Effective Date: May 2020
SPLUNK CLOUD SECURITY ADDENDUM
This Splunk Cloud Security Addendum (CSA) sets forth the administrative, technical and physical safeguards Splunk takes to protect Customer Content in Splunk Cloud (Security Program). Splunk may update this CSA from time to time to reflect changes in Splunk’s security posture, provided such changes do not materially diminish the level of security herein provided.
This CSA is made a part of your Splunk General Terms (Agreement) and any capitalized terms used but not defined herein shall have the meaning set forth in the Agreement or Documentation, as applicable. In the event of any conflict between the terms of the Agreement and this CSA, this CSA will control. This CSA applies to Splunk Cloud environments initially provisioned on or after the Effective Date and does not apply to Splunk Cloud subscriptions purchased or acquired through Splunk.com, including without limitation Trial or Beta Services.
- 1. Purpose
1.1 This CSA describes the minimum information security standards that Splunk maintains to protect Customer Content. Requirements in this CSA are in addition to any requirements in the Agreement.
1.2 The CSA is reasonably designed to protect the confidentiality, integrity and availability of Customer Content against anticipated or actual threats or hazards; unauthorized or unlawful access, use, disclosure, alteration or destruction; and accidental loss, destruction or damage in accordance with laws applicable to the provision of the Service.
2. Splunk Security Program
2.1 Scope and Content. Splunk Security Program: (a) complies with industry recognized information security standards; (b) includes administrative, technical and physical safeguards reasonably designed to protect the confidentiality, integrity and availability of Customer Content; and (c) is appropriate to the nature, size and complexity of Splunk’s business operations.
2.2 Security Policies, Standards and Procedures. Splunk maintains security policies, standards and procedures (collectively, Security Policies) designed to safeguard the processing of Customer Content by employees and contractors in accordance with this CSA.
2.3 Security Program Office. Splunk’s Chief Information Security Officer leads Splunk’s Security Program and develops, reviews and approves (together with other stakeholders such as Legal and Internal Audit) Splunk’s Security Policies.
2.4 Security Program Updates. Splunk Security Program Policies are available to employees via the corporate intranet. Splunk reviews, updates and approves Security Policies once annually to maintain their continuing relevance and accuracy. Employees receive information and education about Splunk’s Security Policies during onboarding and annually thereafter.
2.5 Security Training and Awareness. New employees are required to complete security training as part of the new hire process and receive annual and targeted training (as needed and appropriate to their role) thereafter to help maintain compliance with Splunk’s Security Policies, as well as other corporate policies, such as the Splunk Code of Conduct. This includes requiring Splunk employees to annually re-acknowledge the Code of Conduct and other Splunk policies as appropriate. Splunk conducts periodic security awareness campaigns to educate personnel about their responsibilities and provide guidance to create and maintain a secure workplace.
3. Risk Management
3.1 Splunk has a security risk assessment program and management process to identify potential threats to the organization.
3.2 Splunk management rates and reviews identified, material risks to determine if existing controls, policies and procedures are adequate. Risk mitigation plans are implemented as needed to address material gaps considering the nature of Splunk’s business and the information it stores.
4. Change Management
4.1 Splunk deploys changes to the Services during maintenance windows, details of which are posted to the Splunk website or communicated to customers as set forth in the Splunk Cloud Service Maintenance Policy.
4.2 Splunk follows documented change management policies and procedures for requesting, testing and approving application, infrastructure and product related changes.
4.3 Changes undergo appropriate levels of review and testing, including security and code reviews, regression testing and user acceptance prior to approval for implementation.
4.4 Software development and testing environments are maintained and logically separated from the production environment.
- 5. Incident Response and Breach Notification
5.1 Splunk has an incident response plan (the Splunk Incident Response Framework or SIRF) and team to assess, respond, contain and remediate (as appropriate) identified security issues, regardless of their nature (e.g., physical, cyber, product). Splunk reviews and updates the SIRF once annually to reflect emerging risks and “lessons learned.”
5.2 Splunk notifies Customers without undue delay after becoming aware of a Data Breach. As used herein, Data Breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Customer Content under the applicable Agreement, including Personal Data as defined under the General Data Protection Regulation (EU) 2016/679 (GDPR), while being transmitted, stored or otherwise processed by Splunk.
5.3 In the event of a Data Breach involving Personal Data under the GDPR, if customer reasonably determines notification is required by law, Splunk will provide reasonable assistance to the extent required for the Customer to comply with applicable data breach notification laws, including assistance in notifying the relevant supervisory authority and providing a description of the Data Breach.
5.4 In the event of a conflict between the breach notification provisions in this CSA and those set forth in an applicable Business Associate Agreement (BAA) with Splunk, the BAA breach notification terms will apply.
6. Governance and Audit
6.1 Splunk conducts internal control assessments on an ongoing basis to validate that controls are designed and operating effectively. Issues identified from assessments are documented, tracked and remediated as appropriate.
6.2 Third party assessments are performed as part of our onboarding process and periodically thereafter to validate ongoing governance of control operations and effectiveness. Issues identified are documented, tracked and remediated as appropriate.
7. Access and User Management
7.1 Splunk implements reasonable controls to manage user authentication for employees or contractors with access to Customer Content, including without limitation, assigning each employee or contractor with unique and/or time limited user authorization credentials for access to any system on which Customer Content is accessed and prohibiting employees or contractors from sharing their user authorization credentials.
7.2 Splunk allocates system privileges and permissions to users or groups on a “least privilege” principle and reviews user access lists and permissions on a quarterly basis, at minimum.
7.3 New users must be pre-approved before Splunk grants access to Splunk corporate and cloud networks and systems. Pre-approval is also required before changing existing user access rights.
7.4 Splunk promptly disables application, platform and network access for terminated users upon notification of termination.
8. Password Management and Authentication Controls
8.1 Authorized users must identify and authenticate to the network, applications and platforms using their user ID and password. Splunk’s enterprise password management system requires minimum password parameters.
8.2 SSH key authentication and enterprise password management applications are utilized to manage access to the production environment.
8.3 Two-factor authentication (2FA) is required for remote access and privileged account access for Customer Content production systems.
9. Encryption and Key Management
9.1 Splunk uses industry-standard encryption techniques to encrypt Customer Content in transit. The Splunk System is configured by default to encrypt user data files using transport layer security (TLS) encryption for web communication sessions.
9.2 Splunk relies on policy controls to help ensure sensitive information is not transmitted over the Internet or other public communications unless it is encrypted in transit.
9.3 Where applicable, Splunk uses encryption at rest with a minimum encryption protocol of Advanced Encryption Standard (AES) 256-bit encryption.
9.4 Splunk uses encryption key management processes to help ensure the secure generation, storage, distribution and destruction of encryption keys.
10. Threat and Vulnerability Management
10.1 Splunk has a Threat and Vulnerability Management (TVM) program to continuously monitor for vulnerabilities that are acknowledged by vendors, reported by researchers or discovered internally through vulnerability scans, Red Team activities or personnel identification.
10.2 Splunk documents vulnerabilities and ranks them based on severity level as determined by the likelihood and impact ratings assigned by TVM. Splunk assigns appropriate team(s) to conduct remediation and track progress to resolution as needed.
10.3 For systems containing Customer Content, an external vendor conducts security penetration tests on the corporate and cloud environments at least annually to detect network and application security vulnerabilities. Critical findings from these tests are evaluated, documented and assigned to the appropriate teams for remediation. In addition, Splunk conducts internal penetration tests quarterly and remediates findings as appropriate.
11. Logging and Monitoring
11.1 Splunk continuously monitors application, infrastructure, network, data storage space and system performance.
11.2 The Splunk Security Team reviews key reports daily and follows up on events as necessary.
12. Secure Development
12.1 Splunk’s Software Development Life Cycle (SDLC) methodology governs the acquisition, development, implementation, configuration, maintenance, modification, and management of software components.
12.2 For major product releases, Splunk uses a risk-based approach when applying its standard SDLC methodology, which may include such things as performing security architecture reviews, open source security scans, dynamic application security testing, network vulnerability scans and external penetration testing in the development environment. Splunk performs security code review for critical features if needed; and performs code review for all features in the development environment. Splunk scans packaged software to ensure it’s free from trojans, viruses, malware and other malicious threats.
12.3 Splunk utilizes a code versioning control system to maintain the integrity and security of application source code. Access privileges to the source code repository are reviewed periodically and limited to authorized employees.
12.4 The SDLC methodology does not apply to free Applications developed by Splunk or to Third Party Content, including any made available on splunkbase.com. For information on the inspection process for applications available on splunkbase.com, see AppInspect.
13. Network Security
13.1 Splunk uses industry standard technologies to prevent unauthorized access or compromise of Splunk’s network, servers or applications, which include such things as logical and physical controls to segment data, systems and networks according to risk. Splunk monitors demarcation points used to restrict access such as firewalls and security group enforcement points.
13.2 Remote users must authenticate with two-factor authentication prior to accessing Splunk networks containing Customer Content.
14. Vendor Security
14.1 Splunk’s vendor management team assesses risks associated with new vendors prior to onboarding and thereafter manages them through its risk management program. The vendor management team employs a risk-based vendor scoring model to monitor third-party risk.
14.2 Confidential Information is shared only with those who are subject to appropriate confidentiality terms with Splunk.
14.3 Splunk uses a risk-based approach to verify on-going vendor compliance with Splunk’s Security Policies.
15. Physical Security
15.1 Splunk grants physical access to Splunk facilities (including data centers where necessary) based on role. Splunk removes physical access when access is no longer required, including upon termination.
15.2 Personnel must carry, and visitors must wear, identity badges when in Splunk facilities. Visitors must always be accompanied. Splunk logs visitor access to Splunk facilities. Splunk reviews data center physical access, including remote access, on a quarterly basis to confirm that access is restricted to authorized personnel.
16. Disaster Recovery Plan
16.1 Splunk has a written Disaster Recovery Plan to manage significant disruptions to Splunk Cloud operations and infrastructure. Splunk management updates and approves the Plan annually.
16.2 Splunk personnel perform annual disaster recovery tests. Test results are documented and corrective actions are noted.
16.3 Data backup, replication and recovery systems/technologies are deployed to support resilience and protection of Customer Content.
16.4 Backup systems are configured to encrypt backup media.
17. Asset Management and Disposal
17.1 Splunk maintains and regularly updates an inventory of Cloud infrastructure assets and reconciles the asset list monthly.
17.2 Documented, standard build procedures are utilized for installation and maintenance of production servers.
17.3 Documented data disposal policies are in place to guide personnel on the procedure for disposal of Customer Content.
17.4 Upon expiration or termination of the Agreement, Splunk will return or delete Customer Content in accordance with the terms of the Agreement. If deletion is required, Customer Content will be securely deleted, except that Customer Content stored electronically in Splunk’s backup or email systems may be deleted over time in accordance with Splunk’s records management practices.
17.5 Splunk retains Customer Content stored in its cloud computing services for at least thirty (30) days after the expiration or termination of this Agreement.
18. Human Resources Security
18.1 Splunk personnel sign confidentiality agreements and acknowledge Splunk’s Acceptable Use Policy during the new employee onboarding process.
18.2 Splunk conducts background verification checks for potential Splunk personnel with access to Customer Content in accordance with relevant laws and regulations. The background checks are commensurate to an individual's job duties.
19. CSA Proof of Compliance*
19.1 Splunk Cloud Standard: Security Audits. At least once a year, Splunk Cloud (Standard Environment) undergoes a security audit by an independent third party that attests to the effectiveness of the controls Splunk has in place to safeguard the systems and operations where Customer Content is processed, stored or transmitted (e.g., System and Organizational Control (SOC 2), Type 2) audit in accordance with the Attestation Standards under Section 101 of the codification standards (AT 101). At a minimum, the audit covers the Security, Confidentiality, and Availability control criteria developed by the American Institute of Certified Public Accountants (AICPA). Currently, Splunk is audited against ISO 27001 and SOC 2, Type 2. Upon request, Splunk will supply Customer with a summary copy of Splunk’s annual audit reports, which will be deemed Confidential Information under the Agreement.
19.2 Splunk Cloud Premium: Security Audits. For customers requiring Payment Card Industry Data Security Standards (PCI-DSS) or the Health Insurance Portability and Accountability Act of 1996, as amended (HIPAA) security standards, Splunk offers a PCI-DSS or HIPAA certified environment (Premium Environment). At least once a year, Splunk Cloud Premium Environment undergoes a security audit performed by an independent third party that attests to the effectiveness of the controls Splunk has in place to safeguard the systems and operations where Customer Content is processed, stored or transmitted.
19.2(i) PCI-DSS. In the case of PCI-DSS, Splunk offers cloud services as a Level 1 PCI service provider. Splunk complies with the most recent version of PCI-DSS to the extent PCI-DSS is applicable to the Services provided under the Agreement (e.g., if Splunk accesses, collects, uses, retains, discloses, processes, stores or transmits any Customer cardholder data as defined under PCI-DSS or any other data protected or subject to PCI-DSS), or if any part of such services impacts the security of the PCI Data environment.
19.2(ii) HIPAA. In the case of HIPAA, Splunk complies with the HIPAA security rule standards for the processing of protected health information (PHI).
Upon request, Splunk will supply Customer with proof of Splunk’s compliance with PCI-DSS or HIPAA, as applicable.*Does not apply to the Limited Availability Release of Splunk Cloud on Google Cloud Platform (GCP regions: Iowa, Belgium, Singapore)
(Version May 2020)