internal-security-psp

Employee Handbook and Policy Quick Reference

2020.1

This is an abridged version of JupiterOne’s security policy that all workforce members are required to be familiar with and comply with.

Your Responsibilities

You are assumed to have read and fully understood the corporate security and privacy policies, standards, guidelines, controls and procedures even if you haven’t. This handbook is meant to serve as a “Getting Started” guide and quick reference.

Security is everyone’s responsibility. If this is not your first job, don’t do anything that might get you in trouble at your previous workplace. When in doubt, stop and ask.

Acceptable Use Policy (AUP) for end-user computing

All employees and contractors of JupiterOne must agree to and comply with the JupiterOne Acceptable Use Policy (AUP)

!!! Important Compliance with JupiterOne’s AUP is mandatory, regardless of level-of-employment or job function!

Training

You will be prompted as part of onboarding, and periodically going forward, to complete the following security training:

• General security policy and procedures training, including

  • Roles, Responsibilities and Training
  • HR and Personnel Security
  • Data Classification and Handling

• Ongoing security awareness training (a monthly series, currently provided by KnowBe4)

• Role-based security training

  • all members of the Development/Engineering team must carefully review the following policies and procedures

    • Product Security and Secure Software Development
    • Data Management
    • Data Protection
    • Configuration and Change Management

  • all members of the Administrative, Marketing and Procurement teams must review the following policies and procedures

    • Third Party Security, Vendor Risk Management and Systems/Services Acquisition

  • all members of the Administrative and Senior Leadership/Executive teams must review the following policies and procedures

    • Business Continuity and Disaster Recovery
    • Compliance Audits and External Communications
    • Risk Management

  • all members of the HR and Facilities teams must review the following policies and procedures

    • HR and Personnel Security
    • Facility Access and Physical Security

  • all team members responsible for Product Management and Business Development must review the following policies and procedures

    • Privacy and Consent

  • all members of the Security, Compliance and IT teams must review all policies and procedures in its entirety

Your responsibilities for computing devices

JupiterOne provides company-issued laptops and workstations to all employees. JupiterOne currently does not require or support employees bringing their own computing devices.

The laptops and/or workstations assigned to you are yours to configure and manage according to company security policy and standards. You are responsible to

• configure the system to meeting the configuration and management requirements, including password policy, screen protection timeout, host firewall, etc.;

• ensure the required anti-malware protection and security monitoring agent is installed and running; and

• install the latest security patches timely or enable auto-update.

IT and Security provides automated scripts for end-user system configurations and/or technical assistance as needed.

You are also responsible for maintaining a backup copy of the business files local on your laptop/workstation to the appropriate location on JupiterOne file sharing / team site (e.g. Google Drive). Examples of business files include, but are not limited to:

• Documents (e.g. product specs, business plans)
• Presentations
• Reports and spreadsheets
• Design files/images/diagrams
• Meeting notes/recordings
• Important records (e.g. approval notes)

!!! important

DO NOT backup critical data such as eCustomer data or PII to file sharing sites.
If you have such critical data locally on your device, contact IT and
Security for the appropriate data management and protection solution.

Unless the local workstation/device has access to Critical data, backups of user workstations/devices are self managed by the device owner. Backups may be stored on an external hard drive or using a cloud service such as iCloud if and only if the data is both encrypted and password protected (passwords must meet JupiterOne requirements).

Getting help

Support for most of our business applications are self-service, such as password reset via Google G Suite.

If needed, users may use our internal service desk to request IT and Security support. Common requests include:

• Password reset and access requests
• Request new software and hardware
• Technical support
• Recommend changes to policies and processes

How to report an incident or suspicious activity

You are responsible to report all suspicious activities and security-related incidents immediately to the Information Security team, by one of the following channels:

• (preferred) “Report a security incident” by creating an issue in the Jira ServiceDesk.

• If access to the Jira ServiceDesk is not available, employees may send an email to security@jupiterone.com

• For non-sensitive, non-confidential security issues and concerns, employees may post questions on JupiterOne’s #security Slack channel.

• Additionally, employees may report the incident to their direct manager.

• To report a concern under the Whistleblower Policy, you may first discuss the concerns with your immediate manager, or report it directly to the CEO, COO, or CISO. If anonymity is desired, look up the appropriate contact person’s phone number in JustWorks and send an anonymous SMS message via an alternate phone or via a free web-to-sms gateway like SendAnonymousSMS.

  See the Whistleblower Policy section in the HR Security Policy for additional details.