Last Updated: 10/30/2018

JASP Security Policy

JASP is built by Jemurai. Jemurai has the following open, published security policies that apply across the firm including the teams building and supporting JASP: https://github.com/jemurai/policy.

This policy set includes the following:

  • Privacy Policy
  • Asset Management Policy
  • Identity and Access Management Policy
  • Acceptable Use Policy
  • Data Classification, Confidentiality and Encryption Policy
  • Network Security Policy
  • Application Security Policy
  • Systems Security Policy
  • Partner Security Policy
  • Physical Security Policy
  • Business Continuity Policy
  • Risk Assessment and Management Policy
  • Incident Response Policy

JASP Specific Security Policy

In addition to the above policies, JASP has specific data security requirements for which we provide specific security policy direction.

JASP Data Protection

The JASP system contains data that we consider the highest tier of criticality per our Data Classification Policy. Specifically, all of the following are considered SECRET and must be encrypted at rest and in transit.

  1. User’s passwords
  2. Client AWS credentials
  3. JASP client encryption keys

This explicitly means that:

  • All communication to JASP must be over TLS (HTTPS)
  • All databases are encrypted
  • Any transmission of client credentials is encrypted with a client specific key
  • All encryption is reviewed by industry experts

JASP Access Controls

  • JASP will only ever request read access to client environments.
  • Only specific operational leads have access to deploy JASP or manage the production environment.
  • Only specific research team members have access to read a client’s specific findings in JASP and only for the purpose of providing support and remediation assistance.

JASP Logging and Auditing

  • Access to JASP functions and privileged actions are written to audit tables for visibility and review.
  • Access controls are verified through log review.