figma guide
Designing security posture dashboard and compliance checklist UI in Figma: scores, gaps, and handoff
Design security posture dashboard and compliance checklist UI in Figma with health score, control gaps, remediation links, framework mapping, and Dev Mode specs for enterprise Security admin.
- Published
- Updated
- Jul 17, 2026
- Read time
- 7 min
- Level
- Intermediate
Quick answer
A security posture dashboard gives org admins one view of control health—typically the default landing under Organization → Security. Design a posture score with trend sparkline (not gamified); control checklist grouped by domain (identity, network, data, integrations); gap cards with severity, affected member count, and deep-link to fix settings; framework mapping (SOC 2, ISO 27001) as optional overlay; remediation queue assignable to Security Admin; and export snapshot for auditors tied to compliance exports. Start from the Figma guides hub and pair with SSO, 2FA, DLP, IP allowlist, and Dev Mode handoff.
Who this is for
- Product designers building enterprise Security admin home, compliance reporting, and executive summary views.
- Design system teams aligning score widgets with cards, badges, and progress indicators.
- Engineers implementing control evaluation jobs, framework tag mapping, and snapshot PDF generation.
Dashboard layout and information hierarchy
| Zone | Content | Priority |
|---|---|---|
| Header | Org name, last evaluated timestamp, refresh | Always visible |
| Score summary | Posture score + 30-day trend | Above fold |
| Critical gaps | 0–3 highest-severity items | Above fold |
| Control domains | Identity, Network, Data, Integrations, Audit | Scroll |
| Framework view | Optional SOC 2 / ISO toggle | Tab or filter |
| Activity feed | Recent security config changes | Sidebar or bottom |
SecurityPostureDashboard
├── Header: Acme Org · Evaluated 12 min ago · [ Refresh ] [ Export snapshot ]
├── ScoreCard: 78 / 100 · ▲ +4 vs last week · "3 critical gaps"
├── CriticalGapsStrip: [ Enforce MFA ] [ Enable IP allowlist ] [ Review pending apps ]
├── DomainAccordion: Identity · Network · Data · Integrations · Audit
└── ActivityFeed: bob enabled SSO enforce · jane added DLP rule
Verdict: lead with actionable gaps, not a vanity score—executives want “what to fix,” not a green badge with hidden risks.
Posture score methodology (transparent UI)
Show how the score is calculated—link to /how-we-recommend-tools/ style methodology page if your product has one:
| Factor | Weight | Example signal |
|---|---|---|
| Identity hardening | 25% | SSO enforced, MFA coverage % |
| Network boundaries | 20% | IP allowlist enforced |
| Data protection | 25% | DLP enforce mode, classification coverage |
| Integration governance | 15% | App allowlist, no shadow API keys |
| Audit readiness | 15% | Export configured, legal hold tested |
ScoreBreakdownDrawer
├── Identity: 82% — "12% members without MFA"
├── Network: 60% — "Allowlist in monitor mode"
├── Data: 91% — "DLP enforced on Confidential"
├── Integrations: 70% — "8 pending app approvals"
└── Audit: 88% — "Last export 45 days ago"
Avoid red/green only—use score + explanation text for accessibility. Trend line: 30-day sparkline, not leaderboard.
Control checklist by domain
Identity
| Control | Status UI | Fix deep-link |
|---|---|---|
| SSO enforced | ✓ / ⚠ / ✗ | SSO settings |
| MFA required for admins | ✓ / ⚠ / ✗ | 2FA policy |
| MFA org-wide coverage | Progress bar % | Member nudge campaign |
| Passkeys encouraged | Optional badge | Security settings |
| Session timeout ≤ 8 hr | ✓ / ✗ | Session policy |
| Break-glass tested ≤ 90 days | ✓ / ✗ | Run tabletop |
Network
| Control | Status | Fix link |
|---|---|---|
| IP allowlist enforced | Monitor / Enforce | Network settings |
| No overly broad CIDR rules | Warning if /8 | Rule review |
| SCIM healthy sync | Last sync timestamp | Directory sync |
Data
| Control | Status | Fix link |
|---|---|---|
| Classification coverage | % files labeled | Classification hub |
| DLP enforce mode | Monitor / Enforce | DLP settings |
| Retention policies active | Count of rules | Retention admin |
| External share default | Restricted / Open | Sharing policy |
Integrations
| Control | Status | Fix link |
|---|---|---|
| App allowlist enabled | ✓ / ✗ | Apps settings |
| Pending app requests | Count badge | Approval queue |
| API keys policy | Restricted / Open | Token policy |
| Scope drift apps | Count | App drift dashboard |
Audit
| Control | Status | Fix link |
|---|---|---|
| Audit log retention | Days configured | Audit settings |
| Compliance export scheduled | ✓ / ✗ | Export jobs |
| Legal hold tested | ✓ / ✗ | Legal hold wizard |
Each row: status icon, control name, one-line rationale, [ Fix ] button routing to exact settings page.
Gap cards and remediation queue
Critical gaps render as actionable cards—not toast notifications:
GapCard — Critical
├── Enforce MFA for all members
├── Impact: 847 members without MFA · Increases account takeover risk
├── Framework: SOC 2 CC6.1 · ISO A.9.4
├── Suggested owner: Security Admin
└── [ Go to MFA settings ] [ Assign ] [ Snooze 7 days ]
| Severity | Color token | Max shown above fold |
|---|---|---|
| Critical | Error | 3 |
| High | Warning | Collapsed list |
| Medium | Info | Domain accordion only |
| Low | Neutral | Optional “Improve” section |
Snooze requires reason and logs to audit—prevents permanent dismissal. Assign sends email to designated team role holder.
Framework mapping overlay
Toggle View by framework to regroup controls:
| Framework | Control ID | Maps to product control |
|---|---|---|
| SOC 2 CC6.1 | Logical access | MFA, SSO, roles |
| SOC 2 CC6.6 | Boundary protection | IP allowlist |
| SOC 2 C1.2 | Confidentiality | DLP, classification |
| ISO A.9.2 | User access management | SCIM, offboarding |
| ISO A.12.4 | Logging | Audit log, exports |
FrameworkFilterBar
├── (•) All controls ( ) SOC 2 Type II ( ) ISO 27001
└── Coverage: 34 / 41 SOC 2 mapped controls passing
Export framework gap report PDF for auditor handoff—include evaluation timestamp and org id.
Comparison: posture vs audit log vs compliance export
| Surface | Purpose | Update frequency |
|---|---|---|
| Posture dashboard | Proactive fix list | Hourly evaluation job |
| Audit log | Reactive event stream | Real-time |
| Compliance export | Point-in-time evidence bundle | On schedule / demand |
Cross-link all three from dashboard header—admins confuse them during audit season.
Executive summary view
Optional compact view for Owner who does not manage day-to-day Security:
ExecutiveSummaryCard
├── Posture: 78 · 3 critical gaps
├── Top risk: MFA not enforced org-wide
├── Last incident: 0 break-glass uses this quarter
└── [ View full dashboard ] [ Email me weekly digest ]
Weekly digest checkbox ties to notification preferences—Security Admin vs Owner roles get different digests.
Common mistakes
| Mistake | Why it hurts | Fix |
|---|---|---|
| Score without explanation | Admins dismiss or gaming | Breakdown drawer |
| Gamified leaderboard | Wrong incentive | Trend only, no ranks |
| Fix button lands on wrong page | Remediation abandoned | Deep-link to exact toggle |
| All gaps same severity | Alert fatigue | Critical strip + collapsed rest |
| No framework mapping | Audit prep painful | SOC 2 / ISO overlay |
| Snooze without audit | Gaps hidden forever | Reason + logged snooze |
| Posture ignores app drift | Integration risk invisible | Integrations domain |
| Stale “evaluated” timestamp | Trust collapse | Show job time + manual refresh |
| Dashboard duplicates audit log | Two sources of truth | Clear role split in copy |
| Export snapshot missing score | Auditor asks for screen | PDF includes score + gap list |
Recommended workflow
- Design dashboard shell with score card, critical gaps strip, and domain accordion.
- Build control checklist rows with status icons and deep-link Fix buttons for each domain.
- Add gap cards with severity, framework tags, assign, and snooze flows.
- Create framework overlay filter for SOC 2 and ISO mapping.
- Wire activity feed to recent Security setting changes from audit stream.
- Add export snapshot and executive summary variants.
- Annotate evaluation job cadence and score weights in Dev Mode.
FAQ
Does posture score affect billing or access?
No—copy should state score is advisory; org function is never disabled based on score alone.
How often should controls re-evaluate?
Hourly for most checks; real-time for critical events (SSO toggled, allowlist mode changed). Show last evaluated time prominently.
Can teams have separate posture scores?
Org-level only in v1—team-level gaps (e.g., one team disables guest restrictions) appear as drill-down, not separate score.
Link to break-glass usage?
Yes—show quarterly break-glass count as informational signal; frequent use suggests policy misconfiguration.
Difference from privacy settings?
Posture is admin Security health; privacy is member data rights UI—cross-link but separate nav entries.
Next steps
- Design audit log and security activity UI in Figma — event stream behind activity feed
- Design compliance exports and legal hold UI in Figma — auditor snapshot export
- Design two-factor authentication and security settings UI in Figma — top identity gap remediation
- Design DLP and external sharing restrictions UI in Figma — data domain controls
- Design break-glass emergency access and account recovery UI in Figma — posture signal for emergency usage
§ Keep reading