ClickUp

This guide will walk through some additional details of our ClickUp integration.

What are the benefits of the ClickUp integration?

Our updated ClickUp integration automates compliance checks and evidence collection for five requirement categories (which are presented as tests in Secureframe).

  1. Vulnerability Tracking: Security vulnerabilities are tracked to resolution, as per applicable SLAs
    • Example vulnerability sources: internal vulnerability scans, external vulnerability scans, ASV scans, penetration tests, bug bounty programs, inbound reporting, and vendor announcements
  2. Security Incident Tracking: Security incidents are tracked to resolution, as per applicable SLAs
  3. System Change Tracking: Significant system changes are tracked to deployment, as per applicable SLAs
    • Note: This is not required for HIPAA compliance
    • Example system changes: general infrastructure changes, network & router changes, firewall changes
  4. Access Tracking: System access changes are tracked to resolution, as per applicable SLAs
    • Example access changes: access onboarding, access offboarding, permission modifications, and transfers
  5. Nonconformity and Corrective Action Tracking: Nonconformities are tracked and resolved via corrective actions, as per applicable SLAs
    • Note: Requirement is specific to ISO 27001
    • Example access changes: access onboarding, access offboarding, permission modifications, and transfers

Feature 1: Issue Tracking

By defining your ClickUp issue tag(s) within Secureframe on a per requirement basis, our integration pulls in all of your issues with matching tag(s). This shows auditors that you properly track issues pertaining to these requirement categories.

Feature 2: Timely Issue Close Out

Additionally, for each tag defined within Secureframe, you can specify an SLA (# in days) for that tag. Secureframe flags issues that remain open longer than the specific SLA for that tag. This shows auditors that you close out issues in a timely manner.

  • Note: Most compliance frameworks require an SLA to be in place for medium, high, and critical vulnerabilities and for all security incident priorities. Nonconformities are specific to ISO 27001 and SLAs are required.

By taking advantage of these two features, you can avoid taking many screenshots that are traditionally required for audits. Our integration can prove that issues are tracked (tags) and closed out in a timely manner (SLAs).

What are ClickUp tags?

Within ClickUp, you can assign tags to issues. This is useful for categorizing issues. You can specify tags in use within Secureframe to pull in tasks with the respective tags.

How do I enable the ClickUp functionality?

  1. Within "Monitoring," navigate to "Integrations" > "ClickUp - Settings"
  2. Edit or acknowledge the "Testing Start Date." This date defaults to the date that you connected ClickUp in Secureframe. It can be used to prevent tasks prior to a certain date from being pulled into Secureframe.
  3. For each requirement category you wish to automate, specify one or more tags.
    • For each tag, you can specify data for additional fields - these fields are defined in Secureframe and do NOT pull from ClickUp.
      • SLA in days: You can assign an SLA to take advantage of Feature 2 mentioned above
        • Note: Secureframe will display failing tasks underneath tests when those tasks exceed specified tag-SLA pairs. Even when theses issues are closed, if it breached an SLA, the test will remain failing for your audit as it would count as an exception for sampling evidence. Reverting the ticket to passing after correcting it after it breached SLA would give false confidence going into audit. Please be mindful of this as an auditor could bring this up during your audit and ask for justification. If this particular ticket that has fallen out of SLA is a non-compliance item, you may choose to ignore the result.
      • Priority: You can specify the priority of the tag.
      • Source/description: You can specify other details about the tag. This field can be useful for giving auditors context on the tag's purpose.
    • If you do not specify a tag for a requirement category, the equivalent test called out underneath the requirement category will remain an upload.
  4. Example tag setups/strategies for Vulnerability Tracking

Example 1: Tracking all medium+ vulnerabilities to resolution under a single tag

Tag name SLA in days Priority Source/Description
Vulnerability 30 Medium/
CVSS 4.0+,
High,
Critical
Tag for all medium+ vulnerability sources (internal, external, and ASV scans, penetration tests, bug bounty program)

Example 2: Tracking all vulnerabilities to resolution under multiple tags, segmented by priority

Tag name SLA in days Priority Source/Description
Vulnerability-low 90 Low Tag for all low severity vulnerabilities & sources
Vulnerability-medium 60 Medium Tag for all medium severity vulnerabilities & sources
Vulnerability-high 45 High Tag for all high severity vulnerabilities & sources
Vulnerability-critical 30 Critical Tag for all critical severity vulnerabilities & sources

Example 3: Tracking all vulnerabilities to resolution under multiple tags, segmented by source

Tag name SLA in days Priority Source/Description
ASV Scan Results 30 Medium/
CVSS 4.0+,
High,
Critical
Tag for vulnerabilities pertaining to PCI DSS-mandated ASV scans
Penetration Test Results 30 Medium/
CVSS 4.0+,
High,
Critical
Tag for vulnerabilities pertaining to penetration tests
Internal Vulnerability Scan Results 30 Medium/
CVSS 4.0+,
High,
Critical
Tag for vulnerabilities pertaining to internal vulnerability scans
External Vulnerability Scan Results 30 Medium/
CVSS 4.0+,
High,
Critical
Tag for vulnerabilities pertaining to external vulnerability scans
Bug Bounty Program 30 Medium/
CVSS 4.0+,
High,
Critical
Tag for vulnerabilities pertaining to bug bounty programs

 

What API permissions does this integration request?

We request the following permissions when you connect to ClickUp. No additional permissions are needed to opt into task tracking.

 

Permissions, Fields Pulled, Controls, and Automated Tests

  1. Click the provided link or navigate to the “Integration” page.
  2. Select the “Available” tab.
  3. Search for the integration.
  4. Click “View Details”.

Was this article helpful?

Have more questions? Submit a request

Comments

0 comments

Please sign in to leave a comment.