internal-security-psp

Index of JupiterOne-Defined Review Periods

2022.2

Several policies and procedures define periodic review actions to be taken by one or more JupiterOne staff members. Below is a comprehensive index of these review items, cross-referenced by section.

| ID | Review/Action Item | Review Period | Reviewer(s) |
|---|---|---|---|
| PROG1 | Full PSP documents | Annually | Cross-functional Team |
| ACC1 | All system access for a given user | Annually | User's manager |
| ACC2 | Admin/privileged production access | Weekly | System Owner |
| ACC3 | Temporary and/or inactive accounts | Every 60d | System Owner |
| ACC4 | Employees with access to unsanitized customer data | Every 30d | Director of Engineering |
| RAR1 | Employee security training requirements met | Annually | Security Officer |
| RISK1 | Conduct risk assessment | Annually | Security Team |
| RISK2 | Quarterly risk-mgmt compliance review | Every 90d | Security Team |
| RISK3 | Financial and account auditing | Annually | KSM Business Services |
| RISK4 | Executive review of plan and revenue | Every 30d | Executive Team |
| AUDT1 | External audit of security controls | Annually | External audit/assessor |
| AUDT2 | Review of non-J1-monitored systems | Every 90d | User's manager and system owner |
| AUDT3 | Review of sanctioned countries | Annually | Security Team |
| AUDT4 | Review of specific-cause audit data, if any | Every 30d | Designated staff member(s) |
| HR1 | Ensure new-hire training and AUP complete | Every 30d | HR Manager and Security Team |
| FAC1 | Audit of physical access records | Annually | Security Team |
| FAC2 | Audit of special physical access records | Every 90d | Security Team |
| SDLC1 | Security code review of JupiterOne Platform | Every 90d | Security Team |
| SDLC2 | External pentest of the JupiterOne Platform | Annually | Security Team or Other |
| CCM1 | Manual review/inspection of PRODCM artifacts | Every 90d | Security Team |
| VULN1 | Product systems vulnerability scan | Every 90d | Security Team |
| VULN2 | Internal penetration testing | Annually | Security Team |
| VULN3 | Assess validity of documented Exceptions | Every 180d | Security Team |
| BCDR1 | Validate/test the BCDR plan | Annually | Director of Engineering |
| BCDR2 | Test system status notification process | Every 90d | Director of Engineering and Security Team |
| IR1 | Test Incident Response plan | Annually | Security and Development Teams |
| VEND1 | Review list of approved vendors/partners | Annually | Security Officer |
| VEND2 | Review all vendor contracts, if any | Annually | Director of Finance |
| VEND3 | Review vendor service provider SLAs vs uptime | Every 90d | Director of Engineering or delegate |