How Atlassian uses Jira to manage risks and compliance obligations - Part 2

@Guy for a starter like me, is there any steps that I can follow and easily understand? I usually use Confluence for documentation, raise issues / incidents in JIRA. But I want to know where and how to start for kicking off RCSA establishment within JIRA. I mean like a GRC in JIRA for dummy. Haha.

@jimmi.handoko reach out to me directly - guy@atlassian.com and let's talk - might be a good idea to get your Jira admin on the call as well.

@Shuichi Sakai We built an app internally - I think that there are a couple on the app store that do the same thing.

Thanks @Guy , will be in touch soon. 

@Guy Thank you for this.
It appears that you only show the screens of the existing transitions.
Some custom fields from the first part are missing, can you specify the screens and fields for issue creation on workflows.
Nevertheless, this will be incredibly useful to multiple GRC teams! Thank you

@Guy 

This is absolutely spectacular and helpful!!  Thank you very much.  I'm going to see what I can do with NIST following this great approach you've laid out here.  Thank you

-Scott

Hi  @Guy ,

Thanks for the sharing. 

Should I customize / seperate every creation screen according to Part1's fields? 

or

Every issuetype schould have one create screen?

What is your suggestion / best practice?

@Guy Is there any more information you can share regarding this implementation of JIRA GRC? My company is using this as our compliance tool but really needs some additional information on how to best use the different issue types and understanding the workflow. Any guidance or information you can offer would be helpful. 

Hi @Guy 

Is part 3 there in the draft stage? I followed part 1 and part 2 setups on our JIRA cloud but I still feel very blurry about this. It would be great if I can see some implementation examples of how to present control objectives on JIRA. I hope Atlassian Sydney open a meetup for GRC in future :)  

How do you recommend we trigger risk reviews annually or after a certain period of time? I would expect some sort of notification being sent out once a date has arrived to trigger a re-evaluation of the risk.

@Jordin I'm experimenting with the policy workflow and have set up project level automation to transition the policy jira back to in progress 11 months after the last resolution date.

Hi @Guy ,

Thanks for right in detail. It's good and useful. Just wondering if you are writing more on the control objective. Looking forward to your response. Thank you

We will be sharing information on the control objectives that we have and how we went about building them - we have really enjoyed the risk and compliance journey so far and want to share our travel stories. 

@Guy Would be awesome to pull in the Security Controls Framework CSVs, they map the majority of control frameworks :)

Hi. 
Can you advise/suggest one workflow that might work for issuetypes for compliance type Jira projects? D

Hey @Guy, do you have any additional information that you're able/willing to share about how this has been going for your team?

Have y'all changed anything or started doing anything new since the Part 1 and Part 2 articles were first written?