Our Atlassian Security Management Program (SMP)
Introduction to our Information Security Management Program
Here at Atlassian, we're pretty proud of our company values. These values to guide everything that we do. One particular value that stands out is our Open Company, No Bullshit. What this particular value represents is exactly how it's defined on our Values page -
And we understand that speaking your mind requires equal parts brains (what to say), thoughtfulness (when to say it), and caring (how it's said).
We've heard from you, our customers, pretty consistently that you would like to know more about how we run our business, and how we run our operations. We'd like to take a little time to tell you how we run our Security Management Program, or as the ISO27001 Security Management Standard calls it - our Information Security Management System (ISMS).
At Atlassian, we pride ourselves on being a little different - whether it's our unique sales approach, our Company Values, or our approach to philanthropy. We have extended this approach to our Security Management Program.
Importance of a structured management program?
There is value in management systems, whether you evaluate quality management systems, defect management systems, the kaizen method for continuous improvement, or a structured methodology to evaluate capability maturity. These management programs have been tested in the field, published, peer reviewed, and refined. Our Atlassian Security Program is based on the ISO27001 Information Security Management System standard. The basis of the ISO27001 standard is:
This International Standard can be used by internal and external parties to assess the organization’s ability to meet the organization’s own information security requirements.
Value of International Standards as Guidance (but not necessarily 'you must do')
As with any organisation, especially those who are responsible for hosting and handling our customer's data, there are understandably a lot of questions from our customers as to whether Atlassian, as a cloud service provider, is taking due care for the protection and confidentiality of our customer's data. Any customer who is considering utilising cloud services face similar decisions in choosing to host any key applications or service.
While each of our customers have their own security requirements, Atlassian's Security Management Program takes those security requirements into consideration, and arrives at a set of requirements unique for our company and our environment. The ISO27001 approach to planning, operating, evaluating performance, and improving allows for continuous evaluation of how our program is operating, and improve the program over time to take into consideration new threats, new requirements or improve the overall performance of our operation.
We evaluate International Standards as a set of well-structured guidelines, but consider each of the controls and whether those controls are appropriate for our particular environment. We take a similar approach to the overall applicability of these international standards to our environment.
Policy Management Program
The basis of the SMP is our Policy Management Program. We have structured our policies to cover the domains included in both the ISO27001 standard as well as the Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM). We have developed a couple of foundational principles to our Policy Management Program:
- Be posted and available - we aren't playing gotcha - we make it clear the bar our teams are expected to meet
- Be supported by the security team to make it easy for you to comply - we are here to help our teams, help us
- Outline our security objectives - we like to have goals and be clear about them
- Show commitment to meet our regulatory obligations - we don't want to go to jail
- Be focused on continual iteration and improvement - we continue to evaluate risks in our environment and in our program, and reflect those in our policies
- Provide for an Exception Process - for when our teams absolutely, not even a chance, there is no way, can they meet the policies for a short window
- Review annually - including updating our policies as we observe new threats and risks
Risk Management Program
In order to continuously evaluate risks to our environments and our products, we perform on-going risk assessments. In many cases, especially in the case of our products, these are performed as technical risk assessments or code reviews. However, we also evaluate each of our entire product stack or a portion of our organization to uncover higher level business risks. Generally, we have adopted the ISO27005 or ISO31010 Risk Management methodology and apply that methodology it to a particular scope. Our approach to risk management includes:
- Conduct risk assessment activities - including executing risk assessments, facilitating risk treatment decisions. This includes identifying the scope and the assets under that scope, identifying risks, assessing the impact and likelihood, review and report on the risks.
- Monitor and report on projects intended to manage security risks - continue to monitor and report on programs or projects designed to manage security risks.
- Support the SMP - through continued risk evaluation as a mechanism to improve the environment and to ensure that the implemented security controls effectively manage identified security risks.
Information Security Management Forum (ISMF)
Finally, we maintain a structured Security Management Forum that includes representatives from various parts of our business to ensure that we seek and receive input from across different disciplines on how to apply security controls and how to manage risks. We have created a few separate forum meetings to ensure coverage of particular topics as well as appropriate input.
The ISMF’s purpose is to:
- Agree on priorities and actions required to protect Atlassian and our customers from security threats
- Champion and drive activities within each business division to address deficiencies or vulnerabilities that may allow an attack to occur
- Provide direction and support to working groups on critical security risks and compliance programs
- Champion a security awareness culture throughout the organisation
We maintain the following forum meetings:
- ISMF: Management Review (Annually)
- ISMF: Resource Review (Annually)
- ISMF: Security Risk Review (Quarterly)
- ISMF: Security Health Review (Monthly)
- ISMF: Compliance Review (Monthly)
- ISMF: Security Management Review (Weekly)
The structure and frequency of these meetings ensure we are continuously reviewing our threat profile, as well as our response to those threats.
There are as many different approaches to manage a security organization as there are organizations out there. We, at Atlassian, believe we have set up a program to be flexible, responsive, but also with enough structure to ensure we are evaluating and addressing new threats and risks to both us, as well as our customers.