Managing Policies and Procedures on JupiterOne

JupiterOne provides a Policies app that allows users to generate and manage corporate security policies and procedures. It has the following capabilities:

• Generating policies and procedures from templates
• Managing policies and procedures online via the webapp
• Mapping controls/procedures to compliance requirements
• Policy Builder CLI

Generating policies and procedures from templates

JupiterOne's Policies app provides a set of over 120 policy and procedure templates to help your organization build your security program and operations from scratch. These templates are derived from our own internal policies and procedures, and have been through several rounds of compliance assessments.

To get started, simply navigate to the Policies app, fill in the following three sections of information in the web form:

• Company information
• Key personnel information (such as your Security and Privacy Officer)
• Security and DevOps tooling information

It may take a few minutes for the policy and procedure documents to be generated for the first time.

Managing policies and procedures online via the webapp

Similar to the concept of "micro-services", the policies and procedures are written as "micro-docs". Each policy and procedure document is written in its own individual file, in Markdown format, and linked together via configuration.

The templates are open source and you can check out more details in this repo: https://github.com/JupiterOne/security-policy-templates

The web app allows you to edit a policy or procedure directly online. Simply click the "Edit" button at the upper corner of a policy or procedure document to bring up the Markdown editor.

You need to have Administrator access to your JupiterOne account in order to edit or export policies.

Variables

Note that the Markdown text contains both global and local variables -- in this format: {{variableName}}. It is best not to edit the variables in the templates since they would be auto-replaced by the relevant text.

A Procedure document may contain an optional local {{provider}} variable. This allows you to configure the control provider that implements or has been designated the responsibility to fulfill that procedure. For example, the provider for "Single Sign On" could be "Okta", "OneLogin", "JumpCloud", "Google", etc. This provider value can be entered near the top of the document editor when it is open, right below the Document Title.

The procedure editor also presents you a short summary guidance description. Additionally, you may toggle the "Adopted" flag on or off depending on your readiness to adopt a particular procedure.

Versioning

Edits to policies and procedure documents are automatically versioned upon save. The {{defaultRevision}} variable will be populated with the date the document was last edited.

Currently the web app does not have a UI to view previous versions of documents.

Download / export policy and procedure documents

The "Export / Download Zip" button at the upper right corner of the screen will generate a zip file containing the following three sets of files:

• templates in Markdown format
• final policies and procedures in Markdown format
• final policies and procedures in HTML format

Policy Builder CLI

JupiterOne provides an offline CLI that allows you to manage your policies and procedures offline (for example, as code in a git repo), and publish to your JupiterOne account as needed.

Detailed usage can be found in the jupiter-policy-builder repo and README: https://github.com/JupiterOne/jupiter-policy-builder

Using your own existing policies

JupiterOne Policies app is an optional component of the platform. It is not a prerequisite for the rest of the platform. The JupiterOne Compliance app is the only app that depends on it for proper mapping to compliance framework requirements and controls.

You are not required to use JupiterOne provided policy/procedure templates. If your organization already has written documents for security policies and procedures, and you would like to take advantage of JupiterOne Compliance app and its mapping capabilities, you can transform your existing policies and publish them to JupiterOne.

The structure is defined here: https://github.com/JupiterOne/security-policy-templates