A security compliance framework is a structured set of guidelines that details the processes and procedures your organization implements to be in accordance with established regulations, specifications or legislation. Frameworks can include communication processes, risk controls, and governance practices for maintaining compliance.
The first step in compliance management is to select the frameworks with which you want to be compliant. You can select the preset standards provided by JupiterOne or import your own configuration.
You must have the admin Compliance permission to be able to import frameworks.
To add a compliance framework:
- From within the JupiterOne dashboard, navigate to the Compliance tab.
- Select Frameworks from the left column and select Add Framework.
- Choose one of the templates that JupiterOne provides.
- If you wish to import your own framework, click Import JSON/CSV and paste your compliance framework file in JSON or CSV format. Follow this schema for JSON.
See these example framework files to use as references.
It is important to note that you must have the necessary license and permission to use a framework for your organization. Licensing is not provided by JupiterOne, except for CIS Controls and Benchmarks.
If you want to import a compliance standard specification from a CSV file, the CSV header must contain the following as column headers:
Filter on Scope
Scoping a framework lets you control which assets in your environment the framework is evaluated against, giving you control over the level of detail you see. At its most basic level, setting the scope means filtering a framework so that it looks at and evaluates only the things you want it to, saving time and resources. Examples of scoping include specific integration instances, _class, and other filters.
Before You Begin:
- You must have Administrator privileges to JupiterOne Compliance.
- Depending on your filter value, you must know the _tag value, as this is not automatically populated.
- You can set multiple levels of filters. Be aware that the filters are hierarchical: each subsequent filter applies only within the values selected by the first set of filters.
To set the scope of a framework:
- From the JupiterOne Compliance tab, select the framework you'd like to scope, and click Set Scope Filters.
- Within the Set Scope Filter dialog, press the
- To select permission filters, click the Permission tab in the window. From the dropdown menu, select a permission filter.
You can filter on the following:
- `type`: Type of asset, such as datastore or persons
- `_class`: Class of asset, such as requirement or image
- `_integrationClass`: Category of integration, such as Data Loss Prevention or App Hosting
- `_integrationType`: Type of integration, such as Jira or GovCloud
- `integrationInstanceId`: Your integration account ID
- A custom filter of your own
- To set scope filters using _tag values, choose the Tag tab. This lets you filter the framework to assets that carry that tag, which is useful if you use critical-asset tags or other tags to manage your integrations. Enter the name of the tag you want to use and the values that pertain to it.
- Press Save to finalize your changes to the scope filters.
After you set the filters, they take effect the next time JupiterOne evaluates the framework requirements.
Editing framework requirements
You can edit requirements within a given framework. When viewing a requirement, click the three-dot icon to bring up the actions menu for that requirement. From this menu, you can:
- Create a Jira ticket
- Move the requirement up
- Move the requirement down
- Mark the requirement as not applicable
- Edit the requirement
- Delete the requirement