Policies and procedures
JupiterOne Policies provides over 120 policy and procedure templates to help your organization build your security program and operations from zero. These templates are derived from the JupiterOne internal policies and procedures, and have been through several iterations of compliance assessments.
JupiterOne Policies enables you to:
- Generate corporate security policies and procedures from templates
- Manage all policies and procedures
- Map controls/procedures to compliance requirements
- Use the Policy Builder CLI to manage policies
- Leverage existing policies within JupiterOne's Compliance app
Generating Policies and Procedures
To create a policy from a template:
Click Policies in the JupiterOne workspace.
In the left column, select the policy template you want to use and customize.
From the three-dot menu in the top-right corner of a selected policy, click Edit Policy. You can also edit controls and procedures by selecting the edit option for the respective menu.
From the modal, you can edit the Policy name, ID, and JSON Metadata.
After making the desired changes, selecting Publish will push those changes into effect, while Save Draft will store those changes which can be published at a later time.
You must have Administrator access to your JupiterOne account to edit or export policies.
It may take a few minutes for the policy and procedure documents to be generated for the first time. After you create documents, members of your team must review and accept them. Reviewers must have the Person entity class with an associated email address. If the reviewer does not that the Person entity, you can add it from within JupiterOne Assets.
Manage Policies and Procedures
Similar to the concept of micro-services, the policies and procedures are written as micro-docs. Each policy and procedure document is written in its own individual file, in Markdown format, and linked together via a configuration.
These templates are open source and can be found in our GitHub repo here.
Variables
The Markdown text contains both global and local variables in this format: {{variableName}}. Do not edit the variables in the templates because they would be auto-replaced by the relevant text.
A procedure document may contain an optional local {{provider}} variable. This variable allows you to configure the control provider that implements or has been designated the responsibility to fulfill that procedure. For example, the provider for "Single Sign On" could be "Okta", "OneLogin", "JumpCloud", "Google", etc. This provider value can be entered near the top of the document editor when it is open, right below the Document Title field.
The procedure editor also presents you a short summary guidance description. Additionally, you may toggle the Adopted flag on or off depending on your readiness to adopt a particular procedure.
Versioning
Edits to policies and procedure documents are automatically versioned upon save. The {{defaultRevision}} variable is populated with the date the document was last edited.
Using the Policy Builder CLI
JupiterOne provides an offline CLI that enables you to manage your policies and procedures offline (for example, as code in a Git repo), and publish to your JupiterOne account, as needed. For more information see our Policy Builder CLI guide.
Additionally, detailed usage can be found in the jupiter-policy-builder repo and README
Using existing policies
JupiterOne Policies is an optional component of the JupiterOne platform. It is not a prerequisite for the rest of the platform. JupiterOne Compliance is the only app that depends on JupiterOne Policies for appropriate mappings to compliance framework requirements and controls.
You are not required to use the JupiterOne-provided policy/procedure templates. If your organization already has written documents for security policies and procedures, and you would like to take advantage of JupiterOne Compliance and its mapping capabilities, you can transform your existing policies and publish them to JupiterOne.
To learn more about how to bring in your own existing policies into JupiterOne, see our security-policy-template repo.
Exporting Policies
As needed, policies can be exported from JupiterOne for use and reference elsewhere. To export a policy:
- Navigate to the Policies tab.
- Select the policy you would like to export.
- Click the three dot icon and choose the desired export format from the drop-down.
JupiterOne supports exporting polices as PDF, HTML, or ZIP files.
You can also download the policy's audit history from the same drop-down.