td>
</tr>
<tr>
<td>Users want to understand how many projects within the group have a compliance framework attached to them.</td>
<td>
Cameron
(Compliance Manager)
</td>
<td>
**When I** am viewing the Compliance Center;
**I want** to understand, at a glance, the total number of projects in the particular group with compliance frameworks attached to them;
**So that** I can understand whether there are any projects that require compliance frameworks attached to them moving forward.
</td>
</tr>
<tr>
<td>Users want to be able to help the auditor identify whether or not a specific control or framework was applied for the entire duration of the audit.</td>
<td>
Cameron
(Compliance Manager)
</td>
<td>
**When I** am viewing the Compliance Center;
**I want** to be able to show evidence to an auditor of whether a specific project has had a compliance framework attached to it throughout the duration of the audit;
**So that** I can help the auditor understand the compliance posture of my projects throughout the duration of their specific audit.
</td>
</tr>
</table>
## Next steps
* [ ] Could you communicate the idea with both compliance and policy groups?
* [ ] Problem validation for compliance
* [ ] Problem validation for policies
* [ ] Could you clarify the technical possibilities?
* [ ] Design explorations for compliance
* [ ] Design explorations for policy
_This page may contain information related to upcoming products, features and functionality. It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes. Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features, or functionality remain at the sole discretion of GitLab Inc._