This guide will walk through some additional details of our ClickUp integration.
What are the benefits of the ClickUp integration?
Our updated ClickUp integration automates compliance checks and evidence collection for five requirement categories (which are presented as tests in Secureframe).
- Vulnerability Tracking: Security vulnerabilities are tracked to resolution, as per applicable SLAs
  - Example vulnerability sources: internal vulnerability scans, external vulnerability scans, ASV scans, penetration tests, bug bounty programs, inbound reporting, and vendor announcements
- Security Incident Tracking: Security incidents are tracked to resolution, as per applicable SLAs
- System Change Tracking: Significant system changes are tracked to deployment, as per applicable SLAs
  - Note: This is not required for HIPAA compliance
  - Example system changes: general infrastructure changes, network & router changes, firewall changes
- Access Tracking: System access changes are tracked to resolution, as per applicable SLAs
  - Example access changes: access onboarding, access offboarding, permission modifications, and transfers
- Nonconformity and Corrective Action Tracking: Nonconformities are tracked and resolved via corrective actions, as per applicable SLAs
  - Note: Requirement is specific to ISO 27001
Feature 1: Issue Tracking
By defining your ClickUp issue tag(s) within Secureframe on a per requirement basis, our integration pulls in all of your issues with matching tag(s). This shows auditors that you properly track issues pertaining to these requirement categories.
Feature 2: Timely Issue Close Out
Additionally, for each tag defined within Secureframe, you can specify an SLA (# in days) for that tag. Secureframe flags issues that remain open longer than the SLA specified for that tag. This shows auditors that you close out issues in a timely manner.
- Note: Most compliance frameworks require an SLA to be in place for medium, high, and critical vulnerabilities and for all security incident priorities. Nonconformities are specific to ISO 27001 and SLAs are required.
By taking advantage of these two features, you can avoid taking many screenshots that are traditionally required for audits. Our integration can prove that issues are tracked (tags) and closed out in a timely manner (SLAs).
What are ClickUp tags?
Within ClickUp, you can assign tags to issues. This is useful for categorizing issues. You can specify tags in use within Secureframe to pull in tasks with the respective tags.
How do I enable the ClickUp functionality?
- Within "Monitoring," navigate to "Integrations" > "ClickUp - Settings"
- Edit or acknowledge the "Testing Start Date." This date defaults to the date that you connected ClickUp in Secureframe. It can be used to prevent tasks prior to a certain date from being pulled into Secureframe.
- For each requirement category you wish to automate, specify one or more tags.
- For each tag, you can specify data for additional fields - these fields are defined in Secureframe and do NOT pull from ClickUp.
  - SLA in days: You can assign an SLA to take advantage of Feature 2 mentioned above
    - Note: Secureframe displays failing tasks underneath tests when those tasks exceed the SLA configured for their tag. Even when these issues are closed, if a task breached its SLA, the test remains failing for your audit because the task counts as an exception when sampling evidence. Reverting the ticket to passing after correcting it once it has breached its SLA would give false confidence going into the audit. Be mindful of this, as an auditor could raise it during your audit and ask for justification. If the particular ticket that has fallen out of SLA is a non-compliance item, you may choose to ignore the result.
  - Priority: You can specify the priority of the tag.
  - Source/description: You can specify other details about the tag. This field can be useful for giving auditors context on the tag's purpose.
- If you do not specify a tag for a requirement category, the equivalent test called out underneath the requirement category will remain an upload.
- Example tag setups/strategies for Vulnerability Tracking
Example 1: Tracking all medium+ vulnerabilities to resolution under a single tag

| Tag name | SLA in days | Priority | Source/Description |
|---|---|---|---|
| Vulnerability | 30 | Medium/ CVSS 4.0+, High, Critical | Tag for all medium+ vulnerability sources (internal, external, and ASV scans, penetration tests, bug bounty program) |
Example 2: Tracking all vulnerabilities to resolution under multiple tags, segmented by priority

| Tag name | SLA in days | Priority | Source/Description |
|---|---|---|---|
| Vulnerability-low | 90 | Low | Tag for all low severity vulnerabilities & sources |
| Vulnerability-medium | 60 | Medium | Tag for all medium severity vulnerabilities & sources |
| Vulnerability-high | 45 | High | Tag for all high severity vulnerabilities & sources |
| Vulnerability-critical | 30 | Critical | Tag for all critical severity vulnerabilities & sources |
Example 3: Tracking all vulnerabilities to resolution under multiple tags, segmented by source

| Tag name | SLA in days | Priority | Source/Description |
|---|---|---|---|
| ASV Scan Results | 30 | Medium/ CVSS 4.0+, High, Critical | Tag for vulnerabilities pertaining to PCI DSS-mandated ASV scans |
| Penetration Test Results | 30 | Medium/ CVSS 4.0+, High, Critical | Tag for vulnerabilities pertaining to penetration tests |
| Internal Vulnerability Scan Results | 30 | Medium/ CVSS 4.0+, High, Critical | Tag for vulnerabilities pertaining to internal vulnerability scans |
| External Vulnerability Scan Results | 30 | Medium/ CVSS 4.0+, High, Critical | Tag for vulnerabilities pertaining to external vulnerability scans |
| Bug Bounty Program | 30 | Medium/ CVSS 4.0+, High, Critical | Tag for vulnerabilities pertaining to bug bounty programs |
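The tag-SLA evaluation described under Feature 2 and in the SLA note above, written out as an added example (not Secureframe's or ClickUp's own code). It assumes the tag-to-SLA mapping from Example 2, constructed sample tasks with assumed field names, and that the strictest SLA applies when a task carries more than one tracked tag; it shows why a task closed after breaching its SLA still leaves the test failing.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Secureframe-side configuration, mirroring Example 2 above (not pulled from ClickUp).
TAG_SLA_DAYS = {
    "Vulnerability-low": 90,
    "Vulnerability-medium": 60,
    "Vulnerability-high": 45,
    "Vulnerability-critical": 30,
}

@dataclass
class Task:
    """Minimal stand-in for a ClickUp task (constructed; field names are assumptions)."""
    name: str
    tags: list
    created: date
    closed: Optional[date]  # None while the task is still open

def sla_status(task, today, testing_start, sla_by_tag=TAG_SLA_DAYS):
    """Classify one task as 'ignored', 'passing' or 'failing' for the test."""
    if task.created < testing_start:
        return "ignored"  # created before the Testing Start Date: never pulled in
    tracked = [t for t in task.tags if t in sla_by_tag]
    if not tracked:
        return "ignored"  # no tag mapped to this requirement category
    sla = min(sla_by_tag[t] for t in tracked)  # strictest SLA wins (assumption)
    end = task.closed if task.closed is not None else today
    # A task that breached its SLA stays failing even after it is closed:
    # it counts as an exception when the auditor samples evidence.
    return "failing" if (end - task.created).days > sla else "passing"

def evaluate(tasks, today, testing_start):
    """Per-task status plus the overall test result (failing if any task fails)."""
    statuses = {t.name: sla_status(t, today, testing_start) for t in tasks}
    overall = "failing" if "failing" in statuses.values() else "passing"
    return statuses, overall

# Constructed sample data: evaluation date, Testing Start Date and six tasks.
TODAY, TESTING_START = date(2024, 6, 30), date(2024, 1, 1)
SAMPLE_TASKS = [
    Task("fresh critical", ["Vulnerability-critical"], date(2024, 6, 10), None),  # 20 days open
    Task("stale high", ["Vulnerability-high"], date(2024, 4, 1), None),  # 90 days open
    Task("closed late critical", ["Vulnerability-critical"], date(2024, 3, 1), date(2024, 4, 15)),  # 45 days
    Task("closed in time medium", ["Vulnerability-medium"], date(2024, 5, 1), date(2024, 6, 20)),  # 50 days
    Task("before start", ["Vulnerability-low"], date(2023, 11, 1), None),
    Task("untagged chore", ["Maintenance"], date(2024, 6, 1), None),
]
```

Running `evaluate(SAMPLE_TASKS, TODAY, TESTING_START)` reports the test as failing because of the stale open task and the task that was closed after its 30-day SLA had already passed.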
What API permissions does this integration request?
We request the following permissions when you connect to ClickUp. No additional permissions are needed to opt into task tracking.
Permissions, Fields Pulled, Controls, and Automated Tests
- Click the provided link or navigate to the “Integration” page.
- Select the “Available” tab.
- Search for the integration.
- Click “View Details”.