Hello Everyone!
Recently I have had to explain some of the “rules“ that surround the way you store data in Jira in order to maintain SOC2 compliance and since I have been involved in the audit process many times I thought I would share with all of you.
SOC stands for Systems and Organization Control. It is intended for use by service organizations to issue validated reports of internal controls over those information systems to the users of those services. The reports focus on controls grouped into five categories called Trust Service Principles: Security, Availability, Confidentiality, Processing Integrity & Privacy. You can read more about it here.
SOC2 Audit certification is completed annually. So, you will need to make sure that once you have done everything you need to pass the audit you continue to do so for every single year you are attempting to complete the audit.
As a Jira Admin, you will likely be asked to help gather Jira issue data and project permission information that will be used to help prove your compliance with various pieces of the audit process. I’m going to focus on the Jira issue data as that can be the most troublesome piece for your first time running through the audit process.
You will likely be working with someone else at your company that will be in communication with the auditors. The audit period is usually April 1st to September 30th for the given audit year. You will need to work with our company representative to understand what Jira projects you have that will be covered by the audit and what issue types within that project will be covered (likely it will be all types for a project that is to be included, but there my be exceptions).
You will be asked to grab a listing of “all” issues that have been created during the audit period. I would recommend building a shared filter(s) that will allow you to simply update the dates in the JQL and re-run this year over year to grab the audit information.
The first thing the auditors will be looking for is sequential numbering of issues, and they will question any gaps you have in the numbering. If you regularly delete issues, you will need to get in the habit of NOT doing that anymore, but simply closing test/duplication/”bad” issues with an appropriate reason. Deleted issues are seen as an attempt to remove data that would fail the audit. Moved issues will also exhibit a similar appearance, but you have the ability to prove that they were moved by showing that the link to the original issue redirects to the new location. If you want to avoid this completely, close the issues with an appropriate reason and create a new linked issue so there are no gaps in the issue numbering.
Next, you will be asked to provide detailed issue information on a random selection of issues chosen by the auditors. This one can be tricky as they will generally want to see all data including the history and comments for the given issues. My personal recommendation would be to write a small script/program that leverages the API and allows you to pass in a list of Jira Issue IDs which will output the data (most likely in csv format) that is easy for you to pass on to the auditors.
There are definitely many more steps involved in completing a SOC2 audit, but I thought I would share couple of tips for Jira Admins as far as what you can expect to have requested of you during the audit process. If I have missed any important pieces from this process, please keep me honest in the comments and I’ll be sure to update this article.
Have a great rest of the week!
Jimmy Seddon
Sr R&D Tools Administrator
Arctic Wolf
Waterloo, Ontario, Canada
180 accepted answers
9 comments