
Atlassian's Common Controls Framework


As with many companies, Atlassian is subject to a number of international control standards that apply to our product development and operations environments. We decided to evaluate the overlap between these independent standards and build a single view of how they apply to our internal environments. The primary environment where we apply these standards is our cloud-hosting platform, because we need to show that we take appropriate measures to protect our customers and their data. However, not all of the standards are applicable to all environments. For example, Sarbanes-Oxley (SOX) focuses on the systems that support our financial reporting, to which our cloud services are secondary at best. Let's take a look at the standards we evaluated and why.

Applicable International Standards

Below is a list of the standards we evaluated as we began creating our internal common controls framework:

Standard     | Provider                                           | Scope of controls | Domains
ISO27001     | International Organization for Standardization     | 26 requirements   | 6 clauses
ISO27002     | International Organization for Standardization     | 114 requirements  | 14 domains
PCI-DSS      | Payment Card Industries                            | 247 requirements  | 6 domains
CSA CCM      | Cloud Security Alliance                            | 133 controls      | 16 domains
SOC 2        | Service Organisation Controls                      | 116 requirements  | 5 scope areas
SOX 404 (IT) | US federal law                                     | 22 requirements   | 5 domains
GAPP         | American Institute of Certified Public Accountants | 106 requirements  | 10 domains

Common Controls Framework

As you can see from the table above, there is a series of different and disparate requirements, many of which apply to the same environments, systems or teams. To make the overlap and similarities between these standards easier for our teams to understand, we evaluated each control requirement and identified where the standards were essentially evaluating the same domain. The result is a common controls framework that maps easily onto each of the standards.

Conceptual Model for Applicability

As we evaluated each of the requirements, we realized that it would be inefficient to apply the entire stack of controls to each of our products or online services. We have therefore designed the structure so that different portions of the controls framework apply to different layers of the delivery stack, and the controls applied at one layer can be inherited by the other portions of the organization.

The layers of the delivery stack, from the applications down to the corporate organization, and the control domains applied at each layer:

Atlassian Applications
- App Dev Security
- Data Security & Information Lifecycle Management

Atlassian Security
- Crypto & Encryption
- Threat & Vulnerability Management
- Security Incident Management

Atlassian Infrastructure
- Asset Management
- Access Control
- Operations
- Communications Security

Atlassian Data Centers & Offices
- Physical & Environmental Security

Atlassian Corporate
- Security Governance
- Organization of Security
- Personnel Security
- Supplier & Third Party Data Management
- Mobile Security
- Business Continuity
- Audit / Compliance
- Privacy

Conclusion

The organization of the Atlassian Common Controls Framework was important so that our teams can adopt the mentality of "evaluate many times, perform once". Instead of asking multiple teams the same questions multiple times, we used the framework to define where controls are organized and applied, so that the entire company understands the requirements and how each portion of our organization contributes to delivering security to all of our customers.