Tips to help Jira Admins prepare for a SOC2 Audit

Hello Everyone!

Recently I have had to explain some of the “rules” that govern how you store data in Jira in order to maintain SOC2 compliance. Since I have been involved in the audit process many times, I thought I would share them with all of you.

What is a SOC2 Audit?

SOC stands for System and Organization Controls. A SOC2 report is issued by a service organization to give the users of its services an independently validated report on the internal controls over the information systems that deliver those services. The controls are grouped into five categories, the Trust Services Criteria (formerly called Trust Services Principles): Security, Availability, Confidentiality, Processing Integrity and Privacy. You can read more about it here.

How long/often will I have to do this?

A SOC2 audit is repeated annually; it is an attestation report, not a one-time certification. So once you have done everything you need to pass the audit, you will need to keep doing it every single year you go through the audit.

What sort of things do I need to do/prepare?

As a Jira Admin, you will likely be asked to help gather Jira issue data and project permission information that will be used as evidence for various parts of the audit. I’m going to focus on the Jira issue data, as that tends to be the most troublesome piece the first time you run through the audit process.

You will likely be working with someone else at your company who is in communication with the auditors. In my experience the audit period (the observation window the evidence must cover) runs April 1st to September 30th of the given audit year, but confirm the dates for your own audit. You will need to work with your company representative to understand which Jira projects are covered by the audit and which issue types within those projects are covered (likely all types for a project that is included, but there may be exceptions).

You will be asked to pull a listing of “all” issues created during the audit period. I recommend building one or more shared filters so that you only have to update the dates in the JQL and re-run them year over year to grab the audit information.

The first thing the auditors will look for is sequential numbering of issues, and they will question any gaps in the numbering. If you regularly delete issues, you will need to get in the habit of NOT doing that anymore, and instead close test, duplicate or “bad” issues with an appropriate resolution. Deleted issues look like an attempt to remove data, and that can fail the audit. Moved issues leave a similar-looking gap, but you can prove they were moved by showing that the original issue key redirects to the new location. If you want to avoid the question entirely, close the issue with an appropriate resolution and create a new linked issue in the target project so there are no gaps in the issue numbering.
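To make the two steps above concrete (the reusable filter and the gap check), here is an added example that is not part of the original article: a small Python script that builds the JQL for the audit window, finds the missing numbers in an exported list of issue keys, and asks Jira what happened to each missing key. The project key `AUD`, the sample key list and the `fake_server` stand-in are constructed for the demo; `jira_lookup` assumes a Jira Cloud site, network access and an e-mail/API-token credential, and relies on Jira resolving a moved issue's old key to the issue (the same behaviour behind the redirect mentioned above).

```python
import json
import re
import urllib.error
import urllib.request

# Jira issue keys look like PROJECT-123: a project key, a dash and a sequence number.
KEY_RE = re.compile(r"^([A-Z][A-Z0-9_]*)-(\d+)$")


def audit_window_jql(projects, start, end_exclusive):
    """JQL for the shared 'all issues created in the audit period' filter.
    Re-run each year with new dates; ORDER BY key makes gaps easy to eyeball."""
    return (f'project in ({", ".join(projects)}) '
            f'AND created >= "{start}" AND created < "{end_exclusive}" '
            f'ORDER BY key ASC')


def find_gaps(keys):
    """Return {project: [missing keys]} for every number between the lowest and
    highest key exported for each project. Keys are assigned sequentially at
    creation, so a number inside that range should have been in the export."""
    numbers = {}
    for raw in keys:
        m = KEY_RE.match(raw.strip())
        if not m:
            raise ValueError(f"not a Jira issue key: {raw!r}")
        numbers.setdefault(m.group(1), set()).add(int(m.group(2)))
    return {
        proj: [f"{proj}-{n}" for n in sorted(set(range(min(nums), max(nums) + 1)) - nums)]
        for proj, nums in numbers.items()
    }


def classify_gaps(gaps, lookup):
    """Explain each gap. `lookup(key)` returns the key the server resolves it to
    (a moved issue resolves to its new key) or None when the server answers 404."""
    report = {}
    for missing in gaps.values():
        for key in missing:
            resolved = lookup(key)
            if resolved is None:
                report[key] = "deleted: no redirect, expect the auditor to ask why"
            elif resolved != key:
                report[key] = f"moved to {resolved}: show the redirect as evidence"
            else:
                report[key] = ("exists but was excluded by the filter: check issue type, "
                               "browse permission and issue security level")
    return report


def jira_lookup(base_url, auth_header):
    """Build a lookup against a real Jira Cloud site (assumption: network access and an
    Authorization header such as 'Basic <base64 of email:api_token>')."""
    def lookup(key):
        req = urllib.request.Request(f"{base_url}/rest/api/2/issue/{key}?fields=summary",
                                     headers={"Authorization": auth_header,
                                              "Accept": "application/json"})
        try:
            with urllib.request.urlopen(req, timeout=30) as resp:
                return json.load(resp)["key"]  # a moved issue comes back under its new key
        except urllib.error.HTTPError as err:
            if err.code == 404:
                return None
            raise
    return lookup


# Constructed sample: what the shared filter might export for one project.
SAMPLE_KEYS = ["AUD-10", "AUD-11", "AUD-13", "AUD-14", "AUD-16", "AUD-17"]


def fake_server(key):
    """Constructed stand-in for the API: AUD-12 was moved to OPS-3, AUD-15 was deleted."""
    if key == "AUD-15":
        return None
    return {"AUD-12": "OPS-3"}.get(key, key)


if __name__ == "__main__":
    print(audit_window_jql(["AUD"], "2022-04-01", "2022-10-01"))
    for key, verdict in classify_gaps(find_gaps(SAMPLE_KEYS), fake_server).items():
        print(key, "->", verdict)
```

Run it as-is for the offline demo; for a real check, replace `fake_server` with `jira_lookup("https://your-site.atlassian.net", auth_header)`. The third verdict matters in practice: a key that exists but is missing from the export usually means the filter excluded an issue type or your account cannot see it, which is something to fix before the auditor finds it.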

Next, you will be asked to provide detailed issue information on a random selection of issues chosen by the auditors. This one can be tricky, as they will generally want to see all data, including the history and comments, for the given issues. My personal recommendation is to write a small script that uses the REST API: pass in a list of issue keys and have it output the data (most likely in CSV format) in a form that is easy to hand on to the auditors.
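Here is one way to write that script, as an added example and not code from the original article: it pulls each requested issue with its changelog and comments over the Jira Cloud REST API and flattens everything into one CSV row per event. The site URL, credentials and the `AUD-14` sample payload are constructed for the demo; the real calls assume a Jira Cloud site reachable with an e-mail/API-token credential. It uses REST v2 on purpose, since v2 returns comment bodies as text rather than v3's Atlassian Document Format JSON, and it refuses to export an issue whose changelog or comment list came back truncated, because a silently shortened history is exactly what an auditor must not receive.

```python
import base64
import csv
import io
import json
import urllib.request

CSV_FIELDS = ["key", "when", "who", "event", "field", "from", "to"]


def basic_auth_header(email, api_token):
    """Jira Cloud basic auth: account e-mail plus an API token, base64-encoded."""
    return "Basic " + base64.b64encode(f"{email}:{api_token}".encode()).decode()


def fetch_issue(base_url, key, auth_header):
    """GET one issue with its change history (assumes a reachable Jira Cloud site)."""
    url = (f"{base_url}/rest/api/2/issue/{key}"
           "?expand=changelog&fields=summary,status,created,reporter,comment")
    req = urllib.request.Request(url, headers={"Authorization": auth_header,
                                               "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def _require_complete(page, what, key):
    """Both the embedded changelog and the comment list are paginated; fail loudly
    rather than export a partial history. `what` is the sub-resource to page instead."""
    got = len(page.get("histories", page.get("comments", [])))
    if page.get("total", got) > got:
        raise RuntimeError(f"{key}: only {got} of {page['total']} {what} entries returned; "
                           f"page through /rest/api/2/issue/{key}/{what} instead")


def flatten_issue(issue):
    """One row per event: creation, every recorded field change, every comment."""
    key, fields = issue["key"], issue["fields"]
    rows = [{"key": key, "when": fields["created"],
             "who": fields.get("reporter", {}).get("displayName", ""),
             "event": "created", "field": "summary", "from": "", "to": fields["summary"]}]
    changelog = issue.get("changelog", {})
    _require_complete(changelog, "changelog", key)
    for history in changelog.get("histories", []):
        for item in history["items"]:
            rows.append({"key": key, "when": history["created"],
                         "who": history.get("author", {}).get("displayName", ""),
                         "event": "change", "field": item["field"],
                         "from": item.get("fromString") or "",
                         "to": item.get("toString") or ""})
    comments = fields.get("comment", {})
    _require_complete(comments, "comment", key)
    for c in comments.get("comments", []):
        rows.append({"key": key, "when": c["created"],
                     "who": c.get("author", {}).get("displayName", ""),
                     "event": "comment", "field": "comment", "from": "", "to": c["body"]})
    # Jira returns ISO 8601 timestamps with one offset per response, so text order is time order.
    rows.sort(key=lambda r: r["when"])
    return rows


def export_csv(keys, fetch):
    """Fetch each key with `fetch(key)` and return the evidence as CSV text."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=CSV_FIELDS)
    writer.writeheader()
    for key in keys:
        writer.writerows(flatten_issue(fetch(key)))
    return out.getvalue()


# Constructed sample shaped like a Jira Cloud REST v2 issue response (not real data).
SAMPLE_ISSUE = {
    "key": "AUD-14",
    "fields": {
        "summary": "Rotate service account credentials",
        "status": {"name": "Done"},
        "created": "2022-05-02T09:15:00.000+0000",
        "reporter": {"displayName": "A. Reporter"},
        "comment": {"total": 1, "comments": [
            {"author": {"displayName": "B. Approver"}, "created": "2022-05-03T10:00:00.000+0000",
             "body": "Approved; evidence attached."}]},
    },
    "changelog": {"total": 2, "histories": [
        {"author": {"displayName": "C. Engineer"}, "created": "2022-05-02T11:30:00.000+0000",
         "items": [{"field": "status", "fromString": "To Do", "toString": "In Progress"}]},
        {"author": {"displayName": "C. Engineer"}, "created": "2022-05-04T16:45:00.000+0000",
         "items": [{"field": "status", "fromString": "In Progress", "toString": "Done"}]},
    ]},
}

if __name__ == "__main__":
    # Offline demo; for a real export pass
    # lambda k: fetch_issue("https://your-site.atlassian.net", k, basic_auth_header(EMAIL, TOKEN))
    print(export_csv(["AUD-14"], lambda k: SAMPLE_ISSUE), end="")
```

Keep the list of keys the auditors gave you as the script's input and the CSV as the output, and keep both with the year's audit evidence; the same script then serves every year without changes.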

There are definitely many more steps involved in completing a SOC2 audit, but I thought I would share a couple of tips for Jira Admins on what you can expect to be asked for during the audit process. If I have missed any important pieces, please keep me honest in the comments and I’ll be sure to update this article.

Have a great rest of the week!

9 comments

Good that you started to think of audit. Maybe Atlassian will create code that can print an issue with all comments and history? I have real trouble with this - of course I can use the REST API to extract full issue details, convert it to HTML and print, but they will never believe that it is an original issue unless I apply all the styles as on the original page.


Great work Jimmy,

It would be great if Atlassian provided a script or something like that to help us get all that stuff, because, as you explained, those steps don't change, and we have our audits every year, not only SOC though.


Great article, @Jimmy Seddon !

Regarding deletion of tickets - We (Jira admins) are deleting test tickets that we create for testing purposes, but now that you mention this, I will move them to Canceled/Rejected status. Or I may add a new dedicated status like 'REJECTED without prejudice' :-).

Such a change will require some managers to update their filters and JQL to exclude the above status so it won't be counted in dashboards and statistics.


Hi @Jimmy Seddon 

I'm not a security expert, but I understand that Atlassian is auditing its products with SOC2, as stated on this page:

https://www.atlassian.com/trust/compliance/resources/soc2

As a Jira admin using the Atlassian product, why should I do a SOC2 audit?

Best regards,

Jimmy Seddon Community Leader May 24, 2022

@carlos_marin - ENTELGY - SOC2 is an audit of the processes your company follows to deliver its product/service (it usually applies more to SaaS companies). If your company is being audited, you as a Jira Administrator may be asked to help your company provide evidence that you are following a compliant set of processes.

The fact that Atlassian has passed a SOC2 audit does not automatically mean that your company is also SOC2 certified.

I hope that helps!

Amir, good point. I create new automation rules almost every day and some of them are too complex to test on real users. So I can have 5-6 test tickets that my users are not happy to see in their reports. But I clearly identify them as "This is a test issue" in the summary and delete them once I no longer need them.

For SOC2 it would be very useful to backup Jira logs every month. They are deleted by Jira after some time and it really frustrates me. Why? They are not that big in terms of storage, just a text file that can be zipped with great compression ratio.

I would appreciate if Atlassian creates auto backup and possibility to extract logs for specific period. It would help a lot with audit.


@Sergei Gridnevskii are you referring to Issue Worklogs?


My company Rewind just launched an automated backup and restore solution for Jira Cloud, and we backup and restore Issue Worklogs. We are also SOC2 compliant as well!


If you are interested, feel free to check it out here: 

https://marketplace.atlassian.com/apps/1226389/rewind-backups

Thank you! I have personally been through the Deleted issues audit problem, and we were dinged for sure. 
