JupiterOne Policies, Standards, and Procedures

Asset Inventory Management

2020.1

You can’t protect what you can’t see. Therefore, it is imperative for JupiterOne to maintain an accurate and up-to-date inventory of both its physical and digital assets.

More details on data inventory and data lifecycle management is documented separately in §Data Management.

Policy Statements

JupiterOne policy requires that:

(a) The Security Team must maintain an inventory of all critical company assets, both physical and logical.

(b) All assets should have identified owners and be tagged with a risk/data classification.

(c) All physical assets must be labeled with a company property tag.

Controls and Procedures

Physical Asset Inventory

JupiterOne Security Team leverages the JupiterOne Platform to maintain inventory of all company-owned physical computing equipment, including but not limited to:

Each record includes details of the physical device such as manufacturer, model as well as ownership details and property tag ID.

The movement of computing hardware and electronic media is maintained as part of the records, including media re-use and ownership reassignment.

The Security Officer (or a designated staff member) is responsible for ensuring each physical asset is supplied with a JupiterOne-issued property tag, and an up-to-date record is maintained in the asset management system.

Digital Asset Inventory

JupiterOne Security Team uses the JupiterOne Platform to query across our cloud-based infrastructure, including but is not limited to AWS, to obtain detailed records of all digital assets, including but not limited to:

Records are tagged with owner/project and classification when applicable. All records are kept up to date via automated integration with JupiterOne’s service providers.

Paper Records

JupiterOne does not use paper records for any sensitive information. Use of paper for recording and storing sensitive data is against JupiterOne policies.