Effective Date: November 2020
SPLUNK CLOUD SECURITY ADDENDUM
This Splunk Cloud Security Addendum (CSA) sets forth the administrative, technical and physical safeguards Splunk takes to protect Customer Content in Splunk Cloud (Security Program). Splunk may update this CSA from time to time to reflect changes in Splunk’s security posture, provided such changes do not materially diminish the level of security herein provided.
This CSA is made a part of your Splunk General Terms (Agreement) with Splunk and any capitalized terms used but not defined herein shall have the meaning set forth in the Agreement or Documentation, as applicable. In the event of any conflict between the terms of the Agreement and this CSA, this CSA will control. This CSA does not apply to Splunk Cloud subscriptions purchased or acquired through Splunk.com, including without limitation Trial or Beta Services.
1. Purpose
1.1 This CSA describes the information security standards that Splunk maintains to protect Customer Content in addition to any requirements set forth in the Agreement.
1.2 The CSA is designed to protect the confidentiality, integrity and availability of Customer Content against anticipated or actual threats or hazards; unauthorized or unlawful access, use, disclosure, alteration or destruction; and accidental loss, destruction or damage in accordance with laws applicable to the provision of the Service.
2. Splunk Security Program
2.1 Scope and Content. Splunk Security Program: (a) complies with industry recognized information security standards; (b) includes administrative, technical and physical safeguards designed to protect the confidentiality, integrity and availability of Customer Content; and (c) is appropriate to the nature, size and complexity of Splunk’s business operations.
2.2 Security Policies, Standards and Procedures. Splunk maintains security policies, standards and methods (collectively, Security Policies) designed to safeguard the processing of Customer Content by employees and contractors in accordance with this CSA.
2.3 Security Program Office. Splunk’s Chief Information Security Officer (CISO) leads Splunk’s Security Program and the CISO Office develops, reviews and approves, together with appropriate stakeholders, Splunk’s Security Policies.
2.4 Security Program Updates. Splunk Security Program Policies are available to employees via the corporate intranet. Splunk reviews, updates and approves Security Policies annually to maintain their continuing relevance and accuracy. Employees receive information and education about Splunk’s Security Policies during onboarding and annually thereafter.
2.5 Security Training and Awareness. New employees are required to complete security training as part of the new hire process and receive annual and targeted training (as needed and appropriate to their role) thereafter to help maintain compliance with Splunk’s Security Policies, as well as other corporate policies, such as the Splunk Code of Conduct. This includes requiring Splunk employees to annually re-acknowledge the Code of Conduct and other Splunk policies as appropriate. Splunk conducts periodic security awareness campaigns to educate personnel about their responsibilities and provide guidance to create and maintain a secure workplace.
3. Risk Management
3.1 Splunk manages cybersecurity risks in accordance with its Risk Assessment Method, which defines how Splunk identifies, prioritizes and manages risks to its information assets and the likelihood and impact of them occurring.
3.2 Splunk management reviews documented risks to understand their potential impact to the business, determine appropriate risk levels and treatment options. Mitigation plans are implemented to address material risks to business operations, including data protection.
4. Change Management
4.1 Splunk deploys changes to the Services during maintenance windows, details of which are posted to the Splunk website or communicated to customers as set forth in the Splunk Cloud Service Maintenance Policy.
4.2 Splunk follows documented change management policies and procedures for requesting, testing and approving application, infrastructure and product related changes.
4.3 Changes undergo appropriate levels of review and testing, including security and code reviews, regression testing and user acceptance prior to approval for implementation.
4.4 Software development and testing environments are maintained and logically separated from the production environment.
5. Incident Response and Breach Notification
5.1 Splunk has an incident response plan (the Splunk Incident Response Framework or SIRF) and team to assess, respond, contain and remediate (as appropriate) identified security issues, regardless of their nature (e.g., physical, cyber, product). Splunk reviews and updates the SIRF annually to reflect emerging risks and “lessons learned.”
5.2 Splunk notifies Customers without undue delay after becoming aware of a Data Breach. As used herein, Data Breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Customer Content under the applicable Agreement, including Personal Data as defined under the General Data Protection Regulation (EU) 2016/679 (GDPR), while being transmitted, stored or otherwise processed by Splunk.
5.3 In the event of a Data Breach involving Personal Data, if a customer reasonably determines notification is required by law, Splunk will provide reasonable assistance to the extent required for the Customer to comply with applicable data breach notification laws, including assistance in notifying the relevant supervisory authority and providing a description of the Data Breach.
5.4 In the event of a conflict between the breach notification provisions in this CSA and those set forth in an applicable Business Associate Agreement (BAA) with Splunk, the BAA breach notification terms will apply.
6. Governance and Audit
6.1 Splunk conducts internal control assessments on an ongoing basis to validate that controls are designed and operating effectively. Issues identified from assessments are documented, tracked and remediated as appropriate.
6.2 Third party audits are performed as part of our certification process (further below) to validate the ongoing governance of control operations and their effectiveness. Issues identified are documented, tracked, and remediated as appropriate.
7. Access and User Management
7.1 Splunk implements reasonable controls to manage user authentication for employees or contractors with access to Customer Content, including without limitation, assigning each employee or contractor with unique and/or time limited user authorization credentials for access to any system on which Customer Content is accessed and prohibiting employees or contractors from sharing their user authorization credentials.
7.2 Splunk allocates system privileges and permissions to users or groups on a “least privilege” principle and reviews user access lists and permissions to critical systems on a quarterly basis, at minimum.
7.3 New users must be pre-approved before Splunk grants access to Splunk corporate and cloud networks and systems. Pre-approval is also required before changing existing user access rights.
7.4 Splunk promptly disables application, platform and network access for terminated users upon notification of termination.
8. Password Management and Authentication Controls
8.1 Authorized users must identify and authenticate to the network, applications, and platforms using their user ID and password. Splunk’s enterprise password management system requires minimum password parameters.
8.2 Authorized users are required to change passwords at pre-defined intervals consistent with industry standards.
8.3 SSH key authentication and enterprise password management applications are utilized to manage access to the production environment.
8.4 Two-factor authentication (2FA) is required for remote access and privileged account access for Customer Content production systems.
9. Encryption and Key Management
9.1 Splunk uses industry-standard encryption techniques to encrypt Customer Content in transit. The Splunk System is configured by default to encrypt user data files using transport layer security (currently, TLS 1.2+) encryption for web communication sessions.
9.2 Splunk relies on policy controls to help ensure sensitive information is not transmitted over the Internet or other public communications unless it is encrypted in transit.
9.3 Where applicable, Splunk uses encryption at rest with a minimum encryption protocol of Advanced Encryption Standard (AES) 256-bit encryption.
9.4 Splunk uses encryption key management processes to help ensure the secure generation, storage, distribution and destruction of encryption keys.
10. Threat and Vulnerability Management
10.1 Splunk has a Threat and Vulnerability Management (TVM) program to continuously monitor for vulnerabilities that are discovered internally through vulnerability scans, offensive exercises (red team), and employees; or externally reported by vendors, researchers or others.
10.2 Splunk documents vulnerabilities and ranks them based on severity level as determined by the likelihood and impact ratings assigned by TVM. Splunk assigns appropriate team(s) to conduct remediation and track progress to resolution as needed.
10.3 An external vendor conducts security penetration tests on the corporate and Splunk Cloud environments annually to detect network and application security vulnerabilities. Findings from these tests are evaluated, documented and assigned to the appropriate teams for remediation based on severity level. In addition, Splunk conducts internal penetration tests quarterly on its Splunk Cloud infrastructure and remediates findings as appropriate.
11. Logging and Monitoring
11.1 Monitoring tools and services are used to monitor systems across Splunk for application, infrastructure, network and storage events, performance and utilization.
11.2 Event data is aggregated and stored using appropriate security measures designed to prevent tampering. Logs are stored in accordance with Splunk’s data retention policy.
11.3 The Splunk Security Team continuously reviews alerts and follows up on suspicious events as appropriate.
12. Secure Development
12.1 Splunk’s Software Development Life Cycle (SDLC) methodology governs the acquisition, development, implementation, configuration, maintenance, modification, and management of software components.
12.2 For major and minor product releases, Splunk uses a risk-based approach when applying its standard SDLC methodology, which includes such things as performing security architecture reviews, open source security scans, code review, dynamic application security testing, network vulnerability scans and external penetration testing. Splunk performs security code review for critical features if needed; and performs code review for all features in the development environment. Splunk scans packaged software to ensure it’s free from trojans, viruses, malware and other malicious threats.
12.3 Splunk utilizes a code versioning control system to maintain the integrity and security of application source code. Access privileges to the source code repository are reviewed periodically and limited to authorized employees.
12.4 The SDLC methodology does not apply to free Applications developed by Splunk or to Third Party Content, including any made available on splunkbase.com. For information on the inspection process for applications available on splunkbase.com, see AppInspect.
13. Network Security
13.1 Splunk uses industry standard technologies to prevent unauthorized access or compromise of Splunk’s network, servers or applications, which include such things as logical and physical controls to segment data, systems and networks according to risk. Splunk monitors demarcation points used to restrict access such as firewalls and security group enforcement points.
13.2 Users must authenticate with two-factor authentication prior to accessing Splunk networks containing Customer Content.
14. Vendor Security
14.1 Splunk conducts security due diligence and risk assessments of its vendors prior to onboarding and thereafter manages vendor security through its risk management program.
14.2 Splunk management reviews the documented risks associated with vendors to understand the potential impact to the business. Mitigation plans are implemented to address material risks to business operations, including data protection.
14.3 Splunk’s agreements with vendors impose security obligations on them that are necessary for Splunk to maintain its security posture as set forth in this Addendum. Confidential Information is shared only with those who are subject to appropriate confidentiality terms with Splunk.
14.4 Splunk uses a risk-based approach to monitor vendor security practices and compliance with their agreements with Splunk.
15. Physical Security
15.1 Splunk grants physical access to Splunk facilities (including Splunk-operated data centers where applicable) based on role. Splunk removes physical access when access is no longer required, including upon termination.
15.2 Employees and visitors must visibly display and wear identity badges when in Splunk facilities. Visitors must always be accompanied. Splunk logs visitor access to Splunk facilities.
15.3 Splunk reviews data center physical access, including remote access, on a quarterly basis to confirm that access is restricted to authorized personnel.
15.4 Splunk employs additional measures to protect its employees and assets, including video surveillance systems, onsite security personnel, and such other technologies deemed industry best practice.
16. Disaster Recovery Plan
16.1 Splunk has a written Disaster Recovery Plan to manage significant disruptions to Splunk Cloud operations and infrastructure. Splunk management updates and approves the Plan annually.
16.2 Splunk personnel perform annual disaster recovery tests. Test results are documented and corrective actions are noted.
16.3 Data backup, replication, and recovery systems/technologies are deployed to support resilience and protection of Customer Content.
16.4 Backup systems are configured to encrypt backup media.
17. Asset Management and Disposal
17.1 Splunk maintains and regularly updates an inventory of Cloud infrastructure assets and reconciles the asset list monthly.
17.2 Documented, standard build procedures are utilized for installation and maintenance of production servers.
17.3 Documented data disposal policies are in place to guide personnel on the procedure for disposal of Customer Content.
17.4 Upon expiration or termination of the Agreement, Splunk will return or delete Customer Content in accordance with the terms of the Agreement. If deletion is required, Customer Content will be securely deleted, except that Customer Content stored electronically in Splunk’s backup or email systems may be deleted over time in accordance with Splunk’s records management practices.
17.5 Splunk retains Customer Content stored in its cloud computing services for at least thirty (30) days after the expiration or termination of the Agreement.
18. Human Resources Security
18.1 Splunk personnel sign confidentiality agreements and acknowledge Splunk’s Acceptable Use Policy during the new employee onboarding process.
18.2 Splunk conducts background verification checks for potential Splunk personnel with access to Customer Content in accordance with relevant laws and regulations. The background checks are commensurate to an individual's job duties.
19. CSA Proof of Compliance
19.1 Splunk Cloud Standard: Security Audits. At least once a year, Splunk Cloud (Standard Environment) undergoes a security audit by an independent third party that attests to the effectiveness of the controls Splunk has in place to safeguard the systems and operations where Customer Content is processed, stored or transmitted (e.g., a System and Organizational Control (SOC 2), Type 2 audit in accordance with the Attestation Standards under Section 101 of the codification standards (AT 101)). At a minimum, the audit covers the Security, Confidentiality, and Availability control criteria developed by the American Institute of Certified Public Accountants (AICPA). Currently, Splunk is audited against ISO 27001 and SOC 2, Type 2. Upon request, Splunk will supply Customer with a summary copy of Splunk’s annual audit reports, which will be deemed Confidential Information under the Agreement.
19.2 Splunk Cloud Premium: Security Audits. For customers requiring Payment Card Industry Data Security Standards (PCI-DSS) or the Health Insurance Portability and Accountability Act of 1996, as amended (HIPAA) security standards, Splunk offers a PCI-DSS or HIPAA certified environment (Premium Environment). At least once a year, Splunk Cloud Premium Environment undergoes a security audit performed by an independent third party that attests to the effectiveness of the controls Splunk has in place to safeguard the systems and operations where Customer Content is processed, stored or transmitted.
19.2(i) PCI-DSS. In the case of PCI-DSS, Splunk offers cloud services as a Level 1 PCI service provider. Splunk complies with the most recent version of PCI-DSS to the extent PCI-DSS is applicable to the Services provided under the Agreement (e.g., if Splunk accesses, collects, uses, retains, discloses, processes, stores or transmits any Customer cardholder data as defined under PCI-DSS or any other data protected or subject to PCI-DSS), or if any part of such services impacts the security of the PCI Data environment.
19.2(ii) HIPAA. In the case of HIPAA, Splunk complies with the HIPAA security rule and data breach notification requirements for the processing of protected health information (PHI).
Upon request, Splunk will supply Customer with proof of Splunk’s compliance with PCI-DSS or HIPAA, as applicable.