How JupiterOne's Security Team Manages "Meeting Evidence" as Code

If you're anything like me (which I hope you're not), or let's say if you're anything like my mind, you spend 75% of your time overthinking. You reach for the closest pen and paper to write down a thought before it becomes obsolete, or you'll write it down in some app on your phone. My brain will jump from baking cookies to, "I really need to learn sign language", to "I need to read the next chapter of 'Modern Cybersecurity, Tales from the Near Distant Future'", all in the span of two seconds. Then one ... two ... poof! My brain hits eject and I'm back to reality questioning what I was doing.

Situations would arise in which those notes could have benefited me, but because my thoughts weren't housed in one place, I'd spend an excessive amount of time locating the information. This could be bothersome, but over the years I've learned to organize my thoughts in a more practical manner.

All this brings me to my point: the importance of proper documentation methods. New regulations around security and data privacy are constantly being implemented to manage ongoing cyber threats. These regulations have led to frameworks such as SOC 2 and NIST, which require companies to provide evidence that their policies and processes comply with the framework's requirements.

The Problem with Providing Audit Evidence of Meetings

Auditors will always want to see evidence of meetings as part of the audit evidence for any framework, from PCI DSS to ISO 27001 to SOC 2. Each audit framework requires a set of meetings: most frameworks require regular security meetings, ISO requires executive leadership meetings, and PCI DSS requires a "charter meeting."

Without a work-around like the one described below, it's time consuming to provide this evidence to auditors, forcing you to go through the team's Google Calendar and take a million screenshots.

Jasmine Henry was a pretty decent JupiterOne user before she worked here, but she didn't know about the work-around the J1 team uses for managing evidence. Between screenshots of Google Calendar, Confluence pages with meeting agendas, and Zoom screenshots, she spent as much as 12 hours gathering meeting evidence for auditors in order to 'prove' the list of who attended.

How to Provide Meeting Evidence as Code

The JupiterOne security team manages evidence of meetings by creating and storing the evidence as code. We do this by submitting meeting notes as an update to a markdown document and then merging them using a pull request on GitHub. One approving review from a meeting attendee is needed to merge the pull request into the security meeting repository's main branch. Doing this creates searchable artifacts in JupiterOne of our weekly meetings, along with a timestamp of when updates occur.

This streamlined approach makes it easier to track and manage evidence for security assessments and regulatory audits. It's a clever tactic that has proved beneficial in many ways. 

As an example, here is an overview of our GitHub security tracking repository:

[Screenshot: overview of the GitHub security tracking repository (2022-02-07 Meeting Evidence as Code - JupiterOne)]

The security team member who is currently on-call is responsible for taking notes and for creating a PR in GitHub. 

[Screenshot: pull request with the on-call team member's meeting notes]

One approving review from a team member is needed to merge the pull request into the main branch. 

[Screenshot: approving review required before the pull request can be merged]
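To make the merge gate concrete, here is an added example (not JupiterOne's own code and not from the original post) of a pre-merge check a CI job could run over a meeting-note markdown file: it confirms the required header fields are present and well-formed, checks that at least one approving reviewer is a listed attendee, and flattens the note into a record ready to be pushed to a search or graph store. The note layout (a `Date` / `Attendees` / `Note taker` header followed by `##` sections) and the output field names are assumptions made for this example; JupiterOne's real entity schema is not shown on the page.

```python
"""Pre-merge check for meeting-evidence markdown notes (added example).

Assumptions (not from the original post): each note carries a short header
of "- Key: value" lines followed by "## " sections, and the output record
shape is constructed here rather than taken from JupiterOne's schema.
"""
import re
from datetime import date

# Constructed sample note in the shape this checker expects.
SAMPLE_NOTE = """# Security Team Weekly Meeting

- Date: 2022-02-07
- Attendees: alice, bob, carol
- Note taker: alice

## Agenda
- Review open findings
- Vulnerability management update

## Decisions
- Rotate on-call weekly
"""

REQUIRED_FIELDS = ("Date", "Attendees", "Note taker")
# Header lines look like "- Date: 2022-02-07"; only the part before the first "## " is scanned.
FIELD_RE = re.compile(r"^- (?P<key>[A-Za-z ]+):\s*(?P<value>.+?)\s*$", re.MULTILINE)


def _split_list(value: str) -> list[str]:
    """Turn 'alice, bob, carol' into ['alice', 'bob', 'carol']."""
    return [item.strip() for item in value.split(",") if item.strip()]


def parse_note(markdown: str) -> dict:
    """Parse the header fields and the bullet items under each ## section."""
    header, *sections = markdown.split("\n## ")
    fields = {m.group("key"): m.group("value") for m in FIELD_RE.finditer(header)}
    body = {}
    for section in sections:
        title, _, text = section.partition("\n")
        body[title.strip()] = [
            line[2:].strip() for line in text.splitlines() if line.startswith("- ")
        ]
    return {"fields": fields, "sections": body}


def validate_note(markdown: str) -> list[str]:
    """Return a list of problems; an empty list means the note may be merged."""
    problems = []
    fields = parse_note(markdown)["fields"]
    for name in REQUIRED_FIELDS:
        if name not in fields:
            problems.append(f"missing required field: {name}")
    if "Date" in fields:
        try:
            date.fromisoformat(fields["Date"])
        except ValueError:
            problems.append(f"Date is not YYYY-MM-DD: {fields['Date']!r}")
    attendees = _split_list(fields.get("Attendees", ""))
    if "Attendees" in fields and not attendees:
        problems.append("Attendees list is empty")
    taker = fields.get("Note taker")
    if taker and attendees and taker not in attendees:
        # Assumption for this example: the note taker must also be an attendee.
        problems.append(f"Note taker {taker!r} is not listed as an attendee")
    return problems


def approval_satisfied(markdown: str, approvers: list[str]) -> bool:
    """True when at least one approving reviewer is a listed attendee."""
    attendees = set(_split_list(parse_note(markdown)["fields"].get("Attendees", "")))
    return any(reviewer in attendees for reviewer in approvers)


def to_evidence_record(markdown: str, commit_sha: str) -> dict:
    """Flatten a note into a record for a search/graph store.

    Key names are constructed for this example, not JupiterOne's schema.
    """
    parsed = parse_note(markdown)
    fields = parsed["fields"]
    return {
        "type": "security_meeting",
        "date": fields.get("Date"),
        "attendees": _split_list(fields.get("Attendees", "")),
        "noteTaker": fields.get("Note taker"),
        "agenda": parsed["sections"].get("Agenda", []),
        "decisions": parsed["sections"].get("Decisions", []),
        "sourceCommit": commit_sha,
    }


if __name__ == "__main__":
    import json
    import sys

    problems = validate_note(SAMPLE_NOTE)
    if problems:
        print("\n".join(problems))
        sys.exit(1)
    print(json.dumps(to_evidence_record(SAMPLE_NOTE, "<commit sha placeholder>"), indent=2))
```

Run as a CI step, a non-zero exit blocks the merge until the note carries the fields an auditor will later ask for, and the emitted record gives the commit SHA of the merged note as its timestamped provenance.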

How to Retrieve Meeting Evidence Via JupiterOne

Here is a screenshot of using JupiterOne to search for meeting evidence, showing both the query you type in and the results.

[Screenshot: JupiterOne query for meeting evidence]

Results:

[Screenshot: query results]

Conclusion

This is an approach that can be used for nearly ANYTHING that JupiterOne can ingest. Even if JupiterOne doesn't have an integration to automatically pull metadata from a certain data source (like GitHub), users can still use the API to push entities into the graph for custom data sets that they want to be searchable.

Theoretically, all evidence necessary to complete any audit should be consumable and representable in the graph. That makes it a one-stop shop for compliance, reducing work hours and complexity while increasing auditors' confidence in your adherence to standards, policies, and controls.

Want to take things one step further? Learn how to automate some of these steps in this blog.

Yvie Djieya

Yvie is a Cybersecurity Assurance and Risk Analyst at Jupiter One with a passion for teamwork, technology, as well as diversity and inclusion. She is also a baking enthusiast, and an avid lover of the arts and Afrobeats. Her background is in data privacy and healthcare management.
