The JupiterOne compliance platform can perform automated gap analysis based on the query or queries saved in mapped questions. Here is how it works.
Queries saved in a question can be named as follows to trigger gap analysis:

good - Results from a "good" query indicate that the expected configuration is present. For example, a list of critical data stores that are encrypted:

    Find DataStore with classification='critical' and encrypted=true

bad - Results from a "bad" query indicate gaps or misconfigurations. For example, a list of critical data stores that are not encrypted:

    Find DataStore with classification='critical' and encrypted!=true

unknown - Results from an "unknown" query indicate resources with an unknown scope or state. For example, a list of data stores that have no classification tag:

    Find DataStore with classification=undefined
A question can have one or all of the above named queries.
The gap analysis status of each requirement or control may be one of the following:
Requirement is "fulfilled and monitoring".
"Attention - potential remediation needed" because a potential gap has been detected, with a mix of properly configured resources and misconfigurations (i.e. partially fulfilled).
"Gap detected" with no properly configured resources identified, indicating a full control gap.
"Manual review needed" because the platform was unable to auto-determine the status from the queries provided. This status also appears when the requirement or control has no mapped question with queries and no external evidence is provided.
The status is determined by the presence and output of the named queries in the mapped question(s), as seen in the following matrix:
Note: A single query in a question with any name or without a name is implicitly interpreted as a
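The following is an added example, not JupiterOne's own code: it replays the good/bad/unknown decision described above over a constructed DataStore inventory. The three filter functions stand in for the page's J1QL queries, and the rules marked ASSUMPTION (how "unknown" results and all-empty results are rated) are inferred from the prose, not taken from the platform's matrix.

```python
# Added illustration of the good/bad/unknown gap-analysis logic; rules marked
# ASSUMPTION are inferred from the prose, not from JupiterOne's own matrix.
FULFILLED = "fulfilled and monitoring"
ATTENTION = "Attention - potential remediation needed"
GAP = "Gap detected"
MANUAL = "Manual review needed"

# Constructed inventory standing in for the DataStore entities the queries search.
STORES = [
    {"name": "db-customers", "classification": "critical", "encrypted": True},
    {"name": "db-payments", "classification": "critical", "encrypted": False},
    {"name": "bucket-logs", "classification": "internal", "encrypted": True},
    {"name": "bucket-tmp"},  # no classification tag at all
]

def q_good(stores):  # Find DataStore with classification='critical' and encrypted=true
    return [s for s in stores if s.get("classification") == "critical" and s.get("encrypted") is True]

def q_bad(stores):  # Find DataStore with classification='critical' and encrypted!=true
    return [s for s in stores if s.get("classification") == "critical" and s.get("encrypted") is not True]

def q_unknown(stores):  # Find DataStore with classification=undefined
    return [s for s in stores if "classification" not in s]

def gap_status(good=None, bad=None, unknown=None):
    """Result lists of the named queries, or None when the question lacks that query."""
    if good is None and bad is None and unknown is None:
        return MANUAL      # no named query mapped: nothing to auto-determine
    if good and bad:
        return ATTENTION   # mix of compliant and misconfigured resources
    if bad:
        return GAP         # misconfigurations and nothing compliant
    if good:
        return FULFILLED   # expected configuration present, no gaps
    if unknown:
        return MANUAL      # ASSUMPTION: only unclassified resources found
    # Every mapped query returned nothing; ASSUMPTION: an empty "bad" query
    # means no gaps were found, anything else is left for a human to judge.
    return FULFILLED if bad is not None else MANUAL

def analyze(stores, names=("good", "bad", "unknown")):
    """Run only the queries the question names, then rate the requirement."""
    queries = {"good": q_good, "bad": q_bad, "unknown": q_unknown}
    results = {n: queries[n](stores) for n in names}
    return gap_status(results.get("good"), results.get("bad"), results.get("unknown"))

if __name__ == "__main__":
    for names in (("good", "bad", "unknown"), ("good",), ("bad",)):
        print(names, "->", analyze(STORES, names))
```

Dropping the "bad" query from the question changes the same inventory from "Attention" to "fulfilled and monitoring", which is why a question that names only a "good" query cannot surface the unencrypted store.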