How Atlassian Manages Risk and Compliance GEORGE TOTEV | HEAD OF RISK & COMPLIANCE | ATLASSIAN

How Atlassian Manages Risk and Compliance with Jira Software and Confluence


RISK & COMPLIANCE TEAM

"We are here to help you build trust with our customers fast"

We manage
• Compliance program
• Business Continuity/Disaster Recovery (BC/DR) program
• Risk management program

Agenda

Agile and Compliance relationship - “It’s Complicated”

It all begins with a TEAM

Integrated Compliance

Governance, Risk & Compliance (GRC) dilemma

Taking it up a notch - Trust Management System

We Love Agile!

• Delivers value quickly
• Focuses on the stakeholder
• Autonomous team execution
• Highly adaptable
• Continuous improvement
• Predictable cost and delivery

Source: Informal survey of Atlassian development managers

• Reduces Time to Market
• Improves quality
• Improves productivity
• Increases employee satisfaction
• Reduces cost

Source: HBR Analytic Services (PwC Internal Benchmark)

Individuals and interactions over processes and tools

Working software over comprehensive documentation

Customer collaboration over contract negotiation

Responding to change over following a plan

Source: “Agile Manifesto” - http://agilemanifesto.org

We Hate Agile!

Highly Dynamic

Unstructured/Unpredictable

Limited Documentation

Scaling Fast

Traditional Compliance “Nightmare”!

There Is A Way! (We Hate Agile! → We Love Agile!)

CHALLENGES
• Highly Dynamic
• Unstructured/Unpredictable
• Limited Documentation
• Scaling Fast

APPROACH
• Automate
• Leverage Existing Processes
• Optimize
• Manage Risk

It all begins with a TEAM

Risk & Compliance TEAM
• Closely aligned with business
• Wide range of skills
• Deep domain knowledge

We have intimate knowledge of the business TEAMS

Integrated Compliance

TRADITIONAL CHANGE MANAGEMENT

File Ticket → Review Board → Schedule Change → Deploy

“AGILE” CHANGE MANAGEMENT

Peer review =

Green build =

Deployment =

How do you audit this? Optimize and automate existing process

MORE ABOUT OUR CONTROLS…

Go to https://www.atlassian.com/trust/compliance

• Request our ISO27001 certificate
• Request our SOC2 Type I reports

Bitbucket Cloud, Jira Cloud*, Confluence Cloud*

*Jira and Confluence to be available later

Atlassian Controls Framework covers:
• Sarbanes-Oxley
• FedRAMP
• G-Cloud
• GDPR

• Optimize Controls Portfolio
• Reduce Business Involvement
• Lower Audit Cost
• Expand and Scale

Inspiration: Unified Compliance Framework (UCF) https://www.unifiedcompliance.com

Governance, Risk & Compliance (GRC) dilemma

GRC
• Efficient
• Scalable
• Low Cost
• Integrated
• Easy to Use

Spreadsheets & Documents? Really?!

Specialized Tools? Unwieldy, $$$

What else is out there? Hmmm….

GRC Recipe

Ingredients
• One Vanilla JIRA
• One Vanilla Confluence
• Several GRC Experts
• Lots of Coffee & Pizza
• (Optional: Spice up with JIRA Service Desk)

• Mix and stir for about a week
• Taste and improve

Issues…

Compliance Objects
• Standard
• Control Objective
• Control Activity
• Control Test
• Finding
• Remediation
• ….

… go through lifecycles …

… and link to other issues and pages …

… and are used in reports
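To make the object model concrete, here is an added toy example (not Atlassian's code or Jira configuration) that models a few of these compliance objects as tracked issues with workflows and links, enforces one lifecycle rule, and produces the kind of report they feed; the issue keys, status names and the closing rule are assumptions.

```python
from dataclasses import dataclass, field

# Constructed toy model of the compliance objects the deck lists as Jira issue types;
# statuses, links and the closing rule are illustrative assumptions, not Atlassian's setup.
WORKFLOWS = {"Control Test": ["To Do", "Passed", "Failed"],
             "Finding": ["Open", "Closed"],
             "Remediation": ["To Do", "In Progress", "Done"]}

@dataclass
class Issue:
    key: str
    type: str
    status: str
    links: set = field(default_factory=set)  # keys of linked issues (both directions)

class Tracker:
    def __init__(self):
        self.issues = {}
    def create(self, key, issue_type):  # a new issue starts in its workflow's first status
        self.issues[key] = Issue(key, issue_type, WORKFLOWS[issue_type][0])
    def link(self, a, b):
        self.issues[a].links.add(b); self.issues[b].links.add(a)
    def linked(self, key, issue_type):
        return [self.issues[k] for k in sorted(self.issues[key].links) if self.issues[k].type == issue_type]
    def transition(self, key, new_status):
        issue = self.issues[key]
        if new_status not in WORKFLOWS[issue.type]:
            raise ValueError(f"{new_status!r} is not a {issue.type} status")
        # Workflow condition: a Finding may close only once a linked Remediation is Done.
        if issue.type == "Finding" and new_status == "Closed" and not any(
                r.status == "Done" for r in self.linked(key, "Remediation")):
            raise ValueError(f"{key} has no completed remediation")
        issue.status = new_status
    def unremediated_failures(self):
        """Report: failed Control Tests paired with each open Finding (None if none was raised)."""
        out = []
        for t in [i for i in self.issues.values() if i.type == "Control Test" and i.status == "Failed"]:
            findings = self.linked(t.key, "Finding") or [None]
            out.extend((t.key, f.key if f else None) for f in findings if f is None or f.status != "Closed")
        return out

def build_sample():  # constructed data: CT-1 failed with a Finding under remediation, CT-2 failed, nothing raised
    t = Tracker()
    for key, kind in [("CT-1", "Control Test"), ("F-1", "Finding"), ("R-1", "Remediation"), ("CT-2", "Control Test")]:
        t.create(key, kind)
    t.link("CT-1", "F-1")
    t.link("F-1", "R-1")
    for key, status in [("CT-1", "Failed"), ("CT-2", "Failed"), ("R-1", "In Progress")]:
        t.transition(key, status)
    return t
```

Running `build_sample().unremediated_failures()` lists CT-1 with its open finding F-1 and CT-2 with no finding at all, which is the gap an auditor would ask about.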

Other Examples

Policies
• Policy in Confluence
• Policy Lifecycle in Jira
• Policy Exceptions in JIRA Service Desk

Audit
• Subtasks in Control Test
• Linked PBCs
• Findings in Jira
• Linked Remediations

Risk
• Risk Issue Type
• Risk Driver Issue Type
• Links with Controls
• “Crowdsourcing” risks

Attestations
• Issues in Jira
• Reports attached
• Lifecycle is Workflow
• Templates in Confluence

Easy, Low Cost, Integrated, Expandable, Scalable

Taking it up a notch - Trust Management System

Atlassian Trust Management System (ATMS)

Standards, generally, require/prescribe:
• Governance Structures
• Policy Management
• Controls Management
• Audit & Assurance

Goal: Abstracted Risk Management

Summary

Optimize Control Framework: Reduce cost and burden on TEAMs

Trust Management System: Abstract Risk Management and leverage components

There is a Way! Combining TEAM with Atlassian tools could allow Agile Compliance Management

GRC: JIRA and Confluence are an easy, effective, scalable way to manage GRC

Atlassian Compliance Community at https://community.atlassian.com/t5/Compliance/ct-p/compliance
