Company Background
Jemurai is a security firm. We advise clients about security, primarily focused on application and cloud security. We also make securityprogram.io, an online system for building and running a standards-aligned security program. We have been in business for 12+ years. Check us out on LinkedIn.
The Data We Have and What We Do With It
In our SecurityProgram.io system, we hold information about company users (name, email) and company cybersecurity posture, including risks, policies, security task completion, user audit information and vuln scan information. We never share or sell data from our systems. Period.
Subprocessors
- Google: used for email and documents as shared with prospects and customers.
- AWS
- Heroku (Salesforce)
- Auth0 (Okta)
Security Program
Our security program is based on NIST 800-53 R5 with mappings to SOC 2, ISO 27001, NIST CSF and other frameworks. Our policies cover all FISMA Moderate level controls, and we use the securityprogram.io system to help us make sure we are doing the work to meet our policy.
Compliance and Documentation
We can provide a CAIQ, SIG Lite, HECVAT and Scan Summary upon request. We do not allow automatic downloads of any artifacts due to common abuse of this ability, but reach out and we will respond to any and all credible inquiries.
Security Areas
- Background Checks: comprehensive criminal background checks are performed on hire.
- Confidentiality Agreements: all employees sign confidentiality agreements.
- Security Training: all employees receive general and role-specific security training.
- Data Encrypted In Transit (TLS 1.2+): TLS 1.2+ is used throughout our infrastructure.
- Data Encrypted At Rest (AES-256): data is encrypted at rest with platform-provided standard implementations of AES-256.
- Customer Passwords (SSO or Auth0): protecting passwords is so important, we left it to the experts.
- Least Privilege: only a small number of team members with a need to know have access to production systems.
- MFA for Admin Access: all critical systems require MFA.
- Role Based Access Control: roles are used to determine access.
- Clean Desk: a clean desk, clear screen policy ensures we don't leak secrets.
- Data in Proven Data Centers: AWS, Google and Microsoft provide infrastructure for all of our prod systems.
- Vendors Tiered and Reviewed: vendors are assessed based on risk and tracked.
- Annual Review: vendors are re-reviewed annually.
- Endpoint Detection and Response: TLS 1.2+ is used throughout our infrastructure.
- Patching: all patches are applied according to policy, critical within 72 hours.
- Configuration Management: devices have secure settings (disk encryption, screen lock, local firewall).
- Platform Tooling: we leverage cloud-provided tools (e.g. GuardDuty) where applicable.
- Security Analysis Tools: we use additional tools (e.g. Steampipe CIS Benchmarks) to analyze our cloud security posture.
- Infrastructure as Code: we use code or automation to build environments and infrastructure.
- Code In SCM: source code management ensures we can always get back to any version of code that is deployed.
- Change Control: pushing to production requires a second review and approval.
- Security Automation: we leverage SCA, SAST and DAST tools for our systems.
- Vulnerability Scanning: quarterly vuln scanning is done to identify any potential vulnerabilities in our infrastructure.
- Penetration Testing: we perform annual penetration testing against our systems.
- Risk Assessment: we perform annual risk assessments that include architecture review, threat modeling, risk tables, cross-checking with current risks and assessing recommendations that would make the program more robust.
- IR Plan: we have a documented incident response plan.
- Tabletops: we perform semi-annual IR tabletops to test our gathering and communication protocols.
- Notification Plan: we have a plan for how and when we will notify customers about incidents.
- BCP Plan: we have a documented business continuity plan that details how we identify critical systems, fail them over and communicate about all of that.
- Resilient Infrastructure: our infrastructure is designed around cloud-based services with strong availability and backup capabilities.
- BCP Tests: we perform annual BCP tests where we ensure the platform infrastructure performs as we would expect.
- DNS, WAF and DDoS: we leverage Cloudflare for DNS, WAF and DDoS protection.
- Server Firewalls: we leverage Heroku and AWS for firewalls. We scan them and test via configuration review.
- Local Firewalls: we leverage our OS provider for local firewalls and experiment with alternative options.