
Series: How to prioritize compliance (without losing development speed), part 2

In the first part of this series, I talked about the difference between compliance and risk management. I also told you that by rethinking our compliance processes at Atlassian, we were able to turn a painful compliance check of 3,600 audit tests into a single test.

Today, I’d like to talk about the planning process we went through to get there…

Step 1: Identify and map your obligations


In compliance, strategy starts by understanding your obligations and mapping them to real business objectives and employee activities.

Compliance obligations -- control objectives -- control activities.

What exactly does that mean?

It means starting with your business’ compliance obligations—the regulations and industry standards you must demonstrably comply with, like GDPR, SOX, and PCI DSS.

Once you have a list of those, you make a second list, this time of the things you need to do to be compliant with each obligation. These are what we call control objectives.

Finally, from there, you need a third and final list. This one is the actions or activities you need within your teams in order to meet the objectives. We call these control activities (and we’ll dig deeper into them in the next steps).

So, for example, if you are working on SOX compliance, which is all about protecting the public from accounting errors and fraud, one of the requirements is to save all business records for at least five years. That’s a compliance obligation.

To do that, you’ll need to make sure any changes to the database where you store those records are approved and tested before they’re deployed. That’s a control objective.

To meet that control objective, you may have a second developer who reviews and approves the changes before they can go live. You may have an automated system that won’t push the changes live until it’s been approved by someone else. Or you may do both. Those are control activities.

Now, some compliance obligations will have one objective. Others will have many. Some objectives will have a single activity. Others will require more than one. But ensuring compliance means mapping them all up front to understand the scope of what you’re working with as you start to develop your new process recommendations.

Step 2: Talk to your teams

During the mapping process, we sat down with Atlassian team members to make sure we understood how compliance and risk factored into people’s day-to-day jobs, what their concerns were, and where the process was causing friction.

Start this process early. Get in the room with people. And make sure you don’t just resort to email. If you simply email a list of questions, all you’ll get back is replies from people who don’t understand what you’re asking them.

There are two major benefits to having face-to-face conversations. The first is that people come to understand what compliance is and why you’re going through this process. The second? You get to understand what each person does, how it fits into the processes you’re about to change, and where across the organization teams are already doing something really cool and really well—something you can borrow and roll out across the entire company.

Step 3: Create a control activity library

Once you’ve identified all of your control activities through mapping your obligations and talking directly with your teams, it’s time to create a control activity library.


The library houses all the control activities you’ve defined in those team conversations. It identifies who owns the activity and what steps, in detail, it involves. It helps people understand not only what they need to do, but what the compliance team will be testing.

Because the library is available across the organization, it also increases knowledge across teams.

Step 4: Simplify and automate

Once the compliance team had a clear picture of everything involved in Atlassian compliance, we started to simplify and automate wherever possible. The goal? To minimize the compliance burden on developers and other tech team members.

Because the truth is that most of us don’t really need a six-layer approval process and months of back-and-forth with compliance approval boards. In fact, most compliance boards aren’t made up of developers—and so it’s less effective to have them reviewing code.

What we really need is some simple checks and balances that ensure non-compliant changes don’t make it past the door. And much of that can be done by our tools themselves.

Bitbucket, for example, won’t let our developers merge the code they’ve been working on back into the main branch until it’s been peer-reviewed by another appropriate developer. Bamboo won’t deploy new code that hasn’t been through our compliance process in Bitbucket. And the features that make this possible in both Bitbucket and Bamboo are out-of-the-box features that any customer can take advantage of.

Step 5: Empower workers

At Atlassian, we give our users the power to change things within the system—including to turn off certain checks in case of emergency.

But if those controls ever are changed? Our system notifies the compliance team immediately so that we can continue to ensure compliance and see any points of failure we need to plan for in future.

Giving employees the power to change things in an instant means fewer bottlenecks and fewer emergencies that get a chance to balloon out of control. And notifying us immediately if there’s an issue? That helps us keep compliance under control even in an unusual or urgent situation.

Step 6: Prioritize what you care about

Does every system change have the same risk? Does every team need the same number of peer reviews?

Sometimes the answers are no and no. And you can set your processes up accordingly. If Team X is higher-risk and you need to build two peer reviews into the system, you can do it. If Team Y is lower-risk, you can plan accordingly.

Part of being agile with your compliance team is understanding what your priorities are and building your process to match them.
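To make Steps 4, 5 and 6 concrete, here is an added example of a merge gate of the kind those steps describe. It is not code from the article, nor from Bitbucket or Bamboo; the pull request records, the team risk tiers and the alert wording are all assumptions constructed for the illustration. It enforces three things: a change cannot merge until someone other than its author has approved it, the number of required approvals depends on the team’s risk tier, and an emergency override (or a disabled check) is permitted but immediately raises an event for the compliance team.

```python
"""Risk-tiered peer-review gate with an audited break-glass override.

Added example, not code from the article or from Bitbucket/Bamboo. Pull
request records, tier names and event text are constructed here.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Assumed risk tiers: minimum distinct approvals from people other than the author.
MIN_APPROVALS = {"high": 2, "standard": 1}


@dataclass
class PullRequest:
    pr_id: int
    author: str
    approvers: List[str] = field(default_factory=list)  # accounts that approved
    check_enabled: bool = True         # False if someone switched the merge check off
    override_by: Optional[str] = None  # account that invoked the emergency override


def valid_approvals(pr: PullRequest) -> int:
    """Count distinct approvers, ignoring the author (self-approval is not peer review)."""
    return len({a for a in pr.approvers if a != pr.author})


def evaluate(pr: PullRequest, tier: str) -> Tuple[str, List[str]]:
    """Return (decision, audit_events) for a merge attempt.

    decision is "allow", "deny" or "allow-override". Every path that bypasses
    the normal peer-review requirement emits an event so that the compliance
    team hears about it immediately rather than at the next audit.
    """
    required = MIN_APPROVALS[tier]
    events: List[str] = []

    if not pr.check_enabled:
        # The control itself was disabled: permit the merge but flag it.
        events.append(f"compliance-alert pr={pr.pr_id}: merge check disabled")
        return "allow", events

    if valid_approvals(pr) >= required:
        return "allow", events

    if pr.override_by is not None:
        # Break-glass: the author may not override the review of their own change.
        if pr.override_by == pr.author:
            events.append(f"compliance-alert pr={pr.pr_id}: author self-override rejected")
            return "deny", events
        events.append(
            f"compliance-alert pr={pr.pr_id}: override by {pr.override_by} "
            f"with {valid_approvals(pr)}/{required} approvals ({tier} tier)"
        )
        return "allow-override", events

    return "deny", events


def gate(prs: List[Tuple[PullRequest, str]]) -> List[Tuple[int, str]]:
    """Evaluate a batch of (pr, tier) pairs and return (pr_id, decision) for each."""
    return [(pr.pr_id, evaluate(pr, tier)[0]) for pr, tier in prs]


if __name__ == "__main__":
    # Constructed sample: one PR per situation the article raises.
    samples = [
        (PullRequest(101, "alice", ["alice", "bob"]), "standard"),         # peer-reviewed
        (PullRequest(102, "alice", ["alice", "bob"]), "high"),             # needs a 2nd reviewer
        (PullRequest(103, "alice", [], override_by="carol"), "standard"),  # break-glass
        (PullRequest(104, "dave", [], check_enabled=False), "high"),       # check switched off
    ]
    for pr, tier in samples:
        decision, events = evaluate(pr, tier)
        print(pr.pr_id, tier, decision, events)
```

The point of the design is that the override path exists (so an emergency never has to wait for a board) but never silently: the alert is emitted in the same code path that grants the exception, and an author can’t override their own change, so the break-glass cannot be used to route around the peer-review control entirely.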


Thoughts? Questions? Anyone out there go through a similar process? What were your findings?

2 comments

Iago Docando Community Leader Jun 06, 2019

Great summary. I find it very useful for those who are maybe preparing to do something similar.

If I can share my personal insights, I would add yet another step at the very start, let's call it step 0, which would be just like step 2: "Talk to your teams". This would be especially important for middle-sized companies, where the compliance team might be just a couple of people, so any additional early input could be of high importance.

Also, I find that Step 5: "Empower workers" should be taken with a lot of precaution. Even if that sounds awesome and, to be honest, is a very desirable objective for any organization, I believe that the bigger the company, the more preparation this step will require. Maybe this step could be further explained in future publications, in case you're looking for inspiration :) My point is that a number of rogue agents within a big system could make things go south very quickly and very often, so in any case a good definition of what checks can or can't be turned off, and more importantly every agent having a good understanding of the system, is vital (again: "Talk to your teams").

Thank you for your view. I hope you find my 2 cents on the matter at least somewhat useful :)

Guy Atlassian Team Jun 19, 2019

Iago,

Thanks for the feedback. Getting the right culture is so important in this - and you are so right that rogue agents can be a problem.
