internal-security-psp

HR and Personnel Security

2023.3

JupiterOne is committed to ensuring all employees and contractors actively address security and compliance in their various roles JupiterOne. Employees and contractors are collectively referred to as ‘workforce members’. We encourage self management and reward the right behaviors. This policy specifies acceptable use of end-user computing devices and technology. Additionally, training is imperative to assuring an understanding of current best practices, the different types and sensitivities of data, and the sanctions associated with non-compliance.

Policy Statements

In addition to the duties stated earlier in Roles, Responsibilities and Training, JupiterOne policy requires all workforce members to comply with all applicable policies defined below.

JupiterOne policy requires that:

(a) Background verification checks on all workforce members may be carried out in accordance with relevant laws, regulations, and ethics, and proportional to the business requirements, the classification of the information to be accessed, and the perceived risk. All workforce members must sign a non-disclosure agreement (NDA). Generally, all candidates for full-time employment and contractors with system access should undergo background checks and sign an NDA before receiving system access. At the discretion of the Security Officer, agencies may conduct contractor background checks on behalf of JupiterOne.

(b) Employees, contractors and third party users must agree and sign the terms and conditions of their employment contract, and comply with Acceptable Use Policies (AUPs).

(c) Employees will go through an onboarding process that familiarizes them with the environments, systems, security requirements, and procedures JupiterOne has in place. Employees will also have ongoing security awareness training that is audited.

(d) Employee offboarding will include reiterating any duties and responsibilities still valid after termination, verifying that access to any JupiterOne systems has been removed, as well as ensuring that all company-owned assets are returned.

(e) JupiterOne and its employees will take reasonable measures to ensure that NO data classified Internal or higher is transmitted via digital communications such as email or posted on social media outlets.

(f) JupiterOne will maintain a list of prohibited activities that will be part of onboarding procedures and have training available if/when the list of those activities changes.

(g) A fair disciplinary process will be utilized for employees that are suspected of committing breaches of security. Multiple factors will be considered when deciding the response such as whether or not this was a first offense, training, business contracts, etc. JupiterOne reserves the right to terminate employees in the case of serious cases of misconduct.

Controls and Procedures

HR Management and Reporting

JupiterOne uses JustWorks to manage its workforce personnel records.

Organization Structure

A reporting structure has been established that aligns with the organization’s business lines and/or individual’s functional roles. The organizational chart is available to all employees via the JustWorks Directory.

Job Functions and Descriptions

Position / Job descriptions are documented and updated as needed that define the skills, responsibilities, and knowledge levels required for certain jobs.

Performance Reviews and Feedback

Employees receive regular feedback and acknowledgement from their manager and peers. Formal performance reviews are conducted annually and stored in JustWorks. Performance measures, incentives, and other rewards are established by management according to responsibilities at all levels, reflecting appropriate dimensions of performance and expected standards of conduct.

Acceptable Use Policy for End-user Computing

JupiterOne requires all workforce members to comply with the following acceptable use requirements and procedures, such that:

(a) Per JupiterOne’s security model and architecture, all workforce members, including those physically in JupiterOne offices, are treated as remote users, and must follow all system access control requirements and procedures for remote access.

(b) Use of JupiterOne computing systems and devices, including approved BYOD devices, and activities on such devices are subject to monitoring by the JupiterOne Security Team.

(c) All laptops, workstations, computing systems, and devices used to access company data or systems must be configured to comply with the following:

• Whole/full disk encryption
• Endpoint security agent
• Malware protection
• Local firewall enabled
• Password-protected screensaver
• Automatic security patching enabled

(d) All data storage devices and media will be managed according to the JupiterOne Data Classification specifications and Data Handling procedures.

(e) Workforce members WILL:

• Read, comply with, and acknowledge yearly the company security policies and procedures, sanction policies, and this Acceptable Use Policy (AUP).
• Protect all devices used to perform work for JupiterOne at remote locations.
• Use only approved and legal software with a valid license either online or on devices.
• Follow documented policies and procedures to protect sensitive and confidential data.
• Encrypt all email messages containing sensitive or confidential data.
• Keep all access credentials (usernames, passwords, MFA, etc.) confidential.
• Regularly backup business data on the devices used for JupiterOne work to approved data storage media/repositories such as the company Google Drive.
• Report any incident or suspicious activity to the Security team and/or management.
• Report any suspected criminal activity such as money laundering or antitrust violations following the reporting guidelines laid out in the employee handbook.

(f) Workforce members will NOT:

• Leave unattended in public areas computing systems or devices (including laptops and smart devices) used for business purposes, whether company-owned or BYOD.
• Use personal software for business purposes or business software for personal use.
• Post sensitive or confidential data in blogs, support tickets, chat rooms, or other public forums without approval from management for a need for technical support. If there is a need for technical support and with approval from management, data must be sanitized to remove any sensitive or confidential information prior to posting.
• Send sensitive or confidential data by email, chat, or similar public communication channels.
• Store sensitive or confidential data in online file shares such as Google Drive, Sharepoint, or DropBox, in logs, or in source code.
• Discuss customer information in public
• Download or store any JupiterOne customer data on end-user computing devices including laptops, workstations, and mobile devices, or store/print such data on paper, or transmit such data by fax.
• Connect directly to JupiterOne production environments with mobile devices.
• Share individual user credentials with others.
• Use shared/generic, guest/anonymous, emergency, or temporary accounts without explicit approval.

Employee Screening Procedures

JupiterOne publishes job descriptions for available positions and conducts interviews to assess a candidate’s technical skills, aptitude, and culture fit prior to hiring.

Background checks of an employee or contractor may be performed by HR/operations and/or the hiring team prior to the start date of employment, per JupiterOne’s high-level policy.

Employee Onboarding Procedures

A master checklist for employee onboarding is maintained by HR. It is published in JustWorks or the HR folder on JupiterOne’s Google Drive.

The HR Manager is responsible to create an Issue in the Jira ServiceDesk to initiate and track the onboarding process. The onboarding process should include the following items:

1. Training

   • New workforce members are provided training on JupiterOne security policy, acceptable use policy, security awareness, and given access to the Employee Handbook.
   • Records of training and policy acceptance are kept in JustWorks and/or the JupiterOne Platform.
   • The training and acceptance must be completed within 30 days of employment. _HR1

2. Access

   • Standard access is provisioned according to the job role and approval as specified in the HR onboarding Jira ServiceDesk Issue.
   • Non-standard access requires additional approval following the access request procedures.
   • Request for modifications of access for any JupiterOne employee can be made using the instructions outlined in the Access Establishment, Modification and Termination procedures.

3. System Configuration

   • The end-user computing device (e.g. workstation or laptop) may be provisioned by JupiterOne to install necessary software, malware protection, security agents, and set system configurations.
   • Users in a technical role, such as Development, may choose to self configure their system. In this case, the user is given configuration guidelines defined by Security. The system must have the required security configuration and endpoint agents installed for monitoring and to ensure compliance.

Employee Exiting/Termination Procedures

A master checklist for employee existing/termination is maintained by HR. It is published in JustWorks or the HR folder on [JupiterOne’s Google Drive.

1. The Human Resources Department (or other designated department), users, and their supervisors (HR) are required to notify the Security Team upon completion and/or termination of access needs and facilitating completion of the “Termination Checklist”.

2. HR are required to notify the Security Team to terminate a user’s access rights if there is evidence or reason to believe the following (these incidents are also reported on an incident report and is filed with the Security Officer):

   • A user has been using their access rights inappropriately.
   • A user’s password has been compromised (a new password may be provided to the user if the user is not identified as the individual compromising the original password).
   • An unauthorized individual is utilizing a user’s User Login ID and password (a new password may be provided to the user if the user is not identified as providing the unauthorized individual with the User Login ID and password).
3. The Security Team will terminate users’ access rights immediately upon notification, and will coordinate with the appropriate JupiterOne employees to terminate access to any non-production systems managed by those employees.
4. The Security Team audits and may terminate access of users that have not logged into organization’s information systems/applications for an extended period of time.

Employee Issue Escalation

JupiterOne workforce members are to escalate issues using the procedures outlined in the Employee Handbook. Issues escalated in this way are assigned an owner by the Security Incident Response Team (SIRT).

Security incidents, particularly those involving customer data, are handled using the Incident Management Process.

If the incident involves a data breach, the Security Officer will manage the incident using the Breach Investigation Process.

Refer to the Incident Response Classification section for a list of sample items that can trigger JupiterOne’s incident response procedures; if you are unsure whether the issue is a security incident, contact the Security Team immediately.

It is the duty of the SIRT incident owner to follow the process outlined below:

1. Create an Issue in the JIRA SEC Project.
2. The Issue is investigated, documented, and, when a conclusion or remediation is reached, it undergoes review.
3. The Issue is reviewed by another member of the SIRT. If the Issue is rejected, it goes back for further evaluation and review.
4. If the Issue is approved, it is marked as Done, adding any pertinent notes required.
5. The workforce member that initiated the process is notified of the outcome via email, and/or the SIRT findings Issue from the JIRA SEC Project are linked to in the initiating Issue from the Jira ServiceDesk.

Whistleblower Policy and Process

JupiterOne requires all workforce members to observe high standards of business and personal ethics in the conduct of their duties and responsibilities. All workforce members must practice honesty and integrity in fulfilling their responsibilities and comply with all applicable laws and regulations.

(a) Reporting Responsibility. Each workforce member is required and encouraged to report serious concerns so that JupiterOne can address and correct inappropriate internal conduct and actions. This includes

• questionable or improper accounting or auditing matters,
• violations or suspected violations of company policies or ethics, or
• suspected violations of law or regulations that govern JupiterOne’s operations

(b) Acting in Good Faith. Anyone filing a written complaint concerning a violation or suspected violation must be acting in good faith and have reasonable grounds for believing the information disclosed indicates a violation. Any allegations that prove not to be substantiated and which prove to have been made maliciously or knowingly to be false will be viewed as a serious disciplinary offense.

(c) Confidentiality. Insofar as possible, the confidentiality of the whistleblower will be maintained. However, identity may have to be disclosed to conduct a thorough investigation, to comply with the law, and to provide accused individuals their legal rights of defense.

(d) No Retaliation. Workforce members, in good faith, reporting a concern under the Whistleblower Policy shall NOT be subject to retaliation or adverse employment consequences. Moreover, any workforce member who retaliates against someone who has reported a concern in good faith is subject to disciplinary actions up to and including termination of employment.

(e) Reporting. Reports of concerns may be filed directly with the company CEO, COO, and/or the Security Officer. Additional reporting procedure details can be found in the Employee Handbook.

Employee Performance Review Process

Formal performance reviews are conducted annually using JustWorks.

• 360 feedback is collected from team members working directly with the employee.
• Each employee provides their own self assessment for both performance outcome and behavior.
• Managers review all employee self-assessments and peer feedback, and document their final review and rating.
• The final review and rating is reviewed and signed by both the employee and their manager.

Employee Incentives and Rewards

JupiterOne encourages employees to go above and beyond to contribute to the business objectives and help their peers and customers. Employees are recognized and rewarded for positive behavior on a regular basis via peer recognition, appreciation, feedback, and rewards.

Continuous Education and Skills Development

JupiterOne provides employees the opportunity to attend conferences, trade shows, and/or ongoing training/studies relevant to their job function and business objectives.

Non-Compliance Investigation and Sanctions

Workforce members shall report non-compliance of JupiterOne’s policies and procedures to the Security Officer (or their delegate). Individuals that report violations in good faith may not be subjected to intimidation, threats, coercion, discrimination against, or any other retaliatory action as a consequence.

1. The Security Officer promptly facilitates a thorough investigation of all reported violations of JupiterOne’s security policies and procedures. The Security Officer may request assistance from others in this task.

   • Complete an audit trail/log to identify and verify the violation and sequence of events.
   • Interview any individual that may be aware of or involved in the incident.
   • All individuals are required to cooperate with the investigation process and provide factual information to those conducting the investigation.
   • Provide individuals suspected of non-compliance of the Security rule and/or JupiterOne’s policies and procedures the opportunity to explain their actions.
   • The investigator thoroughly documents the investigation as the investigation occurs. This documentation must include a list of all employees involved in the violation.

2. Violation of any security policy or procedure by workforce members may result in corrective disciplinary action, up to and including termination of employment. Violation of this policy and procedures by others, including business associates, customers, and partners may result in termination of the relationship and/or associated privileges. Violation may also result in civil and criminal penalties as determined by federal and state laws and regulations.

   • A violation resulting in a breach of Confidentiality, Integrity or Availability of sensitive data requires immediate termination of the workforce member from JupiterOne. Examples of such activity may include, but are not limited to:

     • release of customer data to an unauthorized party.
     • unauthorized modification or change of customer data.
     • Denial-of-Service or intentionally preventing a customer from accessing their data.
   • A fair disciplinary process will be utilized for employees are suspected of committing breaches of security. Multiple factors will be considered when deciding the response such as whether or not this was a first offense, training, business contracts, etc.
   • JupiterOne reserves the right to terminate employees in the case of serious cases of misconduct.

3. The Security Officer facilitates taking appropriate steps to prevent recurrence of the violation (when possible and feasible).

4. In the case of an insider threat, the Security Officer will set up a team to investigate and mitigate the risk of insider malicious activity. JupiterOne workforce members are encouraged to come forward with information about insider threats, and can do so anonymously.

5. The Security Officer maintains all documentation of the investigation, sanctions provided, and actions taken to prevent reoccurrence for a minimum of seven years after the conclusion of the investigation.

6. When the Security Officer identifies a violation and begins a formal sanction process, they will notify the appropriate management or supervisors within 24 hours. That notification will include 1) identifying the individual sanctioned, 2) the reason for the sanction, and 3) specific procedures for service or account restriction / revocation or other disciplinary actions as required.

Warning Notice Template

Clean Desk Procedures

Employees must secure all sensitive/confidential information in their workspace at the conclusion of the work day and when away from their workspace. This includes both electronic and physical information such as:

• computer workstations, laptops, and tablets
• removable storage devices including CDs, DVDs, USB drives, and external hard drives
• printed materials

Computer workstations/laptops must be locked (password protected) when physically unattended. Portable devices such as laptops and tablets should be taken home at the conclusion of the work day.

Removable storage devices and printed documents must be treated as sensitive material and locked in a drawer or similar when not in use. Printed materials must be immediately removed from printers or fax machines. Passwords must not be written down or stored physically.

Keys and access cards used for access to sensitive or restricted information/areas must not be left unattended anywhere in the office.