Close

Our Atlassian Security & Technology Policies

Atlassian has established an information security management program (ISMP) describing the principles, and basic rules for how we maintain trust & security. We accomplish this by continually evaluating risks to our operations and improving the security, confidentiality, integrity, and availability of our Atlassian environment. We regularly review and update security policies, perform application and network security testing of our environment, and monitor compliance with security policies.

Below is a list and short description of our major Security & Technology policies that Atlassian has put in place for our internal & cloud environments. 

Policy, Risk, and Governance

This policy sets out the general principles and guidelines for managing Security @ Atlassian.

The basic principles include:

  • Atlassian will manage access to company information and customer information based on business need and in line with our Atlassian values
  • Atlassian will implement a set of controls to manage the implementation of security in line with this policy
  • Atlassian will periodically review risks and the effectiveness of controls intended to manage those risks

Access Management

This policy sets out the general principles and guidelines for Access Management.

The basic principles include:

  • Maintain an Access Control policy outlining how to manage access to systems
  • User accounts and passwords will be used to manage access
  • All users have responsibility to manage access to their systems
  • Systems will be logged and monitored for potential inappropriate access
  • Remote access will be managed by multi-factor authentication

Asset Management

This policy sets out the general principles and guidelines for management of Atlassian's IT assets and how those assets should be handled.

The basic principles include:

  • Atlassian will maintain an inventory of assets
  • Assets maintained in an asset management database will have identified owners
  • Acceptable use of assets will be identified, documented and implemented
  • Assets will be returned to Atlassian if employment is terminated

Business Continuity & Disaster Recovery

This policy sets out the general principles that establish our approach toward resilience, availability and continuity of processes, systems and services at Atlassian. It defines requirements around business continuity, disaster recovery and crisis management processes.

The basic principles include:

  • Mission critical system, process or Service Owners must ensure proper Business Continuity and/or Disaster Recovery that is inline with the tolerance for disruption in case of disaster.
  • Continuity plans must include appropriate "last stand" environment, that provides core functionality (at the minimum), and a plan to fail to that environment. Considerations for business-as-usual resumption must also be included.
  • No mission critical system, process or function could be deployed in production without appropriate continuity plan.
  • Plans must be tested quarterly and issues identified and addressed.
  • Maximum time for recovery (RTO) starts from event detection until the core functionality is operational. Services are grouped into Tiers that define maximum RTO and RPO.

Communications Security

This policy sets out the general principles and guidelines for managing the security of our communications and our networks.

The basic principles include:

  • Network access should be controlled
  • Network access is supplied
  • Networks should be segregated based on criticality

Crypto & Encryption

This policy sets out the general principles to ensure that Atlassian implements appropriate encryption & cryptography to ensure confidentiality of critical data. Atlassian deploys cryptographic mechanisms to mitigate the risks involved in storing sensitive information and transmitting it over networks, including those that are publicly accessible (such as the internet).

The basic principles include:

  • Sensitive data is encrypted appropriately
  • Strength of selected encryption corresponds with information classification
  • Cryptographic keys will be securely managed
  • Only approved cryptographic algorithms will be used

Data Security & Information Lifecycle Management

This policy establishes overall requirements on how to handle customer data. While one of our Corporate values is Open Company, No Bullshit, all employees should still consider how to handle both internal as well as customer data. All employees share in the responsibility for ensuring that our information receives an appropriate level of protection by observing this policy.

The basic principles include:

  • Information must be classified in terms of legal requirements, value and criticality to Atlassian
  • Information must be labeled to ensure appropriate handling
  • Manage all removable media with the same handling guidelines as below
  • Media being disposed of should be securely deleted
  • Media containing company information must be protected against unauthorized access, misuse or corruption during transport

Mobile & Bring Your Own Device (BYOD)

This policy sets out the general principles and guidelines for the use of personal devices with Atlassian networks and systems.

The basic principles include:

  • Be as unobtrusive and flexible as possible with regard to BYOD usage to maintain the autonomy of Atlassians whilst ensuring we have the ability to protect our customer and corporate data.
  • Perform configuration / posture checking and monitoring of compliance of devices, with the least restrictive principles that reasonably achieve the required security objectives.
  • Where restrictions do need to be applied, this will be done selectively depending on the type of data that can be accessed.
  • Atlassian reserves the right to revoke access to personal electronic devices if users do not abide by the BYOD policies and procedures

Operations

This policy sets out the general principles and guidelines for technology operational practices at Atlassian.

The basic principles include:

  • Atlassian procedures should be documented for operational activities
  • Our backups should be taken regularly and the backups tested
  • All changes should be managed and evaluated by multiple people
  • Capacity should be evaluated and planned for
  • Software installation should be limited and unnecessary software should be restricted
  • Logs should be configured and forwarded to the centralized logging platform
  • Any operational incidents should be managed according to our standard Incident process

Personnel Security

This policy sets out the general principles and guidelines for personnel security at Atlassian.

The basic principles include:

  • Security responsibilities will be outlined in job definitions
  • All employees and users will regularly attend security awareness training
  • All employees and contractors have a duty to report security incidents or weaknesses
  • Upon employee termination, access and return of assets will occur in a reasonable time frame

Physical & Environmental Security

This policy sets out the general principles and guidelines for securing our buildings, our offices and securing our equipment.

The basic principles include:

  • Provide for secure areas to work
  • Secure our IT equipment wherever it may be
  • Restrict access to our buildings and offices to appropriate personnel

Privacy

This policy sets out the general principles and guidelines for managing customer related data privacy.

The basic principles include:

  • Manage controls around collecting customer data
  • Reviewing customer data should be limited to support purposes only
  • The only scenarios where customer data may be cloned is for backup or support purposes

Security Incident Management

This policy sets out the general principles and guidelines to ensure that Atlassian reacts appropriately to any actual or suspected security incidents. Atlassian has a responsibility to monitor for incidents that occur within the organisation that may breach confidentiality, integrity or availability of information or information systems. All suspected incidents must be reported and evaluated. 

The basic principles include:

  • Anticipate security incidents and prepare response plans accordingly
  • Contain, eradicate and recover from an incident
  • Invest in our people, processes and technologies to ensure we have the capability to detect and analyse an incident when it occurs
  • Make protection of Personal data and customer data the top priority during security incidents
  • Regularly exercise the the security incident response process
  • Learn from and improve the security incident management function
  • Communicate critical security incidents to the Atlassian Leadership Group

Supplier Management

This policy sets out the general principles and guidelines to select, engage, monitor and off-board suppliers.

The basic principles include:

  • Atlassian will be purposeful in managing our vendor selection process
  • All suppliers must be onboarded and managed in accordance with Atlassian supplier risk assessment and due diligence processes
  • The business owner requesting the vendor relationship is responsible for utilizing standard Atlassian contracts
  • Atlassian will perform oversight of the relationship to ensure it meets our Atlassian standards
  • Atlassian reserves the right to terminate the contract with any vendor when the service is no longer required

System Acquisition, Development, and Maintenance

This policy sets out the general principles and guidelines for development of applications, both internally and customer-facing, as well as creating limitations on how to manage pre-production environments and incorporating open source software into any of our products.

The basic principles include:

  • Security requirements will be included and incorporated to any environment, application development, or acquisition
  • Product development will follow our internal quality assurance process, which includes integration of security checks
  • Production data will be anonymized or masked when being used in pre-production environments
  • Integration of any open source frameworks or libraries will follow our internal guidelines

Threat & Vulnerability Management

This policy sets out the general principles and guidelines for managing security threats and vulnerabilities both in our environment and in our products.

The basic principles include:

  • Manage security vulnerabilities in our products and services, including issuing updates, patches or advisories
  • Manage security threats and vulnerabilities throughout our environment, both internal and hosted environments
  • Manage the threat of malware in the environment

Audit & Compliance Management

This policy sets out the general principles and guidelines for managing the audit and compliance program to validate implementation of the Atlassian Controls Framework.

The basic principles include:

  • Implement technology-focused operations, security and privacy controls to ensure they comply with relevant internal policies, regulations and external industry standards
  • Audits are coordinated and delivered as appropriate to achieve high level of confidence in our control environment, as well as to achieve internal or external certification
  • Atlassian seeks external validation of the implementation of our operational, security, privacy and other controls
  • Atlassian maintains a consolidated view of all its relevant control objectives, activities and tests