How Atlassian uses Jira to manage risks and compliance obligations - Part 2

Since I don't have access to {{hello.atlassian.net}}, I'm not seeing the images on this post. Is it just me?

Thanks for pointing that out - fixed

I am missing some of your thoughts on where to have the asset repository, all risks are related to some type of asset, right?

We have our asset repository in another Jira project and we link to those where we think it is appropriate.  At the moment we don't have a strong linkage between them - the risks are higher level than that in the GRC project.  We do more at the team level and the control activities for that team.

Hey Guy. This is awesome, thanks for sharing :) Quick question - what's the background behind having a different risk and risk driver issue type? Is the idea to abstract the causes of a risk from the risk event, so each cause has a set of controls?

Hi Guy,

Thanks for sharing the set up. Can you share reporting you find most helpful?

Hi again, I have been working on this and I am still wondering if you can share the overall GRC landscape you have deployed at Atlassian. These two post focus on some of the fundamental processes around risks, but I am still wondering where the documentation is, how the policies related to specific processes, and how the new employees are introduced to this. Its seems very substantial, and there are a lot of custom fields for very custom purposes - over to say it differently, do you anything more overview focused? 

Will do a couple of posts in the new year to talk about the general background of how we manage risk and compliance and how we report what we have in the data.  Great feedback and thanks

Im interested in seeing how people actually interact with for example Control Activity issue type. To generate Control Activity Performance or Finding... how elegantly can that be made?

Great presentation. Looking forward to future posts that you mention in the Dec 13 post especially the reports.

Hi Guy, thanks for the great articles. Here are a few questions:

1) Are the custom fields and workflows that you've listed in the two articles already exist in the Jira instance for customers, or is this something that needs to be built/customized for each customer?

2) Are the "GRC_Compliance", and "GRC_SOC2 Common Criteria" or other control objectives from various compliance frameworks (e.g. ISO 27001, PCI) already populated in Jira?

3) Are there any other resources (e.g. white papers, guidance docs) available for implementing the "Atlassian Manages Risk and Compliance" project in Jira/confluence?

Thanks!

Everyone - thanks for the questions - I know that I have been a bit quiet - but lets fix that.

Andrew - We created a set of fairly generic risks - if you get too specific on these you end up with a million risks and people saying - no, my risk is a bit different to that.  The risk drivers were a way for us to look closer at what factors go into the risks.  Still a bit of a work in progress there.

Sharon - yes I will - a later post as it really is a combination of Jira and Confluence - and it iterates as well.  Probably later this month.

Niels - I will do a post on this - realised you are so right - needs context.  Again - probably this month - but might be early March.

Sahar - 

1. the fields are custom fields - but your admin can create them - you don't need anyone outside to build anything.
2. We have them in our instance - but due to licencing problems we are not sure how to share these (ISO as an example is something that is owned by someone else)
3. At the moment no - but we are developing playbooks to help with that.  If you have an admin looking after your instance they would be able to take our custom fields and workflows and implement them.  The - how do we use it is also coming - probably after after the 2 blogs above.

Watched this get presented in your Summit2019 preview last night - really enjoyed it. As a CISA, I appreciated the hard work that's gone on behind the scenes in keeping this a transparent activity across Atlassian and the focus on simplifying. Worth noting that the Control Objectives referenced are from SOC, Sarbanes Oxley, but could equally be from COBIT, ISO27001, HIPAA etc - as you noted in your presentation, they're CSV based and = import candidates into JIRA.

Something that is really important and I am not sure that I have highlighted - when you bring in a new compliance obligation DON'T create a whole new set of control objectives. 

Bring it in as a compliance obligation and then work out which existing control objectives map to the new obligation. 

For obligations not covered by existing control objectives - create the new control objective and then go back out to the teams to see if they have a control activity that covers it.  

@guy - all well and good until you spend time working across a range of the different standardisation models for IT Governance/Control and start wrestling with the cross mappings or overlaps that are evident across ITSM/COBIT/SOX/SOC/HIPAA/ISO2700-n. If you've tackled that element, will be interested to hear how you did it.

@Brian Hill Might be worth looking into the Common Controls Hub as it helps with that. You select what regulations/frameworks you want to comply with and it spits out a set of relevant control objectives and the mappings. They have a free preview available on their website: https://commoncontrolshub.com/overview/.

Since nobody else has the guts to admit to laziness...could this fantastic workflow be available as a template??

@Guy interesting work. I know you are probably busy, but any update on the follow up articles, you referred to, should have been published in late Feb and Mar? :-)

@GuyIs there a mapping of fields for the create screens. Which fields are relevant? I assume not all fields are relevant for every tcket type.

I wish that we had a way to template this - we are working on it. In the meantime - sorry but that is all we have. For the mapping of fields to screens - will find out what we can generate and let you know.

And I am working on the other blogs (have had some risk and compliance work to do as well). 

I would love a template or plugin for this

Hi,

@Guy Have you managed to create a white papers, guidance docs? 

At the moment all fields, screens, workflows are implemented in my Jira service desk. But Im lacking information on how it all should be connected in the project. What Im after is there any WoW for implementing the CRTs in Jira service desk?

Thank you for sharing these two blog posts @Guy 

Is the risk heat map (risks mapped onto the risk matrix) that was shown in the presentation a custom gadget that you created? 

@Guy thank you very much. currently looking for a solution for RCSA and found this might be very helpful instead of acquiring new application.

@jimmi.handoko It takes about a half a day for an experienced Jira admin to set up the fields, flows and screens. After that the work is in creating your obligations and objectives - and spending time with the teams to understand their control activities. But you will have to do that with any tool that you purchase (even ones that promise all the data is already there).