Compliance at Splunk

ISO 27001 Certification

Splunk Cloud achieved the International Organization for Standardization’s information security standard 27001 (ISO 27001) certification in December 2015 and continues to update it annually. ISO 27001 is a specification that outlines security requirements for an information security management system (ISMS). Authorized users can access related documentation in the Customer Trust Portal.

SOC 2 Type II Report

Splunk Cloud undergoes annual Service Organization Controls 2 (SOC 2) Type II audits to evaluate its information security system controls as they relate to the Security, Availability and Confidentiality of the Trust Services Criteria.*

* Splunk continues to update and extend the scope of its SOC 2 Type II audit program, and therefore, for some regions, the corresponding SOC 2 Type II may not yet be completed. For more information; see the Splunk Cloud Security Addendum. Authorized users can access related documentation in the Customer Trust Portal.

HIPAA

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a U.S. federal law that sets forth national standards governing the processing of protected health information or “PHI.” HIPAA is intended to improve the effectiveness and efficiency of healthcare systems by:

• establishing standards for the use of electronic records in healthcare;
• establishing standards for accessing, storing and transmitting PHI; and
• protecting the privacy and security of PHI.

Splunk Cloud is reviewed by third-party auditors annually to certify that it meets HIPAA’s data security requirements, including encryption in transit and at rest. Authorized users can access related documentation in the Customer Trust Portal.

PCI DSS

The PCI Data Security Standard (PCI DSS) is a set of comprehensive operational and technical controls required by businesses in the credit card industry to process payments. Splunk Cloud is audited annually to confirm its ongoing compliance with PCI DSS. Authorized users can access related documentation in the Customer Trust Portal.

FedRAMP Authorized

Splunk Cloud is FedRAMP Authorized by the General Services Administration FedRAMP PMO at a moderate impact level. This authorization facilitates the use of Splunk Cloud by U.S. Federal Government agencies requiring cloud-based services up to the moderate security impact level.

FIPS 140-2 Certification

Splunk Enterprise, Splunk Cloud Platform FedRAMP and Splunk Cloud Platform IL5 leverage the FIPS 140-2 validated Splunk Cryptographic Module for the protection of sensitive information when deployed on any compliant operating system. The Splunk cryptographic module achieved Federal Information Processing Standard 140-2 validation.

U.S. Department of Defense (DoD) Impact Level 5 (IL5)

U.S. Defense Information Systems Agency (DISA) has granted the Splunk Cloud Platform U.S. Department of Defense (DoD) Impact Level 5 (IL5) Provisional Authorization (PA). U.S. Government agencies are now able to leverage the power of Splunk Cloud Platform to solve their challenging mission-critical problems, even when working with high sensitivity Controlled Unclassified Information (CUI).

Common Criteria

Splunk Enterprise is Common Criteria certified by National Information Assurance Partnership (NIAP). This certification facilitates the use of Splunk Enterprise by Government Agencies requiring products that meet the Common Criteria security standard. Additional details are available on the NIAP Product Compliant List website.