Hi everyone! I'm the Product Manager on our Cloud team, responsible for data management.
I'd like to ask you all if you have ever had to respond to an internal or external audit request, and what the audit request looked like. As we look to improve on our backup/export capabilities, we want to make sure we're building something that can help with this specific need.
So far we've heard from customers, specifically in heavily regulated industries, that they need to maintain copies of their data for a minimum of 7 years. Mostly for the sole purpose of responding to audit requests. I'd love to get some examples of what types of requests are made, and what type of data you have to produce to respond to those requests.
Hi @RJ Gazarek
I think there might be a misunderstanding about keeping the data for 7 years:
> So far we've heard from customers, specifically in heavily regulated industries, that they need to maintain copies of their data for a minimum of 7 years. Mostly for the sole purpose of responding to audit requests.
The purpose of keeping the data primarily lies in the ability to get at the data in case of need, like when the primary business systems are down or lost. Also, the data needs to be kept as an unmodified archive. Under "normal" circumstances you don't need to access this data, except for audits.
However if there is some issue or a regulatory agency requires access, you need to be able to get at the data. This is the primary purpose, not the audits!
Agreed! So your last sentence there:
> Under "normal" circumstances you don't need to access these data, except for audits.
Is primarily what I was getting at with this. I'd like to understand what the audit requirements are, and what are some examples of what those look like.
Hi Kat! We have something very similar here in the US. It looks like you've linked something specifically for Australia, is that correct?
https://cloudsecurityalliance.org/star/registry/atlassian/ I wonder if any of these answers here can be used there as well.
I break this down into two separate categories:
The first is checking that we are adhering to the policies that we have documented and shared with customers, and have attested to in things like SOC1 documentation.
This is less about looking for a particular piece of data, and more about spot checking that we are doing what we are supposed to. So we will get asked to prove that we backed up our data on a particular day, or that a particular change was approved, or that a security alert was investigated promptly.
We get these on a periodic basis as a check that we are still doing the right thing.
The second usually relates to the content of the data itself, i.e., a particular customer is saying we did something wrong, and we need to produce documentation that we did it right.
The first type of audit is all about making sure that when you have a request of the 2nd type, you can provide the data that is needed.