Our Atlassian Security Incident Responsibilities
Introduction
Just like any cloud service provider, we try our best to ensure our customers don't experience an outage or a security incident. However, we understand that a security incident is likely to happen. It's important to us that customers understand how they fit into our security incident response process and what responsibilities you have in the course of an incident. We plan for the worst so, if it happens, we are ready and Don't #@!% our Customer (DFTC).
We do our best to handle the entirety of any security incident affecting our services and infrastructure. We'll do everything from breach detection to containment, and even disclosure. However, we can't possibly see everything; sometimes we need a helping hand from our customers to report an incident or from an external consultancy to provide specialized investigatory or forensic skills.
Roles
We've reviewed and utilize a number of security incident management models to ensure our incident response processes are not only comprehensive but world-class. We've pulled out the most significant activities from those models and described the responsibility for each.
| | Party | Role | Description |
|---|---|---|---|
|
| Party Atlassian | Role Security Incident Response Coordinator | Description Each security incident has a lead incident coordinator from our Atlassian security team to make security decisions, oversee the process and allocate tasks. |
|
| Party Atlassian | Role Security incident analyst | Description Security analysts perform the majority of incident investigations and analysis. On smaller incidents, this is often assumed by the security incident response coordinator. |
|
| Party Atlassian | Role Customer communications lead | Description A customer communications lead is assigned to each incident to make decisions about how customers should be engaged. Typically this person also delivers much of the customer communication. |
|
| Party Atlassian | Role Red team | Description The Atlassian red team mimics real world cyber adversaries and executes defined test scenarios designed to evaluate and identify improvements in our own detection and response capabilities. |
|
| Party Atlassian | Role Supporting advisor | Description Atlassian security incident management teams seek the advice of various internal subject matter experts (e.g. legal, privacy, risk, human resources etc.). These advisors provide specialist guidance on issues that impact their areas of expertise. |
|
| Party Security Consultancy | Role Consultant | Description Atlassian retains the services of a specialist cyber security consultancy in case of an incident. In general the consultancy is used to provide additional resources in case of shortage, specialist skills if unavailable internally, and independent advice and review of incidents. |
|
| Party Customer | Role Reporter | Description Customers are encouraged to report any unauthorized access or malicious behaviour to Atlassian assets. |
|
| Party Customer | Role Security contact | Description If an incident affecting a customer is confirmed, the customer's security contact will be notified. The security contact is usually the account technical contact but may change if the customer has a dedicated security team. The security contact ensures the customer manages the incident appropriately outside the scope of Atlassian assets. |
Responsibilities
We define our security incident management responsibilities using the RACI model. While we make every effort to fulfill our defined responsibilities, customers are ultimately responsible for the security of their data as per the Atlassian Customer Agreement.
- Responsible - The party will do the work to achieve the task.
- Accountable - The party ultimately answerable for the correct and thorough completion of the activity.
- Consulted - The party whose opinions are sought and with whom there is two-way communication.
- Informed - The party who is kept up-to-date on progress, and with whom there is just one-way communication.
| | Activity | Atlassian | Customer |
|---|---|---|---|
|
| Activity Detection | Atlassian Responsible | Customer
|
|
| Activity Triage | Atlassian Responsible | Customer
|
|
| Activity Investigation | Atlassian Responsible | Customer
|
|
| Activity Containment | Atlassian Responsible | Customer
|
|
| Activity Eradication | Atlassian Responsible | Customer Informed |
|
| Activity Recovery | Atlassian Responsible | Customer Informed |
|
| Activity Notification (to Customer) | Atlassian Responsible | Customer Informed |
|
| Activity Notification (to Atlassian) | Atlassian Informed | Customer Responsible |
|
| Activity Improvement | Atlassian Responsible | Customer
|
|
| Activity Testing | Atlassian Responsible | Customer
|
|
| Activity External reporting (law enforcement and compliance) | Atlassian Accountable Responsible | Customer Informed |
|
| Activity Aggregate data publication | Atlassian Responsible | Customer Informed |