APRA Prudential Standard CPS 234 OUTSOURCING GUIDANCE

15. An APRA-regulated entity must maintain an information security capability commensurate with the size and extent of threats to its information assets, which enables the continued sound operation of the entity

This is a customer consideration. Please see row 3 for information on Atlassian’s security capabilities.

16. Where information assets are managed by a related party or third party, the APRA-regulated entity must assess the information security capability of that party, commensurate with the potential consequences of an information security incident affecting those assets.

As a provider of Cloud Products to APRA-regulated entities, Atlassian maintains a robust information security program commensurate with the size and extent of the threats we face. We have made available several resources that provide details regarding the design, implementation, and operation of Atlassian's information security capability. Ultimately, it is up to APRA-regulated entities to use this information to make an assessment of whether Atlassian's product(s) meet their requirements:

• Compliance Resource Center—a resource that provides detailed information about our security, third-party audits, and certifications, all available to support our customers' compliance needs
• Atlassian Trust Center—for information about how Atlassian connects you to the latest information on the security, reliability, privacy, and compliance of our products and services.
• Security Practices page—an effective approach to security starts with getting our own house in order. This resource provides details about how we do this by -
  • building security into our network architecture
  • securing access to our networks through ZeroTrust which simply stated means "never trust, always verify"
  • securing access to our systems and services
  • securing endpoint devices
  • building secure design and testing processes

• Incentivizes external researchers to identify vulnerabilities in our products via cash awards from our bug bounty program. As part of our initiative to be open and transparent, we invite anyone to visit our bug bounty program page, sign up for the program and test us.
• Encourages customers to report vulnerabilities, and aims to fix security vulnerabilities within the relevant service level objectives (SLOs) outlined in our Security Bug Fix Policy.
• Regularly hires specialist security consulting firms to conduct penetration testing on our high risk products and infrastructure, and post Letters of Assessment from our penetration testing partners at Our Approach to External Security Testing. 
• Allows Security Assessments (pen tests, vulnerability assessments) to be performed by customers, subject to certain rules designed to keep our products safe for all customers.

17. An APRA-regulated entity must actively maintain its information security capability with respect to changes in vulnerabilities and threats, including those resulting from changes to information assets or its business environment.

APRA-regulated entities can use the resources and information in row 3 to evaluate our information security capabilities in line with their information assets stored in Atlassian's products and platforms.

18. An APRA-regulated entity must maintain an information security policy framework commensurate with its exposures to vulnerabilities and threats.

This is a customer consideration. For its part, Atlassian has documented an information security policy framework that has been structured to cover the domains included in both the ISO27001 standard as well as the Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM).

Our Policy Management Program (PMP) includes obligations related to ownership, availability, and review cycle, and outlines our general objectives. Our policies are reviewed at least annually and approved by senior management. More information about our PMP can be found at Our Atlassian Trust Management System (ATMS).

We have also published excerpts and summaries of each of our major security and technologies policies at Our Atlassian Security & Technology Policies

19. An APRA-regulated entity’s information security policy framework must provide direction on the responsibilities of all parties who have an obligation to maintain information security.

Our Personnel Security policy sets out the general principles and guidelines for personnel security at Atlassian. It highlights that security responsibilities will be outlined in job definitions. Furthermore, each policy in our security policy suite covers more detailed aspects of responsibilities that apply to particular job functions or teams.

The Atlassian Cloud Security Shared Responsibilities whitepaper outlines the responsibilities customers have and the decisions they must make as they determine how to secure their data.

20. An APRA-regulated entity must classify its information assets, including those managed by related parties and third parties, by criticality and sensitivity. This classification must reflect the degree to which an information security incident affecting an information asset has the potential to affect, financially or non-financially, the entity or the interests of depositors, policyholders, beneficiaries, or other customers.

As Customers are responsible for determining which Atlassian Products to utilize and for what purposes, it is a Customer's responsibility to determine which information assets are managed by Atlassian and classify any such information assets. For its part, Atlassian handles information classification as follows and described in our Data Classification Standard:

• Data must be classified in terms of legal requirements, value, and criticality to Atlassian
• Data must be identified and labeled and kept current in a data flow map to ensure appropriate handling
• Media being disposed of must be securely deleted
• Media containing company information must be protected against unauthorized access, misuse, or corruption during transport

21. An APRA-regulated entity must have information security controls to protect its information assets, including those managed by related parties and third parties, that are implemented in a timely manner and that are commensurate with: (a) vulnerabilities and threats to the information assets; (b) the criticality and sensitivity of the information assets; (c) the stage at which the information assets are within their life cycle; and (d) the potential consequences of an information security incident

Our security practices describe Atlassian's approach to security. We provide details on our approach by:

• building security into our network architecture 
• securing access to our networks through ZeroTrust which simply stated means "never trust, always verify" 
• secure access to our systems and services
• securing endpoint devices 
• securing our products 
• securing data

22. Where an APRA-regulated entity’s information assets are managed by a related party or third party, the APRA-regulated entity must evaluate the design of that party’s information security controls that protects the information assets of the APRA-regulated entity.

Our Vulnerability Management Program, describes Atlassian's approach to detecting and handling security vulnerabilities in our products, including key controls we have in place to protect our customers' information.

We have also detailed Our Approach to Managing Security Incidents across our system.

Together, these resources provide APRA-regulated entities with detailed information on the design of our security controls across key areas, so that they can determine whether their CPS 234 obligations are satisfied.

23. An APRA-regulated entity must have robust mechanisms in place to detect and respond to information security incidents in a timely manner.

While the obligations in CPS 234 regarding managing security incidents are imposed on APRA-regulated entities, Atlassian recognizes that, where such an entity uses Atlassian products with respect to some or all of its information assets, Atlassian's approach to security incident management is also an important consideration.

We have a documented Security Incident Response Policy that includes the following key principles:

• Anticipate security incidents and prepare for incident response
• Contain, eradicate and recover from incidents
• Invest in our people, processes, and technologies to ensure we have the capability to detect and analyze a security incident when it occurs
• Make protection of personal data and customer data the top priority during security incidents
• Regularly exercise the security incident response process
• Learn from and improve the security incident management function
• Communicate critical security incidents to Atlassian leadership.

24. An APRA-regulated entity must maintain plans to respond to information security incidents that the entity considers could plausibly occur (information security response plans).

25. An APRA-regulated entity’s information security response plans must include the mechanisms in place for (a) managing all relevant stages of an incident, from detection to post-incident review; and (b) escalation and reporting of information security incidents to the Board, other governing bodies and individuals responsible for information security incident management and oversight, as appropriate.

26. An APRA-regulated entity must annually review and test its information security response plans to ensure they remain effective and fit for purpose.

27. An APRA-regulated entity must test the effectiveness of its information security controls through a systematic testing program. The nature and frequency of the systematic testing must be commensurate with: (a) the rate at which the vulnerabilities and threats change; (b) the criticality and sensitivity of the information asset; (c) the consequences of an information security incident; (d) the risks associated with exposure to environments where the APRA-regulated entity is unable to enforce its information security policies; and (e) the materiality and frequency of change to information assets

The effectiveness of our security controls are tested through multiple external audits and verifications that we undertake. While each Customer is responsible for testing the effectiveness of its own information security controls and escalating any security control deficiencies it discovers in its internal review, Atlassian provides several resources with respect to Atlassian’s own testing program to aid Customers in determining whether their CPS 234 obligations are satisfied.

Our cloud products regularly undergo independent verification of their security, privacy, and compliance controls, achieving certifications, attestations of compliance, or audit reports against standards globally. We provide customers with access to these attestations, compliance certificates, and audit reports (such as SOC2 and ISO2700x) in the Compliance Resource Center to enable customers to review these as part of their risk assessments. Each relevant certification or audit report contains additional information about the certifying or auditing party.

Our Compliance Resource Center also contains control mappings against frameworks and laws where formal certifications or attestations may not be required or applied.

Atlassian continually improves the suitability, adequacy, and effectiveness of its ISMS. The Atlassian Trust Management System (ATMS) is reviewed annually, both internally and by third parties, so Atlassian customers are able to rely on third-party validation of the effectiveness of the ATMS. The commitment to continual improvement is outlined internally on our ATMS definition page and serves to evolve the ATMS over time and address any gaps.

Further information and validation of our approach can be found across multiple resources on our Trust Center -

• ISO 27001 certification
• SOC 2 certification
• All attestations and certifications

28. Where an APRA-regulated entity’s information assets are managed by a related party or a third party, and the APRA-regulated entity is reliant on that party’s information security control testing, the APRA-regulated entity must assess whether the nature and frequency of testing of controls in respect of those information assets is commensurate with paragraphs 27(a) to 27(e) of this Prudential Standard.

29. An APRA-regulated entity must escalate and report to the Board or senior management any testing results that identify information security control deficiencies that cannot be remediated in a timely manner.

30. An APRA-regulated entity must ensure that testing is conducted by appropriately skilled and functionally independent specialists.

31. An APRA-regulated entity must review the sufficiency of the testing program at least annually or when there is a material change to information assets or the business environment.

32. An APRA-regulated entity’s internal audit activities must include a review of the design and operating effectiveness of information security controls, including those maintained by related parties and third parties (information security control assurance).

33. An APRA-regulated entity must ensure that the information security control assurance is provided by personnel appropriately skilled in providing such assurance

34. An APRA-regulated entity’s internal audit function must assess the information security control assurance provided by a related party or third party where: (a) an information security incident affecting the information assets has the potential to materially affect, financially or non-financially, the entity or the interests of depositors, policyholders, beneficiaries or other customers; and (b) internal audit intends to rely on the information security control assurance provided by the related party or third party.

35. An APRA-regulated entity must notify APRA as soon as possible and, in any case, no later than 72 hours, after becoming aware of an information security incident that: (a) materially affected, or had the potential to materially affect, financially or non-financially, the entity or the interests of depositors, policyholders, beneficiaries or other customers; or (b) has been notified to other regulators, either in Australia or other jurisdictions.

Atlassian understands how important it is for you to be notified promptly of any data breach. That is why Atlassian has built out an extensive cross-functional team and process to handle security incidents as described on our Security Incident Management page.

Atlassian has a strong track record of timely and proactive notification of incidents and working with our customers on any necessary mitigations. Atlassian commits in its Data Processing Addendum and other legal terms to notifying customers of security incidents without undue delay. To the extent customers need this notification for compliance purposes, we encourage them to sign and submit the DPA located here. Once a customer has been notified of an incident by Atlassian, the customer is then responsible for determining whether notification to APRA is required under paragraph 35 of CPS 234 and, if so, for notifying APRA within the 72-hour timeframe, which begins tolling once the customer is in receipt of Atlassian's notice.

Atlassian operates a public bug bounty program for our products via our partner, Bugcrowd, to help customers stay on top of any vulnerabilities that may impact our products. Material updates are provided for customers via Statuspage. Furthermore, if a customer chooses to purchase a “Premium” or “Enterprise” plan  of any Jira Software Cloud, Jira Service Management Cloud or Confluence Cloudt, they will receive the benefit of our enhanced performance warranty, wherein we warrant that we will not materially decrease the functionality or overall security of the cloud product during the applicable subscription term. If we receive an expanded performance warranty claim from a customer related to the security of a cloud product and we cannot correct the non-conformity, we will notify thecCustomer of this. Once a customer has received this notification, the customer is responsible for determining whether notification to APRA is required under paragraph 36 of CPS 234 and, if so, for notifying APRA within the 10 business day timeframe, which begins tolling once the customer is in receipt of Atlassian's notice.

36. An APRA-regulated entity must notify APRA as soon as possible and, in any case, no later than 10 business days, after it becomes aware of a material information security control weakness that the entity expects it will not be able to remediate in a timely manner.