In the first part of this series, I talked about the difference between compliance and risk management. I also told you that by rethinking our compliance processes at Atlassian, we were able to turn a painful 3600-audit test compliance check into a single test.
Today, I’d like to talk about the planning process we went through to get there…
In compliance, strategy starts by understanding your obligations and mapping them to real business objectives and employee activities.
Compliance obligations → control objectives → control activities.
What exactly does that mean?
It means starting with your business’ compliance obligations—regulations you must demonstrably abide by, like GDPR, SOX, and PCI.
Once you have a list of those, you make a second list, this time of the things you need to do to be compliant with each obligation. These are what we call control objectives.
Finally, from there, you need a third and final list. This one is the actions or activities you need within your teams in order to meet the objectives. We call these control activities (and we’ll dig deeper into them in the next steps).
So, for example, if you are working on SOX compliance, which is all about protecting the public from accounting errors and fraud, one of the requirements is to save all business records for at least five years. That’s a compliance obligation.
To do that, you’ll need to make sure any changes in the database where you store those records are approved and tested before they’re deployed. That’s a control objective.
To meet that control objective, you may have a second developer who reviews and approves the changes before they can go live. You may have an automated system that won’t push the changes live until it’s been approved by someone else. Or you may do both. Those are control activities.
Now, some compliance obligations will have one objective. Others will have many. Some objectives will have a single activity. Others will require more than one. But ensuring compliance means mapping them all up front to understand the scope of what you’re working with as you start to develop your new process recommendations.
During the mapping process, we sat down with Atlassian team members to make sure we understood how compliance and risk factored into people’s day-to-day jobs, what their concerns were, and where the process was causing friction.
Start this process early. Get in the room with people, and don’t just resort to email. If you simply email the list around, all you’ll get back is replies from people who don’t understand what you’re asking of them.
There are two major benefits to having face-to-face conversations. The first is that people understand what compliance is and why you’re going through this process. The second? You get to understand what each person does, how it fits into the processes you’re about to change, and where across the organization teams are doing something really cool and really well—something you can borrow and implement across the entire company.
Once you’ve identified all of your control activities through mapping your obligations and talking directly with your teams, it’s time to create a control activity library.
The library houses all the control activities you’ve defined in those team conversations. It identifies who owns the activity and what steps, in detail, it involves. It helps people understand not only what they need to do, but what the compliance team will be testing.
Because the library is available across the organization, it also increases knowledge across teams.
Once the compliance team had a clear picture of everything involved in Atlassian compliance, we started to simplify and automate wherever possible. The goal? To minimize compliance tasks on developers and other tech team members.
Because the truth is that most of us don’t really need a six-layer approval process and months of back-and-forth with compliance approval boards. In fact, most compliance boards aren’t made up of developers—and so it’s less effective to have them reviewing code.
What we really need is some simple checks and balances that ensure non-compliant changes don’t make it past the door. And much of that can be done by our tools themselves.
Bitbucket, for example, won’t let our developers push code they’ve been working on back into the database until it’s been peer-reviewed by another appropriate developer. Bamboo won’t launch new code that hasn’t been through our compliance processes in Bitbucket. And the features that make this possible in both Bitbucket and Bamboo are out-of-the-box features that any client can take advantage of.
At Atlassian, we give our users the power to change things within the system—including to turn off certain checks in case of emergency.
But if those controls ever are changed? Our system notifies the compliance team immediately so that we can continue to ensure compliance and see any points of failure we need to plan for in future.
Giving employees the power to change things in an instant means fewer bottlenecks and fewer emergencies that get the chance to balloon out of control. And notifying us immediately if there’s an issue? That helps us keep compliance under control even in an unusual or urgent situation.
Does every system change have the same risk? Does every team need the same number of peer reviews?
Sometimes the answers are no and no. And you can set your processes up accordingly. If Team X is higher-risk and you need to build two peer reviews into the system, you can do it. If Team Y is lower-risk, you can plan accordingly.
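To make the control activities described above concrete, here is an added example (not Atlassian’s code, and not how Bitbucket or Bamboo implement their checks): a small gate that enforces per-team-risk approval counts, blocks deploys of commits that skipped review, and raises a compliance notification whenever someone weakens a check. The event format, team names and tier thresholds are all constructed for illustration.

```python
from collections import namedtuple

# Risk tier -> minimum peer approvals; team -> tier. Constructed values, not Atlassian's.
REQUIRED_APPROVALS = {"high": 2, "low": 1}
TEAM_RISK = {"billing": "high", "docs": "low"}
Finding = namedtuple("Finding", "kind team detail")

def check_merge(ev):
    """Review gate: enough approvals from someone other than the author (self-approval never counts)."""
    peers = {a for a in ev["approvers"] if a != ev["author"]}
    needed = REQUIRED_APPROVALS[TEAM_RISK[ev["team"]]]
    if len(peers) < needed:
        return Finding("blocked", ev["team"], f"{len(peers)}/{needed} peer approvals")
    return None

def check_control_change(ev):
    """Emergency override is allowed, but compliance is notified when a check is weakened or turned off."""
    if ev["new"] < ev["old"]:
        return Finding("notify", ev["team"], f"required approvals {ev['old']}->{ev['new']} by {ev['actor']}")
    return None

def evaluate(events):
    """Run the gates over an ordered event stream; a deploy (the Bamboo step) is allowed only for a commit whose merge passed review earlier."""
    findings, reviewed = [], set()
    for ev in events:
        f = None
        if ev["type"] == "merge":
            f = check_merge(ev)
            if f is None:
                reviewed.add(ev["commit"])
        elif ev["type"] == "control_change":
            f = check_control_change(ev)
        elif ev["type"] == "deploy" and ev["commit"] not in reviewed:
            f = Finding("blocked", ev["team"], f"deploy of {ev['commit']} skipped review")
        if f:
            findings.append(f)
    return findings

# Constructed sample event stream (not real Bitbucket/Bamboo logs)
SAMPLE_EVENTS = [
    {"type": "merge", "team": "billing", "commit": "c1", "author": "ana", "approvers": ["ana", "bo"]},
    {"type": "merge", "team": "billing", "commit": "c1", "author": "ana", "approvers": ["bo", "cy"]},
    {"type": "merge", "team": "docs", "commit": "c2", "author": "dee", "approvers": ["eli"]},
    {"type": "deploy", "team": "billing", "commit": "c1"},
    {"type": "deploy", "team": "billing", "commit": "c9"},
    {"type": "control_change", "team": "billing", "actor": "bo", "old": 2, "new": 0},
]

if __name__ == "__main__":
    for f in evaluate(SAMPLE_EVENTS):
        print(f)
```

Running it yields two blocked events (the self-approved billing merge and the unreviewed deploy of c9) and one notification for the override that dropped billing’s required approvals to zero.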
Part of being agile with your compliance team is understanding what your priorities are and building your process to match them.
Thoughts? Questions? Anyone out there go through a similar process? What were your findings?