Last Updated: 10/30/2018
JASP Security Policy
JASP is built by Jemurai. Jemurai has the following open, published security policies that apply across the firm including the teams building and supporting JASP: https://github.com/jemurai/policy.
This policy set includes the following:
- Privacy Policy
- Asset Management Policy
- Identity and Access Management Policy
- Acceptable Use Policy
- Data Classification, Confidentiality and Encryption Policy
- Network Security Policy
- Application Security Policy
- Systems Security Policy
- Partner Security Policy
- Physical Security Policy
- Business Continuity Policy
- Risk Assessment and Management Policy
- Incident Response Policy
JASP Specific Security Policy
In addition to the above policies, JASP has specific data security requirements for which we provide specific security policy direction.
JASP Data Protection
The JASP system contains data that we consider the highest tier of criticality per our Data Classification Policy. Specifically, all of the following are considered SECRET and must be encrypted at rest and in transit.
- Users' passwords
- Client AWS credentials
- JASP client encryption keys
This explicitly means that:
- All communication to JASP must be over TLS (HTTPS)
- All databases are encrypted
- Any transmission of client credentials is encrypted with a client-specific key
- All encryption is reviewed by industry experts
JASP Access Controls
- JASP will only ever request read access to client environments.
- Only specific operational leads have access to deploy JASP or manage the production environment.
- Only specific research team members have access to read a client’s specific findings in JASP and only for the purpose of providing support and remediation assistance.
JASP Logging and Auditing
- Access to JASP functions and privileged actions are written to audit tables for visibility and review.
- Access controls are verified through log review.