JupiterOne shall audit, monitor, and assess the access and activity of systems and applications that process or store production and/or sensitive data such as customer data in order to ensure compliance.
Audit activities may be limited by application, system, and/or network auditing capabilities and resources. JupiterOne shall make reasonable and good-faith efforts to safeguard information privacy and security through a well-thought-out approach to auditing that is consistent with available resources.
It is the policy of JupiterOne to safeguard the confidentiality, integrity, and availability of applications, systems, and networks. To ensure that appropriate safeguards are in place and effective, JupiterOne shall audit access and activity to detect, report, and guard against:
This policy applies to all JupiterOne systems that store, transmit, or process customer data.
JupiterOne policy requires that:
(a) All critical computing systems and software, both virtual and physical, must enable audit logging.
(b) Audit logs must include sufficient information to identify who did what, when, where.
(c) An annual audit of JupiterOne security controls must be conducted, either by a designated internal audit team or a qualified external audit firm. AUDT1
JupiterOne’s auditing processes include the following:
This refers to the logging, monitoring, scanning and alerting of a system, account, or environment, which may be achieved using real-time automated scripts/software or a manual review/testing. This type of auditing is performed continuously as part of JupiterOne operations.
!!! tip “Examples include:”
* User: User and account-level audit trails generally monitor and log all commands directly initiated by the user, all identification and authentication attempts, and data and services accessed. * Application: Application-level audit trails generally monitor and log all user activities, including data accessed and modified and specific actions. * System: System-level audit trails generally monitor and log user activities, applications accessed, file integrity, and other system-defined specific actions. * Network: Network-level scans or audit trails generally monitor information on what is operating, perform penetrations, and identify vulnerabilities. * Traffic: Incoming and outgoing traffic to into and out of production/restricted environments. For example, firewall logs or VPC flow logs in AWS. * Data: This includes all successful and failed attempts at production data access and editing.
Data associated with above events will include origin, destination, action performed, timestamp, and other relevant details available.
This refers to the review of all user and service accounts and permissions across JupiterOne operational environments, including on-premise systems, cloud environments such as AWS accounts, and other accounts such as Google G Suite-managed applications.
This refers to the audit performed against the Technical, Administrative, and/or Physical controls as defined in JupiterOne policies and procedures, to measure their adoption and effectiveness. This type of auditing is typically performed by either a designated internal audit team or an external audit firm, at defined intervals or prompted by a trigger event.
!!! tip “Potential trigger events include:”
* Scheduled compliance audit/assessment <sub>[AUDT1](/defined-review-periods.html)</sub> * High risk or problem prone incidents or events, or as part of post-incident activities * Business associate, customer, or partner complaints * Identification of significant security vulnerabilities * Atypical patterns of activity * Failed authentication attempts * Remote access use and activity * Activity post termination * Random audits
Security logs, events, and audit trails are reviewed by the Security Team with the assistance of automated systems and processes.
Additional manual reviews, such as user accounts and access auditing, may be necessary from time to time. These activities may be triggered by the events listed above.
Manual audits and reviews activities are tracked in the JIRA SEC Project.
Auditing, reviews and testing may be carried out internally or provided through an external third-party vendor. Whenever possible, a third party auditing vendor should not be providing the organization IT oversight services (e.g., vendors providing IT services should not be auditing their own services to ensure separation of duties).
All connections to the JupiterOne Platform are monitored. Access is limited to certain services, ports, and destinations, including a deny-all policy on access for OFAC-sanctioned countries. Exceptions to these rules, if created, are reviewed on an annual basis. AUDT3
Responsibility for audit activity is assigned to JupiterOne’s Security Officer.
The Security Officer shall:
The manual audit process shall define and include:
A request may be made for an audit for a specific cause. The request may come from a variety of sources including, but not limited to, Security Officer, Customer, Partner, or an Application owner or application user.
A request for an audit for specific cause must include time frame, frequency, and nature of the request.
A request for an audit must be reviewed and approved by JupiterOne’s Security Officer before proceeding. Under no circumstances shall detailed audit information be shared with parties without proper permissions and access to see such data.
Audit information that is gathered for specific-cause must be reviewed in a timely manner, at least monthly, by the responsible workforce member(s). AUDT4 Additional reviews are performed as needed to assure the proper data is being captured and retained.
The reporting process shall allow for meaningful communication of the audit findings to relevant workforce members, Customers, or Partners.
Reports of audit results shall be limited to internal use on a minimum necessary/need-to-know basis. Audit results shall not be disclosed externally without administrative and/or legal counsel approval.
Security audits constitute an internal, confidential monitoring practice that may be included in JupiterOne’s performance improvement activities and reporting. Care shall be taken to ensure that the results of the audits are disclosed to administrative-level oversight structures only and that information which may further expose organizational risk is shared with extreme caution. Generic security audit information may be included in organizational reports (individually-identifiable information shall not be included in the reports).
Whenever indicated through evaluation and reporting, appropriate corrective actions must be undertaken. These actions shall be documented and shared with the responsible workforce members, Customers, and/or Partners.
Most controls are continuously monitored and reported via automation on the JupiterOne Platform.
Control deficiencies identified as a result of an internal or external system audit are documented and reviewed with management.
The Security Team works with the corresponding control owner to prioritize and mitigate the control deficiency, including applying corrective actions, implementating additional controls or adjusting existing controls as needed.
JupiterOne logging standards requires application and system logs to contain sufficient information to determine who did what, when, where to ensure recording of security and audit events and to generate evidence for unauthorized activities.
All systems and software developed at JupiterOne must have security events logging enabled as part of or in addition to standard application logging.
Security events and audit logs MUST:
All security log events must have the following attributes at minimum:
The following types of security events must be logged at minimum:
All application and system logs must remove or mask:
Any sensitive information, such as personally identifiable information (PII)
Authentication and session tokens, or user credentials
Examples of recommended application events for logging and their auditing purpose:
|Client requests and server responses||forensics and debugging - details level is defined by application|
|Successful and unsuccessful login attempts||authentication|
|Successful and failed access to application resources||authorization, escalation of privileges|
|Excessive amount of requests from the client||brute-forcing, malicious bots, denial of service attacks|
|E-mails sent by an application||spamming, social engineering|
Details and guidance for logging configuration in JupiterOne systems is documented at:
Whenever possible, audit logs shall be stored on a separate system to minimize the impact auditing may have on the privacy system and to prevent access to audit trails by those with system administrator privileges.
JupiterOne’s Security Officer is authorized to select and use assessment tools that are designed to detect vulnerabilities and intrusions. For example, vulnerability testing software may be used to probe the network to identify what is running (e.g., operating system or product versions in place), whether publicly-known vulnerabilities have been corrected, and evaluate whether the system can withstand attacks aimed at circumventing security controls.
Use of such tools against JupiterOne systems and environments are prohibited by others, including Customers and Partners, without the explicit authorization of the Security Officer. These tools may include, but are not limited to: