Our Atlassian Security Incident Responsibilities
Just like any cloud service provider, we try our best to ensure our customers don't experience an outage or a security incident. However, we understand that a security incident is likely to happen at some point. It's important to us that customers understand how they fit into our security incident response process and what responsibilities they have in the course of an incident. We plan for the worst so that, if it happens, we are ready and Don't #@!% the Customer (DFTC).
We do our best to handle the entirety of any security incident affecting our services and infrastructure. We'll do everything from breach detection to containment, and even disclosure. However, we can't possibly see everything; sometimes we need a helping hand from our customers to report an incident or from an external consultancy to provide specialized investigatory or forensic skills.
Roles
We've reviewed and utilize a number of security incident management models to ensure our incident response processes are not only comprehensive but world-class. We've pulled out the most significant activities from those models and described the responsibility for each.
| Organization | Role | Responsibility |
|---|---|---|
| Atlassian | Security incident response coordinator | Each security incident has a lead incident coordinator from our Atlassian security team to make security decisions, oversee the process and allocate tasks. |
| Atlassian | Security incident analyst | Security analysts perform the majority of incident investigations and analysis. On smaller incidents, this role is often assumed by the security incident response coordinator. |
| Atlassian | Customer communications lead | A customer communications lead is assigned to each incident to make decisions about how customers should be engaged. Typically this person also delivers much of the customer communication. |
| Atlassian | Red team | The Atlassian red team mimics real-world cyber adversaries and executes defined test scenarios designed to evaluate and identify improvements in our own detection and response capabilities. |
| Atlassian | Supporting advisor | Atlassian security incident management teams seek the advice of various internal subject matter experts (e.g. legal, privacy, risk, human resources, etc.). These advisors provide specialist guidance on issues that impact their areas of expertise. |
| Security consultancy | Consultant | Atlassian retains the services of a specialist cyber security consultancy in case of an incident. In general, the consultancy is used to provide additional resources in case of shortage, specialist skills if unavailable internally, and independent advice and review of incidents. |
| Customer | Reporter | Customers are encouraged to report any unauthorized access or malicious behaviour affecting Atlassian assets. |
| Customer | Security contact | If an incident affecting a customer is confirmed, the customer's security contact will be notified. The security contact is usually the account technical contact but may change if the customer has a dedicated security team. The security contact ensures the customer manages the incident appropriately outside the scope of Atlassian assets. |
We define our security incident management responsibilities using the RACI model. While we make every effort to fulfill our defined responsibilities, customers are ultimately responsible for the security of their data as per the Atlassian Customer Agreement.
- Responsible - The party will do the work to achieve the task.
- Accountable - The party ultimately answerable for the correct and thorough completion of the activity.
- Consulted - The party whose opinions are sought and with whom there is two-way communication.
- Informed - The party who is kept up-to-date on progress, and with whom there is just one-way communication.
| Activity | Atlassian | Customer |
|---|---|---|
| Notification (to customer) | Responsible | Informed |
| Notification (to Atlassian) | | |
| External reporting (law enforcement and compliance) | | |
| Aggregate data publication | Responsible | Informed |