config.json

{
  "organization": {
    "companyFullName": "Above Property LLC.",
    "companyShortName": "APS",
    "companyEmailDomain": "aboveproperty.com",
    "companyWebsiteURL": "https://www.aboveproperty.com",
    "companyMailingAddress": "3555 Kraft Road, Suite 400 Naples Fl 34105 USA",
    "companyOverview": "An advanced, multi-tenant, rules based global travel solution.",
    "contactPhoneNumber": "(239) 263-7406",
    "ceoName": "Aaron Shepherd",
    "ceoEmail": "aaron.shepherd@aboveproperty.com",
    "cooName": "Steve Lapekas",
    "cooEmail": "steve.lapekas@aboveproperty.com",
    "ctoName": "Tim Kieschnick",
    "ctoEmail": "tim.kieschnick@aboveproperty.com",
    "securityOfficerName": "Pete Ehlke",
    "securityOfficerEmail": "pete.ehlke@aboveproperty.com",
    "privacyOfficerName": "Pete Ehlke",
    "privacyOfficerEmail": "pete.ehlke@aboveproperty.com",
    "securityCommitteeMembers": "Security Officer, CTO, CIO, COO, CEO",
    "wantCustomMkdocsTemplate": false,
    "mkdocsLogoURL": "",
    "mkdocsThemeColorPrimary": "",
    "mkdocsThemeColorAccent": "",
    "securityPolicyURL": "https://compliance.aboveproperty.com",
    "privacyPolicyURL": "https://compliance.aboveproperty.com/privacy-policy/",
    "cookiePolicyURL": "https://compliance.aboveproperty.com/cookie-policy",
    "sourceControl": "GitHub",
    "ticketingSystem": "Rally",
    "internalHelpdeskURL": "mailto:helpdesk@aboveproperty.com",
    "policyRepoURL": "https://github.com/aboveproperty/security-policies",
    "cmPortal": "https://rally1.rallydev.com",
    "ciSystem": "Jenkins",
    "hrSystem": "TriNet",
    "supportBYODandMDM": true,
    "haveSecurityScorecard": false,
    "securityScorecardPeriod": "none",
    "securityScorecardURL": "N/A",
    "expenseReporting": "",
    "devWikiURL": "",
    "hipaaTrainingURL": "",
    "statusPageURL": "",
    "securityAwarenessTrainingProvider": "GLS On Demand",
    "onCallPagingProvider": "PagerDuty",
    "IdP": "",
    "CPA": "",
    "needStandardHIPAA": false,
    "needStandardHITRUST": false,
    "needStandardGDPR": true,
    "needStandardNIST": true,
    "needStandardPCI": true,
    "needWhistleblower": false,
    "isServiceProvider": true,
    "isHIPAACoveredEntity": false,
    "isHIPAABusinessAssociate": false,
    "isHIPAAGovernmentEntity": false,
    "isHIPAAPlanSponsor": false,
    "isHIPAAHealthcareClearinghouse": false,
    "currentRevision": "Last Reviewed: 2024-09-11:08:37:16-MST"
  },
  "standards": [
    {
      "id": "hipaa",
      "file": "st-hipaa.md",
      "name": "HIPAA",
      "type": "compliance",
      "supported": true,
      "adopted": false
    },
    {
      "id": "hitrust-csf",
      "file": "st-hitrust.md",
      "name": "HITRUST Common Security Framework",
      "type": "certification",
      "supported": true,
      "adopted": false
    },
    {
      "id": "nist-csf",
      "file": "st-nist.md",
      "name": "NIST Cybersecurity Framework",
      "type": "standard",
      "supported": false,
      "adopted": false
    },
    {
      "id": "iso2700x",
      "file": "st-iso2700x.md",
      "name": "ISO 27001/27002",
      "type": "standard",
      "supported": false,
      "adopted": false
    },
    {
      "id": "cis",
      "file": "st-cis.md",
      "name": "CIS Critical Security Controls",
      "type": "standard",
      "supported": true,
      "adopted": true
    },
    {
      "id": "owasp",
      "file": "st-owasp.md",
      "name": "OWASP Top Ten",
      "type": "best-practice",
      "supported": false,
      "adopted": true
    },
    {
      "id": "pci",
      "file": "st-pci.md",
      "name": "PCI-DSS",
      "type": "compliance",
      "supported": true,
      "adopted": true
    },
    {
      "id": "gdpr",
      "file": "st-gdpr.md",
      "name": "EU General Data Protection Regulation (GDPR)",
      "type": "compliance",
      "supported": false,
      "adopted": false
    }
  ],
  "domains": [
    {
      "id": "AI",
      "name": "Assets and Infrastructure",
      "policies": [
        "asset-mgmt",
        "ccm",
        "mdm"
      ],
      "procedures": []
    },
    {
      "id": "PA",
      "name": "People and Access",
      "policies": [
        "access",
        "hr",
        "rar"
      ],
      "procedures": []
    },
    {
      "id": "VM",
      "name": "Vulnerability Management",
      "policies": [
        "vuln-mgmt"
      ],
      "procedures": []
    },
    {
      "id": "SD",
      "name": "Software Development",
      "policies": [
        "sdlc"
      ],
      "procedures": []
    },
    {
      "id": "DA",
      "name": "Data and Applications",
      "policies": [
        "data-mgmt",
        "data-protection"
      ],
      "procedures": []
    },
    {
      "id": "OR",
      "name": "Operations and Response",
      "policies": [
        "model",
        "bcdr",
        "breach",
        "system-audit",
        "threat"
      ],
      "procedures": []
    },
    {
      "id": "PS",
      "name": "Physical and Datacenter Security",
      "policies": [
        "facility"
      ],
      "procedures": []
    },
    {
      "id": "GRC",
      "name": "Governance, Risk and Compliance",
      "policies": [
        "bcdr",
        "compliance-audit",
        "corp-gov",
        "policy-mgmt",
        "privacy",
        "rar",
        "risk-mgmt",
        "vendor"
      ],
      "procedures": []
    }
  ],
  "policies": [
    {
      "id": "program",
      "file": "policies/program.md",
      "name": "Security Program Overview",
      "adopted": true,
      "procedures": [
        "cp-ism-scope",
        "cp-ism-policies",
        "cp-ism-reporting"
      ]
    },
    {
      "id": "corp-gov",
      "file": "policies/corp-gov.md",
      "name": "Corporate Governance",
      "adopted": true,
      "procedures": [
        "cp-gov-bod"
      ]
    },
    {
      "id": "policy-mgmt",
      "file": "policies/policy-mgmt.md",
      "name": "Policy Management",
      "adopted": true,
      "procedures": [
        "cp-policy-framework",
        "cp-policy-mgmt"
      ]
    },
    {
      "id": "model",
      "file": "policies/model.md",
      "name": "Security Architecture and Operating Model",
      "adopted": true,
      "procedures": [
        "cp-model-principles",
        "cp-model-architecture",
        "cp-model-metrics",
        "cp-model-quality"
      ]
    },
    {
      "id": "rar",
      "file": "policies/rar.md",
      "name": "Roles, Responsibilities and Training",
      "adopted": true,
      "procedures": [
        "cp-role-assignment",
        "cp-training-policy",
        "cp-training-awareness",
        "cp-training-hipaa",
        "cp-internal-comms"
      ]
    },
    {
      "id": "risk-mgmt",
      "file": "policies/risk-mgmt.md",
      "name": "Risk Management and Risk Assessment Process",
      "adopted": true,
      "procedures": [
        "cp-risk-mgmt-objectives",
        "cp-risk-mgmt",
        "cp-risk-assess",
        "cp-risk-mitigation",
        "cp-risk-registry",
        "cp-risk-insurance",
        "cp-risk-fraud"
      ]
    },
    {
      "id": "compliance-audit",
      "file": "policies/compliance-audit.md",
      "name": "Compliance Audits and External Communications",
      "adopted": true,
      "procedures": [
        "cp-compliance-mgmt",
        "cp-compliance-requests",
        "cp-compliance-monitor"
      ]
    },
    {
      "id": "system-audit",
      "file": "policies/system-audit.md",
      "name": "System Audits, Monitoring and Assessments",
      "adopted": true,
      "procedures": [
        "cp-audit-types",
        "cp-events-analysis",
        "cp-audit-internal",
        "cp-audit-request",
        "cp-audit-review",
        "cp-audit-control-deficiency",
        "cp-audit-trails",
        "cp-audit-trails-integrity",
        "cp-audit-customers",
        "cp-audit-tools",
        "cp-audit-training"
      ]
    },
    {
      "id": "hr",
      "file": "policies/hr.md",
      "name": "HR and Personnel Security",
      "adopted": true,
      "procedures": [
        "cp-hr-mgmt",
        "cp-employee-acceptable-use",
        "cp-employee-screening",
        "cp-employee-onboarding",
        "cp-employee-exiting",
        "cp-employee-escalation",
        "cp-employee-whistleblower",
        "cp-employee-performance",
        "cp-employee-recognition",
        "cp-employee-development",
        "cp-sanctions"
      ]
    },
    {
      "id": "access",
      "file": "policies/access.md",
      "name": "Access",
      "adopted": true,
      "procedures": [
        "cp-access-standards",
        "cp-access-password",
        "cp-access-sso",
        "cp-access-mfa",
        "cp-access-passkey",
        "cp-access-rbac",
        "cp-access-aws",
        "cp-access-vpn",
        "cp-access-phi",
        "cp-access-customer",
        "cp-access-change",
        "cp-access-review",
        "cp-access-privileged",
        "cp-access-service",
        "cp-access-endpoints",
        "cp-access-wifi",
        "cp-access-prod",
        "cp-access-prod-data",
        "cp-access-reset"
      ]
    },
    {
      "id": "facility",
      "file": "policies/facility.md",
      "name": "Facility Access and Physical Security",
      "adopted": true,
      "procedures": [
        "cp-physical",
        "cp-physical-datacenter",
        "cp-physical-cleandesk"
      ]
    },
    {
      "id": "asset-mgmt",
      "file": "policies/asset-mgmt.md",
      "name": "Asset Inventory Management",
      "adopted": true,
      "procedures": [
        "cp-asset-physical",
        "cp-asset-digital",
        "cp-asset-paper"
      ]
    },
    {
      "id": "data-mgmt",
      "file": "policies/data-mgmt.md",
      "name": "Data Management",
      "adopted": true,
      "procedures": [
        "cp-data-classification",
        "cp-data-handling",
        "cp-data-lifecycle",
        "cp-data-backup",
        "cp-data-deletion"
      ]
    },
    {
      "id": "data-protection",
      "file": "policies/data-protection.md",
      "name": "Data Protection",
      "adopted": true,
      "procedures": [
        "cp-data-protection",
        "cp-data-protection-at-rest",
        "cp-data-protection-in-transit",
        "cp-data-protection-in-use",
        "cp-data-protection-kms",
        "cp-data-protection-cert",
        "cp-data-protection-integrity"
      ]
    },
    {
      "id": "sdlc",
      "file": "policies/sdlc.md",
      "name": "Secure Software Development and Product Security",
      "adopted": true,
      "procedures": [
        "cp-sdlc-dev",
        "cp-sdlc-scm",
        "cp-sdlc-appsec-req",
        "cp-sdlc-design",
        "cp-sdlc-iaaa",
        "cp-sdlc-foss",
        "cp-sdlc-sast",
        "cp-sdlc-dast",
        "cp-sdlc-pentest",
        "cp-sdlc-bugbounty",
        "cp-sdlc-outsourcing",
        "cp-sdlc-hipaa",
        "cp-sdlc-monitor"
      ]
    },
    {
      "id": "ccm",
      "file": "policies/ccm.md",
      "name": "Configuration and Change Management",
      "adopted": true,
      "procedures": [
        "cp-ccm-config",
        "cp-ccm-monitor",
        "cp-ccm-provision-prod",
        "cp-ccm-provision-endpoint",
        "cp-ccm-provision-server",
        "cp-ccm-provision-mgmt",
        "cp-ccm-network",
        "cp-ccm-aws",
        "cp-ccm-aws-deploy",
        "cp-ccm-patch",
        "cp-ccm-prodcm",
        "cp-ccm-emergency"
      ]
    },
    {
      "id": "threat",
      "file": "policies/threat.md",
      "name": "Threat Detection and Prevention",
      "adopted": true,
      "procedures": [
        "cp-threat-malware",
        "cp-threat-firewall",
        "cp-threat-nids",
        "cp-threat-hids",
        "cp-threat-webapp",
        "cp-threat-siem",
        "cp-threat-intel"
      ]
    },
    {
      "id": "vuln-mgmt",
      "file": "policies/vuln-mgmt.md",
      "name": "Vulnerability Management",
      "adopted": true,
      "procedures": [
        "cp-vuln-scan",
        "cp-vuln-remediation"
      ]
    },
    {
      "id": "mdm",
      "file": "policies/mdm.md",
      "name": "Mobile Device Security and Media Management",
      "adopted": true,
      "procedures": [
        "cp-mdm-disposal",
        "cp-mdm-usb",
        "cp-mdm-byod"
      ]
    },
    {
      "id": "bcdr",
      "file": "policies/bcdr.md",
      "name": "Business Continuity and Disaster Recovery",
      "adopted": true,
      "procedures": [
        "cp-bcdr",
        "cp-bcdr-recovery",
        "cp-bcdr-test",
        "cp-bcdr-site",
        "cp-bcdr-app",
        "cp-bcdr-data"
      ]
    },
    {
      "id": "ir",
      "file": "policies/ir.md",
      "name": "Incident Response",
      "adopted": true,
      "procedures": [
        "cp-ir-sirt",
        "cp-ir-process",
        "cp-ir-playbook",
        "cp-ir-emergency",
        "cp-ir-tabletop",
        "cp-ir-records"
      ]
    },
    {
      "id": "breach",
      "file": "policies/breach.md",
      "name": "Breach Investigation and Notification",
      "adopted": true,
      "procedures": [
        "cp-breach-investigate",
        "cp-breach-customer",
        "cp-breach-letter",
        "cp-breach-authorities"
      ]
    },
    {
      "id": "vendor",
      "file": "policies/vendor.md",
      "name": "Third Party Security and Vendor Risk Management",
      "adopted": true,
      "procedures": [
        "cp-vendor-vtr",
        "cp-vendor-contracts",
        "cp-vendor-monitor",
        "cp-vendor-ssa"
      ]
    },
    {
      "id": "privacy",
      "file": "policies/privacy.md",
      "name": "Privacy Practice and Consent",
      "adopted": true,
      "procedures": [
        "cp-privacy-notices"
      ]
    },
    {
      "id": "genAI",
      "file": "policies/artificial-intelligence.md",
      "name": "Use of Generative AI",
      "adopted": true,
      "procedures": []
    }
  ],
  "procedures": [
    {
      "id": "cp-pci-charter",
      "file": "procedures/cp-pci-charter.md",
      "name": "PCI DSS Charter",
      "type": "informational",
      "provider": "Above Property",
      "summary": "The organization has an established PCI DSS compliance program with appropriate controls that are aligned to the organization's objectives and risk posture.",
      "guidance": "This describes the organization's PCI DSS Program Charter, high level controls, and program management processes.",
      "considerations": [
        "Which standards, domains, frameworks, etc. does your security program address?"
      ],
      "applicable": true,
      "adopted": true
    },
    {
      "id": "cp-pci-dss4-notes",
      "file": "procedures/cp-pci-dss4-notes.md",
      "name": "PCI DSS4 Notes",
      "type": "informational",
      "provider": "Above Property",
      "summary": "The organization has documented all exception items from the DSS 4 standard",
      "guidance": "This describes the organizations required exceptions documentation.",
      "considerations": [
        ""
      ],
      "applicable": true,
      "adopted": true
    },
    {
      "id": "cp-ism-scope",
      "file": "procedures/cp-ism-scope.md",
      "name": "Information Security Program and Scope",
      "type": "informational",
      "provider": "Above Property",
      "summary": "The organization has an established security program with appropriate controls that are aligned to the organization's objectives and risk posture.",
      "guidance": "This describes the organization's information security program scope, high level controls, and program management processes.",
      "considerations": [
        "Which standards, domains, frameworks, etc. does your security program address?"
      ],
      "applicable": true,
      "adopted": true
    },
    {
      "id": "cp-ism-policies",
      "file": "procedures/cp-ism-policies.md",
      "name": "Understanding the Policies and Controls/Procedures",
      "type": "informational",
      "provider": "Above Property",
      "summary": "The organization's security program maintains documentation of high level policies and lower level controls and procedures. The policies and procedures cover the design, development, implementation, operation, maintenance and monitoring of in-scope systems.",
      "guidance": "This describes how information security policies are structured.",
      "applicable": true,
      "adopted": true
    },
    {
      "id": "cp-ism-reporting",
      "file": "procedures/cp-ism-reporting.md",
      "name": "Review and Reporting",
      "type": "informational",
      "provider": "Above Property",
      "summary": "Metrics are defined to measure the effectiveness of controls and they are reported to/reviewed by senior management.",
      "guidance": "This describes the key metrics and high level reporting process for the information security management program.",
      "applicable": true,
      "adopted": true
    },
    {
      "id": "cp-gov-bod",
      "file": "procedures/cp-gov-bod.md",
      "name": "Board of Directors Responsibilities",
      "type": "administrative",
      "summary": "A board of directors is established that demonstrates independence from management and exercises oversight of the organization's development, performance, and internal controls.",
      "guidance": "Establishing a board of directors with clearly defined responsibilities is instrumental to the effective corporate governance and executive oversight. It helps maintain organizational transparency, ensure ethical business operations, and protect stakeholder interests.",
      "applicable": true,
      "adopted": true
    },
    {
      "id": "cp-model-principles",
      "file": "procedures/cp-model-principles.md",
      "name": "Security Principles",
      "type": "informational",
      "provider": "",
      "summary": "The organization incorporates best practices such as least-privilege or zero-trust in its security operating model.",
      "guidance": "This describes the high level operating principles of a DevOps oriented security program. The cloud-native, zero-trust approach enables a modern security operating model and eliminates the need for certain legacy security controls.",
      "considerations": [
        "Do you use a microservice architecture?",
        "Do your employees receive regular ongoing security awareness training more than once a year?",
        "Do you have a bug bounty or public vulnerability disclosure program?",
        "Is your organization subject to regulatory compliance such as HIPAA or FISMA?"
      ],
      "applicable": true,
      "adopted": true
    },
    {
      "id": "cp-model-quality",
      "file": "procedures/cp-model-quality.md",
      "name": "System Quality",
      "type": "informational",
      "provider": "",
      "summary": "The organization communicates its commitment to quality of service to its users and customers.",
      "guidance": "This describes at a high level how system quality assurance is managed and provides references to further documentation",
      "considerations": [
        "Where do you publish the status of external facing customer applications (uptime)?"
      ],
      "applicable": true,
      "adopted": true
    },
    {
      "id": "cp-model-architecture",
      "file": "procedures/cp-model-architecture.md",
      "name": "Security Architecture",
      "type": "technical",
      "provider": "Above Property",
      "summary": "Security architecture is documented, including system and infrastructure security diagrams.",
      "guidance": "A good security architecture is the starting point of a strong program foundation. You will need to maintain an up to date architecture diagram for security reviews with customers and auditors. Above Property can help automate the generation of network and application architecture diagrams in your cloud environments, so you don't have to spend time maintaining and updating it every time something changes.",
      "considerations": [
        "Which cloud service provider & corresponding products/services do you use?"
      ],
      "applicable": true,
      "adopted": true,
      "resources": [
        {
          "name": "AWS Security Whitepaper",
          "link": "https://d1.awsstatic.com/whitepapers/Security/AWS_Security_Whitepaper.pdf"
        }
      ]
    },
    {
      "id": "cp-model-metrics",
      "file": "procedures/cp-model-metrics.md",
      "name": "Metrics, Measurements and Continuous Monitoring",
      "type": "operational",
      "provider": "Above Property",
      "summary": "Metrics are defined to measure the effectiveness of controls and they are continuously monitored.",
      "guidance": "You will need to define a set of KPIs and metrics for monitoring and reporting on the effectiveness of the security controls. You can leverage Above Property's querying/reporting capability to automate the reporting process.",
      "considerations": [
        "How frequently will scorecards be produced?"
      ],
      "applicable": true,
      "adopted": true
    },
    {
      "id": "cp-role-assignment",
      "file": "procedures/cp-role-assignment.md",
      "name": "Assignment of Roles and the Security Committee",
      "type": "administrative",
      "provider": "Above Property",
      "summary": "Security and compliance roles and responsibilities are clearly defined to ensure segregation of duties.",
      "guidance": "Regulatory compliance frameworks, such as HIPAA, require formal assignment of security and privacy responsibilities to someone in your organization. As your organization expands and matures, you may want to form an executive level security committee to meet this requirement. Often, such a committee is a requirement of security certifications. You can manage this role assignment manually (I.E. in this documented policy/control procedure) or in the Above Property's app. Using Above Property, you can almost always avoid implementing a complicated enterprise GRC system.",
      "considerations": [
        "What responsibilities will you commit to?"
      ],
      "applicable": true,
      "adopted": true
    },
    {
      "id": "cp-training-policy",
      "file": "procedures/cp-training-policy.md",
      "name": "Policy and Compliance Training",
      "type": "administrative",
      "provider": "Above Property",
      "summary": "Employees and contractors receive training on the organization's security policies and procedures.",
      "guidance": "You will need to ensure all your employees are properly trained on the security policies and procedures. You may leverage a full featured learning management system (LMS) to develop, distribute, and track this training. Above Property also supports a simple process that allows your employees to access your security policies and procedures, and capture their acknowledgement.",
      "considerations": [
        "What is your current employee training program for policies and compliance?",
        "What is your retention duration of materials?",
        "Which compliance frameworks do you cover?",
        "What is your inactivity duration before log off for applications that store sensitive data?"
      ],
      "applicable": true,
      "adopted": true
    },
    {
      "id": "cp-training-awareness",
      "file": "procedures/cp-training-awareness.md",
      "name": "Ongoing Security Awareness Training",
      "type": "administrative",
      "provider": "KnowBe4",
      "summary": "Employees and contractors receive ongoing security awareness training at least annually.",
      "guidance": "Ongoing security awareness training is foundational to the overall risk reduction for any organization, not to mention is a compliance requirement almost universally. Our recommendation is to leverage a vendor, Ataata, who provides a low-cost and engaging way to keep your folks trained. All it takes is less than 5 minutes of everyone's time to watch a fun video and take a quiz every month.",
      "considerations": [
        "What tooling is used for security awareness and what topics are covered?"
      ],
      "applicable": true,
      "adopted": true
    },
    {
      "id": "cp-training-hipaa",
      "file": "procedures/cp-training-hipaa.md",
      "name": "Annual HIPAA Awareness Training",
      "type": "administrative",
      "provider": "KnowBe4",
      "summary": "Employees and contractors working with patient data and protected health information (PHI) are required to take HIPAA awareness training within 30 days of onboarding and annually thereafter.",
      "guidance": "If your organization is subject to HIPAA compliance, you must ensure all workforce members take a HIPAA awareness training annually. You may sign up with a vendor like Ataata to access training content, or alternatively, you may leverage an open-source training Above Property provides as a start.",
      "considerations": [
        "What tooling do you use for HIPAA or FISMA Awareness Training?",
        "What interval do employees to have to complete training?"
      ],
      "applicable": false,
      "adopted": false,
      "resources": [
        {
          "name": "View/download HIPAA awareness training package",
          "link": "https://github.com/JupiterOne/security-training-templates"
        }
      ]
    },
    {
      "id": "cp-internal-comms",
      "file": "procedures/cp-internal-comms.md",
      "name": "Internal Business Communications",
      "type": "administrative",
      "provider": "",
      "summary": "Management and each individual department/team holds regular company-wide / departmental / team meetings to review and discuss various aspects of business performance and objectives.",
      "guidance": "It is important to keep everyone on team / in the company regularly updated on the overall business strategy, goals and performance. One example is weekly/monthly roundtable or townhalls. At the individual team level, this could be the daily development standups/scrum sessions. This helps fosture an engaging, transparent and fast-moving culture.",
      "considerations": [
        "What is your company-wide communication frequency?"
      ],
      "applicable": false,
      "adopted": false,
      "resources": []
    },
    {
      "id": "cp-policy-framework",
      "file": "procedures/cp-policy-framework.md",
      "name": "Policies and Controls Framework",
      "type": "administrative",
      "provider": "Above Property",
      "summary": "The organization maintains a set of policies and controls that captures standards, regulatory, legal, and statutory requirements relevant to the business needs. The framework and its contents are reviewed at least annually.",
      "guidance": "There should be a defined structure to maintain policies and controls. A process and/or governance tooling should be implemented to manage the policies, standards, and controls applicable to the organization and its business.",
      "applicable": true,
      "adopted": true
    },
    {
      "id": "cp-policy-mgmt",
      "file": "procedures/cp-policy-mgmt.md",
      "name": "Policy Management Process",
      "type": "administrative",
      "provider": "AWS SecurityHub",
      "summary": "A formal process is in place to maintain and update security policies, controls and procedures. Policies, controls and procedures are reviewed at least annually.",
      "guidance": "Your security policies and procedures are living documents.  They should be reviewed, updated, and distributed on a regular basis.  Our recommendation is to manage policy as code (e.g. as a git repo), and this procedure provides the details on how to do that.",
      "considerations": [
        "What frameworks do you use and how long do you retain them and associated documentation?",
        "What is your documents revision process?",
        "Where are your backup policies and procedures stored?"
      ],
      "applicable": true,
      "adopted": true
    },
    {
      "id": "cp-risk-mgmt-objectives",
      "file": "procedures/cp-risk-mgmt-objectives.md",
      "name": "Risk Management Objectives",
      "type": "administrative",
      "provider": "",
      "summary": "Risk management objectives and acceptable risk levels are defined.",
      "guidance": "Ensure high level risk management objectives are defined and aligned with your organization's mission, business model, and risk tolerance.",
      "applicable": true,
      "adopted": true
    },
    {
      "id": "cp-risk-mgmt",
      "file": "procedures/cp-risk-mgmt.md",
      "name": "Risk Management Process",
      "type": "administrative",
      "provider": "JupiterOne",
      "summary": "The organization has a risk management policy and defined process for managing risks - including risk identification, mitigation, monitoring, review and approval.",
      "guidance": "Risk management involves conducting risk assessment, risk analysis, risk mitigation and the continuous monitoring and management of risks. Risk management is a continuous process.",
      "considerations": [
        "Can you commit to the risk management process detailed by the 7 procedures?",
        "Is your organization subject to regulatory compliance such as HIPAA or FISMA?",
        "How long is documentation retained for?",
        "How often is this procedure monitored?",
        "What tooling do you use to track risks?"
      ],
      "applicable": true,
      "adopted": true
    },
    {
      "id": "cp-risk-assess",
      "file": "procedures/cp-risk-assess.md",
      "name": "Risk Assessment and Analysis",
      "type": "administrative",
      "provider": "JupiterOne",
      "summary": "Risk assessments are conducted annually using a defined methodology that identifies the threat, impact, probability, actor and assets targeted/impacted.",
      "guidance": "At least annually, a risk assessment should be conducted for your organization. A well established process helps your team perform the assessment and manage the outcome. The assessment itself is often performed manually, supported by tools for the assessment of technical risks, and management tools to help document and track the issues identified. You may document the issues directly in an issue tracking system such as Jira, or preferably, add the identified risks as objects in JupiterOne so that they can be visualized in context with the rest of your operational ecosystem.",
      "applicable": true,
      "adopted": true
    },
    {
      "id": "cp-risk-mitigation",
      "file": "procedures/cp-risk-mitigation.md",
      "name": "Risk Mitigation and Monitoring",
      "type": "administrative",
      "provider": "JupiterOne",
      "summary": "A process is defined to guide the prioritization and implementation of risk mitigating controls including but not limited to controls over technology, and to evaluate residual risk.",
      "guidance": "Once the risks are identified and analyzed, they need to be addressed with appropriate mitigation plans and implementation of controls. The mitigating controls and residual risks should be continuously monitored and kept up-to-date.",
      "applicable": true,
      "adopted": true
    },
    {
      "id": "cp-risk-registry",
      "file": "procedures/cp-risk-registry.md",
      "name": "Risk Registry",
      "type": "administrative",
      "provider": "JupiterOne",
      "summary": "Risks identified from each risk assessment are documented and maintained.",
      "guidance": "In many cases, the risk registry is no more than a spreadsheet that serves as the inventory of risks identified as part of each risk assessment. Most mature enterprises implement a Governance, Risk and Compliance (GRC) solution to manage this process.  However, a full blown GRC solution is complex and often overkill for a SaaS company.  Instead, use JupiterOne to inventory and track your risks.",
      "applicable": false,
      "adopted": false
    },
    {
      "id": "cp-risk-insurance",
      "file": "procedures/cp-risk-insurance.md",
      "name": "Cyber Liability Insurance",
      "type": "administrative",
      "provider": "Acord",
      "summary": "The organization holds cyber liability insurance with sufficient coverage based on its risk profile",
      "guidance": "Many organizations require their vendor/supplier to have cyber liability insurance to cover damage from potential incidents and breaches. You should always consider insurance as a risk transfer mechanism to offset the financial impact of a risk materializing.",
      "considerations": [
        "Do you have cyber liability insurance?"
      ],
      "applicable": true,
      "adopted": true
    },
    {
      "id": "cp-risk-fraud",
      "file": "procedures/cp-risk-fraud.md",
      "name": "Fraud Risks",
      "type": "administrative",
      "provider": "",
      "summary": "The organization considers both financial and IT fraud risks as part of its risk assessment process, including the pressures/incentives, opportunities and rationalities of people and/or department to commit fraud.",
      "guidance": "Many organizations require their vendor/supplier to have cyber liability insurance to cover damage from potential incidents and breaches. You should always consider insurance as a risk transfer mechanism to offset the financial impact of a risk materializing.",
      "applicable": false,
      "adopted": false
    },
    {
      "id": "cp-compliance-mgmt",
      "file": "procedures/cp-compliance-mgmt.md",
      "name": "Compliance Program Management",
      "type": "administrative",
      "provider": "",
      "summary": "The organization has a program and defined process to manage compliance to applicable regulatory requirements and contractual obligations.",
      "guidance": "Your organization needs to define and document a process to identify and ensure compliance with applicable statutory, regulatory, and contractual requirements.",
      "applicable": true,
      "adopted": true
    },
    {
      "id": "cp-compliance-requests",
      "file": "procedures/cp-compliance-requests.md",
      "name": "Requesting Audit and Compliance Reports",
      "type": "administrative",
      "provider": "",
      "summary": "Process and channels are established to communicate the compliance status to external stakeholders.",
      "guidance": "You should have a pre-defined process for external entities to request audit and compliance reports.",
      "considerations": [
        "What email address do you provide to customers for reporting incidents, vulnerabilities, or other security inquiries?",
        "What email address do you provide to customers for privacy concerns, including violations reporting?",
        "What email address do you provide to customers for compliance issues including requests of audit reports?",
        "Is your organization subject to regulatory compliance such as HIPAA or FISMA?"
      ],
      "applicable": true,
      "adopted": true
    },
    {
      "id": "cp-compliance-monitor",
      "file": "procedures/cp-compliance-monitor.md",
      "name": "Continuous Compliance Monitoring",
      "type": "administrative",
      "provider": "AWS SecurityHub",
      "summary": "Compliance status is tracked and monitored using an enterprise compliance tool.",
      "guidance": "You should implement a mechanism to track the status of regulatory compliance. This can be done using the JupiterOne compliance app instead of manually tracking.",
      "applicable": true,
      "adopted": true
    },
    {
      "id": "cp-audit-types",
      "file": "procedures/cp-audit-types.md",
      "name": "Types of System Audits",
      "type": "informational",
      "provider": "",
      "summary": "The organization has defined auditing processes including system configuration monitoring, activity monitoring, access review, and controls compliance audit.",
      "guidance": "There are several forms of system audits and they are defined here.",
      "considerations": [
        "Which cloud services do you allow employees to access?",
        "Which IdP do you use?",
        "How do you protect network access?"
      ],
      "applicable": true,
      "adopted": true
    },
    {
      "id": "cp-events-analysis",
      "file": "procedures/cp-events-analysis.md",
      "name": "Security Event Analysis",
      "type": "technical",
      "provider": "JupiterOne",
      "summary": "The security team monitors system security events and logs via a combination of automated tools and manual reviews.",
      "guidance": "Security logs, events, and audit trails should be reviewed on a regular basis.  In a mature security practice, this is a major effort of the daily security operations.  It should be monitored proactively instead of when a breach occurs. The sheer volume of events can quickly result in alert fatigue.  JupiterOne's automated event analysis capability can help without the need of a dedicated and expensive Security Information and Event Management (SIEM).",
      "considerations": [
        "Where do security events get alerted to?",
        "What is your SLA for analysis/reponse/investigation/triage of security events?"
      ],
      "applicable": true,
      "adopted": true
    },
    {
      "id": "cp-audit-internal",
      "file": "procedures/cp-audit-internal.md",
      "name": "Manual Internal Auditing Activities",
      "type": "administrative",
      "provider": "JupiterOne",
      "summary": "The organization performs manual testing and reviews of systems, accounts and controls as needed. The audit may be performed by internal teams or external auditors.",
      "guidance": "From time to time, an internal audit may be needed on controls and processes that are not already covered via automated monitoring. This process is defined here.",
      "considerations": [
        "How are manual internal audit and review activities tracked?"
      ],
      "applicable": true,
      "adopted": true
    },
    {
      "id": "cp-audit-request",
      "file": "procedures/cp-audit-request.md",
      "name": "Audit Requests",
      "type": "administrative",
      "provider": "",
      "summary": "A process and channels have been established for internal teams and external entities (such as a customer) to request security reviews or audits.",
      "guidance": "The procedure documents how audit requests are handled.",
      "applicable": true,
      "adopted": true
    },
    {
      "id": "cp-audit-review",
      "file": "procedures/cp-audit-review.md",
      "name": "Review and Reporting of Audit Findings",
      "type": "administrative",
      "provider": "JupiterOne",
      "summary": "Results of each security assessment or audit are reviewed by security team, senior management, and other designated personnel.",
      "guidance": "Upon completion of an audit or assessment, the report and findings should be analyzed so that follow up on actions can be taken accordingly.",
      "applicable": true,
      "adopted": true
    },
    {
      "id": "cp-audit-control-deficiency",
      "file": "procedures/cp-audit-control-deficiency.md",
      "name": "Remediation of Control Deficiencies",
      "type": "administrative",
      "provider": "Jira",
      "summary": "Identified control deficiencies are communicated to parties responsible for taking corrective action. Remediation plans are proposed and monitored through resolution.",
      "guidance": "Control deficiencies must be reviewed, prioritized, and mitigated.",
      "applicable": true,
      "adopted": true
    },
    {
      "id": "cp-audit-trails",
      "file": "procedures/cp-audit-trails.md",
      "name": "Audit Trails - System and Application Security Events Logging Standard",
      "type": "technical",
      "provider": "AWS CloudTrail",
      "summary": "Security events and logs from production systems and applications are captured as audit trails. Audit trails include sufficient data such as timestamp, user id, action taken to establish who did what, when, how.",
      "guidance": "Your systems and applications should be configured/developed to follow a pre-defined, pre-approved set of standards for logging. This document captures the details, while it is up to your engineering team to follow in actual implementation. This can be enforced by other procedures such as configuration management and code reviews.",
      "applicable": true,
      "adopted": true
    },
    {
      "id": "cp-audit-trails-integrity",
      "file": "procedures/cp-audit-trails-integrity.md",
      "name": "Audit Trail Integrity - Security Controls and Log Retention",
      "type": "technical",
      "provider": "AWS CloudTrail",
      "summary": "Audit trails are protected against modification and unauthorized access.",
      "guidance": "Audit trails should be immutable. It is crucial to protect audit trails for record keeping and forensic analysis. Audit logs shall be retained according to your business needs and regulatory compliance requirements.",
      "considerations": [
        "Are system logs encrypted?",
        "What logging tools do you use?",
        "Where are system logs retained?",
        "How long are system logs retained?"
      ],
      "applicable": true,
      "adopted": true
    },
    {
      "id": "cp-audit-customers",
      "file": "procedures/cp-audit-customers.md",
      "name": "Auditing Customer and Partner Activity",
      "type": "administrative",
      "provider": "manual process",
      "summary": "The organization implements security monitors for customers and partners on its hosted software platform and/or connected environments according to terms and agreements.",
      "guidance": "You may want to have a process defined to monitor the security logs and account access activities for the customers of your product.",
      "applicable": true,
      "adopted": true
    },
    {
      "id": "cp-audit-tools",
      "file": "procedures/cp-audit-tools.md",
      "name": "Tools Used for Auditing and Security Assessments",
      "type": "informational",
      "provider": "JupiterOne",
      "summary": "A set of tools are made available for the security and compliance personnel to conduct assessments, system scans, security testing and audits.",
      "guidance": "This is a documentation of certain tools your team may choose to use for performing security audits and assessments (such as an internal vulnerability scan).",
      "applicable": true,
      "adopted": true
    },
    {
      "id": "cp-audit-training",
      "file": "procedures/cp-audit-training.md",
      "name": "Audit Related Training, Education, Awareness and Responsibilities",
      "type": "administrative",
      "provider": "",
      "summary": "Employees and contractors are informed and trained on the organization's monitoring and auditing process.",
      "guidance": "Workforce members (and customers, if applicable) shall be informed and trained on the system auditing processes.",
      "applicable": false,
      "adopted": false
    },
    {
      "id": "cp-hr-mgmt",
      "file": "procedures/cp-hr-mgmt.md",
      "name": "HR Management and Reporting",
      "type": "administrative",
      "provider": "TriNet",
      "summary": "Organizational structure as well as individual job functions are established and communicated to all employees.",
      "guidance": "",
      "considerations": [
        "What tooling do you use for performance reviews?"
      ],
      "applicable": true,
      "adopted": true
    },
    {
      "id": "cp-employee-acceptable-use",
      "file": "procedures/cp-employee-acceptable-use.md",
      "name": "Acceptable Use of End-user Computing",
      "type": "administrative",
      "provider": "JupiterOne",
      "summary": "Acceptable use policy is in place to guide the organization's personnel on the proper use of information assets and their roles and responsibilities.",
      "guidance": "The acceptable use policy should be distributed to all employees. Employee review and acceptance of the acceptable user policy should be captured.",
      "applicable": true,
      "adopted": true
    },
    {
      "id": "cp-employee-screening",
      "file": "procedures/cp-employee-screening.md",
      "name": "Employee Screening Procedures",
      "type": "administrative",
      "provider": "manual process",
      "summary": "Interviews and background checks are conducted prior to hiring to ensure qualification and security.",
      "guidance": "Background checks should be conducted as part of the hiring process, prior to an employee/contractor starting.",
      "applicable": false,
      "adopted": false
    },
    {
      "id": "cp-employee-onboarding",
      "file": "procedures/cp-employee-onboarding.md",
      "name": "Employee Onboarding Procedures",
      "type": "administrative",
      "provider": "manual process",
      "summary": "Employee onboarding is coordinated between HR, IT and Security to ensure the appropriate training, access provisioning and system configurations are in place for each new hire.",
      "guidance": "When new employees join your organization, a set of activities are required as part of their onboarding, such as training, access provisioning, and configuration of their workstations. This procedure documents that process, while the actual implementation of them are covered by their corresponding procedures and controls.",
      "considerations": [
        "Which HR System do you use to keep records of training and policy acceptance?",
        "Is your organization subject to training for regulatory compliance such as HIPAA or FISMA?",
        "What is the timeframe for completing training?"
      ],
      "applicable": true,
      "adopted": true
    },
    {
      "id": "cp-employee-exiting",
      "file": "procedures/cp-employee-exiting.md",
      "name": "Employee Exiting/Termination Procedures",
      "type": "administrative",
      "provider": "manual process",
      "summary": "Employee exiting is coordinated between HR, IT and Security to ensure proper access termination and return of equipment.",
      "guidance": "Similar to employee onboarding, when someone leaves your organization, a set of actions shall be performed.  This may include termination of access, return of equipment, etc.",
      "considerations": [
        "What is your employee termination process?"
      ],
      "applicable": true,
      "adopted": true
    },
    {
      "id": "cp-employee-escalation",
      "file": "procedures/cp-employee-escalation.md",
      "name": "Employee Issue Escalation",
      "type": "administrative",
      "provider": "manual process",
      "summary": "Employees are provided a safe channel and process to escalate workplace issues to HR and/or senior management if needed.",
      "guidance": "As part of your HR operations, you should have a defined process for an employee to safely escalate an issue that might arise in the workplace.",
      "considerations": [
        "Where can employees escalate a security incident that needs action?"
      ],
      "applicable": true,
      "adopted": true
    },
    {
      "id": "cp-employee-whistleblower",
      "file": "procedures/cp-employee-whistleblower.md",
      "name": "Whistleblower Policy and Process",
      "type": "administrative",
      "provider": "manual process",
      "summary": "Employees are provided a safe channel and process to report concerns and violations with respect to standards of business and personal ethics and conduct.",
      "guidance": "Your organization should define policies and procedures to ensure a proper channel is established for reporting concerns and violations with respect to standards of business and personal ethics and conduct.",
      "applicable": false,
      "adopted": false
    },
    {
      "id": "cp-employee-performance",
      "file": "procedures/cp-employee-performance.md",
      "name": "Employee Performance Review Process",
      "type": "administrative",
      "provider": "Small Improvements",
      "summary": "Performance reviews are conducted annually to evaluate performance of employees against expected levels.",
      "guidance": "You should document the process and tool used to conduct employee performance reviews. This demonstrates your organization holds individuals accountable for their roles and responsibilities.",
      "considerations": [
        "What is your employee performance review process?"
      ],
      "applicable": false,
      "adopted": false
    },
    {
      "id": "cp-employee-recognition",
      "file": "procedures/cp-employee-recognition.md",
      "name": "Employee Incentives and Rewards",
      "type": "administrative",
      "provider": "Motivosity",
      "summary": "Employees receive regular peer recognition, feedback and rewards for positive behavior and impact.",
      "guidance": "Regular feedback, encouragement and recognition help create a culture of motivated employees.",
      "considerations": [
        "Do you have an incentive or rewards program/tool?"
      ],
      "applicable": false,
      "adopted": false
    },
    {
      "id": "cp-employee-development",
      "file": "procedures/cp-employee-development.md",
      "name": "Continuous Education and Skills Development",
      "type": "administrative",
      "provider": "",
      "summary": "The organization provides employees the opportunity to attend conferences, trade shows, and access to training courses and studies to maintain and further advance their skills relevant to their job functions and business objectives.",
      "guidance": "Organizations should continue to invest in the education and skills development of their workforce. This can be done by sending employees to conferences and trade shows, and/or providing employees access to online training courses and studies. It demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.",
      "applicable": true,
      "adopted": true
    },
    {
      "id": "cp-sanctions",
      "file": "procedures/cp-sanctions.md",
      "name": "Non-Compliance Investigation and Sanctions",
      "type": "administrative",
      "provider": "manual process",
      "summary": "Policies and processes are in place to investigate and take appropriate actions on any non-compliance to the organization's policies and procedures.",
      "guidance": "All workforce members should be trained on and accept your organizational security policies and procedures. In the case of a violation, there should be a pre-defined procedure to identify, investigate, and fairly treat each incident.",
      "considerations": [
        "Do you have an employee warning notice template?"
      ],
      "applicable": true,
      "adopted": true
    },
    {
      "id": "cp-access-sso",
      "file": "procedures/cp-access-sso.md",
      "name": "Centralized Access Control and Single Sign On",
      "type": "technical",
      "provider": "Google Workspaces",
      "function": "SSO",
      "summary": "Access to business systems and applications is centrally managed via single sign on (SSO) when possible.",
      "guidance": "Your organization most likely relies on multiple business applications to support its operations. This may include end-user systems, collaboration tools, development and production environments, etc. Managing access to all of your business applications and systems centrally ensures consistent access policy and auditing. Being a cloud-native organization, we highly recommend using a cloud-based identity provider, such as Google Workspaces, OneLogin, Google and others for centralized access control and single sign on.",
      "considerations": [
        "Which IdP/SSO tool do you use?"
      ],
      "applicable": true,
      "adopted": true
    },
    {
      "id": "cp-access-mfa",
      "file": "procedures/cp-access-mfa.md",
      "name": "Multi-factor Authentication",
      "type": "technical",
      "provider": "Google Workspaces",
      "function": "MFA",
      "summary": "Multi-factor authentication (MFA) is required for all users with access to business critical systems.",
      "guidance": "Passwords are hard to remember but easy to compromise. Even with long and complex passwords, it is no longer sufficient by itself as the only control to prevent unauthorized access to critical systems and data. Google Workspaces and other similar IdP vendors provide multi-factor authentication (MFA) capability as part of their offering, and it is very easy to enable especially if you already use it for single sign on.",
      "considerations": [
        "Which MFA provider do you use?"
      ],
      "applicable": true,
      "adopted": true
    },
    {
      "id": "cp-access-passkey",
      "file": "procedures/cp-access-passkey.md",
      "name": "Passkey Authentication",
      "type": "technical",
      "provider": "Google Workspaces",
      "function": "MFA",
      "summary": "Multi-factor authentication (MFA) is required for all users with access to business critical systems.",
      "guidance": "Passwords are hard to remember but easy to compromise. Even with long and complex passwords, it is no longer sufficient by itself as the only control to prevent unauthorized access to critical systems and data. Google Workspaces and other similar IdP vendors provide multi-factor authentication (MFA) capability as part of their offering, and it is very easy to enable especially if you already use it for single sign on.",
      "considerations": [
        "Which MFA provider do you use?"
      ],
      "applicable": true,
      "adopted": true
    },
    {
      "id": "cp-access-rbac",
      "file": "procedures/cp-access-rbac.md",
      "name": "Role Based Access Control (RBAC)",
      "type": "technical",
      "provider": "Google Workspaces",
      "summary": "Access to systems and applications are provisioned based on a user's role / group.",
      "guidance": "Role based access control (RBAC) is an industry standard method for implementing access authorization to users. This is supported by most identity and access systems as 'Groups' and assigning users to the 'Groups' that match their job function/role.",
      "applicable": true,
      "adopted": true
    },
    {
      "id": "cp-access-aws",
      "file": "procedures/cp-access-aws.md",
      "name": "Temporary Access to AWS Accounts and Resources",
      "type": "technical",
      "provider": "AWS IAM and Google Workspaces",
      "function": "IAM",
      "summary": "Access to AWS cloud infrastructure is configured single sign on roles and temporary trusts. No persistent end-user access is configured.",
      "guidance": "We highly recommend leveraging the assume-role capability in AWS to gain temporary access to resources, combined with a cloud-native IdP for single-sign-on. This removes the need to provision IAM users directly within each of your AWS accounts.",
      "considerations": [
        "Do you use AWS? If not, remove/replace procedure."
      ],
      "applicable": true,
      "adopted": true
    },
    {
      "id": "cp-access-vpn",
      "file": "procedures/cp-access-vpn.md",
      "name": "VPN Remote Access",
      "type": "technical",
      "provider": "AWS VPN",
      "function": "VPN",
      "summary": "Remote access to private and internal systems are configured via encrypted VPN channels.",
      "guidance": "Remote access is typically secured via VPN. This could be implemented as a EC2 instance running in your private subnet/VPC instead AWS, or a server on whatever private network in your hosted or internal environment. Pritunl is a lightweight, OpenVPN based solution that is free to start, and can scale as you grow. WireGuard is a good open-source option as well.",
      "considerations": [
        "Which VPN provider do you use?"
      ],
      "applicable": true,
      "adopted": true
    },
    {
      "id": "cp-access-phi",
      "file": "procedures/cp-access-phi.md",
      "name": "Access to PHI/ePHI",
      "type": "operational",
      "provider": "AWS IAM and Google Workspaces",
      "function": "IAM",
      "summary": "Access to PHI/ePHI is restricted to only individuals with business need and protected by strong access control.",
      "guidance": "Access to PHI/ePHI should be limited to those with a business need only, and protected by strong access control and auditing. We recommend using a combination of the native AWS IAM policies and single sign on (e.g. Google Workspaces) for access enforcement. Additionally, an extra layer of protection may be added to restrict risky or privileged actions.  This can be implemented using Explicit Deny actions in the AWS IAM policies.  A tool like Dome9 can help automate that process.",
      "considerations": [
        "Do you store any sensitive data such as PII, PHI, or credit card/financial data?"
      ],
      "applicable": false,
      "adopted": false
    },
    {
      "id": "cp-access-customer",
      "file": "procedures/cp-access-customer.md",
      "name": "Platform Customer Access to Systems",
      "type": "technical",
      "provider": "AWS IAM",
      "function": "IAM",
      "summary": "Customers are granted access to their accounts and data only after successful authentication and authorization through the appropriate applications, either through the web interface or API.",
      "guidance": "We strongly recommend against any direct customer access to systems, other than through the application interface, such as an authenticated Web UI or API interface. Depending on the nature of your solution, you will need to document how customers access their data and if they have direct access to the systems that host/process their data.",
      "applicable": true,
      "adopted": true
    },
    {
      "id": "cp-access-change",
      "file": "procedures/cp-access-change.md",
      "name": "Access Establishment, Modification and Termination",
      "type": "operational",
      "provider": "Google Workspaces",
      "function": "SSO",
      "summary": "Changes to pre-established access (configured as part of onboarding) must be requested and approved by the employee's manager or security team prior to granting access. Non-standard access is revoked when no longer needed.",
      "guidance": "From time to time, you may need to add, change, or remove access to certain resources for an employee/contractor. It is required you have a process to capture the request, approval, and provisioning of such actions. If you already use an issue management tool like Jira, it is pretty straightforward to create a Service Desk project and manage it there.",
      "considerations": [
        "What are the standard/default accounts new employees receive access to?",
        "What tooling do for managing access?",
        "What is the access review frequency?",
        "Are inactive accounts removed and when?"
      ],
      "applicable": true,
      "adopted": true
    },
    {
      "id": "cp-access-privileged",
      "file": "procedures/cp-access-privileged.md",
      "name": "Privileged Access",
      "type": "technical",
      "provider": "AWS IAM and Google Workspaces",
      "function": "PAM",
      "summary": "Privileged access to production systems and/or data must be requested, reviewed, and approved each time. Privileged access is granted on a temporary basis, typically no more than 24 hours.",
      "guidance": "A privileged user is someone who has administrative access to critical systems or data. This type of access should be highly restricted and managed with a more controlled process than typical/non-privileged user access. There are security solutions dedicated to privileged access management. However, you might not need to purchase and implement a separate tool if you follow our recommended procedure using cloud-native SSO, AWS IAM, enable IAM policy guard rails and leverage explicit Deny rules in certain policies.",
      "applicable": false,
      "adopted": false
    },
    {
      "id": "cp-access-service",
      "file": "procedures/cp-access-service.md",
      "name": "Service Accounts",
      "type": "technical",
      "provider": "AWS IAM and CloudFormation",
      "function": [
        "IAM",
        "PAM",
        "secret-management"
      ],
      "summary": "Service accounts and application credentials are securely managed.",
      "guidance": "In AWS, access given to application services and components are achieved using IAM roles, policies, and assume-role capability. The provisioning of such access should be managed as code.  We find it simple and flexible to use Infrastructure as Code to describe and provision infrastructure-as-code.",
      "considerations": [
        "What tooling is used for service accounts?"
      ],
      "applicable": true,
      "adopted": true
    },
    {
      "id": "cp-access-review",
      "file": "procedures/cp-access-review.md",
      "name": "Access Reviews",
      "type": "operational",
      "provider": "JupiterOne",
      "function": "access-review",
      "summary": "User access permissions are reviewed as part of ongoing security monitoring and whenever an employee's role changes.",
      "guidance": "Your security/audit/compliance team should perform regular access reviews to understand who has access to what.  This is done in order to maintain the minimum need-to-know best practices when provisioning access. The access should be documented and updated regularly.  Access no longer needed should be removed.  This process typically involves a manual review of all business applications, systems, cloud accounts and mapping the level of access to each user and/or service. It can take days, if not weeks, to complete.  JupiterOne helps streamline this process by automatically analyzing the access control relationships across the providers connected to the JupiterOne platform, and generate reports and visualization on demand.",
      "applicable": true,
      "adopted": true
    },
    {
      "id": "cp-access-standards",
      "file": "procedures/cp-access-standards.md",
      "name": "Standards for Access Provisioning",
      "type": "technical",
      "provider": "AWS Cognito",
      "summary": "The organization incorporates security best practices and standards for provisioning access including unique user identification, automatic logoff, and least-privileged access.",
      "guidance": "You need to be able describe how your access control is implemented.  For example, using role-based access control, unique account/ID for each user, automatic log on/log off, etc. These should match the configuration of your identity provider or access control system such as Google Workspaces.",
      "considerations": [
        "What authentication tool do you use?",
        "Do you disable/lock default accounts on production systems?",
        "Can users share accounts?",
        "How long after inactivity are systems locked?"
      ],
      "applicable": true,
      "adopted": true
    },
    {
      "id": "cp-access-endpoints",
      "file": "procedures/cp-access-endpoints.md",
      "name": "Employee Workstation / Endpoints Usage",
      "type": "administrative",
      "provider": "JupiterOne",
      "summary": "The organization provides standard endpoint computing devices to employees that are configured according to company security standards, including disk encryption, host firewall, malware protection, and malicious activity detection.",
      "guidance": "A set of standards and guidelines should be established so that employees understand their responsibility and limitation in using their company-provided computers. This is also referenced in the Employee Handbook. Technical controls should be in place to handle the monitoring and protection of employee computers, which is covered in a separate control/procedure.",
      "considerations": [
        "What tooling is used to encrypt endpoint hard drives?"
      ],
      "applicable": true,
      "adopted": true
    },
    {
      "id": "cp-access-wifi",
      "file": "procedures/cp-access-wifi.md",
      "name": "Office Network and Wifi Access",
      "type": "technical",
      "provider": "Cisco Meraki",
      "function": [
        "wifi",
        "networking"
      ],
      "summary": "Office networks, including wireless access, are protected for internal business use only. Guest wireless access is provided on a separate logical network.",
      "guidance": "Network access should be protected for your internal/office environments, especially wireless access. We highly recommended not building physical walls around your critical/production data and leveraging cloud instead.  Therefore, there should be no critical/production system or data on your office networks. This greatly reduces risk in your internal user environments. You still should have proper encryption for your wireless network.  This can be done using something like Cisco Meraki, which provides API access for you to integrate with JupiterOne, or something as simple as Google Wifi.",
      "applicable": false,
      "adopted": false
    },
    {
      "id": "cp-access-password",
      "file": "procedures/cp-access-password.md",
      "name": "Password Management",
      "type": "technical",
      "provider": "Google Workspaces",
      "function": "password-management",
      "summary": "Strong password management policy is in place.",
      "guidance": "You need to have policies/standards around password length, complexity, age, etc. Enough said.",
      "considerations": [
        "What password requirements do you use?"
      ],
      "applicable": true,
      "adopted": true
    },
    {
      "id": "cp-access-prod",
      "file": "procedures/cp-access-prod.md",
      "name": "Production Access and Secrets Management",
      "type": "technical",
      "provider": "AWS KMS and SSM",
      "function": [
        "key-management",
        "secret-management"
      ],
      "summary": "Production keys and secrets are securely stored and protected.",
      "guidance": "In additional to privileged user access, how do your applications and services gain access to keys and secrets in production? You need tools and controls around that. If you are in AWS, we find it best to use AWS Key Management Service (KMS) to manage data encryption keys, and AWS Systems Manager (SSM) Parameter Store to store secrets such as API keys. You will need to read up on their corresponding documentation on how to implement for your applications.",
      "considerations": [
        "What tooling is used to store production secrets?"
      ],
      "applicable": true,
      "adopted": true,
      "resources": [
        {
          "name": "AWS Key Management Service Best Practices",
          "link": "https://d0.awsstatic.com/whitepapers/aws-kms-best-practices.pdf"
        },
        {
          "name": "The Right Way to Store Secrets using AWS SSM Parameter Store",
          "link": "https://aws.amazon.com/blogs/mt/the-right-way-to-store-secrets-using-parameter-store/"
        }
      ]
    },
    {
      "id": "cp-access-prod-data",
      "file": "procedures/cp-access-prod-data.md",
      "name": "Production Data Access",
      "type": "technical",
      "provider": "",
      "function": "PAM",
      "summary": "Access to production data is highly restricted. Access is reviewed and approved on a case-by-case basis. MFA is required.",
      "guidance": "It is worth calling out processes and controls specific production data access, which should be highly restricted and monitored. MFA should always be required when accessing production data.",
      "considerations": [
        "What is the customer data review cadence?"
      ],
      "applicable": true,
      "adopted": true,
      "resources": []
    },
    {
      "id": "cp-access-reset",
      "file": "procedures/cp-access-reset.md",
      "name": "Password Reset and other Helpdesk Requests",
      "type": "operational",
      "provider": "Jira",
      "function": "ticketing",
      "summary": "Users are provided a self-service mechanism for account access resets, and a channel to open an internal IT support request if needed.",
      "guidance": "If you are a startup, password reset is most likely self service. In any case, if there is a need for someone with Administrative access to help someone else reset their password, a process should be properly followed for audit and compliance.  This is pretty straightforward if you just implement a Service Desk project in Jira. It can be the same IT & Security service desk project that you use to manage other similar tickets.",
      "applicable": true,
      "adopted": true
    },
    {
      "id": "cp-physical",
      "file": "procedures/cp-physical.md",
      "name": "Physical Security",
      "type": "physical",
      "provider": "Cisco Meraki",
      "function": [
        "physical-access",
        "video-surveillance"
      ],
      "summary": "Physical locations such as office spaces require badged access, visitor logs, and video surveillance.",
      "guidance": "Don't forget physical security. Even though your office environment may not have critical/production systems or data, you probably don't want strangers wandering around unescorted.  You probably need some kind of badge access, which may already be provided to you as part of your lease. You'll most likely need to edit this documentation with your facilities details. If you choose to implement video surveillance, Cisco Meraki is a pretty good choice.",
      "considerations": [
        "Where are your offices located?",
        "What tooling do you use for reporting and auditing?",
        "What is your access review cadence?",
        "How long do you store records?"
      ],
      "applicable": true,
      "adopted": true
    },
    {
      "id": "cp-physical-datacenter",
      "file": "procedures/cp-physical-datacenter.md",
      "name": "Data Center Security",
      "type": "physical",
      "provider": "AWS",
      "function": "data-center-security",
      "summary": "Data center security is ensured by the cloud service provider.",
      "guidance": "If you host your own data center, you will need to document in detail the physical and environmental security of the data centers. Otherwise, this is most likely taken care of by your cloud security provider (e.g. AWS, Azure, GCP).",
      "considerations": [
        "What cloud service provider is used to secure your data center?"
      ],
      "applicable": true,
      "adopted": true
    },
    {
      "id": "cp-physical-cleandesk",
      "file": "procedures/cp-physical-cleandesk.md",
      "name": "Clean Desk Policy and Procedures",
      "type": "physical",
      "provider": "",
      "summary": "Employees must secure all sensitive/confidential information in their workspace at the end of the work day and when away, including both electronic and physical media.",
      "guidance": "Securing information at the workspace (office or remote) helps reduce the risk of information theft, fraud, or a security breach caused by sensitive information being left unattended and visible in plain view.",
      "applicable": true,
      "adopted": true
    },
    {
      "id": "cp-asset-physical",
      "file": "procedures/cp-asset-physical.md",
      "name": "Physical Asset Inventory",
      "type": "technical",
      "provider": "NetSuite",
      "function": [
        "inventory",
        "ITAM"
      ],
      "summary": "All physical computing and information processing assets, such as laptops and workstations, are maintained in an asset inventory system.",
      "guidance": "You will need to maintain an up-to-date inventory of your physical assets, such as servers, laptops, printers, networking gear, etc. You can enter those information directly into JupiterOne instead of using a spreadsheet or purchasing a separate dedicated software for it.",
      "applicable": true,
      "adopted": true
    },
    {
      "id": "cp-asset-digital",
      "file": "procedures/cp-asset-digital.md",
      "name": "Digital Asset Inventory",
      "type": "technical",
      "provider": "JupiterOne",
      "function": [
        "inventory",
        "ITAM"
      ],
      "summary": "All digital and software-defined assets, such as virtual instances and code repositories, are discovered and maintained in an asset inventory system.",
      "guidance": "You will need to maintain an up-to-date inventory of your physical assets, such as virtual machine instances, database instances, data repositories, etc. JupiterOne can automate that for you. All you need to do is configure the providers, such as AWS, in JupiterOne and it'll take care of the rest.",
      "considerations": [
        "What tooling is used to store digital assets?"
      ],
      "applicable": true,
      "adopted": true
    },
    {
      "id": "cp-asset-paper",
      "file": "procedures/cp-asset-paper.md",
      "name": "Paper Records",
      "type": "physical",
      "provider": "manual process",
      "summary": "All records are kept electronically, no physical paper records are kept as part of core business operations.",
      "guidance": "We are in the age of the cloud, are we not?  Let's not use paper records for any sensitive data, and this procedure indicates so.",
      "applicable": true,
      "adopted": true
    },
    {
      "id": "cp-data-classification",
      "file": "procedures/cp-data-classification.md",
      "name": "Data Classification Model",
      "type": "administrative",
      "provider": "JupiterOne",
      "function": "data-classification",
      "summary": "Data classification model is defined to differentiate public, non-public, confidental/sensitive and critical data or information asset.",
      "guidance": "How do you know what data to protect and how to protect it accordingly? Taking a one-size-fits-all approach is not the best approach to data security. Treating all data the same way is like saying I'm going to put the strongest lock on every door of my house, but whoever needs access, I'll just hand over the same key. Having a good data classification is paramount to your data protection strategy. We recommend four levels of classification - Critical, Confidential, Internal, and Public. This documentation describes the details.",
      "considerations": [
        "What is your data classification model?"
      ],
      "applicable": true,
      "adopted": true
    },
    {
      "id": "cp-data-handling",
      "file": "procedures/cp-data-handling.md",
      "name": "Data Handling Process",
      "type": "administrative",
      "provider": "JupiterOne",
      "function": [
        "data-protection",
        "data-encryption",
        "data-retention"
      ],
      "summary": "Data is handled according to its classification, including defined requirements for labeling, encryption, access control, retention and other applicable processes.",
      "guidance": "How data is handled, including the retention period and whether or not encryption of data is required, should be defined based on the company data classification model.",
      "considerations": [
        "Is the requirements matrix accurate?"
      ],
      "applicable": true,
      "adopted": true
    },
    {
      "id": "cp-data-lifecycle",
      "file": "procedures/cp-data-lifecycle.md",
      "name": "Data Inventory and Lifecycle Management",
      "type": "technical",
      "provider": "JupiterOne",
      "function": [
        "data-protection",
        "data-encryption",
        "data-retention"
      ],
      "summary": "Data is tagged according to its classification, and its lifecycle is defined. Transient and temporary data (or cache) is purged immediately after use.",
      "guidance": "Keep an up-to-date inventory for all of your data repositories, properly tag data according to their data classification. The lifecycle of data should be tracked from its creation to deletion.",
      "considerations": [
        "What are your company/systems data repositories?"
      ],
      "applicable": false,
      "adopted": false
    },
    {
      "id": "cp-data-backup",
      "file": "procedures/cp-data-backup.md",
      "name": "Data Backup and Recovery",
      "type": "technical",
      "provider": "AWS",
      "function": "data-backup",
      "summary": "All data critical to business operations, including customer data, source codes, business records and documents are backed up and fully recoverable.",
      "guidance": "AWS provides native backup and recovery capability for many of its services, such as DynamoDB, RDS, and EBS Volumes. For S3, you can copy data to a different S3 bucket in a different region/account.",
      "considerations": [
        "What are your company/system data repositories?"
      ],
      "applicable": true,
      "adopted": true,
      "resources": [
        {
          "name": "Look for data backup descriptions in the AWS Security Whitepaper",
          "link": "https://d1.awsstatic.com/whitepapers/Security/AWS_Security_Whitepaper.pdf"
        }
      ]
    },
    {
      "id": "cp-data-deletion",
      "file": "procedures/cp-data-deletion.md",
      "name": "Data Deletion Procedures",
      "type": "technical",
      "provider": "Shred and other secure deletion tools",
      "function": "data-retention",
      "summary": "Data is retained for designated periods of time according to regulatory and/or contractual requirements, and deleted when the retention period expires.",
      "guidance": "You should only keep data for as long as needed per business and/or regulatory requirements. A well defined process should be in place to securely delete data when necessary. For systems that you self manage, using a secure wipe utility such as Shred is usually sufficient. For data managed in the cloud, you should follow the documented procedures from the cloud service provider such as AWS.",
      "considerations": [
        "How long do you retain customer data?",
        "How long do you retain customer data after they leave?",
        "Do you store any sensitive data such as PII, PHI, or credit card/financial data?"
      ],
      "applicable": false,
      "adopted": false,
      "resources": [
        {
          "name": "shred - instructions",
          "link": "https://www.gnu.org/software/coreutils/manual/html_node/shred-invocation.html"
        }
      ]
    },
    {
      "id": "cp-data-protection",
      "file": "procedures/cp-data-protection.md",
      "name": "Data Protection Implementation and Processes",
      "type": "technical",
      "provider": "AWS",
      "function": "data-protection",
      "summary": "Data is protected according to its classification and storage capability, including encryption, access control, partitioning/separation, backup/recovery, and monitoring.",
      "guidance": "You need to properly document how data is protected according to its classification. This should cover controls such as encryption and access control for data at rest, data in transit, and data in use.",
      "considerations": [
        "Where is production data hosted?",
        "Are the standards/processes for Production Data accurate?",
        "What tool is used to monitor cloud resources?"
      ],
      "applicable": true,
      "adopted": true
    },
    {
      "id": "cp-data-protection-at-rest",
      "file": "procedures/cp-data-protection-at-rest.md",
      "name": "Protecting Data At Rest",
      "type": "technical",
      "provider": "AWS KMS and data encryption",
      "function": "data-encryption",
      "summary": "Sensitive and confidential data is encrypted when stored.",
      "guidance": "Data-at-rest refers to persistent data storage, including physical media such as laptop hard drives, virtual data volumes such as Elastic Block Store (EBS) in AWS, and logical data repository such as S3 Buckets in AWS. Strong encryption, typically AES-256, and key management is typically required to protect data-at-rest.",
      "applicable": true,
      "adopted": true
    },
    {
      "id": "cp-data-protection-in-transit",
      "file": "procedures/cp-data-protection-in-transit.md",
      "name": "Protecting Data In Transit",
      "type": "technical",
      "provider": "AWS ACM and TLS configuration",
      "function": [
        "TLS",
        "SFTP"
      ],
      "summary": "Sensitive and confidential data is encrypted when transmitted across networks.",
      "guidance": "Data-at-rest refers to data being transmitted from one system/service to another, either internally or across an open network (e.g. the Internet). Encryption is required, typically in the form of HTTPS/TLS, SSH or IPSec VPN.",
      "considerations": [
        "What encryption levels do you implement?",
        "What encryption services do you use?",
        "How frequently do you rotate encryption keys?"
      ],
      "applicable": true,
      "adopted": true
    },
    {
      "id": "cp-data-protection-in-use",
      "file": "procedures/cp-data-protection-in-use.md",
      "name": "Protecting Data In Use",
      "type": "technical",
      "provider": "AWS CloudTrail",
      "function": [
        "auditing",
        "monitoring"
      ],
      "summary": "Audit trail is enabled to monitor data access when in use.",
      "guidance": "Data-in-use refers to active data being processed by systems and applications. Application layer security capabilities and access control mechanisms typically apply.",
      "applicable": true,
      "adopted": true
    },
    {
      "id": "cp-data-protection-kms",
      "file": "procedures/cp-data-protection-kms.md",
      "name": "Encryption Key Management",
      "type": "technical",
      "provider": "AWS KMS",
      "function": "key-management",
      "summary": "Encryption key management process is implemented.",
      "guidance": "Encryption is only as strong as its associated key management process.",
      "considerations": [
        "What tooling do you use for encryption key management?"
      ],
      "applicable": true,
      "adopted": true
    },
    {
      "id": "cp-data-protection-cert",
      "file": "procedures/cp-data-protection-cert.md",
      "name": "Certificate Management",
      "type": "technical",
      "provider": "AWS ACM",
      "function": "certificate-management",
      "summary": "Certificate management process is in place to manage the lifecycle of web certificates (SSL/TLS) and application certificates.",
      "guidance": "SSL/TLS certificates should be managed and monitored.",
      "considerations": [
        "What tooling do you use for certificate management?"
      ],
      "applicable": true,
      "adopted": true
    },
    {
      "id": "cp-data-protection-integrity",
      "file": "procedures/cp-data-protection-integrity.md",
      "name": "Data Integrity Protection",
      "type": "technical",
      "provider": "AWS CloudTrail",
      "function": [
        "data-integrity",
        "FIM"
      ],
      "summary": "Data versioning, access control, auditing and deletion prevention is in place to protect the integrity of data, when appropriate.",
      "guidance": "There may be additional considerations for data integrity protection applicable to your applications and environments, in addition to data encryption.",
      "considerations": [
        "What tooling is used to protect the integrity of data?",
        "Do you store any sensitive data such as PII, PHI, or credit card/financial data?"
      ],
      "applicable": true,
      "adopted": true
    },
    {
      "id": "cp-sdlc-dev",
      "file": "procedures/cp-sdlc-dev.md",
      "name": "Software Development Process",
      "type": "technical",
      "provider": "code",
      "function": "secure-sdlc",
      "summary": "A secure software development process, coding standards, and release strategy is established to ensure security is built-in to the products and applications.",
      "guidance": "How do you ensure security in your product development lifecycle? There are specific controls such as static application security testing (code scanning) that are documented individually. Here, you need to start with documentation the overall software development process and standards your development team follows.",
      "considerations": [
        "What tooling do you use for continuous delivery of code?",
        "Do you store any sensitive data such as PII, PHI, or credit card/financial data?"
      ],
      "applicable": true,
      "adopted": true
    },
    {
      "id": "cp-sdlc-outsourcing",
      "file": "procedures/cp-sdlc-outsourcing.md",
      "name": "Outsourced Software Development",
      "type": "administrative",
      "provider": "vendor contract agreements",
      "function": "VRM",
      "summary": "Software development performed by contractors or outsourced vendors follow the same secure development standards and requirements.",
      "guidance": "If you leverage outsourced resources for software development, a formal set of requirements and processes must be established to ensure the quality and security of the product.",
      "applicable": true,
      "adopted": true
    },
    {
      "id": "cp-sdlc-scm",
      "file": "procedures/cp-sdlc-scm.md",
      "name": "Source Code Management",
      "type": "technical",
      "provider": "Github",
      "function": "SCM",
      "summary": "Source code management system with version control is used to maintain software codes",
      "guidance": "A source code management system such as GitHub, Bitbucket or GitLab should be used.",
      "applicable": true,
      "adopted": true
    },
    {
      "id": "cp-sdlc-appsec-req",
      "file": "procedures/cp-sdlc-appsec-req.md",
      "name": "High Level Application Security Requirements",
      "type": "technical",
      "provider": "code",
      "function": "appsec-requirements",
      "summary": "Application security requirements are defined following OWASP Top Ten best practices.",
      "guidance": "A set of high level application security requirements should be defined. This is the foundation for training your development team on secure coding, and it serves as the basis for security considerations throughout your product design. OWASP is referenced as a key part of the high level requirements.",
      "applicable": true,
      "adopted": true
    },
    {
      "id": "cp-sdlc-design",
      "file": "procedures/cp-sdlc-design.md",
      "name": "Secure Design and Application Threat Modeling",
      "type": "technical",
      "provider": "code",
      "function": "appsec-threat-modeling",
      "summary": "Security considerations are mandatory as part of new system design and feature development. Threat modeling, including data flow mapping and risk analysis for new systems/products/features, is jointly performed by security and development teams as needed.",
      "guidance": "Security should be built in to your application / product as early as possible, starting from the design phase. Proper security consideration and even formal threat modeling can help dramatically reduce risk around application logic flaws, that are difficult to uncover with any scanning software, often lead to significant adverse impact, and are the most costly to fix down the road.",
      "applicable": true,
      "adopted": true
    },
    {
      "id": "cp-sdlc-iaaa",
      "file": "procedures/cp-sdlc-iaaa.md",
      "name": "Access Control of the Application (Identification, Authentication, Authorization, Accounting)",
      "type": "technical",
      "provider": "AWS Cognito",
      "function": "user-management",
      "summary": "All external facing applications are required to have appropriate access control implementation to protect non-public user data.",
      "guidance": "If your organization develops external facing applications with access to customer data, such as PII/ePHI, you must implement and document mechanisms for user identification and access control.",
      "considerations": [
        "What tooling do you use for identity and access management?",
        "Do you allow for ABAC?",
        "Do you store any sensitive data such as PII, PHI, or credit card/financial data?"
      ],
      "applicable": true,
      "adopted": true
    },
    {
      "id": "cp-sdlc-foss",
      "file": "procedures/cp-sdlc-foss.md",
      "name": "Free and Open Source Software (FOSS) Security",
      "type": "technical",
      "provider": "Snyk",
      "function": "SCA",
      "summary": "A code analysis tool is in place to analyze open source components for potential security vulnerabilities and licensing issues.",
      "guidance": "Modern software development is much more than first party code. The open source dependencies used in your software application should be scanned for vulnerability to ensure they do not put your offerings and customers at risk. Our recommended solution to scan for open source package vulnerabilities and licensing issues is Snyk.io. Snyk's engine also powers Javascript libraries linting in Microsoft Sonar and Google Chrome browser.",
      "considerations": [
        "What tooling do you use to manage code dependencies and FOSS?"
      ],
      "applicable": false,
      "adopted": false
    },
    {
      "id": "cp-sdlc-sast",
      "file": "procedures/cp-sdlc-sast.md",
      "name": "Static Application Security Testing (SAST)",
      "type": "technical",
      "provider": "Lint and GitLeaks",
      "function": "SAST",
      "summary": "Static code scanning is performed automatically either as part of the DevOps pipeline or on a regular schedule to detect common flaws in code patterns, such as injection flaws, buffer overflows, and leaked secrets/credentials in code.",
      "guidance": "The software code written by your developers should be scanned for vulnerability before putting into production. Veracode, WhiteHat, Checkmarx, etc. are example solutions that support most modern programming languages such as Java, Javascript, Python, etc.",
      "considerations": [
        "What tooling do you use for SAST?"
      ],
      "applicable": false,
      "adopted": false
    },
    {
      "id": "cp-sdlc-dast",
      "file": "procedures/cp-sdlc-dast.md",
      "name": "Dynamic Application Security Testing (DAST)",
      "type": "technical",
      "provider": "OWASP ZAP",
      "function": "DAST",
      "summary": "Dynamic application scanning is performed by the security team.",
      "guidance": "In additional to static code analysis, a dynamic application scan should be performed regularly. This is a blackbox testing of the application from an external perspective. Suitable solutions for dynamic scanning include Tenable, Veracode, Rapid7, Qualys, and OWASP Zap. Keep in mind that dynamic application scanning helps uncover many vulnerabilities but it is not a replacement for application penetration testing.",
      "considerations": [
        "What tooling do you use for DAST?"
      ],
      "applicable": false,
      "adopted": false
    },
    {
      "id": "cp-sdlc-pentest",
      "file": "procedures/cp-sdlc-pentest.md",
      "name": "Application Penetration Testing",
      "type": "technical",
      "provider": "HackerOne",
      "function": "pen-test",
      "summary": "Penetration testing is performed for each product at least annually and with major feature changes.",
      "guidance": "An external penetration testing is performed at least once a year by a qualified security professional. Many compliance frameworks require this to be done by an external third party security vendor.",
      "applicable": true,
      "adopted": true
    },
    {
      "id": "cp-sdlc-bugbounty",
      "file": "procedures/cp-sdlc-bugbounty.md",
      "name": "Responsible Disclosure and Bug Bounty Program",
      "type": "technical",
      "provider": "HackerOne",
      "function": "bug-bounty",
      "summary": "Security team maintains an external/public bug bounty program to enable continuous security testing and vulnerability reporting across major external facing products.",
      "guidance": "We strongly recommend having a public vulnerability disclosure program, often known as bug bounty, to leverage crowd-sourced security researchers to perform continuous testing of your external-facing applications. HackerOne or BugCrowd are both good solutions. Or simply having an official vulnerability disclosure / bug reporting channel published on your website is a good start.",
      "considerations": [
        "What tooling do you use for a Bug Bounty Program?"
      ],
      "applicable": false,
      "adopted": false
    },
    {
      "id": "cp-sdlc-hipaa",
      "file": "procedures/cp-sdlc-hipaa.md",
      "name": "HIPAA Best Practices for Software Development",
      "type": "informational",
      "provider": "",
      "summary": "Developers are trained on requirements and best practices specific to HIPAA compliance and processing of sensitive health data.",
      "guidance": "Certain security and compliance best practices shall be communicated to the development teams, such as the requirement to use only HIPAA BAA eligible services to process ePHI in the Cloud.",
      "considerations": [
        "Is your organization subject to regulatory compliance such as HIPAA or FISMA?"
      ],
      "applicable": false,
      "adopted": false
    },
    {
      "id": "cp-sdlc-monitor",
      "file": "procedures/cp-sdlc-monitor.md",
      "name": "Production System Monitoring, Incident Management, and Paging",
      "type": "operational",
      "provider": "PagerDuty",
      "function": [
        "incident-management",
        "paging"
      ],
      "summary": "On call teams are set up to receive pager notifications when a failure or error occurs in production.",
      "guidance": "After systems and/or software is deployed into production, you should set up continuous monitoring to detect errors and failures and alert the corresponding team members.",
      "considerations": [
        "How is your on call team notified about major/critical error conditions?"
      ],
      "applicable": true,
      "adopted": true
    },
    {
      "id": "cp-ccm-config",
      "file": "procedures/cp-ccm-config.md",
      "name": "Configuration Management Processes",
      "type": "technical",
      "provider": "JupiterOne",
      "function": "config-management",
      "summary": "Configuration management processes are in place to provision systems and environments according to approved security standards.",
      "guidance": "There are many approaches to configuration management. Our recommendation for a Cloud/SaaS technology organization or team is to let the users manage the devices themselves, but provide them the requirements and automation scripts as necessary, and use an endpoint audit agent to check for compliance. JupiterOne provides a 'power-up' endpoint compliance agent that is based on Netflix's Stethoscope project. Osquery is a good alternative as well.",
      "considerations": [
        "What tooling do you use for configuration management?",
        "Which cloud service provider do you use?",
        "Which container management software do you use?"
      ],
      "applicable": true,
      "adopted": true
    },
    {
      "id": "cp-ccm-monitor",
      "file": "procedures/cp-ccm-monitor.md",
      "name": "Configuration Monitoring and Auditing",
      "type": "technical",
      "provider": "AWS CloudTrail",
      "function": [
        "config-monitoring",
        "config-auditing",
        "CMDB"
      ],
      "summary": "Monitoring software is used to monitor infrastructure and software for noncompliance with established configuration standards and security best practices.",
      "guidance": "Leverage a centralized CMDB to continuously monitor and audit against misconfigurations and configuration drifts to ensure security posture of your infrastructure and systems.",
      "applicable": true,
      "adopted": true
    },
    {
      "id": "cp-ccm-network",
      "file": "procedures/cp-ccm-network.md",
      "name": "Configuration and Management of Network Controls",
      "type": "technical",
      "provider": "CloudFormation",
      "function": "provisioning",
      "scope": "networks",
      "summary": "Network devices are configured to remove vendor default security configurations. Network layer security controls are in place to enable traffic filtering/monitoring for applicable environments.",
      "guidance": "You may have a combination of cloud and on-premise networks. Certain network layer security controls should be in place, such as firewalls for traffic filtering, Subnets/VLANs for segregation, IDS/IPS, etc. For traditional on-premise networks, these controls are typically physical or virtual appliances. In the Cloud, these are often infrastructure and platform services you should enable.",
      "considerations": [
        "Which cloud service provider do you use?"
      ],
      "applicable": true,
      "adopted": true
    },
    {
      "id": "cp-ccm-aws",
      "file": "procedures/cp-ccm-aws.md",
      "name": "Provisioning AWS Accounts",
      "type": "technical",
      "provider": "CloudFormation",
      "function": "provisioning",
      "scope": "aws",
      "summary": "AWS configuration is maintained as code and provisioned via automated code deploys.",
      "guidance": "Your cloud environment should be configured using multiple types of software-defined boundaries. The cloud infrastructure should be provisioned and managed as code. In AWS, this can be done via CloudFormation.",
      "considerations": [
        "Which cloud service provider do you use?"
      ],
      "applicable": true,
      "adopted": true
    },
    {
      "id": "cp-ccm-aws-deploy",
      "file": "procedures/cp-ccm-aws-deploy.md",
      "name": "Deploying Changes to AWS",
      "type": "technical",
      "provider": "CloudFormation",
      "function": "provisioning",
      "scope": "aws",
      "summary": "Cloud infrastructure changes and software code deploys follow a defined change request process with automated and/or manual reviews and approvals.",
      "guidance": "Infrastructure-as-code is a key element of Cloud DevOps. This procedure documents the details around process and automation for deploys into AWS environments, for both infrastructure changes and application changes.",
      "considerations": [
        "Which cloud service provider do you use?"
      ],
      "applicable": false,
      "adopted": false
    },
    {
      "id": "cp-ccm-patch",
      "file": "procedures/cp-ccm-patch.md",
      "name": "Patch Management Procedures",
      "type": "technical",
      "provider": "AWS Systems Manager",
      "function": "patch-management",
      "summary": "Operating systems on both end-user computing devices and server systems are required to maintain up-to-date security patches in an automated process.",
      "guidance": "The simplest way to ensure your end-user systems are patched is to enable auto-update.  You can use the same configuration compliance audit agent to ensure auto-update is turned on for all systems (Windows, macOS, Linux) in your environment. Additionally, for systems in AWS, the recommended solution is - don't patch, replace. Have a process to update your AMIs to the latest version when it's made available, and/or regularly update the AMIs approved to use in your production environment and ensure the new EC2 instances always use the latest approved AMIs.",
      "considerations": [
        "Which cloud service provider do you use?"
      ],
      "applicable": true,
      "adopted": true
    },
    {
      "id": "cp-ccm-prodcm",
      "file": "procedures/cp-ccm-prodcm.md",
      "name": "Production Deploy / Code Promotion Processes",
      "type": "technical",
      "provider": "code",
      "function": "change-management",
      "summary": "Code deploys to production require an approved change ticket with sufficent details about the code change.",
      "guidance": "Each production deploy should follow a defined process to ensure proper review, approval and traceability. This can be fully automated using the appropriate code integrated with your continuous integration / continuous deploy orchestration such as Jenkins or Travis CI.",
      "considerations": [
        "What are your production accounts and where are they located?"
      ],
      "applicable": true,
      "adopted": true
    },
    {
      "id": "cp-ccm-provision-prod",
      "file": "procedures/cp-ccm-provision-prod.md",
      "name": "Production Systems Provisioning",
      "type": "technical",
      "provider": "code",
      "function": "provisioning",
      "scope": "production",
      "summary": "Provisioning of any production system or resource requires a change request that is reviewed and approved by both engineering and security.",
      "guidance": "Defines the standards and processes for provisioning and promoting systems into production.",
      "considerations": [
        "How are new production systems provisioned?",
        "Do you store any sensitive data such as PII, PHI, or credit card/financial data?"
      ],
      "applicable": true,
      "adopted": true
    },
    {
      "id": "cp-ccm-provision-endpoint",
      "file": "procedures/cp-ccm-provision-endpoint.md",
      "name": "User Endpoint Security Controls and Configuration",
      "type": "technical",
      "provider": "code",
      "function": "provisioning",
      "scope": "endpoints",
      "summary": "End-user computing systems are configured with required baseline security controls including disk encyrption, unique user account and strong password policy, host firewall, screenlock protection, auto-update of security patches, and endpoint security agent for configuration monitoring and malware protection.",
      "guidance": "Define the security controls and configuration standards for end-user systems. A provisioning management system may be used, or this can be accomplished via a set of automation scripts that runs on each local system to handle the initial configuration.  For end-user systems that are self managed by each employee, you should provide them with the configuration standards and the automation scripts, if applicable.",
      "considerations": [
        "What security controls are applied to user endpoints?",
        "How long after inactivity before an endpoint is locked?"
      ],
      "applicable": true,
      "adopted": true
    },
    {
      "id": "cp-ccm-provision-server",
      "file": "procedures/cp-ccm-provision-server.md",
      "name": "Server Hardening Guidelines and Processes",
      "type": "technical",
      "provider": "code",
      "function": "provisioning",
      "scope": "servers",
      "summary": "Server systems are provisioned using pre-approved configurations or images approved by the security team.",
      "guidance": "Define the standards for provisioning and hardening a new server system based on its operating system and operating environment. A provisioning management system may be used, or this can be accomplished via a set of automation scripts that runs on each local system to handle the initial configuration.  For end-user systems that are self managed by each employee, you should provide them with the configuration standards and the automation scripts, if applicable.",
      "considerations": [
        "What are your hardening standards?"
      ],
      "applicable": true,
      "adopted": true
    },
    {
      "id": "cp-ccm-provision-mgmt",
      "file": "procedures/cp-ccm-provision-mgmt.md",
      "name": "Configuration and Provisioning of Management Systems",
      "type": "technical",
      "provider": "code",
      "function": "provisioning",
      "summary": "System management tools are provisioned following the same requirements and configurations as any production system.",
      "guidance": "Define the standards for provisioning and hardening a new system based on its operating system and operating environment. A provisioning management system may be used, or this can be accomplished via a set of automation scripts that runs on each local system to handle the initial configuration.  For end-user systems that are self managed by each employee, you should provide them with the configuration standards and the automation scripts, if applicable.",
      "applicable": true,
      "adopted": true
    },
    {
      "id": "cp-ccm-emergency",
      "file": "procedures/cp-ccm-emergency.md",
      "name": "Emergency Change",
      "type": "operational",
      "provider": "manual process",
      "function": "emergency-access",
      "summary": "An emergency change process is in place for break-glass procedure. Details of any emergency change are retroactively documented and approved.",
      "guidance": "Emergency conditions should be considered.  Should there be a need for an emergency change that cannot follow your typical change management process, this emergency process should be followed instead.",
      "considerations": [
        "How is your on call team notified about emergencies?",
        "What is your post emergency documentation process?"
      ],
      "applicable": true,
      "adopted": true
    },
    {
      "id": "cp-threat-hids",
      "file": "procedures/cp-threat-hids.md",
      "name": "Host Intrusion Detection",
      "type": "technical",
      "function": "HIDS",
      "provider": "AWS Inspector",
      "summary": "Host instrusion detection and malicious activity monitoring agents are installed on endpoint hosts and servers.",
      "guidance": "AWS Inspector is a native offering that covers vulnerability scanning of EC2 instances. For agent-based host intrusion detection, we recommend OSSEC agents as a basic open-source based solution. OSSEC supports a variety of operating systems both in the cloud and on-premise. A commercial solution may be needed for Docker containers activity monitoring. For Windows and macOS end-user systems, Carbon Black Cb Defense or SentinelOne are both good next-generation endpoint protection solutions that cover intrusion detection/prevention via advanced behavior analysis as well as malware protection.",
      "considerations": [
        "What tooling do you use for host based intrusion detection?"
      ],
      "applicable": true,
      "adopted": true
    },
    {
      "id": "cp-threat-nids",
      "file": "procedures/cp-threat-nids.md",
      "name": "Network Intrusion Detection",
      "type": "technical",
      "function": "NIDS",
      "provider": "AWS GuardDuty",
      "summary": "Network layer intrusion detection system is implemented.",
      "guidance": "AWS GuardDuty analyzes VPC flow logs, DNS logs, and CloudTrail logs for intrusion detection and threat monitoring at both the network and API layer. If you operate an internal on-premise network or your own data center, a network intrusion detection system is a must.",
      "considerations": [
        "What tooling do you use for intrusion detection on-premise?",
        "What tooling do you use for intrusion detection in the cloud?"
      ],
      "applicable": true,
      "adopted": true
    },
    {
      "id": "cp-threat-malware",
      "file": "procedures/cp-threat-malware.md",
      "name": "Malware Protection",
      "type": "technical",
      "provider": "Jamf Protect",
      "function": "AV",
      "summary": "Malware protection agent is installed and activated at all times on endpoint devices.",
      "guidance": "Anti-malware continue to be a compliance requirement, although traditional AV solutions have been proven to be ineffective against zero-day attacks and advanced malware. Modern operating systems usually come with some basic malware defense capability, such as Windows Defender. You may also consider something like ClamAV as a free, open-source solution to meet compliance needs. But for real security, we highly recommend a next generation endpoint protection solution such as Carbon Black Cb Defense or SentinelOne.",
      "considerations": [
        "What is your endpoint agent/anti-malware software?",
        "What is your scan configuration?"
      ],
      "applicable": true,
      "adopted": true
    },
    {
      "id": "cp-threat-firewall",
      "file": "procedures/cp-threat-firewall.md",
      "name": "Firewall Protection",
      "type": "technical",
      "provider": "AWS",
      "function": "firewall",
      "summary": "Firewall protection is enabled across network, host, and application layer.",
      "guidance": "Firewall protection should be enabled at the appropriate layers, including network, host and application.",
      "considerations": [
        "Which cloud service provider do you use?"
      ],
      "applicable": true,
      "adopted": true
    },
    {
      "id": "cp-threat-webapp",
      "file": "procedures/cp-threat-webapp.md",
      "name": "Web Application Protection",
      "type": "technical",
      "provider": "AWS (WAF, CloudFront and/or Shield)",
      "function": "WAF",
      "summary": "Web application firewall and denial-of-service protection is enabled for external facing applications.",
      "guidance": "If you have an external web application in your product portfolio, you should definitely consider deploying a web application firewall and protection against DDoS attacks.  Luckily, AWS has you covered with some native service offerings, including AWS WAF, CloudFront rate limiting, and AWS Shield.",
      "considerations": [
        "What tooling do you use for web application protection?"
      ],
      "applicable": true,
      "adopted": true
    },
    {
      "id": "cp-threat-intel",
      "file": "procedures/cp-threat-intel.md",
      "name": "Threat Intelligence Monitoring",
      "type": "operational",
      "provider": "RH-ISAC",
      "function": "threat-intel",
      "summary": "The security team subscribes to news, feeds, forums and special interests groups to receive updates on threat intel and updates on applicable regulations and compliance.",
      "guidance": "As part of your ongoing security operations, you need to be informed of new regulations, compliance requirements, as well as valuable external threat intel that might help your spot indicators of compromise in your own environments. A good source of intel is the various Sector-based Information Sharing and Analysis Centers (ISACs). For example, if you are in the healthcare industry, it is recommended for you to become a member of the National Health Information Sharing and Analysis Center (NH-ISAC).",
      "considerations": [
        "How do you monitor threat intelligence feeds?",
        "How do you monitor regulatory requirements updates?"
      ],
      "applicable": true,
      "adopted": true,
      "resources": [
        {
          "name": "National Council of ISACs",
          "link": "https://www.nationalisacs.org/"
        },
        {
          "name": "RH-ISAC",
          "link": "https://rhisac.org/"
        },
        {
          "name": "NH-ISAC",
          "link": "https://nhisac.org/"
        },
        {
          "name": "FS-ISAC",
          "link": "https://www.fsisac.com/"
        },
        {
          "name": "IT-ISAC",
          "link": "https://www.it-isac.org/"
        }
      ]
    },
    {
      "id": "cp-threat-siem",
      "file": "procedures/cp-threat-siem.md",
      "name": "Centralized Security Information and Event Management",
      "type": "technical",
      "provider": "AWS SecurityHub",
      "function": "SIEM",
      "summary": "Security events are logged and alerts are centrally aggregated for review and remediation.",
      "guidance": "JupiterOne provides excellent automated event analysis and alerting capability out of box. You may also choose to implement a centralized log management and/or security information and event management (SIEM) solution such as Splunk or Sumo Logic.",
      "applicable": true,
      "adopted": true
    },
    {
      "id": "cp-vuln-scan",
      "file": "procedures/cp-vuln-scan.md",
      "name": "Vulnerability Scanning and Infrastructure Security Testing",
      "type": "technical",
      "provider": "AWS Inspector",
      "function": "VAS",
      "summary": "Vulnerability scan is performed at least quarterly for all production systems.",
      "guidance": "Vulnerability scanning for your infrastructure (not applications) is a must. OpenVAS is an excellent open source solution that you can run yourself.",
      "considerations": [
        "Which cloud service provider do you use?",
        "What is your cadence/timing for scans and tests?",
        "How long are records and findings maintained?"
      ],
      "applicable": true,
      "adopted": true
    },
    {
      "id": "cp-vuln-remediation",
      "file": "procedures/cp-vuln-remediation.md",
      "name": "Security Findings Reporting, Tracking and Remediation",
      "type": "technical",
      "provider": "AWS SecurityHub",
      "function": "vulnerability-management",
      "summary": "All security vulnerability and findings (for both infrastructure and software) are prioritized and remediated based on its severity and impact, with a defined SLA.",
      "guidance": "Vulnerability findings can come from a variety of sources, such as open source dependency scanning, static application code analysis, dynamic application security testing, penetration testing, infrastructure vulnerability scanning, etc. Tracking the vulnerabilities and ensuring they are remediated in a timely manner can be an exhausting task if handled manually. JupiterOne can connect to the various vulnerability sources and help manage them in a consistent and automated manner. The vulnerability management program, including the detailed process and SLA levels, should be well defined.",
      "considerations": [
        "How long are records and findings maintained?",
        "What are your vulnerability SLAs?",
        "What is your process for resolving a finding?"
      ],
      "applicable": true,
      "adopted": true
    },
    {
      "id": "cp-mdm-disposal",
      "file": "procedures/cp-mdm-disposal.md",
      "name": "Media Disposal Process",
      "type": "technical",
      "provider": "manual process",
      "function": [
        "media-disposal",
        "shredding"
      ],
      "summary": "Media containing critical / sensitive data (such as PII or ePHI) is disposed securely.",
      "guidance": "You must ensure media containing critical / sensitive data (such as ePHI) is disposed of securely.",
      "considerations": [
        "Is your organization subject to regulatory compliance such as HIPAA or FISMA?"
      ],
      "applicable": true,
      "adopted": true
    },
    {
      "id": "cp-mdm-usb",
      "file": "procedures/cp-mdm-usb.md",
      "name": "Use of USB Flash Drive and External Storage Device",
      "type": "technical",
      "provider": "manual process",
      "function": "MDM",
      "summary": "Use of USB flash drive or similar removable storage device to store sensitive and critical data is prohibited and must be handled on an exception basis approved by security.",
      "guidance": "If removable media, such as USB flash drives, must be used to store sensitive data, security precautions must be taken. IronKey or similar devices that support hardware encryption is a good choice. However, it is much better to not to store any sensitive data on removable media devices to start with.",
      "considerations": [
        "Is data allowed on encrypted flash drives and what tooling is used?"
      ],
      "applicable": true,
      "adopted": true
    },
    {
      "id": "cp-mdm-byod",
      "file": "procedures/cp-mdm-byod.md",
      "name": "Support and Management of BYOD Devices",
      "type": "technical",
      "provider": "Jamf",
      "function": "MDM",
      "summary": "BYOD devices are not allowed to connect to production environments containing critical data.",
      "guidance": "You may not support bring-your-own-device (BYOD) for your employees.  If you do, a mobile device management (MDM) solution should be in place to properly manage them.  If you already use Google Workspaces as your IdP, they have a lightweight MDM solution you can enable from the same vendor. Alternatively, AirWatch or Jamf (Apple devices only) are also good solutions.",
      "considerations": [
        "What tooling is used for endpoint device management?",
        "Is BYOD allowed?"
      ],
      "applicable": true,
      "adopted": true
    },
    {
      "id": "cp-bcdr",
      "file": "procedures/cp-bcdr.md",
      "name": "BCDR Objectives and Roles",
      "type": "operational",
      "provider": "manual process",
      "function": "BCDR",
      "summary": "Management team develops contingency plans for assignment of responsibility for internal controls with clear objectives and roles.",
      "guidance": "You should have a plan and procedures for business continuity and disaster recovery. The process should be documented and tested. This is mostly a manual effort. First and foremost, clear objectives should be established and a team with specific roles and responsibilities should be assigned.",
      "considerations": [
        "Is your organization subject to regulatory compliance such as HIPAA or FISMA?"
      ],
      "applicable": true,
      "adopted": true
    },
    {
      "id": "cp-bcdr-recovery",
      "file": "procedures/cp-bcdr-recovery.md",
      "name": "General Disaster Recovery Procedures",
      "type": "operational",
      "provider": "manual process",
      "summary": "Disaster recovery procedures are defined to cover activation, recovery and reconstitution of critical controls and resources.",
      "guidance": "Document the DR procedures including notification of a disaster, activation of the DR process, recovery and reconstitution.",
      "considerations": [
        "Are the roles and responsibilities for general disaster recovery correct?",
        "What are your SLAs for disaster recovery?"
      ],
      "applicable": true,
      "adopted": true
    },
    {
      "id": "cp-bcdr-test",
      "file": "procedures/cp-bcdr-test.md",
      "name": "BCDR Testing and Maintenance",
      "type": "operational",
      "provider": "manual process",
      "summary": "Disaster recovery is tested annually via tabletop exercise and/or simulated tests.",
      "guidance": "The business continuity and disaster recovery plan and process should be regularly tested and maintained. This can be in the form of tabletop exercise, simulation and/or technical testing such as data restore.",
      "applicable": true,
      "adopted": true
    },
    {
      "id": "cp-bcdr-site",
      "file": "procedures/cp-bcdr-site.md",
      "name": "Work Site Recovery",
      "type": "operational",
      "provider": "manual process",
      "summary": "Remote working arrangements are in place.",
      "guidance": "You should include a process that describes how you recover from a physical disaster at a work site, or your own physical data center, if applicable.",
      "applicable": true,
      "adopted": true
    },
    {
      "id": "cp-bcdr-app",
      "file": "procedures/cp-bcdr-app.md",
      "name": "Application Service Event Recovery",
      "type": "operational",
      "provider": "manual process",
      "summary": "External applications are monitored for service interruptions or outages, and handled according to the impact and downtime of such events. Status page is set up for communicating any outage to customers.",
      "guidance": "You should include a process that describes how you recover from a service outage that impacts your application, including notification to users/customers.",
      "applicable": false,
      "adopted": false
    },
    {
      "id": "cp-bcdr-data",
      "file": "procedures/cp-bcdr-data.md",
      "name": "Production Environments and Data Recovery",
      "type": "operational",
      "provider": "manual process",
      "summary": "All resources and data from production environments are able to be reconstructed from code and recovered from backup.",
      "guidance": "You should include a process that describes how you recover your production environments and data.",
      "considerations": [
        "How is production data synchronized and stored?"
      ],
      "applicable": true,
      "adopted": true
    },
    {
      "id": "cp-ir-sirt",
      "file": "procedures/cp-ir-sirt.md",
      "name": "Security Incident Response Team (SIRT)",
      "type": "administrative",
      "provider": "manual process",
      "function": "SIRT",
      "summary": "Incident response team is established and assigned corresponding responsibilities.",
      "guidance": "To support incident response efforts, you should form a security incident response team. If you do not have dedicated security operations resources, this team can be made up with your engineering and DevOps resources. They are the go-to people when an inevitable incident occurs.",
      "applicable": true,
      "adopted": true
    },
    {
      "id": "cp-ir-process",
      "file": "procedures/cp-ir-process.md",
      "name": "Incident Management Process",
      "type": "operational",
      "provider": "manual process",
      "summary": "Incident response / escalation policies and processes are in place for incident reporting, triage, eradication, recovery, and postmortem analysis.",
      "guidance": "In the inevitable event of a security incident, you should have a tested process to follow instead of panicking at the moment of impact.",
      "considerations": [
        "What services do you use to raise alerts of an incident?",
        "Do you store any sensitive data such as PII, PHI, or credit card/financial data?",
        "Do you agree to the five-step process?"
      ],
      "applicable": true,
      "adopted": true
    },
    {
      "id": "cp-ir-playbook",
      "file": "procedures/cp-ir-playbook.md",
      "name": "Incident Categories and Playbooks",
      "type": "operational",
      "provider": "manual process",
      "summary": "Incident playbooks are created with detailed technical procedures to guide personnel in incident handling according to the incident classification and severity.",
      "guidance": "A set of playbooks are referenced here according to the defined categories of incident. This can be done manually by following the playbooks.  As your security practice matures, you may later consider implementing a dedicated incident response / forensic solution.",
      "considerations": [
        "Do you agree with the classifications?",
        "Do you agree with the security levels?",
        "Do you agree to the listed response procedures?",
        "Do you store any sensitive data such as PII, PHI, or credit card/financial data?"
      ],
      "applicable": true,
      "adopted": true
    },
    {
      "id": "cp-ir-emergency",
      "file": "procedures/cp-ir-emergency.md",
      "name": "Emergency Operations Mode",
      "type": "technical",
      "provider": "manual process",
      "summary": "Emergency operation procedure is in place to enable temporary break-glass operations when necessary.",
      "guidance": "If a security incident escalates into an emergency situation, you should have a set of pre-defined procedures to avoid unrecoverable data loss.",
      "considerations": [
        "What tooling do you use to control access to systems?"
      ],
      "applicable": true,
      "adopted": true
    },
    {
      "id": "cp-ir-tabletop",
      "file": "procedures/cp-ir-tabletop.md",
      "name": "Tabletop Exercise",
      "type": "operational",
      "provider": "manual process",
      "summary": "Tabletop exercises and/or simulated incident drills are performed at least annually to validate and update the incident response process.",
      "guidance": "Practice makes perfect. Perform drills according to incident response procedures, playbooks, and emergency procedures so that you know what to expect in an real event.",
      "applicable": true,
      "adopted": true
    },
    {
      "id": "cp-ir-records",
      "file": "procedures/cp-ir-records.md",
      "name": "Incident Tracking and Records",
      "type": "operational",
      "provider": "Jira",
      "summary": "Each incident is tracked with applicable attributes and notes, and the incident records are stored in an approved ticketing system.",
      "guidance": "Incidents should be tracked in a ticketing / record keeping system. This can be a dedicated incident management tool or just Jira. If Jira or similar ticket system is used, it's recommended to create a dedicated project and issue type (e.g. 'Incident') for this. The incident records can be consolidated into JupiterOne for reporting.",
      "applicable": true,
      "adopted": true
    },
    {
      "id": "cp-breach-investigate",
      "file": "procedures/cp-breach-investigate.md",
      "name": "Breach Investigation and Notification Process",
      "type": "operational",
      "provider": "manual process",
      "summary": "Investigation and notification process is in place to handle suspected and/or confirmed data breaches.",
      "guidance": "Wish for the best and prepare for the worst. In the unfortunate event that a breach occurs, you need to have defined procedures for the investigation and notification of such breach.",
      "considerations": [
        "Do you store any sensitive data such as PII, PHI, or credit card/financial data?",
        "What are your breach and notification SLAs?"
      ],
      "applicable": true,
      "adopted": true
    },
    {
      "id": "cp-breach-customer",
      "file": "procedures/cp-breach-customer.md",
      "name": "Platform Customer Responsibilities in a Possible Breach",
      "type": "informational",
      "provider": "",
      "summary": "Customer responsibilities are defined in the case of a breach related to or resulted from customer activities.",
      "guidance": "A breach is sometimes caused by the customer and not you. You should clearly define and communicate such responsibilities to your customers.",
      "considerations": [
        "Do you store any sensitive data such as PII, PHI, or credit card/financial data?",
        "What are your customer sensitive data disclosure SLAs?"
      ],
      "applicable": true,
      "adopted": true
    },
    {
      "id": "cp-breach-letter",
      "file": "procedures/cp-breach-letter.md",
      "name": "Sample Notification Letter to Customers in Case of Breach",
      "type": "informational",
      "provider": "",
      "summary": "Communication template is in place for external notification of a breach.",
      "guidance": "If a breach is confirmed, you are legally obligated to notify your customers.  A notification template helps your streamline this process.",
      "applicable": true,
      "adopted": true
    },
    {
      "id": "cp-breach-authorities",
      "file": "procedures/cp-breach-authorities.md",
      "name": "Points of Contact for Authorities",
      "type": "informational",
      "provider": "",
      "summary": "Data protection and privacy regulatory authority contacts are documented for timely response.",
      "guidance": "If a breach is confirmed, a reference for authority contacts can help begin the investigation process.",
      "considerations": [
        "What is your list of contacts for authorities?"
      ],
      "applicable": true,
      "adopted": true
    },
    {
      "id": "cp-vendor-vtr",
      "file": "procedures/cp-vendor-vtr.md",
      "name": "Vendor Risk Assessment",
      "type": "operational",
      "provider": "Google VSAQ",
      "summary": "Risk assessments are conducted prior to engaging a new technology vendor.",
      "guidance": "A technology risk review / security assessment should be conducted prior to engaging with a vendor that involves any type of data exchange, technical integration or professional services. There are a number of options on commercial IT Risk Vendor Management solutions. However, instead of jumping in on one of those, we recommend starting with Google's open-source Vendor Security Assessment Questionnaires (VSAQ). Its Github repo has detailed usage instructions.",
      "considerations": [
        "What tooling do you use for VTR assesments?"
      ],
      "applicable": true,
      "adopted": true,
      "resources": [
        {
          "name": "Google VSAQ",
          "link": "https://github.com/google/vsaq"
        },
        {
          "name": "Gartner Reviews for IT Risk Vendor Management",
          "link": "https://www.gartner.com/reviews/market/it-vendor-risk-management"
        }
      ]
    },
    {
      "id": "cp-vendor-contracts",
      "file": "procedures/cp-vendor-contracts.md",
      "name": "Vendor Contractual Agreements",
      "type": "administrative",
      "provider": "manual process",
      "summary": "Third party vendors are required to sign applicale contractual agreements, such as BAA (for HIPAA), DPA (for GDPR), SLA (for service providers), accepting their responsibilities to meet applicable data protection and privacy requirements.",
      "guidance": "Your vendors and subcontractors must meet certain legal and contractual requirements under regulations such as HIPAA - Business Associate Agreement (BAA), and GDPR - Data Processing Agreement (DPA).",
      "applicable": true,
      "adopted": true
    },
    {
      "id": "cp-vendor-monitor",
      "file": "procedures/cp-vendor-monitor.md",
      "name": "Vendor Risk Monitoring",
      "type": "administrative",
      "provider": "manual process",
      "summary": "Security and DevOps teams continue to monitor the risk levels and service status of applicable vendors, such as service providers and vendors with access to sensitive data.",
      "guidance": "Vendor risk management is a continuous process beyond the initial assessment/review. A continuous monitoring process should be established to review changes to a vendor's risk posture and service level.",
      "considerations": [
        "What is your cadence for reviewing vendor contracts?"
      ],
      "applicable": true,
      "adopted": true
    },
    {
      "id": "cp-vendor-ssa",
      "file": "procedures/cp-vendor-ssa.md",
      "name": "Software and Systems Acquisition Process",
      "type": "operational",
      "provider": "manual process",
      "summary": "A list of approved software applications and system vendors are in place, with approval process defined for additional acquisition requests.",
      "guidance": "You should maintain a list of approved software and vendors. A process should be defined and agreed on with your procurement lead for the acquisition of new system or software.",
      "applicable": true,
      "adopted": true
    },
    {
      "id": "cp-privacy-notices",
      "file": "procedures/cp-privacy-notices.md",
      "name": "Privacy, Terms and Consent Notices",
      "type": "administrative",
      "provider": "manual process",
      "summary": "The organization has published privacy policy and established user consent process for data processing, in line with applicable regulations.",
      "guidance": "Create and publish Privacy Policy, Notice of Privacy Practices, as well as Terms and Conditions for using your product, as applicable. Any change should be promptly and formally communicated to all customers.",
      "considerations": [
        "Where is your privacy policy published? (You can adopt ours)"
      ],
      "applicable": true,
      "adopted": true
    }
  ],
  "references": [
    {
      "id": "ref-employee-handbook",
      "file": "ref/employee-handbook.md",
      "name": "Employee Handbook",
      "applicable": true,
      "adopted": true
    },
    {
      "id": "ref-approved-software",
      "file": "ref/approved-software.md",
      "name": "Approved Software",
      "considerations": [
        "What software is approved for use in your organization?"
      ],
      "applicable": true,
      "adopted": true
    },
    {
      "id": "ref-approved-vendors",
      "file": "ref/approved-vendors.md",
      "name": "Approved Vendors",
      "considerations": [
        "Where is the list of your approved vendors maintained?"
      ],
      "applicable": true,
      "adopted": true
    },
    {
      "id": "ref-definitions",
      "file": "ref/definitions.md",
      "name": "Key Definitions",
      "applicable": true,
      "adopted": true
    },
    {
      "id": "ref-privacy-policy",
      "file": "ref/privacy-policy.md",
      "name": "Privacy Policy",
      "considerations": [
        "Is this Privacy Policy applicable?"
      ],
      "applicable": true,
      "adopted": true
    },
    {
      "id": "ref-cookie-policy",
      "file": "ref/cookie-policy.md",
      "name": "Cookie Policy",
      "applicable": true,
      "adopted": true
    },
    {
      "id": "ref-gdpr-dpa",
      "file": "ref/gdpr-dpa.md",
      "name": "GDPR Data Processing Agreement",
      "considerations": [
        "Is your organization subject to GDPR compliance? If not, remove/replace."
      ],
      "applicable": true,
      "adopted": true
    },
    {
      "id": "ref-hipaa-baa",
      "file": "ref/hipaa-baa.md",
      "name": "HIPAA Business Associate Agreement",
      "considerations": [
        "Is your organization subject to HIPAA compliance? If not, remove/replace."
      ],
      "applicable": false,
      "adopted": false
    },
    {
      "id": "ref-hipaa-mapping",
      "file": "ref/hipaa-mapping.md",
      "name": "HIPAA Controls Mapping",
      "considerations": [
        "Is your organization subject to HIPAA compliance? If not, remove/replace."
      ],
      "applicable": false,
      "adopted": false
    },
    {
      "id": "ref-nist-mapping",
      "file": "ref/nist-mapping.md",
      "name": "NIST Controls Mapping",
      "considerations": [
        "Is your organization subject to NIST compliance? If not, remove/replace."
      ],
      "applicable": false,
      "adopted": true
    },
    {
      "id": "ref-pci-dss-3-mapping",
      "file": "ref/pci-dss-3-mapping.md",
      "name": "PCI Controls Mapping",
      "considerations": [
        "Is your organization subject to PCI compliance? If not, remove/replace."
      ],
      "applicable": false,
      "adopted": true
    },
    {
      "id": "pci-charter",
      "file": "ref/pci-charter.md",
      "name": "PCI DSS Program Charter",
      "adopted": true
    },

    {
      "id": "ref-pci-certification",
      "file": "ref/pci-certification.md",
      "name": "Current PCI DSS AOC",
      "applicable": true,
      "adopted": true
    },
    {
      "id": "ref-responsible-disclosure",
      "file": "ref/responsible-disclosure.md",
      "name": "Responsible Disclosure Guidelines",
      "applicable": true,
      "adopted": true
    },
    {
      "id": "ref-pci-dss4-notes",
      "file": "ref/pci-dss4-notes.md",
      "name": "PCI DSS 4 Notes",
      "applicable": true,
      "adopted": true
    },
    {
      "id": "ref-pdf",
      "file": "ref/pdf.md",
      "name": "Complete PDF of this site",
      "applicable": true,
      "adopted": true
    }
  ]
}