Do you ever have to respond to Audit requests? Looking for examples!

RJ Gazarek Atlassian Team Dec 10, 2020

Hi everyone!  I'm the Product Manager on our Cloud team, responsible for data management.  

I'd like to ask you all if you have ever had to respond to an internal or external audit request, and what the audit request looked like.  As we look to improve on our backup/export capabilities, we want to make sure we're building something that can help with this specific need.  

So far we've heard from customers, specifically in heavily regulated industries, that they need to maintain copies of their data for a minimum of 7 years.  Mostly for the sole purpose of responding to audit requests.  I'd love to get some examples of what types of requests are made, and what type of data you have to produce to respond to those requests. 

3 answers

Hi @RJ Gazarek 

I think there might be a misunderstanding about keeping the data for 7 years:

So far we've heard from customers, specifically in heavily regulated industries, that they need to maintain copies of their data for a minimum of 7 years. Mostly for the sole purpose of responding to audit requests.

The purpose of keeping the data primarily lies in the ability to get at the data in case of need, like when the primary business systems are down or lost.  Also, the data needs to be kept as an unmodified archive.  Under "normal" circumstances you don't need to access these data, except for audits.

However if there is some issue or a regulatory agency requires access, you need to be able to get at the data.  This is the primary purpose, not the audits!

RJ Gazarek Atlassian Team Dec 10, 2020

Agreed! So your last sentence there:

Under "normal" circumstances you don't need to access these data, except for audits.

Is primarily what I was getting at with this.  I'd like to understand what the audit requirements are, and what are some examples of what those look like. 

0 votes

It would be fantastic if Atlassian joined the other organisations who have provided responses to the government cloud security and privacy considerations questionnaire (see the list here).

You may be interested in this Cloud Risk Assessment Tool for the types of questions that need to be answered.

RJ Gazarek Atlassian Team Dec 11, 2020

Hi Kat! We have something very similar here in the US.  It looks like you've linked something specifically for Australia, is that correct?

https://cloudsecurityalliance.org/star/registry/atlassian/  I wonder if any of these answers here can be used there as well. 

The links I provided are from New Zealand sources.

RJ Gazarek likes this

I break this down into two separate categories.

The first is checking that we are adhering to the policies that we have documented and shared with customers, and have attested to in things like SOC1 documentation.

This is less about looking for a particular piece of data, and more about spot checking that we are doing what we are supposed to. So we will get asked to prove that we backed up our data on a particular day, or that a particular change was approved, or that a security alert was investigated promptly. 

We get these on a periodic basis as a check that we are still doing the right thing.

The second usually relates to the content of the data itself, i.e., a particular customer is saying we did something wrong, and we need to produce documentation that we did it right.

The first type of audit is all about making sure that when you have a request of the 2nd type, you can provide the data that is needed.

RJ Gazarek Atlassian Team Dec 11, 2020

Yup! Agreed here too, so that all makes sense.  What I'm trying to get a sense of is what are some examples of those requests for data.  

Deployment type: Cloud. Product plan: Premium. Permissions level: Site Admin.