Compliance at Splunk

A Service Organization Controls (SOC) 2 report is designed to provide assurance about the effectiveness of controls in place that is relevant to the security, availability, and confidentiality of the systems where customer data is processed. The SOC 2 control objectives are governed by the American Institute of Certified Public Accountants (AICPA) and the reports are inclusive of specified Splunk products utilized by our customers. For more information; see the Splunk Cloud Security Addendum.

On a semi-annual basis, specified Splunk products and services are reviewed and evaluated by an independent third-party auditor against the SOC 2 control objectives. Authorized users can access related documentation in the Customer Trust Portal.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a U.S. federal law that establishes data privacy and security requirements for organizations that are responsible for safeguarding individuals' protected health information (PHI). Under HIPAA, these organizations meet the definition of “covered entities” or “business associates.” Customers that are subject to HIPAA and want to utilize HIPAA compliant Splunk Cloud products in connection with PHI must review and accept Splunk’s Business Associate Agreement (BAA).

On an annual basis, specified Splunk products are reviewed and evaluated by an independent third-party auditor against the HIPAA requirements. Authorized users can access related documentation in the Customer Trust Portal.

The Payment Card Industry Security Standards Council (PCI SSC) developed one standard policy, the PCI Data Security Standards (PCI DSS) to ensure a baseline level of protection for consumers and vendors. All merchants and their service providers that store, process, or transmit cardholder data must be compliant with PCI DSS.

As a Level 1 PCI service provider, Splunk is required to undergo an Annual Compliance Report (ROC) by Qualified Security Assessor (QSA) or Internal Security Assessor and quarterly network scanning by an Approved Scanning Vendor (ASV). Authorized users can access related documentation in the Customer Trust Portal.

The Security, Trust, Assurance, and Risk (STAR) Registry is a publicly accessible registry that documents the security and privacy controls provided by popular cloud computing offerings. STAR encompasses the key principles of transparency, rigorous auditing, and harmonization of standards outlined in the Cloud Controls Matrix (CCM). For CSA STAR level 1, cloud providers submit the Consensus Assessments Initiative Questionnaire (CAIQ) to document compliance with the Cloud Controls Matrix (CCM).

On an annual basis, Splunk self-attests specified products against the CSA STAR Level 1 requirements and submits to the STAR registry. This information then becomes publicly available, promoting industry transparency and providing customer visibility into specific provider security practices.

The Security, Trust, Assurance, and Risk (STAR) Registry is a publicly accessible registry that documents the security and privacy controls provided by popular cloud computing offerings. STAR encompasses the key principles of transparency, rigorous auditing, and harmonization of standards outlined in the Cloud Controls Matrix (CCM). The CSA STAR Level 2 certification leverages the requirements of the ISO 27001:2013 management system standard together with the CSA CCM criteria.

On an annual basis, specified Splunk products are reviewed and evaluated by an independent third-party auditor against the CSA STAR Level 2 requirements. This information is submitted to the STAR registry then becomes publicly available, promoting industry transparency and providing customer visibility into specific Splunk security practices.

The U.S. Department of Defense (DoD) has information protection requirements that extend beyond the common set of requirements established by the Federal Risk and Authorization Management Program (FedRAMP) program. Using FedRAMP requirements as a foundation, the U.S. DoD has defined cloud computing security and compliance requirements in their DoD Cloud Computing Security Requirements Guide (SRG). Cloud service providers supporting U.S. DoD customers are required to comply with these requirements.

On an annual basis, specified Splunk products are assessed by an independent third-party auditor against the Impact Level 5 (IL5) requirements. DoD IL5 is a designation that includes high sensitivity controlled unclassified information (CUI) and mission data, along with Unclassified National Security Information (U-NSI).

The Federal Risk and Authorization Management Program (FedRAMP) is a U.S. Federal government program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. FedRAMP leverages a standardized set of requirements, established in accordance with the Federal Information Security Management Act (FISMA), to improve consistency and confidence in the security of cloud solutions. Cloud Service Providers (CSP) that support U.S. government customers or operate on U.S. government information are responsible for complying with the requirements established by the FedRAMP program.

On an annual basis, specified Splunk products are assessed by an independent third-party auditor against the FedRAMP Moderate requirements, see Splunk’s FedRAMP authorizations.

StateRAMP is a non-profit, 501(c)6 membership organization that brings U.S. state and local governments, educational institutions, and special districts with the cloud service providers (CSP) who serve them and to promote best cyber practices and to establish a common set of security criteria. Similar to the Federal Risk Authorization Management Program (FedRAMP), StateRAMP established a certification program which verifies CPSs meet the controls for National Institute of Standards and Technology (NIST) Special Publication 800- 53 by impact level.

On an annual basis, specified Splunk products are assessed by an independent third-party auditor against the StateRAMP moderate impact level requirements, see the StateRAMP product list.

Splunk Enterprise, Splunk Cloud Platform FedRAMP and Splunk Cloud Platform IL5 leverage the FIPS 140-2 validated Splunk Cryptographic Module for the protection of sensitive information when deployed on any compliant operating system. The Splunk cryptographic module achieved Federal Information Processing Standard 140-2 validation.

Splunk Enterprise is Common Criteria certified by National Information Assurance Partnership (NIAP). This certification facilitates the use of Splunk Enterprise by Government Agencies requiring products that meet the Common Criteria security standard. Additional details are available on the NIAP Product Compliant List website.