JupiterOne Policies, Standards, and Procedures

Index of JupiterOne-Defined Review Periods

2020.1

Several policies and procedures define periodic review actions to be taken by one or more JupiterOne staff members. Below is a comprehensive index of these review items, cross-referenced by section.

| ID | Review/Action Item | Review Period | Reviewer(s) |
|---|---|---|---|
| PROG1 | Full PSP documents | Annually | Cross-functional team |
| ACC1 | All system access | Annually | Security team member |
| ACC2 | Admin/privileged production access | Every 60d | Security team member |
| ACC3 | Temporary and/or inactive accounts | Every 60d | Security team member |
| ACC4 | Employees with access to customer data | Every 30d | Director of Engineering |
| RAR1 | Employee training requirements met | Every 30d | Security Officer |
| RISK1 | Conduct risk assessment | Annually | Security Team |
| RISK2 | Quarterly risk-mgmt compliance review | Every 90d | Security Team |
| RISK3 | Financial and account auditing | Annually | KSM Business Services |
| RISK4 | Executive review of plan and revenue | Every 30d | Executive Team |
| AUDT1 | External audit of security controls | Annually | External audit/assessor |
| AUDT2 | Review of non-J1-monitored systems | Every 90d | Security Team |
| AUDT3 | Review of exceptional net connections | Annually | Security Team |
| AUDT4 | Review of specific-cause audit data, if any | Every 30d | Designated staff member(s) |
| HR1 | Ensure new-hire training and AUP complete | Every 30d | HR Manager |
| FAC1 | Audit of physical access records | Annually | Security Team |
| FAC2 | Audit of special physical access records | Every 90d | Security Team |
| SDLC1 | Security code review of JupiterOne Platform | Every 90d | Security Team |
| SDLC2 | External pentest of the JupiterOne Platform | Annually | Security Team or Other |
| CCM1 | Manual review/inspection of PRODCM artifacts | Every 90d | Security Team |
| VULN1 | Product systems vulnerability scan | Every 90d | Security Team |
| VULN2 | Internal penetration testing | Every 90d | Security Team |
| VULN3 | Assess validity of documented Exceptions | Every 180d | Security Team |
| BCDR1 | Validate/test the BCDR plan | Annually | Director of Engineering |
| BCDR2 | Test system status notification process | Every 90d | Director of Engineering and Security Team |
| IR1 | Test Incident Response plan | Annually | Security and Development Teams |
| VEND1 | Review list of approved vendors/partners | Annually | Security Officer |
| VEND2 | Review all vendor contracts, if any | Annually | Security Officer |
| VEND3 | Review vendor service provider SLAs vs uptime | Every 90d | Director of Engineering or delegate |