Our Atlassian Security Incident Responsibilities


Introduction

Just like any cloud service provider, we try our best to ensure our customers don't experience an outage or a security incident. However, we understand that a security incident is likely to happen at some point. It's important to us that customers understand how they fit into our security incident response process and what responsibilities they have in the course of an incident. We plan for the worst so that, if it happens, we are ready and Don't #@!% our Customer (DFTC). 

We do our best to handle the entirety of any security incident affecting our services and infrastructure. We'll do everything from breach detection to containment, and even disclosure. However, we can't possibly see everything; sometimes we need a helping hand from our customers to report an incident or from an external consultancy to provide specialized investigatory or forensic skills.

Roles

We've reviewed a number of security incident management models and draw on them to ensure our incident response processes are not only comprehensive but world-class. We've pulled out the most significant activities from those models and described the responsibility for each.

Each role below is listed as Party / Role, followed by a description of what that role does during an incident.

  • Atlassian / Security Incident Response Coordinator: Each security incident has a lead incident coordinator from the Atlassian security team who makes security decisions, oversees the process and allocates tasks.
  • Atlassian / Security incident analyst: Security analysts perform the majority of incident investigation and analysis. On smaller incidents this role is often assumed by the security incident response coordinator.
  • Atlassian / Customer communications lead: A customer communications lead is assigned to each incident to make decisions about how customers should be engaged. Typically this person also delivers much of the customer communication.
  • Atlassian / Red team: The Atlassian red team mimics real-world cyber adversaries and executes defined test scenarios designed to evaluate, and identify improvements in, our own detection and response capabilities.
  • Atlassian / Supporting advisor: Atlassian security incident management teams seek the advice of various internal subject matter experts (e.g. legal, privacy, risk, human resources). These advisors provide specialist guidance on issues that affect their areas of expertise.
  • Security consultancy / Consultant: Atlassian retains the services of a specialist cyber security consultancy in case of an incident. In general the consultancy is used to provide additional resources in case of a shortage, specialist skills when they are unavailable internally, and independent advice on and review of incidents.
  • Customer / Reporter: Customers are encouraged to report to Atlassian any unauthorized access to, or malicious behaviour against, Atlassian assets.
  • Customer / Security contact: If an incident affecting a customer is confirmed, the customer's security contact will be notified. The security contact is usually the account's technical contact, but may be a different person if the customer has a dedicated security team. The security contact ensures the customer manages the incident appropriately outside the scope of Atlassian assets.

Responsibilities

We define our security incident management responsibilities using the RACI model. While we make every effort to fulfill our defined responsibilities, customers are ultimately responsible for the security of their data as per the Atlassian Customer Agreement.

  • Responsible - The party will do the work to achieve the task. 
  • Accountable - The party ultimately answerable for the correct and thorough completion of the activity.
  • Consulted - The party whose opinions are sought and with whom there is two-way communication.
  • Informed - The party who is kept up-to-date on progress, and with whom there is just one-way communication.
Activity                                              Atlassian                  Customer
Detection                                             Responsible                -
Triage                                                Responsible                -
Investigation                                         Responsible                -
Containment                                           Responsible                -
Eradication                                           Responsible                Informed
Recovery                                              Responsible                Informed
Notification (to Customer)                            Responsible                Informed
Notification (to Atlassian)                           Informed                   Responsible
Improvement                                           Responsible                -
Testing                                               Responsible                -
External reporting (law enforcement and compliance)   Accountable, Responsible   Informed
Aggregate data publication                            Responsible                Informed

A dash means the party has no defined role in that activity.