Tips to help Jira Admins prepare for a SOC2 Audit

Hello Everyone!

Recently I have had to explain some of the “rules” that surround the way you store data in Jira in order to maintain SOC2 compliance. Since I have been involved in the audit process many times, I thought I would share them with all of you.

What is a SOC2 Audit?

SOC stands for Systems and Organization Control. It is intended for use by service organizations to issue validated reports of internal controls over those information systems to the users of those services. The reports focus on controls grouped into five categories called Trust Service Principles: Security, Availability, Confidentiality, Processing Integrity & Privacy. You can read more about it here.

How long/often will I have to do this?

SOC2 audit certification is completed annually. So, once you have done everything you need to pass the audit, you will need to keep doing it every single year you attempt to complete the audit.

What sort of things do I need to do/prepare?

As a Jira Admin, you will likely be asked to help gather Jira issue data and project permission information that will be used to help prove your compliance with various pieces of the audit process. I’m going to focus on the Jira issue data as that can be the most troublesome piece for your first time running through the audit process.

You will likely be working with someone else at your company who will be in communication with the auditors. The audit period is usually April 1st to September 30th of the given audit year. You will need to work with your company representative to understand which Jira projects you have that will be covered by the audit and which issue types within those projects will be covered (likely it will be all types for a project that is included, but there may be exceptions).

You will be asked to produce a listing of “all” issues created during the audit period. I would recommend building a shared filter (or filters) so that you can simply update the dates in the JQL and re-run it year over year to gather the audit information.

The first thing the auditors will look for is sequential numbering of issues, and they will question any gaps in that numbering. If you regularly delete issues, you will need to get in the habit of NOT doing that anymore, and instead simply close test/duplicate/“bad” issues with an appropriate reason. Deleted issues are seen as an attempt to remove data, which will fail the audit. Moved issues also show up as gaps, but you can prove they were moved by showing that the link to the original issue key redirects to the new location. If you want to avoid this completely, close the issue with an appropriate reason and create a new linked issue so there are no gaps in the issue numbering.

Next, you will be asked to provide detailed issue information for a random selection of issues chosen by the auditors. This one can be tricky, as they will generally want to see all data, including the history and comments, for the given issues. My personal recommendation is to write a small script/program that leverages the REST API, takes a list of Jira issue IDs as input, and outputs the data (most likely in CSV format) in a form that is easy to pass on to the auditors.
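As an added example (my own, not the article's script or anything Atlassian ships) of the export just described and of the gap check from the previous paragraph: it flattens one issue's fields, comments and changelog into CSV rows, and lists the missing numbers per project key. It assumes the JSON shape returned by Jira's REST v2 issue endpoint with `expand=changelog`; the sample issue is constructed, and a real run would load each key from the API instead.

```python
import csv, io, re
from collections import defaultdict
# Constructed sample: trimmed shape of GET /rest/api/2/issue/{key}?expand=changelog
# (REST v2, where comment bodies are plain strings). A real run loads this from the API.
SAMPLE_ISSUE = {
    "key": "AUD-7",
    "fields": {
        "summary": "Rotate service account keys", "status": {"name": "Done"},
        "created": "2022-05-02T10:15:00.000+0000", "reporter": {"displayName": "J. Seddon"},
        "comment": {"comments": [{"author": {"displayName": "A. Katz"},
                                  "created": "2022-05-03T09:00:00.000+0000",
                                  "body": "Keys rotated, evidence attached."}]}},
    "changelog": {"histories": [{"author": {"displayName": "J. Seddon"},
                                 "created": "2022-05-04T08:30:00.000+0000",
                                 "items": [{"field": "status", "fromString": "In Progress",
                                            "toString": "Done"}]}]},
}

def issue_to_rows(issue):
    # One row for the issue itself, then one per comment and per changelog item, so the
    # auditor sees creation, discussion and every state change for the sampled issue.
    key, f = issue["key"], issue["fields"]
    rows = [{"key": key, "kind": "issue", "when": f["created"],
             "who": f["reporter"]["displayName"],
             "detail": f"{f['summary']} [{f['status']['name']}]"}]
    for c in f.get("comment", {}).get("comments", []):
        rows.append({"key": key, "kind": "comment", "when": c["created"],
                     "who": c["author"]["displayName"], "detail": c["body"]})
    for h in issue.get("changelog", {}).get("histories", []):
        for it in h["items"]:
            rows.append({"key": key, "kind": "history", "when": h["created"],
                         "who": h["author"]["displayName"],
                         "detail": f"{it['field']}: {it['fromString']} -> {it['toString']}"})
    return rows

def rows_to_csv(rows):
    buf = io.StringIO()
    w = csv.DictWriter(buf, fieldnames=["key", "kind", "when", "who", "detail"], lineterminator="\n")
    w.writeheader()
    w.writerows(rows)
    return buf.getvalue()

def numbering_gaps(keys):
    # Missing numbers per project: auditors question every gap in sequential numbering.
    seen = defaultdict(set)
    for k in keys:
        proj, num = re.fullmatch(r"([A-Z][A-Z0-9_]*)-(\d+)", k).groups()
        seen[proj].add(int(num))
    return {p: [n for n in range(1, max(s) + 1) if n not in s]
            for p, s in seen.items() if len(s) < max(s)}
```

Run `numbering_gaps` over the keys from your audit-period filter before the auditors do, so every gap already has a documented reason (closed, moved) attached.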

There are definitely many more steps involved in completing a SOC2 audit, but I thought I would share a couple of tips for Jira Admins on what you can expect to have requested of you during the audit process. If I have missed any important pieces of this process, please keep me honest in the comments and I’ll be sure to update this article.

Have a great rest of the week!

9 comments

Sergei Gridnevskii
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
May 24, 2022

Good that you started to think of audit. Maybe Atlassian will create code that can print an issue with all comments and history? I have real trouble with this - of course I can use REST API to extract full issue details, convert it to HTML and print, but they will never believe that it is an original issue unless I apply all styles as on the original page.

Erick Miranda Márquez May 24, 2022

Great work Jimmy,

It should be great if Atlassian provides a script or something like that that helps us get all that stuff, because as you explained, those are steps and it doesn't change, and we have every year our audits, not only SOC though.

Amir Katz (Outseer)
Rising Star
May 24, 2022

Great article, @Jimmy Seddon !

Regarding deletion of tickets - We (Jira admins) are deleting test tickets that we create for testing purposes, but now that you mention this, I will move them to Canceled/Rejected status. Or I may add a new dedicated status like 'REJECTED without prejudice' :-).

Such a change will require some managers to update their filters and JQL to exclude the above status so it won't be counted in dashboards and statistics.

carlos_marin - ENTELGY -
Rising Star
May 24, 2022

Hi @Jimmy Seddon

I'm not a security expert, but I understand that Atlassian is auditing its products with SOC2, as stated on this page:

https://www.atlassian.com/trust/compliance/resources/soc2

As a Jira admin who is using the Atlassian product, why should I do a SOC2 audit?

Best regards,

Jimmy Seddon
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
May 24, 2022

@carlos_marin - ENTELGY - SOC2 is an audit of the processes your company follows to deliver its product/service (usually applies more to SaaS companies). If your company is being audited, you as a Jira Administrator may be asked to help your company provide evidence that you are following a compliant set of processes.

The fact that Atlassian has passed a SOC2 audit does not automatically mean that your company is also SOC2 certified.

I hope that helps!

Sergei Gridnevskii
Rising Star
May 25, 2022

Amir good point. I create new automation rules almost every day and some of them are too complex to test them on real users. So I can have 5-6 test tickets that my users are not happy to see in their reports. But I clearly identify them as "This is a test issue" in summary and delete as long as I do not need them.

Sergei Gridnevskii
Rising Star
May 25, 2022

For SOC2 it would be very useful to backup Jira logs every month. They are deleted by Jira after some time and it really frustrates me. Why? They are not that big in terms of storage, just a text file that can be zipped with great compression ratio.

I would appreciate if Atlassian creates auto backup and possibility to extract logs for specific period. It would help a lot with audit.

Danny Grenzowski _Rewind_
Marketplace Partner
Marketplace Partners provide apps and integrations available on the Atlassian Marketplace that extend the power of Atlassian products.
May 26, 2022

@Sergei Gridnevskii are you referring to Issue Worklogs?


My company Rewind just launched an automated backup and restore solution for Jira Cloud, and we backup and restore Issue Worklogs. We are also SOC2 compliant as well!


If you are interested, feel free to check it out here: 

https://marketplace.atlassian.com/apps/1226389/rewind-backups

Suzanne Seaton
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
May 26, 2022

Thank you! I have personally been through the Deleted issues audit problem, and we were dinged for sure.
