Compliance status

The JupiterOne Compliance Status view provides measurements and status indicators at four different maturity levels for each compliance framework and its requirements and controls:

  • Documented policies and procedures
  • Implementation evidence, either via data-driven queries or external evidence
  • Gap analysis between fulfilled requirements and outstanding remediation
  • Continuous monitoring and remediation

JupiterOne Compliance Status

Requirements and Evidences Statuses

Compliance is measured by requirements and by evidence that you have met those requirements. The different statuses indicate where action and attention are needed.

| Symbol | Meaning |
| --- | --- |
| ⚠️ Attention | Potential remediation is needed because J1 has detected a potential gap in compliance. |
| ✓ Evidences (Blue) | Linked evidence files provide proof of compliance. |
| Evidences (Grey) | No linked evidence files to prove compliance. |
| Unknown | A manual review of a compliance issue is necessary. |
| Gap | There are gaps in your compliance that you must remove. |
| Tested | The framework requirement is complete and being monitored. |
| ✓ Policies (Green) | The framework requirement is linked to one or more policies. |
| Policies (Grey) | The framework requirement is not currently linked to any policies. |

Click any of these symbols from the frameworks view to see more details about the status.

Note: If you see the Scoped symbol next to a framework, it indicates that filters are applied to this framework to narrow the scope of what the linked evidence looks at.

Query Statuses

If there are compliance gaps in the results of any of the queries in linked questions, these gaps also have color-coded statuses.

| Symbol | Meaning |
| --- | --- |
| Attention | You may have items to remediate. |
| Gap | You must remove these gaps in your compliance. |
| Fulfilled | All controls are in place and being monitored by J1. |
| Unknown | Manual review of a compliance issue is necessary. |

You can also use J1QL to query each framework requirement or control, which returns similar statuses:

  • TESTED

    The framework requirement is complete and being monitored.

  • ATTENTION

    Potential remediation is needed because J1 has detected a potential gap: a mix of properly configured resources and misconfigurations, meaning the requirement is partially fulfilled.

  • GAP

    A control gap is detected with no properly configured resources identified.

  • UNKNOWN

    Manual review is needed because J1 was unable to auto-determine the status with the queries provided.

    This status also appears when the requirement or control has no mapped query question and no external evidence provided.

Export Compliance Artifacts

JupiterOne provides a compliance artifacts package for you to download. You can download either a summary or all the evidence related to a particular framework.

From the details view of a security framework in the JupiterOne Compliance app, click the download icon. JupiterOne builds an evidence package which can take several minutes to prepare.

The compliance artifact export is an asynchronous background job. The download icon turns green when the evidence package finishes building in the background, and JupiterOne initiates a download of the zip file to your computer. You can leave the app while JupiterOne is generating the package.

Compliance Summary

The summary artifact is a zip package containing these two files:

  • complete-policies-and-procedures-listing.csv

    A list of all policies and procedures, and the summary text of each procedure.

  • summary.csv

    A list of all compliance requirements / controls and the status of each item.

All Evidence

The All Evidence artifact is a zip package containing the summary and the evidence output, in this folder structure:

<standard_name>_evidence.zip
|____<standard_name>_evidence
| |____<standard_name> Requirements
| | |____<section_title>
| | | |____<ref> <title>
| | | | |____policies-and-procedures.csv
| | | | |____links.md
| | | | |____note_0_<timestamp>.md
| | | | |____note_1_<timestamp>.md
| | | | |____0_<title_of_first_mapped_question>
| | | | | |____0_<first_query_in_question>.csv
| | | | | |____1_<second_query_in_question>.csv
| | | | |____1_<title_of_second_mapped_question>
| | | | | |____0_<first_query_in_question>.csv
| | | | | |____1_<second_query_in_question>.csv
| | | | |____...
| | | | | |____...
| |____complete-policies-and-procedures-listing.csv
| |____summary.csv

Note: the output of each query is limited to a sample of up to 250 results.
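
An added example, not JupiterOne code: a Python check over an extracted All Evidence package that flags query CSVs that reached the 250-result sample limit, and requirement folders that contain no query output, links or notes. It assumes each query CSV starts with a header row and that links.md and the note files hold the external evidence; the section, requirement and query names in the sample are constructed.

```python
import csv
import re
import tempfile
from pathlib import Path

SAMPLE_CAP = 250                      # per-query result limit stated on this page
QUESTION_DIR = re.compile(r"^\d+_")   # e.g. 0_<title_of_first_mapped_question>

def data_rows(csv_path):
    # Assumption: each query CSV starts with one header row.
    with open(csv_path, newline="", encoding="utf-8") as fh:
        return max(sum(1 for _ in csv.reader(fh)) - 1, 0)

def audit_package(root):
    """Return sorted (requirement, issue) pairs for an extracted evidence folder."""
    findings = []
    for req_root in Path(root).glob("* Requirements"):
        # Layout from the page: <section_title>/<ref> <title>/...
        for req in (p for p in req_root.glob("*/*") if p.is_dir()):
            name = req.relative_to(req_root).as_posix()
            questions = [d for d in req.iterdir()
                         if d.is_dir() and QUESTION_DIR.match(d.name)]
            # Assumption: links.md and note_*.md carry the external evidence.
            has_manual = (req / "links.md").exists() or any(req.glob("note_*.md"))
            if not questions and not has_manual:
                findings.append((name, "no query output, links or notes"))
            for q in questions:
                for f in q.glob("*.csv"):
                    if data_rows(f) >= SAMPLE_CAP:
                        findings.append((name, f"{q.name}/{f.name}: sample cap reached"))
    return sorted(findings)

def build_sample(tmp):
    """Constructed package with hypothetical section, requirement and query names."""
    base = Path(tmp) / "demo_evidence" / "demo Requirements" / "Access Control"
    full = base / "AC-1 Account review" / "0_Which users lack MFA"
    full.mkdir(parents=True)
    with open(full / "0_users.csv", "w", newline="", encoding="utf-8") as fh:
        csv.writer(fh).writerows([["id", "name"]] + [[i, f"user{i}"] for i in range(SAMPLE_CAP)])
    with open(full / "1_admins.csv", "w", newline="", encoding="utf-8") as fh:
        csv.writer(fh).writerows([["id"], ["1"], ["2"]])
    (base / "AC-2 Session timeout").mkdir()
    (base / "AC-3 Key rotation").mkdir()
    (base / "AC-3 Key rotation" / "links.md").write_text("constructed link list\n")
    return Path(tmp) / "demo_evidence"

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for req, issue in audit_package(build_sample(tmp)):
            print(f"{req}: {issue}")
```

A CSV flagged as having reached the cap may be a truncated sample, so its row count should not be read as the full result set of that query.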

PDF Compliance Report

In addition to exporting evidence for a framework, you can also generate a PDF report to use as a handout on the current status of the framework. The report can be customized and edited.

Compliance Framework PDF report

Adjusting report variables

You can adjust the variables for the report around penetration testing to ensure the report reflects your company's penetration test schedule. The variables include:

  • Frequency of penetration testing
  • Date of last penetration test
  • Entity who performed the penetration test
  • Date of next scheduled penetration test

Editing in markdown

In addition to the editable variables of the report, you can also edit the format and content of the report directly via markdown. Select the Edit icon to alter the report contents. While in the edit view, you can select the Preview icon to preview your changes before exporting the PDF.