JupiterOne Policies, Standards, and Procedures

Risk Management

2020.1

This policy establishes the scope, objectives, and procedures of JupiterOne’s information security risk management process. The risk management process is intended to support and protect the organization and its ability to fulfill its mission.

Policy Statements

JupiterOne policy requires that:

(a) A thorough risk assessment must be conducted to evaluate the potential threats and vulnerabilities to the confidentiality, integrity, and availability of customer data (and other confidential and proprietary electronic information) stored, transmitted, and/or processed by JupiterOne’s production systems.

(b) Risk assessments must be performed with any major change to JupiterOne’s business or technical operations and/or supporting infrastructure, and no less than once per year. RISK1

(c) Strategies shall be developed to mitigate or accept the risks identified in the risk assessment process.

(d) JupiterOne will maintain documentation of all risk assessment, risk management, and risk mitigation efforts for a minimum of seven years.

Controls and Procedures

Risk Management Objectives

JupiterOne has established formal risk analysis and risk management processes to:

Unmitigated risk above the pre-defined acceptable level must be reviewed, approved and accepted by senior management.

Acceptable Risk Levels

Risks that are either low impact or low probability, based on the scoring mechanism defined in the risk assessment process, are generally considered acceptable.

All other risks must be individually reviewed and managed according to the risk management process.

Risk Management Process

Risk analysis and risk management are recognized as important components of JupiterOne’s corporate compliance program and information security program.

Risk assessments are performed before the integration of new system technologies and before changes are made to JupiterOne’s logical and technical safeguards.

!!! important

    Note: these changes do not include routine updates to existing systems,
    deployments of new systems whose design is based on previously configured
    systems, deployments of new Customers, or new code developed for
    operations and management of the JupiterOne Platform.

JupiterOne implements security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to:

  1. Ensure the confidentiality, integrity, and availability of all data JupiterOne receives, maintains, processes, and/or transmits for its Customers.
  2. Protect against any reasonably anticipated threats or hazards to the security or integrity of Customer data.
  3. Protect against any reasonably anticipated uses or disclosures of Customer data that are not permitted or required.
  4. Ensure compliance by all workforce members.

Risk Management Process Requirements

JupiterOne’s risk management process requires that:

  1. Any residual risk remaining after other risk controls have been applied requires sign-off by senior management and JupiterOne’s Security Officer.
  2. All JupiterOne workforce members are expected to fully cooperate with all persons charged with doing risk management work, including contractors and audit personnel. Any workforce member that violates this policy will be subject to disciplinary action based on the severity of the violation, as outlined in §Roles, Responsibilities and Training.
  3. The implementation, execution, and maintenance of the information security risk analysis and risk management process is the responsibility of JupiterOne’s Security Officer (or other designated employee), and the identified Risk Management Team.
  4. All risk management efforts, including decisions made on what controls to put in place as well as those to not put into place, are documented and the documentation is maintained for seven years.
  5. The details of the Risk Management Process, including risk assessment, discovery, and mitigation, are outlined in detail below. The process is tracked, measured, and monitored using the following procedures:

    1. The Security Officer initiates the Risk Management Procedures by creating an Issue in the JupiterOne internal-security repo.
    2. The Security Officer is assigned to carry out the Risk Management Procedures.
    3. All findings are documented and linked to the Issue.
    4. Once the Risk Assessment steps are complete, along with corresponding documentation, the Security Officer approves or rejects the Issue. If the Issue is rejected, it goes back for further review and documentation.
    5. If the review is approved, the Security Officer then marks the Issue as Done, adding any pertinent notes required.
  6. The Risk Management Procedure is monitored on a quarterly basis using JupiterOne Platform reporting to assess compliance with above policy. RISK2

Third party risk management details including procurement and systems acquisition can be found in §vendor.

Risk Management Schedule

The two principal components of the risk management process, risk assessment and risk mitigation, will be carried out according to the following schedule to ensure the continued adequacy and continuous improvement of JupiterOne’s information security program:

Risk Assessment and Analysis

The intent of completing a risk assessment is to determine potential threats and vulnerabilities and the likelihood and impact should they occur. The output of this process helps to identify appropriate controls for reducing or eliminating risk.

Throughout the steps below, the definitions of impact labels such as low, medium, and high are those given in NIST FIPS 199.

Step 1. System Characterization

Step 2. Threat Identification

Step 3. Vulnerability Identification

Step 4. Control Analysis

Step 5. Likelihood Determination

Step 6. Impact Analysis

Step 7. Risk Determination

Step 8. Control Recommendations

Step 9. Results Documentation

Risk Mitigation and Monitoring

Risk mitigation involves prioritizing, evaluating, and implementing the appropriate risk-reducing controls recommended from the Risk Assessment process to ensure the confidentiality, integrity and availability of JupiterOne Platform data. Determination of appropriate controls to reduce risk is dependent upon the risk tolerance of the organization consistent with its goals and mission.

Step 1. Prioritize Actions

Step 2. Evaluate Recommended Control Options

Step 3. Conduct Cost-Benefit Analysis

Step 4. Select Control(s)

Step 5. Assign Responsibility

Step 6. Develop Safeguard Implementation Plan

Step 7. Implement Selected Controls

Risk Registry

The JupiterOne Security Team maintains a registry of risks that is captured and kept updated.

The risk registry includes all risks and threats identified during the annual risk assessment and all interim reviews. RISK1

Cyber Liability Insurance

JupiterOne holds cyber liability insurance with sufficient coverage based on the organization’s risk profile.

Our current cyber liability policy is provided by Lloyds America, Inc.

Fraud Risks

Due to its transparent culture, team size, and operating model, which includes separation of duties, comprehensive controls, and continuous monitoring and auditing, JupiterOne considers its fraud-related risk to be very low.

JupiterOne hires KSM Business Services to perform accounting services and annual financial audits. RISK3

Fraud risk is re-evaluated as part of the organization’s annual risk assessment. RISK1

The assessment considers the following aspects of fraud:

Financial-related fraud assessment is led by the COO/CFO.

IT-related fraud assessment is led by the Security Officer.

Potential Frauds and Likelihood

| Fraud Risk | Likelihood | Controls/Monitors In Place |
| --- | --- | --- |
| Fraudulent Financial Reporting | Low | Monthly executive team reviews of business plan and revenue RISK4; financial review by external accounting firm |
| Misappropriation of Assets | Low | Expense reporting and asset tracking in place |
| Regulatory and Legal Misconduct | Low | Audit and compliance policies and processes, including whistleblower procedures; engage external law firm to review legal conduct |
| Payroll Fraud | Low | Payroll is reviewed by at least two people internally as well as by external accounting firm |
| Kickbacks / Conflict of Interest | Low | Team-based vendor review and selection process |
| Misuse of Cloud Resources | Low | Continuous resource monitoring for all cloud accounts and regions, and expense monitoring |
| Other IT Fraud | Low | IT assets and resources tracking |

Anti-Money Laundering

It is the policy of JupiterOne to prohibit and actively prevent money laundering and any activity that facilitates money laundering or the funding of terrorist or criminal activities.

Antitrust Compliance

All employees of JupiterOne must comply strictly and in good faith with the letter and spirit of all antitrust laws in any location in which JupiterOne transacts business. Antitrust laws are designed to protect and promote free and open competition, a policy which JupiterOne believes is in the best interest of the Company, its competitors and suppliers, and its customers.