Do you ever have to respond to Audit requests? Looking for examples!

RJ Gazarek
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
December 10, 2020

Hi everyone!  I'm the Product Manager on our Cloud team, responsible for data management.  

I'd like to ask you all if you have ever had to respond to an internal or external audit request, and what the audit request looked like.  As we look to improve on our backup/export capabilities, we want to make sure we're building something that can help with this specific need.  

So far we've heard from customers, specifically in heavily regulated industries, that they need to maintain copies of their data for a minimum of 7 years.  Mostly for the sole purpose of responding to audit requests.  I'd love to get some examples of what types of requests are made, and what type of data you have to produce to respond to those requests. 

3 comments

marc -Collabello--Phase Locked-
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
December 10, 2020

Hi @RJ Gazarek 

I think there might be a misunderstanding about keeping the data for 7 years:

So far we've heard from customers, specifically in heavily regulated industries, that they need to maintain copies of their data for a minimum of 7 years. Mostly for the sole purpose of responding to audit requests.

The purpose of keeping the data primarily lies in the ability to get at the data in case of need, like when the primary business systems are down or lost.  Also the data needs to be kept as an unmodified archive.  Under "normal" circumstances you don't need to access these data, except for audits.

However if there is some issue or a regulatory agency requires access, you need to be able to get at the data.  This is the primary purpose, not the audits!

RJ Gazarek
Atlassian Team
December 10, 2020

Agreed! So your last sentence there:

Under "normal" circumstances you don't need to access these data, except for audits.

Is primarily what I was getting at with this.  I'd like to understand what the audit requirements are, and what are some examples of what those look like. 

Kat Warner
Marketplace Partner
Marketplace Partners provide apps and integrations available on the Atlassian Marketplace that extend the power of Atlassian products.
December 10, 2020

It would be fantastic if Atlassian joined the other organisations who have provided responses to the government cloud security and privacy considerations questionnaire (see the list here).

You may be interested in this Cloud Risk Assessment Tool for the types of questions that need to be answered.

RJ Gazarek
Atlassian Team
December 11, 2020

Hi Kat! We have something very similar here in the US.  It looks like you've linked something specifically for Australia, is that correct?

https://cloudsecurityalliance.org/star/registry/atlassian/  I wonder if any of these answers here can be used there as well. 

Kat Warner
Marketplace Partner
December 13, 2020

The links I provided are from New Zealand sources.

Andrew Laden
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
December 11, 2020

I break this down into two separate categories.

The first is checking that we are adhering to the policies that we have documented and shared with customers, and have attested to in things like SOC1 documentation.

This is less about looking for a particular piece of data, and more about spot checking that we are doing what we are supposed to. So we will get asked to prove that we backed up our data on a particular day, or that a particular change was approved, or that a security alert was investigated promptly. 

We get these on a periodic basis as a check that we are still doing the right thing.

The second usually relates to the content of the data itself, i.e. a particular customer is saying we did something wrong, and we need to produce documentation that we did it right.

The first type of audit is all about making sure that when you have a request of the 2nd type, you can provide the data that is needed.

RJ Gazarek
Atlassian Team
December 11, 2020

Yup! Agreed here too, so that all makes sense.  What I'm trying to get a sense of is what are some examples of those requests for data.  
