The JupiterOne platform follows this data structure to make connections between written policies and compliance standards:

```
security_procedure
  |
  |-- IMPLEMENTS -> security_policy
  |
  |-- IMPLEMENTS -> compliance requirement or control
```
See this article for the full GRC graph data model.
The mapping between a security procedure (i.e. written documentation describing a security control or process) and a compliance requirement is done via a JSON configuration file.
An example mapping is provided here:
This JSON can be edited to meet your organization's policy procedures and compliance specifications, and then uploaded to the JupiterOne Compliance app:
- Go to https://apps.us.jupiterone.io/compliance
- Click Edit mapping
- Copy/paste your "Policy Procedures to Compliance Mapping" JSON
See the schema documented here.
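Before pasting a mapping into the Compliance app, it is worth checking it offline for dangling references: a procedure ID that does not exist in your policy set, a requirement reference that is not part of the standard, or a requirement that no procedure claims to implement. The script below is an added example and is not JupiterOne's code; the `procedures` / `implements` / `standard` / `requirements` JSON shape it reads is an assumption made for illustration, not the documented schema, so adjust the field names to match the schema linked above. The procedure IDs, standards and requirement references in the sample data are constructed, not taken from any real policy set.

```python
"""Cross-check a procedures-to-compliance mapping JSON before uploading it.

ASSUMPTION: the mapping has the shape
  {"procedures": [{"id": "...", "implements": [{"standard": "...", "requirements": ["..."]}]}]}
This shape is illustrative only; use the field names from the documented schema.
"""
import json
import sys

# Constructed sample: IDs of the procedures that exist in the policy set.
PROCEDURE_IDS = {"cp-policy-mgmt", "cp-access-reviews", "cp-vuln-mgmt"}

# Constructed sample: requirement references per standard (hypothetical values).
STANDARD_REQUIREMENTS = {
    "SOC2": {"CC1.1", "CC6.1", "CC7.1"},
    "HIPAA": {"164.308(a)(1)", "164.312(a)(1)"},
}

# Constructed sample mapping containing two deliberate mistakes:
# an unknown procedure ID and a requirement reference that the standard lacks.
SAMPLE_MAPPING = json.dumps({
    "procedures": [
        {"id": "cp-policy-mgmt",
         "implements": [{"standard": "SOC2", "requirements": ["CC1.1"]}]},
        {"id": "cp-access-reviews",
         "implements": [{"standard": "SOC2", "requirements": ["CC6.1"]},
                        {"standard": "HIPAA",
                         "requirements": ["164.308(a)(1)", "164.312(a)(1)"]}]},
        {"id": "cp-incident-response",
         "implements": [{"standard": "SOC2", "requirements": ["CC7.9"]}]},
    ]
})


def validate_mapping(mapping_json, procedure_ids, standard_requirements):
    """Return a list of problem strings; an empty list means every reference resolves."""
    problems = []
    try:
        mapping = json.loads(mapping_json)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc}"]
    procedures = mapping.get("procedures")
    if not isinstance(procedures, list):
        return ["top-level 'procedures' must be a list"]
    seen = set()
    for i, proc in enumerate(procedures):
        pid = proc.get("id")
        if not isinstance(pid, str) or not pid:
            problems.append(f"procedures[{i}]: missing 'id'")
            continue
        if pid in seen:
            problems.append(f"{pid}: listed more than once")
        seen.add(pid)
        if pid not in procedure_ids:
            problems.append(f"{pid}: no such procedure in the policy set")
        for impl in proc.get("implements", []):
            std = impl.get("standard")
            if std not in standard_requirements:
                problems.append(f"{pid}: unknown standard {std!r}")
                continue
            for ref in impl.get("requirements", []):
                if ref not in standard_requirements[std]:
                    problems.append(f"{pid}: {std} has no requirement {ref!r}")
    return problems


def uncovered_requirements(mapping_json, standard_requirements):
    """Per standard, the requirement references that no procedure claims to implement."""
    mapping = json.loads(mapping_json)
    covered = {std: set() for std in standard_requirements}
    for proc in mapping.get("procedures", []):
        for impl in proc.get("implements", []):
            std = impl.get("standard")
            if std in covered:
                covered[std].update(impl.get("requirements", []))
    return {std: sorted(reqs - covered[std])
            for std, reqs in standard_requirements.items()}


if __name__ == "__main__":
    # Usage: python check_mapping.py [mapping.json]; falls back to the constructed sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_MAPPING
    for line in validate_mapping(text, PROCEDURE_IDS, STANDARD_REQUIREMENTS):
        print("PROBLEM:", line)
    for std, missing in uncovered_requirements(text, STANDARD_REQUIREMENTS).items():
        print(f"{std}: {len(missing)} requirement(s) with no implementing procedure: {missing}")
```

Run against the constructed sample, the check reports the unknown `cp-incident-response` procedure and its non-existent `CC7.9` reference, and shows that `CC7.1` has no implementing procedure; in practice you would load `PROCEDURE_IDS` from your procedure files and `STANDARD_REQUIREMENTS` from the standard's definition rather than hard-coding them.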