Boreon TabTotal GRC · GRC framework coverage

Mapped to the frameworks you answer to.

TabTotal GRC assists with, and produces audit-ready evidence for, 9 of the 10 leading GRC frameworks across your Tableau estate. The tools help you prepare and evidence the work. They never certify you, attest, or make you compliant: a human verifies every finding, AI is optional and never in the write path, and the final determination always rests with you and your auditor.

How to read this

The honesty moat

Assist, never certify.

Every tool helps you operationalize and evidence a control. None of them issues a certificate or makes you compliant. Only your auditor or certification body can do that.

A human verifies everything.

Findings are deterministic and reproducible, and each one is flagged for human review. The optional AI explains in plain English. It can never confirm or certify a finding, and it is never in the write path.

We claim 9 of 10, not 10 of 10.

ISO 27017, the cloud-provider security extension, is not covered by any tool, so we never claim it. The honest number is the one we publish.

Two tools carry no compliance line.

TabTranslate (display translation) and TabRender (accessible recolour) are not GRC functions, so by design they make no framework claims.

At a glance

Nine frameworks. Seven tools. One estate.

Which tool assists which framework. TabTranslate and TabRender are not GRC functions, so they carry no compliance line by design.

Framework        TabMigrate  TabOffboard  TabLineage  TabRisk  TabGuard  TabQuality  TabTable
SOC 2            ✓           ✓            -           -        -         ✓           ✓
HIPAA            ✓           -            -           ✓        -         -           -
ISO 27001        ✓           ✓            ✓           -        ✓         ✓           ✓
GDPR             -           -            -           ✓        -         -           -
PCI DSS          -           ✓            -           ✓        -         -           ✓
CCPA / CPRA      -           -            -           ✓        -         -           -
CIS Benchmarks   -           -            -           -        ✓         -           -
NIST 800-53      (see the NIST 800-53 section below)
NIST CSF         (see the NIST CSF section below)

Assist and evidence only. A check means the tool produces audit-ready evidence mapped to that framework's controls, verified by a human. It never means certification.

SOC 2

SOC 2 · AICPA Trust Services Criteria

SOC 2 is an independent attestation, against the AICPA Trust Services Criteria, of how a service organization controls customer data over a period of time.

SOC 2 is a reporting framework defined by the AICPA under which an independent CPA examines and reports on a service organization's controls relevant to the Trust Services Criteria: Security (the common criteria, CC1 to CC9) plus the optional Availability, Confidentiality, Processing Integrity, and Privacy categories. A Type 1 report assesses control design at a point in time, while a Type 2 report tests operating effectiveness across a review period, which is why auditors require contemporaneous, tamper-evident evidence rather than after-the-fact assertions. It applies to SaaS providers, data platforms, and any organization that processes or hosts customer data and is asked to demonstrate trustworthy controls to its customers.

For your Tableau estate

A Tableau estate is squarely in SOC 2 scope: it holds reporting data, enforces logical access to workbooks and data sources, and changes constantly as content moves from UAT to production and as people join and leave, so each of those activities needs evidenced access, change-management, and monitoring controls. Tableau's native APIs stop short of the byte-reproducible, secrets-redacted artifacts and dual-signed approval records a Type 2 auditor expects; that is the gap these tools help close.

Control areas it touches

CC6.1
Logical access, provisioning and restriction

The entity implements logical access security over protected information assets to restrict access to authorized users.

CC6.2
Access registration and authorization

The entity registers and authorizes new users before granting access, and removes that access when it is no longer required.

CC6.3
Role-based access and least privilege

The entity authorizes, modifies, and removes access to data and assets based on roles and least-privilege principles, with timely de-provisioning.

CC7.1
Detection of configuration changes

The entity uses detection and monitoring procedures to identify changes to configurations that could introduce new vulnerabilities or susceptibilities.

CC8.1
Change management

The entity authorizes, designs, develops, tests, approves, and implements changes to infrastructure, data, and software under a controlled process.

How the suite assists

TabOffboard

Supports access de-provisioning and least privilege (CC6.2, CC6.3) by enumerating every object a departing user owns, reassigning that content to a required steward through a server-side risk gate, and reclaiming the seat only after reassignment completes, which helps evidence timely and controlled removal of access.

Evidence produced

A secrets-free JSON and Markdown offboarding audit capturing who was offboarded, what content they owned, the reassignment steward, the approver, and the timestamp, providing direct evidence of authorized access removal.

TabQuality

Helps operationalize change management for promotions (CC8.1) with deterministic quality checks and a true semantic UAT-vs-PROD diff behind a PASS-only, typed, dual-signed approval gate, so production changes are tested and formally authorized before release.

Evidence produced

A downloadable promotion compliance record and audit listing the approver, dual signatures, source and target, the semantic diff outcome, and a PASS result, providing a contemporaneous approved-change artifact for auditors.

TabMigrate

Helps operationalize change management (CC8.1) for Server-to-Cloud migrations by running a dry-run with a deterministic risk preview and requiring explicit human approval before any publish, so the migration is authorized, tested, and approved rather than ad hoc.

Evidence produced

A downloadable, secrets-free migration compliance audit in JSON and Markdown recording exactly what migrated, the user and project mappings, the risk preview, and the approving human, serving as a contemporaneous change record for a Type 2 review period.

TabTable

Produces the audit evidence SOC 2 Type 2 examiners request by parsing a workbook with an XXE-safe reader into SHA-256-sealed, secrets-redacted, byte-reproducible artifacts. That gives testers tamper-evident proof of system content and configuration, supporting change-management evidencing (CC8.1) and detection of configuration changes (CC7.1) across the review period.

Evidence produced

Content-hashed, secrets-redacted, byte-reproducible evidence files (.xlsx, JSON, NDJSON) with SHA-256 seals, providing tamper-evident audit evidence explicitly positioned as evidence rather than a legal certification.

These tools assist with SOC 2 readiness and produce audit evidence mapped to the Trust Services Criteria; they do not make you SOC 2 compliant, attest, or certify. A SOC 2 report can only be issued by an independent CPA following an examination of your controls.

HIPAA

HIPAA · Health Insurance Portability and Accountability Act (Security Rule, 45 CFR Part 164)

The U.S. federal rule that requires covered entities and their business associates to safeguard electronic protected health information (ePHI).

HIPAA is a U.S. law whose Security Rule (45 CFR Part 164, Subpart C) sets administrative, physical, and technical safeguards for the confidentiality, integrity, and availability of electronic protected health information (ePHI). It applies to covered entities (health plans, healthcare clearinghouses, and most healthcare providers) and to the business associates that handle ePHI on their behalf. The Privacy Rule additionally defines how PHI can be de-identified (§164.514(b)) so that data falls outside HIPAA's restrictions.

For your Tableau estate

A Tableau estate that connects to clinical, claims, or member data routinely surfaces ePHI inside field names, captions, calculations, and published data sources, and a Server-to-Cloud move relocates that ePHI across a trust boundary. HIPAA holds the covered entity accountable for knowing where ePHI lives, controlling who can access it, and being able to show that every change to that environment was deliberate and authorized.

Control areas it touches

§164.312(a)(1)
Access Control (technical safeguard)

Requires technical policies and procedures that allow only authorized persons or software to access ePHI.

§164.308(a)(1)(ii)(A)
Risk Analysis (administrative safeguard)

Requires an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI the organization holds.

§164.308(a)(4)
Information Access Management

Requires policies for authorizing, establishing, and modifying a workforce member's access to ePHI consistent with their role.

§164.312(b)
Audit Controls (technical safeguard)

Requires hardware, software, or procedural mechanisms that record and examine activity in systems that contain or use ePHI.

§164.514(b)
De-identification of PHI (Safe Harbor method)

Defines the 18 identifiers that must be located and removed for data to be considered de-identified and no longer protected health information.

How the suite assists

TabMigrate

TabMigrate operationalizes a controlled relocation of ePHI-bearing content from Tableau Server to Cloud by requiring a dry-run, a deterministic risk preview, and explicit human approval before any publish. Its user and project scoping supports the access-authorization intent of §164.308(a)(4), and the records it produces help evidence the audit-control requirement of §164.312(b), so movement of ePHI is deliberate and recorded rather than a one-shot bulk transfer.

Evidence produced

A downloadable, secrets-free compliance audit in JSON and Markdown recording who ran the migration, exactly what content moved, what was skipped and why, and the human approver, with PAT names and credentials never recorded.

TabRisk

TabRisk supports the §164.308(a)(1)(ii)(A) risk-analysis duty by deterministically scanning the Tableau metadata surface, read-only, for indicators of PHI, using a validator-backed US_NPI detector alongside SSN, email, and phone detectors. It assists §164.514(b) de-identification review by helping locate candidate identifiers that a human must verify before data can be treated as de-identified. Every finding is stamped "possible PII/PHI, requires human verification," and the tool never certifies de-identification or compliance.

Evidence produced

A masked, secrets-free findings export (CSV/JSONL) with evidence redacted (e.g. ***-**-1234), a transparent reproducible risk score (confidence × sensitivity × prevalence × exposure) with the scoring methodology emitted verbatim, and a ledger in which AI can never confirm a finding, suitable as defensible evidence for a human-led risk assessment.

These tools assist with HIPAA Security Rule and de-identification obligations and produce audit evidence for a human-led review; they do not make an organization HIPAA-compliant, do not certify or attest compliance, and cannot confirm that data has been de-identified under §164.514(b). Every PHI finding is flagged as possible and requires human verification, and all writes are human-approved. Compliance remains the determination of the covered entity, its business associates, and their auditors.

ISO 27001

ISO/IEC 27001:2022 · Information Security Management Systems

The international standard for building, operating, and certifying an organization's information security management system (ISMS) against a defined set of requirements, with a control catalogue in Annex A.

ISO/IEC 27001:2022 specifies the requirements for establishing, operating, and continually improving an information security management system, supported by 93 controls organized into four themes in Annex A (organizational, people, physical, technological). Certification is granted by an accredited certification body after a Stage 1 and Stage 2 audit and is maintained through surveillance audits, so organizations must show working controls and documented evidence on an ongoing basis. It applies to any organization that wants to demonstrate a managed, auditable approach to protecting the confidentiality, integrity, and availability of information.

For your Tableau estate

A Tableau estate concentrates sensitive data, access entitlements, and downstream dependencies that fall squarely inside an ISMS scope, so Annex A controls for access management, asset and data handling, change control, and operational security must be evidenced for the analytics platform like any other system. These tools generate deterministic, reproducible evidence an ISO 27001 auditor expects for the Tableau-specific portion of the Statement of Applicability.

Control areas it touches

A.5.9
Inventory of information and other associated assets

An inventory of information and associated assets, including owners, must be developed and maintained.

A.5.18
Access rights

Access rights to information and assets must be provisioned, reviewed, modified, and removed in accordance with the organization's access control policy, including on termination or change of role.

A.5.33
Protection of records

Records must be protected from loss, destruction, falsification, unauthorized access, and unauthorized release, preserving their integrity, authenticity, and reliability.

A.8.12
Data leakage prevention

Data leakage prevention measures must be applied to systems, networks, and devices that process, store, or transmit sensitive information.

A.8.28
Secure coding

Secure coding principles must be applied to software development to reduce vulnerabilities such as injection flaws in code and queries.

A.8.32
Change management

Changes to information processing facilities and systems must be subject to change management procedures, including review and approval before deployment.

How the suite assists

TabOffboard

Operationalizes the de-provisioning side of A.5.18 by discovering everything a departing user owns, enforcing reassignment to a named steward through a server-side risk gate, and completing that reassignment before the seat is reclaimed, which also keeps the owner records that A.5.9 requires current.

Evidence produced

A secrets-free JSON and Markdown offboarding audit recording who owned what, the reassignment plan and steward, the approver, and timestamps, evidencing timely removal of access rights for A.5.18 and maintained owner records for A.5.9.

TabQuality

Supports A.8.32 change management for analytics content by gating UAT-to-PROD promotion behind deterministic, PASS-only quality checks and a typed, dual-signed approval, with a true semantic diff that catches a calculation silently swapped for a same-named direct field before publish.

Evidence produced

A downloadable promotion compliance record naming the approver, signature, source, target, and outcome, plus the audit of quality checks and the semantic PROD-versus-UAT diff, evidencing reviewed and approved change for A.8.32.

TabMigrate

Brings Server-to-Cloud migration under A.8.32 change management and supports A.5.18 access provisioning by running on the official Migration SDK with cherry-picked scope, user and project mapping, a deterministic dry-run risk preview, and explicit human approval required before any publish.

Evidence produced

A downloadable secrets-free migration compliance audit in JSON and Markdown capturing the scope migrated, user and project mappings, the risk preview, and the human approval, evidencing controlled change for A.8.32 and access provisioning to the destination for A.5.18.

TabLineage

Supports A.5.9 asset inventory and informs A.8.32 change impact by merging up to four reference points into one deterministic, read-only lineage graph with column-level Catalog lineage and blast-radius analysis showing what breaks if a table changes.

Evidence produced

Downloadable lineage evidence and the deterministic dependency graph with column-level lineage and blast-radius output, supporting asset and dependency records for A.5.9 and change-impact assessment for A.8.32.

TabTable

Supports A.5.33 protection of records by converting a workbook, parsed with an XXE-safe reader, into tamper-evident, byte-reproducible records with secrets redacted, so the resulting evidence is protected against falsification and preserves integrity and authenticity.

Evidence produced

SHA-256-sealed, secrets-redacted, byte-reproducible evidence files (.xlsx, JSON, NDJSON) that are read-only and tamper-evident, providing protected, integrity-preserved records in support of A.5.33.

TabGuard

Supports A.8.12 data leakage prevention and A.8.28 secure coding by running a read-only estate scan that deterministically detects embedded secrets and injectable SQL across every workbook, data source, and flow, with each finding tagged to a CIS Controls v8.1 Safeguard and a NIST CSF 2.0 function.

Evidence produced

Exportable SARIF, CSV, JSON, and PDF reports where each finding carries a rule ID, redacted evidence, severity, and control mapping, explicitly framed as audit evidence and not a certification of compliance, supporting A.8.12 for embedded secrets and A.8.28 for injectable SQL.

These tools assist with ISO/IEC 27001:2022 and produce audit evidence mapped to specific Annex A controls; they do not certify, attest to, or guarantee compliance. ISO 27001 certification is granted only by an accredited certification body following a Stage 1 and Stage 2 audit, and a qualified auditor must verify every finding. AI is never in the write path and can never confirm or certify a control.

GDPR

GDPR · EU General Data Protection Regulation (Regulation (EU) 2016/679)

The EU's data-protection law governing how organisations handle the personal data of people in the EU.

The GDPR is the European Union regulation that sets the rules for processing the personal data of individuals in the EU, built on principles such as lawfulness, data minimisation, accuracy, storage limitation, integrity and confidentiality. It applies to any controller or processor that handles EU personal data regardless of where the organisation is located, and is enforced by national supervisory authorities with administrative fines for non-compliance. It obliges organisations to know what personal data they hold, to secure it appropriately, and to be able to demonstrate accountability for how it is processed.

For your Tableau estate

A Tableau estate concentrates personal data inside published data sources, workbook fields, captions and calculations, where it is easy to lose track of and hard to audit by hand. Knowing exactly where personal data sits across that estate is the foundation for the GDPR security, minimisation, records-of-processing and DPIA obligations.

Control areas it touches

Art.30
Records of processing activities

Controllers and processors must maintain a record of processing activities, including the categories of personal data being processed.

Art.32
Security of processing

Organisations must implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk to personal data.

Art.5(1)(c)
Data minimisation

Personal data must be adequate, relevant and limited to what is necessary for the purposes for which it is processed.

Art.5(2)
Accountability

The controller is responsible for, and must be able to demonstrate, compliance with the data-protection principles.

Art.35
Data protection impact assessment

Processing likely to result in a high risk to individuals requires a DPIA that assesses the risks and the measures to address them.

Art.9
Special categories of personal data

Processing of special-category data, such as health data, is prohibited unless a specific Article 9 condition applies, and such data warrants heightened protection.

How the suite assists

TabRisk

TabRisk runs a read-only, deterministic scan of the Tableau metadata surface to locate where personal data such as national identifiers, payment-card numbers, emails and phone numbers is exposed. This helps operationalise the Art.30 duty to know the categories of personal data processed, supports the Art.32 risk-appropriate security obligation by surfacing exposure for human assessment, helps evidence Art.5(1)(c) data minimisation by showing where personal data resides, and produces a candidate input artifact for an Art.35 DPIA. It does not certify or confirm compliance, and it stamps every finding as requiring human verification.

Evidence produced

A secrets-free, masked findings export (CSV/JSONL) with evidence redacted (***-**-1234), each finding labelled 'possible PII/PHI, requires human verification', plus the transparent risk score (confidence × sensitivity × prevalence × exposure) and the verbatim scoring methodology so a reviewer can reproduce every score by hand.

TabRisk assists with GDPR by producing audit-ready evidence of where personal data is exposed across a Tableau estate. It does not make an organisation GDPR-compliant, does not certify or attest compliance, and does not perform de-identification. Every finding is flagged as possible personal data requiring human verification, and the optional AI is advisory only and can never confirm or certify a finding.

PCI DSS

PCI DSS v4.0 · Payment Card Industry Data Security Standard (PCI Security Standards Council)

The mandatory security standard for any organization that stores, processes, or transmits payment card data.

PCI DSS v4.0 is the Payment Card Industry Data Security Standard maintained by the PCI Security Standards Council and enforced by the card brands. It sets twelve requirements covering how cardholder data and sensitive authentication data must be protected across the cardholder data environment. Any merchant, processor, or service provider that stores, processes, or transmits primary account numbers (PAN) must validate against it, with the assessment rigor scaling by transaction volume from self-assessment questionnaires up to a Report on Compliance signed by a Qualified Security Assessor.

For your Tableau estate

Tableau dashboards built for payments, fraud, chargeback, or revenue analytics routinely pull from systems that carry account data, so a workbook or its embedded extract can quietly become part of the cardholder data environment. PCI DSS expects you to know where account data lives, restrict who can reach it, and keep tamper-evident records of access and changes, which is hard to prove by hand across a sprawling Tableau estate.

Control areas it touches

Req.3
Protect stored account data

Account data must not be stored unless there is a documented business need, and its presence and location must be known and minimized.

Req.7
Restrict access by business need to know

Access to system components and cardholder data must be limited to the least privilege required for a person's job function.

Req.8
Identify users and authenticate access

Each user must have a unique identity and access must be promptly removed or revoked when no longer required, including for terminated and inactive accounts.

Req.10
Log and monitor all access to system components and cardholder data

Audit logs must record who did what and when, and be retained and protected so access and changes to in-scope content are reconstructable for an assessor.

Req.12.5.1
Maintain an inventory of system components in scope

An accurate, current inventory of components and data flows in scope for PCI DSS must be kept to define and confirm the cardholder data environment.

How the suite assists

TabOffboard

Operationalizes least-privilege and account lifecycle hygiene (Req.7, Req.8) by reassigning a departing user's Tableau content to a required steward and reclaiming the seat only after reassignment, so access to in-scope dashboards is removed promptly under explicit human approval rather than left orphaned.

Evidence produced

A secrets-free JSON and Markdown offboarding audit recording the departing identity, every object reassigned, the receiving steward, the risk gate outcomes, the approver, and timestamps, attachable to a change ticket as Req.8 deprovisioning and Req.10 access-change evidence.

TabRisk

Supports the duty to know and minimize stored account data and to help confirm what is in scope (Req.3, Req.12.5.1) by scanning Tableau metadata read-only with a Luhn-validated credit card detector alongside SSN, email, phone, and US_NPI detectors, surfacing where possible PAN may be exposed across the estate so the cardholder data environment can be scoped.

Evidence produced

A masked, secrets-free CSV/JSONL findings export (evidence shown as ***-**-1234) with a reproducible transparent risk score and every finding stamped "possible PII/PHI, requires human verification," producing defensible discovery evidence that informs scoping of the cardholder data environment without ever certifying compliance or making a final scope determination.

TabTable

Produces the tamper-evident audit artifacts an assessor expects (Req.10, Req.3) by extracting exactly what a workbook contains into reproducible, content-hashed evidence, so the in-scope state of a dashboard, including any account data it carries, is documentable and any later change is detectable.

Evidence produced

A SHA-256-sealed, byte-reproducible evidence pack (.xlsx/JSON/NDJSON) with embedded secrets redacted at parse time, serving as tamper-evident assessment evidence; it is explicitly evidence, not a legal certification of compliance.
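The TabTable evidence pipeline that the SOC 2, ISO 27001 and PCI DSS sections describe (XXE-safe parsing, secrets redacted at parse time, byte-reproducible output, SHA-256 seal) as an added Python example written for this page; it is not TabTable's own code. The workbook XML and the embedded password are constructed, and the redacted-attribute list and the canonical JSON layout are assumptions. The parser hardening follows the defusedxml approach (every DOCTYPE, entity-declaration and external-entity hook on the underlying expat parser refuses) so the block runs on the standard library alone.

```python
import hashlib
import json
from xml.parsers import expat

# Constructed .twb-style workbook XML; a real Tableau workbook has far more elements.
# The embedded password is a made-up value for the example.
SAMPLE_TWB = """<?xml version='1.0' encoding='utf-8'?>
<workbook version='18.1' source-build='2023.1'>
  <datasources>
    <datasource name='Claims' caption='Claims (prod)'>
      <connection class='postgres' server='db.internal' port='5432'
                  username='reporting' password='Sup3rSecret!' dbname='claims'/>
      <column name='[member_ssn]' datatype='string' role='dimension'/>
    </datasource>
  </datasources>
  <worksheets><worksheet name='Member Detail'/></worksheets>
</workbook>
"""

# Same workbook with attributes reordered and whitespace changed: semantically identical,
# so the canonical evidence bytes and the seal must come out the same.
SAMPLE_TWB_REORDERED = """<?xml version='1.0' encoding='utf-8'?>
<workbook source-build='2023.1' version='18.1'><datasources><datasource caption='Claims (prod)' name='Claims'>
<connection dbname='claims' password='Sup3rSecret!' username='reporting' port='5432' server='db.internal' class='postgres'/>
<column role='dimension' datatype='string' name='[member_ssn]'/></datasource></datasources>
<worksheets><worksheet name='Member Detail'/></worksheets></workbook>
"""

# A hostile workbook carrying a classic XXE payload that a naive parser would resolve.
XXE_TWB = """<?xml version='1.0'?>
<!DOCTYPE workbook [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
<workbook version='18.1'><datasources><datasource name='&xxe;'/></datasources></workbook>
"""

# Attribute names treated as secrets (assumption for the example).
SECRET_ATTRS = {"password", "passwd", "pwd", "secret", "token", "apikey", "api-key"}
REDACTED = "[REDACTED]"


class UnsafeXML(ValueError):
    """Raised when workbook XML contains DOCTYPE or entity constructs."""


def parse_workbook(xml_text):
    """Minimal tree builder on pyexpat with every DTD/entity hook set to refuse
    (the defusedxml approach). Returns nested dicts: tag, attrs, text, children."""
    parser = expat.ParserCreate()
    parser.buffer_text = True

    def refuse(*_args):
        raise UnsafeXML("DOCTYPE and entity declarations are not allowed in workbook XML")

    parser.StartDoctypeDeclHandler = refuse
    parser.EntityDeclHandler = refuse
    parser.UnparsedEntityDeclHandler = refuse
    parser.ExternalEntityRefHandler = refuse

    root, stack = None, []

    def start(tag, attrs):
        nonlocal root
        node = {"tag": tag, "attrs": attrs, "text": "", "children": []}
        if stack:
            stack[-1]["children"].append(node)
        else:
            root = node
        stack.append(node)

    parser.StartElementHandler = start
    parser.EndElementHandler = lambda _tag: stack.pop()
    parser.CharacterDataHandler = lambda data: stack[-1].__setitem__("text", stack[-1]["text"] + data)
    parser.Parse(xml_text, True)
    return root


def canonical(node):
    """Secret attributes redacted, attributes sorted, whitespace-only text dropped,
    child order (which is meaningful in a workbook) preserved."""
    attrs = {k: REDACTED if k.lower() in SECRET_ATTRS else v for k, v in node["attrs"].items()}
    return {"tag": node["tag"], "attrs": dict(sorted(attrs.items())),
            "text": node["text"].strip(), "children": [canonical(c) for c in node["children"]]}


def seal_workbook(xml_text):
    """Return (evidence_bytes, sha256_hex). Same workbook content -> same bytes -> same seal."""
    body = json.dumps(canonical(parse_workbook(xml_text)), sort_keys=True,
                      separators=(",", ":"), ensure_ascii=False).encode("utf-8")
    return body, hashlib.sha256(body).hexdigest()


def verify_seal(body, expected_hex):
    """An auditor re-hashes the evidence file; any edit after sealing changes the digest."""
    return hashlib.sha256(body).hexdigest() == expected_hex


def is_unsafe(xml_text):
    try:
        seal_workbook(xml_text)
        return False
    except UnsafeXML:
        return True


if __name__ == "__main__":
    body, digest = seal_workbook(SAMPLE_TWB)
    print(digest, body.decode("utf-8")[:80])
```

The two properties an assessor cares about fall out of the design: reordering attributes or re-indenting the file does not change the seal, while editing a single attribute after sealing does, and the password never reaches the evidence bytes because redaction happens before serialization rather than as a post-hoc string replacement.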

TabTotal GRC tools assist your PCI DSS v4.0 program and produce audit-ready evidence for specific requirements; they do not make you PCI compliant, do not certify or attest compliance, and do not replace a Qualified Security Assessor or a self-assessment questionnaire. PAN-discovery findings are deterministic indicators marked for required human verification, not a certified scope determination.

CCPA / CPRA

California Consumer Privacy Act, as amended by the California Privacy Rights Act (Cal. Civ. Code §1798.100 et seq.)

A California privacy law that gives consumers rights over their personal information and requires businesses to know, inventory, and disclose the personal information they collect.

The CCPA, expanded by the CPRA, is a state privacy statute that grants California consumers rights to know, access, correct, and delete the personal information a business holds about them, and to opt out of its sale or sharing. It applies to for-profit businesses that handle California residents' personal information above defined revenue or data-volume thresholds, and it introduces a heightened category of "sensitive personal information." A business cannot reliably honor an access, deletion, or disclosure request, or apply the data-minimisation principle, unless it first knows where personal and sensitive personal information actually resides across its systems.

For your Tableau estate

A Tableau estate is a common blind spot for personal information: consumer identifiers, contact details, and sensitive fields routinely flow into workbook fields, calculated columns, captions, and data source extracts where a privacy team cannot easily see them. Locating that personal information across published content supports answering CCPA right-to-know requests and building the data inventory the law assumes a business maintains.

Control areas it touches

§1798.100
Right to know categories / notice at collection

A business must be able to identify the categories of personal information it has collected about a consumer, which presupposes knowing where personal information lives across its systems.

§1798.110
Right to know specific pieces of personal information

On a verifiable consumer request, a business must disclose the specific pieces of personal information it has collected about that consumer.

§1798.130
Methods for receiving and responding to requests

A business must have processes to locate, compile, and disclose a consumer's personal information across its records when responding to a verifiable request.

§1798.140(ae)
Sensitive personal information (definition)

The CPRA defines a heightened category, including government identifiers such as SSN and financial account data, that triggers additional consumer rights and handling duties and that a discovery scan can help locate.

§1798.100(c)
Data minimisation / proportionality

Collection, use, and retention of personal information must be reasonably necessary and proportionate, which requires knowing what personal information is actually held and where.

How the suite assists

TabRisk

TabRisk runs a read-only scan of the Tableau estate's metadata surface (field names, captions, descriptions, and calculation formulas) with deterministic, validator-backed detectors for personal and sensitive personal information, helping a privacy team build the inventory of where CCPA-covered data may reside that §1798.100 and §1798.110 presuppose and that informs the §1798.100(c) minimisation duty.

Evidence produced

A secrets-free CSV/JSONL findings export in which every potential identifier is masked (for example ***-**-1234), each finding carries a transparent risk score (confidence × sensitivity × prevalence × exposure) with the methodology emitted verbatim, and each row is stamped "possible PII/PHI, requires human verification" for analyst review.

TabRisk assists with CCPA/CPRA by helping locate and evidence where personal and sensitive personal information may reside across a Tableau estate; it produces audit-ready evidence for human review and does not make a business CCPA-compliant, certify compliance, or perform de-identification. Every finding is flagged "possible PII/PHI, requires human verification," and only a human or a deterministic validator (never the optional AI) can confirm a finding.
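The validator-backed discovery, masking and scoring that the TabRisk passages above describe (HIPAA: the US_NPI detector; PCI DSS: the Luhn-validated card detector; GDPR and CCPA: masked findings carrying the confidence × sensitivity × prevalence × exposure score and the human-verification stamp), shown as an added Python example written for this page. It is illustrative code, not TabRisk's implementation: the metadata rows, the field-name keyword hints, the confidence and sensitivity weights, and the exposure rule are all assumptions. The Luhn mod-10 check and the NPI check digit (Luhn over the 10 digits prefixed with 80840) are the real algorithms.

```python
import json
import re

# Constructed sample of a Tableau estate's metadata surface (field names, captions,
# descriptions, calculation formulas). All values are made up for this example.
SAMPLE_METADATA = [
    {"object": "Claims/Member Detail.twb", "field": "member_ssn", "caption": "Member SSN",
     "description": "e.g. 123-45-6789", "formula": "", "everyone_can_view": True},
    {"object": "Revenue/Chargebacks.twb", "field": "card_number", "caption": "Card",
     "description": "", "formula": "IF [card_number] = '4111111111111111' THEN 'test' ELSE 'live' END",
     "everyone_can_view": False},
    {"object": "Clinical/Provider Roster.twb", "field": "rendering_npi", "caption": "Provider NPI",
     "description": "sample 1234567893; contact billing@example.org", "formula": "",
     "everyone_can_view": False},
    {"object": "Sales/Pipeline.twb", "field": "region", "caption": "Region",
     "description": "West / East", "formula": "", "everyone_can_view": True},
]

REVIEW_STAMP = "possible PII/PHI, requires human verification"
# Weights, hints and confidence levels are assumptions for the example, not TabRisk's values.
SENSITIVITY = {"US_SSN": 1.0, "PAN": 1.0, "US_NPI": 0.8, "EMAIL": 0.4, "PHONE": 0.4}
NAME_HINTS = {"US_SSN": {"ssn"}, "PAN": {"card", "pan"}, "US_NPI": {"npi"},
              "EMAIL": {"email"}, "PHONE": {"phone"}}
CONF_VALIDATED, CONF_PATTERN, CONF_NAME_HINT = 0.9, 0.7, 0.4


def luhn_ok(digits):
    """Luhn mod-10: double every second digit from the right, subtract 9 when that exceeds 9."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def npi_ok(npi):
    """An NPI's check digit is Luhn over the 10 digits prefixed with the 80840 issuer code."""
    return len(npi) == 10 and luhn_ok("80840" + npi)


def pan_ok(raw):
    digits = re.sub(r"[ -]", "", raw)
    return 13 <= len(digits) <= 19 and luhn_ok(digits)


# (type, pattern, validator or None, masker) in priority order: a validated 10-digit NPI
# claims its span before the phone pattern can report the same digits.
DETECTORS = [
    ("US_SSN", re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"), None,
     lambda v: "***-**-" + v[-4:]),
    ("PAN", re.compile(r"\b(?:\d[ -]?){12,18}\d\b"), pan_ok,
     lambda v: "*" * 12 + re.sub(r"[ -]", "", v)[-4:]),
    ("US_NPI", re.compile(r"\b\d{10}\b"), npi_ok, lambda v: "******" + v[-4:]),
    ("EMAIL", re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"), None,
     lambda v: v[0] + "***@" + v.split("@", 1)[1]),
    ("PHONE", re.compile(r"\b\(?\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}\b"), None,
     lambda v: "***-***-" + v[-4:]),
]


def scan_text(text, source):
    """Value detectors over one metadata string; evidence is masked before it is stored."""
    hits, taken = [], []
    for dtype, rx, validate, mask in DETECTORS:
        for m in rx.finditer(text):
            s, e = m.span()
            if any(s < te and ts < e for ts, te in taken):
                continue  # span already claimed by a higher-priority detector
            if validate and not validate(m.group()):
                continue  # pattern matched but the check digit failed: not reported
            taken.append((s, e))
            hits.append((dtype, CONF_VALIDATED if validate else CONF_PATTERN, mask(m.group()), source))
    return hits


def scan_field_name(name):
    tokens = set(re.split(r"[^a-z0-9]+", name.lower()))
    return [(dtype, CONF_NAME_HINT, name, "field_name")
            for dtype, keys in NAME_HINTS.items() if tokens & keys]


def scan_estate(rows):
    """Deterministic findings with score = confidence × sensitivity × prevalence × exposure."""
    raw = []
    for row in rows:
        hits = scan_field_name(row["field"])
        for source in ("caption", "description", "formula"):
            hits += scan_text(row[source], source)
        for dtype, conf, evidence, source in hits:
            raw.append({"object": row["object"], "field": row["field"], "type": dtype,
                        "source": source, "confidence": conf, "evidence": evidence,
                        "exposure": 1.0 if row["everyone_can_view"] else 0.5})
    # prevalence: share of scanned objects in which this data type was seen
    objects_per_type = {t: len({f["object"] for f in raw if f["type"] == t})
                        for t in {f["type"] for f in raw}}
    for f in raw:
        f["sensitivity"] = SENSITIVITY[f["type"]]
        f["prevalence"] = objects_per_type[f["type"]] / len(rows)
        f["score"] = round(f["confidence"] * f["sensitivity"] * f["prevalence"] * f["exposure"], 4)
        f["status"] = REVIEW_STAMP
    return sorted(raw, key=lambda f: (-f["score"], f["object"], f["field"], f["type"], f["source"]))


def to_jsonl(findings):
    return "\n".join(json.dumps(f, sort_keys=True) for f in findings)


if __name__ == "__main__":
    print(to_jsonl(scan_estate(SAMPLE_METADATA)))
```

Two details carry the compliance weight: a pattern that matches but fails its check digit is dropped rather than reported at low confidence, so the export does not fill up with noise a human then has to clear, and the raw values never enter the findings at all, so the export is safe to hand to an auditor without creating a second copy of the identifiers it is reporting on.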

CIS Benchmarks

CIS Controls v8.1 Safeguards (published by the Center for Internet Security, listed under the CIS Benchmarks label)

A prioritized, prescriptive set of defensive cybersecurity Safeguards that an organization can implement and measure to reduce its real-world attack surface.

The Center for Internet Security publishes two related bodies of guidance: the CIS Benchmarks (configuration hardening guides for specific platforms) and the CIS Controls v8.1, a prioritized set of 153 Safeguards grouped into 18 Controls and three Implementation Groups. TabTotal lists its security mapping under the "CIS Benchmarks" label, but to be precise the references TabGuard actually produces are CIS Controls v8.1 Safeguards. They are voluntary best practice rather than a regulated mandate, but are widely adopted by security teams as a measurable baseline and are frequently cited as evidence within SOC 2, ISO 27001, and insurance assessments.

For your Tableau estate

A Tableau estate routinely accumulates embedded database credentials and hand-written SQL inside packaged workbooks and data sources, exactly the credential-hygiene and application-security weaknesses that several CIS Controls v8.1 Safeguards exist to reduce, yet these artifacts are zipped, distributed, and rarely reviewed by security teams. Mapping each finding to a named Safeguard lets a Tableau estate be assessed against the same baseline as the rest of the environment.

Control areas it touches

Safeguard 16.12
Implement Code-Level Security Checks

Calls for static and dynamic analysis within the application life cycle to verify secure coding, which TabGuard operationalizes as a deterministic read-only scan of every workbook and data source for injectable-SQL patterns in Initial SQL, Custom SQL, and RAWSQL_/SCRIPT_ pass-throughs.

Safeguard 16.11
Leverage Vetted Modules or Services for Application Security Components

Promotes reusing vetted, standardized security components rather than hand-rolling them; TabGuard contributes by surfacing the hand-written pass-through SQL that bypasses parameterized, vetted data-access patterns this Safeguard encourages.

Safeguard 5.2
Use Unique Passwords

Sits within Account Management (Control 5) and requires credentials be managed rather than left weak or hard-coded; TabGuard supports it by flagging embedded AWS, GitHub, Slack, Stripe, Google, and PEM secrets and connection-string passwords carried inside distributed workbooks.

Safeguard 1.1
Establish and Maintain Detailed Enterprise Asset Inventory

Requires an accurate inventory of enterprise assets, which TabGuard contributes to by enumerating every workbook, data source, and flow across the estate from a single read-only connection.

Safeguard 2.1
Establish and Maintain a Software Inventory

Requires an inventory of the software and artifacts in use, which TabGuard supports by cataloguing the packaged workbooks and data sources it unpacks and scans across the estate.

How the suite assists

TabGuard

TabGuard runs a deterministic, read-only security sweep of the Tableau estate and tags every embedded-secret (SECRET-*) and injectable-SQL (SQL-*) finding to a specific CIS Controls v8.1 Safeguard: injectable SQL to Safeguards 16.12 and 16.11, embedded credentials to Safeguard 5.2 within Account Management. This helps operationalize those Safeguards; it does not certify conformance to them.

Evidence produced

A secrets-free posture report plus SARIF / CSV / JSON / JSONL / PDF exports in which each finding carries a rule ID, a masked evidence snippet and its location, a severity, remediation text, and a pre-attached CIS v8.1 Safeguard tag. The output is version-stamped to the ruleset, so two auditors running the same ruleset over the same estate get byte-identical results. The artifact is audit evidence for human review, not a certification of compliance.
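The scan and the evidence format described above, as an added illustration in Python; this is not TabGuard's code. It refuses any workbook carrying a DTD (the standard-library parser does not fetch external entities, but rejecting DTDs outright also closes entity-expansion attacks), walks Initial SQL, Custom SQL and calculation formulas for parameter-substitution and RAWSQL_/SCRIPT_ pass-through patterns, flags a connection password and an AWS-style access key, masks every secret, and writes a SARIF 2.1.0 document whose rules and results are sorted and key-ordered so the bytes are identical on every run. The rule IDs, the Safeguard mapping table and the sample workbook are assumptions made for the example; TabGuard's real rule names and mapping file are not reproduced here.

```python
"""Added example: deterministic scan of a Tableau .twb for embedded credentials and
injectable SQL, tagged to CIS Controls v8.1 Safeguards and emitted as SARIF. Not
TabGuard's code; rule IDs, the mapping table and SAMPLE_TWB are invented here."""
import json
import re
import xml.etree.ElementTree as ET

RULESET_VERSION = "example-0.1"  # stamped into every report so reruns are comparable

# Hypothetical rule table: id -> (SARIF level, CIS v8.1 Safeguards, regex or None).
RULES = {
    "SECRET-AWS-KEY":   ("error",   ["5.2"],            r"\bAKIA[0-9A-Z]{16}\b"),
    "SECRET-CONN-PASS": ("error",   ["5.2"],            None),  # connection attribute
    "SQL-RAWSQL-PARAM": ("warning", ["16.12", "16.11"], r"\bRAWSQL_\w+\s*\(.*%\d"),
    "SQL-SCRIPT":       ("warning", ["16.12"],          r"\bSCRIPT_(REAL|INT|STR|BOOL)\s*\("),
    "SQL-PARAM-SUBST":  ("warning", ["16.12", "16.11"], r"<Parameters\.[^>]+>"),
}

# Constructed sample workbook; AKIAIOSFODNN7EXAMPLE is AWS's published example key id.
SAMPLE_TWB = """<?xml version="1.0"?>
<workbook><datasources>
  <datasource name="orders">
    <connection class="postgres" server="db.internal" username="svc_tableau"
                password="Hunter2!Hunter2"
                one-time-sql="SET search_path TO &lt;Parameters.Schema&gt;">
      <relation type="text" name="Custom SQL Query">
        SELECT * FROM orders WHERE region = '&lt;Parameters.Region&gt;'
      </relation>
    </connection>
    <column name="[Lookup]" datatype="string" role="dimension">
      <calculation class="tableau"
        formula="RAWSQL_STR(&quot;SELECT name FROM t WHERE id = %1&quot;, [Parameters].[Id])"/>
    </column>
    <column name="[Note]" datatype="string" role="dimension">
      <calculation class="tableau" formula="&quot;AKIAIOSFODNN7EXAMPLE&quot;"/>
    </column>
  </datasource>
</datasources></workbook>
"""

def has_dtd(xml_text: str) -> bool:
    """A DTD is the vehicle for XXE and entity-expansion attacks, so refuse it outright."""
    return re.search(r"<!(DOCTYPE|ENTITY)", xml_text, re.IGNORECASE) is not None

def mask(value: str) -> str:
    """Keep a locating prefix, never a reusable secret."""
    return value[:4] + "*" * max(len(value) - 4, 4)

def _sql_bearing_texts(root):
    """Yield (logical location, text) for each place a workbook can carry SQL."""
    for ds in root.iter("datasource"):
        name = ds.get("name", "?")
        for conn in ds.iter("connection"):
            if conn.get("one-time-sql"):                          # Initial SQL
                yield f"{name}/initial-sql", conn.get("one-time-sql")
            for rel in conn.iter("relation"):                     # Custom SQL
                if rel.get("type") == "text" and rel.text:
                    yield f"{name}/custom-sql", rel.text.strip()
        for col in ds.iter("column"):                              # calculated fields
            calc = col.find("calculation")
            if calc is not None and calc.get("formula"):
                yield f"{name}/{col.get('name')}", calc.get("formula")

def scan_workbook(xml_text: str, artifact: str = "workbook.twb") -> list:
    """Read-only scan: each finding carries rule id, level, location, Safeguard tags
    and evidence (masked for secrets, truncated to a snippet for SQL)."""
    if has_dtd(xml_text):
        raise ValueError(f"{artifact}: contains a DTD, refusing to parse")
    root, findings = ET.fromstring(xml_text), []

    def emit(rule_id, where, evidence):
        level, safeguards, _ = RULES[rule_id]
        findings.append({"ruleId": rule_id, "level": level, "cis_safeguards": safeguards,
                         "location": f"{artifact}#{where}", "evidence": evidence})

    for conn in root.iter("connection"):                            # embedded credential
        if conn.get("password"):
            emit("SECRET-CONN-PASS", "connection", mask(conn.get("password")))
    for where, text in _sql_bearing_texts(root):
        for rule_id, (_, _, pattern) in RULES.items():
            match = pattern and re.search(pattern, text)
            if match:
                emit(rule_id, where,
                     mask(match.group(0)) if rule_id.startswith("SECRET") else text[:60])
    return findings

def to_sarif(findings: list) -> dict:
    """SARIF 2.1.0; rules and results are sorted so the document is byte-stable."""
    rules = [{"id": rid, "properties": {"cisControlsV8_1": sg}}
             for rid, (_, sg, _) in sorted(RULES.items())]
    results = [{"ruleId": f["ruleId"], "level": f["level"],
                "message": {"text": f"{f['ruleId']} at {f['location']}: {f['evidence']}"},
                "locations": [{"logicalLocations": [{"fullyQualifiedName": f["location"]}]}],
                "properties": {"cisControlsV8_1": f["cis_safeguards"]}}
               for f in sorted(findings, key=lambda f: (f["location"], f["ruleId"]))]
    driver = {"name": "example-twb-scanner", "version": RULESET_VERSION, "rules": rules}
    return {"version": "2.1.0", "runs": [{"tool": {"driver": driver}, "results": results}]}

def report_bytes(findings: list) -> bytes:
    """Canonical JSON (sorted keys, fixed separators): two runs produce identical bytes."""
    return json.dumps(to_sarif(findings), sort_keys=True, separators=(",", ":")).encode()
```

Run it as `report_bytes(scan_workbook(SAMPLE_TWB))` and hash the result: because the findings are sorted by location and rule and the JSON keys are ordered, the digest is the same on every machine that holds the same ruleset, which is what makes a second reviewer's run comparable to the first. The mask keeps four leading characters so a reviewer can locate the credential in the workbook without the report itself becoming a secret.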

TabGuard assists with the CIS Controls v8.1 by producing reproducible, Safeguard-tagged audit evidence of credential-exposure and injectable-SQL weaknesses across a Tableau estate. It does not certify, guarantee, or make an organization "CIS compliant"; it does not assess the platform-hardening CIS Benchmarks themselves; and no tool here covers ISO 27017. Every finding is evidence for human review, and AI is optional, advisory only, and never in the write path.

NIST 800-53

NIST SP 800-53 Rev. 5 · Security and Privacy Controls for Information Systems and Organizations

NIST 800-53 Rev. 5 is the U.S. federal catalog of security and privacy controls that organizations select and implement to protect information systems.

NIST Special Publication 800-53 Revision 5 is a comprehensive catalog of security and privacy controls organized into families such as Access Control (AC), Audit and Accountability (AU), Configuration Management (CM), and Risk Assessment (RA). It is mandatory for U.S. federal agencies, and for contractors operating systems on their behalf, under FISMA and the Risk Management Framework; FedRAMP builds directly on it, NIST SP 800-171 (and therefore CMMC) derives from its moderate baseline, and many state, local, and private-sector organizations adopt it as the baseline for their own security programs. Organizations select a control baseline, tailor it to the system, implement the controls, and produce assessment evidence demonstrating that each control is operating.

For your Tableau estate

A Tableau estate concentrates accounts, content ownership, data connections, and change activity that map directly to AC, AU, and CM controls, yet Tableau provides no native, control-tagged evidence trail. The TabTotal GRC tools assist by operationalizing specific 800-53 controls on the estate and producing the deterministic, secrets-free artifacts an assessor needs to evidence them.

Control areas it touches

AC-2
Account Management

The organization manages information system accounts, including establishment, assignment, modification, review, and removal, with reassignment of access and content when a user is offboarded.

AC-6
Least Privilege

The organization employs the principle of least privilege, allowing only authorized access necessary to accomplish assigned tasks and removing access that is no longer required.

AU-2 / AU-12
Event Logging and Audit Record Generation

The system identifies events to be logged and generates audit records that capture who performed an action, what was affected, when, and the approving authority.

AU-9
Protection of Audit Information

The organization protects audit information and audit records from unauthorized access, modification, and deletion; tamper-evident sealing is one way to make any later alteration of an evidence record detectable.

CM-3
Configuration Change Control

The organization reviews, approves, and documents proposed changes to the system with explicit approval before changes are deployed to a production environment.

CM-4
Impact Analysis

The organization analyzes changes to the system to determine potential security and privacy impacts prior to approving and implementing the change.

RA-5
Vulnerability Monitoring and Scanning

The organization scans for vulnerabilities and information exposures in the system and its hosted content and remediates findings based on assessed risk.

SI-12
Information Management and Retention

The organization manages and retains information within the system in accordance with applicable requirements, including reproducible audit and evidence records.

How the suite assists

TabOffboard

Assists AC-2 (account management) and AC-6 (least privilege) by performing read-only discovery of every object a departing user owns, executing a human-approved reassignment to a designated steward, and reclaiming the seat only after the content is transferred; the JSON and Markdown audit it writes supports AU-2/AU-12 by recording who was changed, what was reassigned, when, and under whose approval.

Evidence produced

A secrets-free JSON+Markdown offboarding audit recording who was offboarded, what objects were reassigned, when, and which approver authorized each write.

TabMigrate

Assists CM-3 (configuration change control) by gating every Server-to-Cloud publish behind a dry-run validation, a deterministic risk preview, and explicit human approval, and assists AC-2 through governed user/project mapping during migration.

Evidence produced

A downloadable, secrets-free migration compliance audit (JSON+Markdown) capturing the cherry-picked scope, user/project mappings, risk preview, and the human approval before any publish.

TabLineage

Assists CM-4 (impact analysis) and CM-3 (configuration change control) by providing read-only, column-level cross-server lineage and deterministic blast-radius analysis so the impact of a proposed change is assessed before it is approved.

Evidence produced

A downloadable deterministic lineage graph and blast-radius report identifying, for a proposed table or source change, the downstream workbooks and data sources affected.

TabTable

Assists SI-12 (information management and retention) and AU-9 (protection of audit information) by reading a workbook through an XXE-safe, read-only reader, converting it into reproducible evidence records, and SHA-256-sealing those records so that any later tampering with the retained evidence is detectable.

Evidence produced

SHA-256-sealed, secrets-redacted, byte-reproducible evidence files (.xlsx/JSON/NDJSON) suitable as retained audit evidence for an 800-53 assessment.
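The sealing half of the TabTable description, as an added example in Python that is not TabTable's code: constructed evidence records are redacted of credential-looking fields, serialized into a canonical NDJSON byte stream (sorted keys, fixed separators, sorted lines, so the same records always produce the same bytes), hashed with SHA-256 into a seal document, and later verified against whatever bytes were actually retained. The reader side is left out; the record fields, the seal-document layout and the redaction key list are assumptions for the example.

```python
"""Added example: redact, canonicalise and SHA-256-seal evidence records, then verify
the seal against the retained bytes. Illustrative only, not TabTable's code; the
records are constructed and the seal-document layout is an assumption."""
import hashlib
import json
import re

SENSITIVE_KEY = re.compile(r"password|secret|token|api[-_]?key", re.IGNORECASE)

# Constructed rows of the kind a workbook-to-table conversion might emit.
SAMPLE_RECORDS = [
    {"sheet": "Sales by Region", "column": "[Margin]", "kind": "calculation",
     "formula": "SUM([Revenue]) - SUM([Cost])"},
    {"sheet": "Sales by Region", "column": "[Region]", "kind": "field", "formula": None},
    {"datasource": "orders", "server": "db.internal", "username": "svc_tableau",
     "password": "Hunter2!Hunter2"},
]

def redact(record: dict) -> dict:
    """Drop the value of any credential-looking key before it can reach disk."""
    return {k: ("[REDACTED]" if SENSITIVE_KEY.search(k) and v else v)
            for k, v in record.items()}

def canonical_ndjson(records: list) -> bytes:
    """One sorted-key JSON object per line, lines sorted: the same records give the
    same bytes whatever the dict insertion order or record order was."""
    lines = sorted(json.dumps(redact(r), sort_keys=True, separators=(",", ":"),
                              ensure_ascii=True) for r in records)
    return ("\n".join(lines) + "\n").encode("utf-8")

def seal(records: list, ruleset_version: str) -> dict:
    """Seal document to retain with the evidence (and, ideally, somewhere the evidence
    writer cannot reach, since a seal beside the file can be rewritten with it)."""
    body = canonical_ndjson(records)
    return {"algorithm": "sha256", "digest": hashlib.sha256(body).hexdigest(),
            "bytes": len(body), "records": len(records), "ruleset": ruleset_version}

def verify(body: bytes, seal_doc: dict) -> bool:
    """Recompute over the bytes actually retained; any edit changes the digest."""
    if seal_doc.get("algorithm") != "sha256" or seal_doc.get("bytes") != len(body):
        return False
    return hashlib.sha256(body).hexdigest() == seal_doc.get("digest")

def tampered_copy(records: list) -> list:
    """A copy with one formula quietly edited, to show that verification catches it."""
    out = [dict(r) for r in records]
    out[0]["formula"] = "SUM([Revenue])"
    return out
```

A plain hash detects modification but does not attribute it: anyone who can rewrite the evidence file can usually rewrite a seal stored next to it. The seal therefore belongs in a second place the evidence writer cannot alter (a ticket comment, a write-once bucket, a signed log), which is the practical reading of AU-9's "protection" rather than mere "detection".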

TabGuard

Assists RA-5 (vulnerability monitoring and scanning) by performing a read-only, deterministic estate scan for embedded secrets and injectable SQL, with each finding deterministically tagged to a control reference for traceability.

Evidence produced

SARIF/CSV/JSON/PDF scan reports where every finding carries a rule ID, redacted evidence, severity, and a CIS Controls v8.1 Safeguard plus NIST CSF 2.0 function tag, exported as audit evidence (explicitly not a certification of compliance).

TabQuality

Assists CM-3 (configuration change control) by enforcing a PASS-only, typed, dual-signed approval gate on UAT-to-PROD promotion, backed by a true semantic diff that catches a calculation silently swapped for a same-named direct field.

Evidence produced

A downloadable promotion compliance record capturing the approver, signature, source, target, and outcome, plus the deterministic quality-check and semantic-diff audit.
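The failure mode the TabQuality entry names, a calculation silently replaced by a same-named direct field, shown as an added Python example that is not TabQuality's code. Two constructed workbook fragments have identical column names, so a name-only comparison reports nothing; a diff over column definitions (kind, formula, datatype, role) reports the swap as blocking. A promotion gate then returns PASS only when there are no blocking changes and two distinct approvers each typed the confirmation token; each approval is signed with an HMAC over the canonical record. The fragments, the approver keys, the token and the HMAC scheme are assumptions for the example.

```python
"""Added example: semantic UAT-vs-PROD diff over workbook column definitions plus a
PASS-only, two-approver promotion gate. Illustrative only, not TabQuality's code;
workbook fragments, approver keys and the HMAC signature scheme are assumptions."""
import hashlib
import hmac
import json
import xml.etree.ElementTree as ET

# Constructed: PROD computes [Margin]; the UAT candidate quietly maps a database column
# of the same name instead, so a name-only diff sees no change at all.
PROD_TWB = """<workbook><datasources><datasource name="sales">
  <column name="[Cost]" datatype="real" role="measure"/>
  <column name="[Revenue]" datatype="real" role="measure"/>
  <column name="[Margin]" datatype="real" role="measure">
    <calculation class="tableau" formula="SUM([Revenue]) - SUM([Cost])"/>
  </column>
</datasource></datasources></workbook>"""

UAT_TWB = """<workbook><datasources><datasource name="sales">
  <column name="[Cost]" datatype="real" role="measure"/>
  <column name="[Revenue]" datatype="real" role="measure"/>
  <column name="[Margin]" datatype="real" role="measure"/>
</datasource></datasources></workbook>"""

def column_model(xml_text: str) -> dict:
    """(datasource, column) -> definition; kind separates calculations from fields."""
    if "<!DOCTYPE" in xml_text.upper() or "<!ENTITY" in xml_text.upper():
        raise ValueError("DTD present; refusing to parse")   # XXE / entity-bomb guard
    model = {}
    for ds in ET.fromstring(xml_text).iter("datasource"):
        for col in ds.findall("column"):
            calc = col.find("calculation")
            model[(ds.get("name"), col.get("name"))] = {
                "kind": "calculation" if calc is not None else "field",
                "formula": calc.get("formula") if calc is not None else None,
                "datatype": col.get("datatype"), "role": col.get("role")}
    return model

def name_only_diff(prod_xml: str, uat_xml: str) -> list:
    """What a naive comparison reports: column names added or removed, nothing else."""
    p, u = set(column_model(prod_xml)), set(column_model(uat_xml))
    return sorted(("added", k) for k in u - p) + sorted(("removed", k) for k in p - u)

def semantic_diff(prod_xml: str, uat_xml: str) -> list:
    """(key, change, severity); anything that can alter a number is blocking."""
    prod, uat = column_model(prod_xml), column_model(uat_xml)
    changes = []
    for key in sorted(set(prod) | set(uat)):
        a, b = prod.get(key), uat.get(key)
        if a == b:
            continue
        if a is None:
            changes.append((key, "added", "advisory"))
        elif b is None:
            changes.append((key, "removed", "blocking"))
        elif a["kind"] != b["kind"]:
            changes.append((key, f"{a['kind']} replaced by {b['kind']}", "blocking"))
        elif a["formula"] != b["formula"]:
            changes.append((key, "formula changed", "blocking"))
        else:
            changes.append((key, "datatype/role changed", "advisory"))
    return changes

def promotion_gate(changes: list, approvals: list, keys: dict, token: str = "PROMOTE") -> dict:
    """PASS only with zero blocking changes and two distinct approvers who each typed
    the token; each approver signs the canonical record with their own HMAC key."""
    record = {"source": "UAT", "target": "PROD", "changes": changes,
              "outcome": "FAIL" if any(s == "blocking" for _, _, s in changes) else "PASS"}
    typed_ok = [a for a in approvals if a.get("typed") == token and a.get("name") in keys]
    if len({a["name"] for a in typed_ok}) < 2:
        record["outcome"] = "FAIL"
        record["reason"] = "two distinct approvers with a typed confirmation are required"
    payload = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    record["signatures"] = {a["name"]: hmac.new(keys[a["name"]], payload,
                                                 hashlib.sha256).hexdigest() for a in typed_ok}
    return record

def verify_signature(record: dict, name: str, key: bytes) -> bool:
    """Recompute one approver's HMAC over the record minus the signature block."""
    unsigned = {k: v for k, v in record.items() if k != "signatures"}
    payload = json.dumps(unsigned, sort_keys=True, separators=(",", ":")).encode()
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, record.get("signatures", {}).get(name, ""))
```

The point of the diff is to compare what a column is, not what it is called: a direct field and a calculation with the same name are different objects to the database and to every downstream number. For the signatures to mean anything the per-approver keys must be held by the approvers, not by the gate process; the dictionary of keys here stands in for whatever signing mechanism a real deployment uses.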

These tools assist with NIST 800-53 Rev. 5 and produce audit evidence for specific controls; they do not certify, attest to, or guarantee compliance, and they do not constitute a control assessment. Determination that a control is implemented and effective remains the responsibility of the organization and its assessing authority, with a human in the loop on every write.

NIST CSF

NIST Cybersecurity Framework (CSF) 2.0

A voluntary, outcome-based framework that organizes cybersecurity work into six functions: Govern, Identify, Protect, Detect, Respond, and Recover.

NIST CSF 2.0, published by the U.S. National Institute of Standards and Technology in 2024, is a voluntary framework that expresses desired cybersecurity outcomes as Functions, Categories, and Subcategories rather than prescriptive controls. It is widely adopted by U.S. and global organizations of any size to structure, communicate, and improve a cybersecurity program, and it is increasingly used as the common language to map across SOC 2, ISO 27001, and NIST 800-53. It is not certifiable; an organization assesses and reports its own posture against the Functions and selects implementation tiers and profiles.

For your Tableau estate

A Tableau estate concentrates data assets, embedded credentials, and lineage that often sit outside a central security review, leaving CSF outcomes for asset identification (IDENTIFY), data security (PROTECT), and threat detection (DETECT) unevidenced for the analytics layer. The TabTotal tools surface that estate read-only and produce deterministic, function-tagged evidence so a Tableau program can be assessed against CSF 2.0 alongside the rest of the enterprise.

Control areas it touches

ID.AM
Asset Management (IDENTIFY)

Inventory and map the data, software assets, and their relationships so that exposure can be reasoned about across the estate.

ID.RA
Risk Assessment (IDENTIFY)

Understand the cybersecurity risk and impact to assets, including how a change to one object propagates across dependent content.

PR.DS
Data Security (PROTECT)

Protect data in storage and in use, including managing embedded secrets and preventing leakage of sensitive information.

PR.PS
Platform Security (PROTECT)

Manage software securely across its lifecycle, including secure configuration and disciplined change before promotion to production.

DE.CM
Continuous Monitoring (DETECT)

Monitor assets to find anomalies and security-relevant weaknesses such as exposed credentials and injection vectors.

DE.AE
Adverse Event Analysis (DETECT)

Analyze detected security findings to characterize and prioritize them, including severity grading before remediation.

GV.RR
Roles, Responsibilities, and Authorities (GOVERN)

Establish and enforce who is accountable for cybersecurity decisions, so that approvals such as production change sign-off are documented and auditable.

How the suite assists

TabGuard

TabGuard performs a read-only security and threat scan of the estate in which every finding is deterministically tagged to a NIST CSF 2.0 function (and a CIS Controls v8.1 Safeguard) via the shipped rules/cis_csf_map.yaml. This operationalizes DETECT outcomes for continuous monitoring (DE.CM), characterizes and prioritizes findings for adverse-event analysis (DE.AE), and supports PROTECT data-security outcomes (PR.DS) by surfacing embedded secrets and injectable SQL.

Evidence produced

A function-tagged posture report and SARIF/CSV/JSON/PDF exports where each finding carries a rule ID, redacted evidence, severity, CIS Controls v8.1 Safeguard, NIST CSF 2.0 function, and remediation text, stamped with the ruleset version; labeled audit evidence, explicitly not a certification of compliance.

TabLineage

TabLineage merges up to four reference points across servers into one deterministic, read-only data lineage graph with column-level Catalog lineage and blast-radius analysis, supporting IDENTIFY asset-management outcomes (ID.AM) by mapping data assets and their relationships and IDENTIFY risk-assessment outcomes (ID.RA) by showing the impact and exposure if a given table or data source changes.

Evidence produced

A downloadable deterministic lineage graph and exported lineage evidence, including the merged node/edge set, column-level relationships, and per-node upstream/downstream blast-radius mapping, produced with no write path.
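The blast-radius analysis described for TabLineage here and in the NIST 800-53 section (CM-4 impact analysis), as an added Python example that is not TabLineage's code. A constructed column-level lineage graph spans two servers, merged simply by namespacing node ids; a downstream traversal over sorted adjacency lists answers "what breaks if this column changes" and an upstream traversal answers "which physical tables does this workbook depend on", both with output that does not depend on edge order. The node names, edge list and id prefixes are assumptions for the example.

```python
"""Added example: deterministic blast-radius and upstream-source queries over a merged,
column-level lineage graph. Illustrative only, not TabLineage's code; node names and
edges are constructed for the example."""
from collections import deque

# Constructed edges, upstream -> downstream. Node ids carry their kind as a prefix and
# content from two servers (srvA, srvB) is merged into one graph by namespacing ids.
SAMPLE_EDGES = [
    ("table:wh.public.orders",          "column:wh.public.orders.amount"),
    ("table:wh.public.orders",          "column:wh.public.orders.region"),
    ("column:wh.public.orders.amount",  "datasource:srvA/Sales"),
    ("column:wh.public.orders.region",  "datasource:srvA/Sales"),
    ("datasource:srvA/Sales",           "workbook:srvA/Exec Dashboard"),
    ("datasource:srvA/Sales",           "workbook:srvB/Regional Review"),  # cross-server
    ("table:wh.public.customers",       "column:wh.public.customers.tier"),
    ("column:wh.public.customers.tier", "datasource:srvB/Customers"),
    ("datasource:srvB/Customers",       "workbook:srvB/Regional Review"),
]

def build_graph(edges):
    """Downstream and upstream adjacency with sorted neighbours, so traversal order
    (and therefore the exported evidence) never depends on input order."""
    down, up = {}, {}
    for src, dst in edges:
        down.setdefault(src, set()).add(dst)
        up.setdefault(dst, set()).add(src)
        down.setdefault(dst, set())
        up.setdefault(src, set())
    return ({k: sorted(v) for k, v in down.items()}, {k: sorted(v) for k, v in up.items()})

def reach(adj, start):
    """Transitive closure from start (excluding start); BFS, cycle-safe, sorted result."""
    seen, queue = set(), deque([start])
    while queue:
        node = queue.popleft()
        for nxt in adj.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(start)
    return sorted(seen)

def blast_radius(edges, changed):
    """Everything downstream of a changed node, grouped by node kind."""
    down, _ = build_graph(edges)
    grouped = {}
    for node in reach(down, changed):
        grouped.setdefault(node.split(":", 1)[0], []).append(node)
    return grouped

def upstream_tables(edges, node):
    """The physical tables a workbook or data source ultimately depends on."""
    _, up = build_graph(edges)
    return [n for n in reach(up, node) if n.startswith("table:")]
```

Because the adjacency lists are sorted before traversal and the results are sorted again on return, two runs over the same merged edge set produce the same report regardless of which server's metadata was read first, which is the property that lets the exported evidence be compared across runs.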

TabQuality

TabQuality runs deterministic quality checks and a true semantic UAT-vs-PROD diff and gates promotion behind a typed, dual-signed, PASS-only approval, supporting PROTECT platform-security outcomes for secure software lifecycle and change discipline (PR.PS) and GOVERN accountability (GV.RR) by ensuring changes to production workbooks are reviewed and approved by an accountable signer.

Evidence produced

A downloadable QA audit (HTML/text/JSON) plus a promotion compliance record capturing approver, signature, source, target, outcome, and any waived advisories; this is audit evidence, not a certification of compliance.

These tools assist with NIST CSF 2.0 by producing deterministic, read-only evidence that maps to specific CSF Functions and Categories. NIST CSF is a voluntary, self-assessed framework that cannot be certified, and no tool here certifies, guarantees, or ensures CSF conformance. The outputs are audit evidence to inform human review and your own posture assessment; only the named tools above apply to this framework.

ISO 27017 · not claimed

ISO/IEC 27017 · Cloud service security controls

ISO 27017 extends ISO 27001 with security controls specific to cloud service providers and their customers. No tool in the suite assists with it, so we deliberately leave it off every claim. That is the whole point of the moat: 9 of 10, never an inflated 10.

Govern with proof

Evidence your Tableau estate.

One secure login, nine governed tools, and audit-ready evidence mapped to the frameworks you answer to. We assist and evidence. Your auditor certifies.