2022.1
Security and compliance is everyone’s responsibility. JupiterOne is committed to ensuring all workforce members actively address security and compliance in their roles. Statistically, cybersecurity breaches typically start with the compromise of end-user computing devices, social engineering, human error or insider threat. Therefore, users are the first line of defense and yet usually the weakest link. As such, training is imperative to ensuring an understanding of current best practices, the different types and sensitivities of data, and the sanctions associated with non-compliance.
In this and all related policy documents, the term “employees” and “workforce members” may be used interchangeably to include all full-time and part-time employees in all job roles, contractors and subcontractors, volunteers, interns, managers and executives at JupiterOne.
The Security Officer is responsible for facilitating the development, testing, implementation, training, and oversight of all activities pertaining to JupiterOne’s efforts to be compliant with security and compliance frameworks such as SOC2 Security. The intent of the Security Officer’s responsibilities is to maintain the confidentiality, integrity, and availability of customer data. The Security Officer is appointed by and reports to the Board of Directors and/or the CEO.
JupiterOne has appointed Sounil Yu as the Security Officer. The security committee is chaired by the Security Officer and represented by select members of the senior leadership team (Security Officer, Director of Engineering, and Director of Security Engineering).
JupiterOne policy requires that:
(a) A Security Officer must be appointed to assist in maintaining and enforcing safeguards towards security and compliance.
(b) Security and compliance is the responsibility of all workforce members (including employees, contractors, interns, and managers/executives). All workforce members are required to:
Complete all required security trainings, including onboarding training, annual regulatory compliance training and additional training as part of the ongoing security awareness program.
Complete additional role-based training in secure coding techniques and incident response, such as specialized training for security champions, developers and testers, during onboarding and again at least annually as required by the information security team.
Follow all security requirements set forth in JupiterOne security policy and procedures, including but not limited to access control policies and procedures and the acceptable use policy for end-user computing.
See something, say something: follow the incident reporting procedure to report all suspicious activities to the security team.
(c) All workforce members are required to report non-compliance with JupiterOne’s policies and procedures to the Security Officer or designee. Individuals that report violations in good faith may not be subjected to intimidation, threats, coercion, discrimination, or any other retaliatory action as a consequence.
(d) All workforce members are required to cooperate with federal, state and local law enforcement activities and legal investigations. It is strictly prohibited to interfere with investigations through willful misrepresentation, omission of facts, or by the use of threats against any person.
(e) Workforce members found to be in violation of this policy will be subject to sanctions.
(f) Segregation of Duties shall be maintained when applicable to ensure proper checks and balances and minimize conflicts of interest. This considerably reduces the possibility of fraud and insider threat, and eliminates single points of compromise to critical systems.
JupiterOne has appointed Sounil Yu as the Security Officer and Deputy Privacy Officer.
The Security Committee is chaired by the Security Officer and represented by select members of the senior leadership team, including the Security Officer, Director of Engineering, and Director of Security Engineering.
The Risk Management Team is formed from members of the Security Committee, including the Security Officer, Director of Engineering, and Director of Security Engineering.
Several of these role functions participate in regular review actions, which may be referenced in §Defined Review Periods.
The authority and accountability for JupiterOne’s information security program and privacy program is delegated to the Security Officer. The Security Officer and the security team are required to perform or delegate the following responsibilities:
Although the Security Officer is responsible for implementing and overseeing all activities related to maintaining compliance, it is everyone’s responsibility (i.e. team leaders, supervisors, managers, co-workers, etc.) to supervise all workforce members and any other user of JupiterOne’s systems, applications, servers, workstations, etc. that contain sensitive data.
JupiterOne has dedicated personnel who have been assigned the job function of security and compliance. Segregation of duties is achieved via a combination of assignment of roles and responsibilities to different personnel, and automated enforcement for software-defined processes.
Segregation of duties and cross-functional review and approval processes serve as a “checks and balances” system: whenever applicable, reviews and approvals must be obtained from designated personnel separate from the individual performing work on a JupiterOne system or process.
The Security Officer facilitates the security training of all workforce members as follows:
The Security Officer reviews the above training requirements annually. RAR1
Documentation of the training session materials and attendees is retained for a minimum of 2 years.
The training sessions focus on, but are not limited to, the following subjects defined in JupiterOne’s security policies and procedures:
JupiterOne leverages KnowBe4 to deliver innovative, fun and engaging security awareness content to all employees monthly. Progress is tracked individually for each employee and reported on KnowBe4’s cloud-managed learning platform.
JupiterOne holds a company-wide roundtable on a bi-weekly basis (other than holidays and other exceptions) to communicate updates across all aspects of business operations, performance and objectives.
Senior management sends out additional company-wide announcements as appropriate through pre-established internal communication channels such as email or messaging (e.g. the Slack #general channel).
Regular performance and status updates are communicated by each department, functional team, and/or designated individuals through pre-established channels.
Additionally, each project team maintains team updates at their own committed cadence and channel – for example, daily development standups/scrum or weekly team meetings.