Close

Our Atlassian Security Incident Responsibilities


Introduction

Just like any cloud service provider, we try our best to ensure our customers don't experience an outage or a security incident. However, we understand that a security incident is likely to happen. It's important to us that customers understand how they fit into our security incident response process and what responsibilities you have in the course of an incident. We plan for the worst so, if it happens, we are ready and Don't #@!% our Customer (DFTC). 

We do our best to handle the entirety of any security incident affecting our services and infrastructure. We'll do everything from breach detection to containment, and even disclosure. However, we can't possibly see everything; sometimes we need a helping hand from our customers to report an incident or from an external consultancy to provide specialized investigatory or forensic skills.

Roles

We've reviewed and utilize a number of security incident management models to ensure our incident response processes are not only comprehensive but world-class. We've pulled out the most significant activities from those models and described the responsibility for each.

Party

Role

Description

Atlassian

Role

Security Incident Response Coordinator

Description

Each security incident has a lead incident coordinator from our Atlassian security team to make security decisions, oversee the process and allocate tasks.

Atlassian

Role

Security incident analyst

Description

Security analysts perform the majority of incident investigations and analysis. On smaller incidents, this is often assumed by the security incident response coordinator.

Atlassian

Role

Customer communications lead

Description

A customer communications lead is assigned to each incident to make decisions about how customers should be engaged. Typically this person also delivers much of the customer communication.

Atlassian

Role

Red team

Description

The Atlassian red team mimics real world cyber adversaries and executes defined test scenarios designed to evaluate and identify improvements in our own detection and response capabilities.

Atlassian

Role

Supporting advisor

Description

Atlassian security incident management teams seek the advice of various internal subject matter experts (e.g. legal, privacy, risk, human resources etc.). These advisors provide specialist guidance on issues that impact their areas of expertise.

Security Consultancy

Role

Consultant

Description

Atlassian retains the services of a specialist cyber security consultancy in case of an incident. In general the consultancy is used to provide additional resources in case of shortage, specialist skills if unavailable internally, and independent advice and review of incidents.

Customer

Role

Reporter

Description

Customers are encouraged to report any unauthorized access or malicious behaviour to Atlassian assets.

Customer

Role

Security contact

Description

If an incident affecting a customer is confirmed, the customer's security contact will be notified. The security contact is usually the account technical contact but may change if the customer has a dedicated security team. The security contact ensures the customer manages the incident appropriately outside the scope of Atlassian assets.

Responsibilities

We define our security incident management responsibilities using the RACI model. While we make every effort to fulfill our defined responsibilities, customers are ultimately responsible for the security of their data as per the Atlassian Customer Agreement.

  • Responsible - The party will do the work to achieve the task. 
  • Accountable - The party ultimately answerable for the correct and thorough completion of the activity.
  • Consulted - The party whose opinions are sought and with whom there is two-way communication.
  • Informed - The party who is kept up-to-date on progress, and with whom there is just one-way communication.
 

Activity

Atlassian

Customer

Detection

Atlassian

Responsible

Customer

 

Triage

Atlassian

Responsible

Customer

 

Investigation

Atlassian

Responsible

Customer

 

Containment

Atlassian

Responsible

Customer

 

Eradication

Atlassian

Responsible

Customer

Informed

Recovery

Atlassian

Responsible

Customer

Informed

Notification (to Customer)

Atlassian

Responsible

Customer

Informed

Notification (to Atlassian)

Atlassian

Informed

Customer

Responsible

Improvement

Atlassian

Responsible

Customer

 

Testing

Atlassian

Responsible

Customer

 

External reporting (law enforcement and compliance)

Atlassian

AccountableResponsible

Customer

Informed

Aggregate data publication

Atlassian

Responsible

Customer

Informed