ACSC - Essential 8 Maturity Model - 2023 Guidance Review

Disclaimer

This guidance is provided solely for cloud customers in the public sector, and for enterprise organisations deemed regulated entities by the Australian Cyber Security Centre (ACSC), who are considering this guidance; it refers only to Atlassian Cloud products and the services provided with them.

This report is intended solely as information and guidance from Atlassian to its cloud customers on how we align with the Cloud Computing Security for Cloud Service Providers guidance. In parallel, we have a dedicated Shared Responsibilities whitepaper which describes the respective responsibilities of the CSP and of customers. The shared responsibility model does not remove the accountability and risk from customers using Atlassian Cloud products, but it does help relieve the burden, as we manage and control system components and physical control of facilities; it also shifts a portion of the cost of security and compliance onto Atlassian and away from our customers.

To learn more about our commitment to safeguard customer data, visit our Security Practices page.

Each mitigation strategy below lists the requirements for Maturity Level One, Maturity Level Two and Maturity Level Three, followed by the Atlassian Response.

Application control

Maturity Level One

  • The execution of executables, software libraries, scripts, installers, compiled HTML, HTML applications and control panel applets is prevented on workstations from within standard user profiles and temporary folders used by the operating system, web browsers and email clients.

Maturity Level Two

  • Application control is implemented on workstations and internet-facing servers.
  • Application control restricts the execution of executables, software libraries, scripts, installers, compiled HTML, HTML applications and control panel applets to an organisation-approved set.
  • Allowed and blocked execution events on workstations and internet-facing servers are logged.

Maturity Level Three

  • Application control is implemented on workstations and servers.
  • Application control restricts the execution of executables, software libraries, scripts, installers, compiled HTML, HTML applications, control panel applets and drivers to an organisation approved set.
  • Microsoft’s ‘recommended block rules’ are implemented.
  • Microsoft’s ‘recommended driver block rules’ are implemented.
  • Application control rulesets are validated on an annual or more frequent basis.
  • Allowed and blocked execution events on workstations and servers are centrally logged.
  • Event logs are protected from unauthorised modification and deletion.
  • Event logs are monitored for signs of compromise and actioned when any signs of compromise are detected.

Atlassian Response

The use of utility programs in the production environment is restricted and controlled. All servers are configured using our centralised Puppet configuration system to our standard operating environment, including removal of select packages from the default image and critical package updates. All server roles have a default deny-all for incoming network requests, with select ports opened only to the other server roles that require access to that port for their function. Atlassian's corporate network is segregated from our production network, and our machine images are hardened to allow only necessary ports and protocols. All production systems are currently hosted within US regions of our cloud provider. All data in transit outside of hardened virtual private cloud (VPC) networks is encrypted over industry-standard channels.

Additionally, an IDS is in place on all production servers, which includes real-time monitoring and alerting of any changes to production system files or configuration, and of anomalous security events.

Patch Applications

Maturity Level One

  • An automated method of asset discovery is used at least fortnightly to support the detection of assets for subsequent vulnerability scanning activities.
  • A vulnerability scanner with an up-to-date vulnerability database is used for vulnerability scanning activities.
  • A vulnerability scanner is used at least daily to identify missing patches or updates for vulnerabilities in internet-facing services.
  • A vulnerability scanner is used at least fortnightly to identify missing patches or updates for vulnerabilities in office productivity suites, web browsers and their extensions, email clients, PDF software, and security products.
  • Patches, updates or other vendor mitigations for vulnerabilities in internet-facing services are applied within two weeks of release, or within 48 hours if an exploit exists.
  • Patches, updates or other vendor mitigations for vulnerabilities in office productivity suites, web browsers and their extensions, email clients, PDF software, and security products are applied within one month of release.
  • Internet-facing services, office productivity suites, web browsers and their extensions, email clients, PDF software, Adobe Flash Player, and security products that are no longer supported by vendors are removed.

Maturity Level Two

  • An automated method of asset discovery is used at least fortnightly to support the detection of assets for subsequent vulnerability scanning activities.
  • A vulnerability scanner with an up-to-date vulnerability database is used for vulnerability scanning activities.
  • A vulnerability scanner is used at least daily to identify missing patches or updates for vulnerabilities in internet-facing services.
  • A vulnerability scanner is used at least weekly to identify missing patches or updates for vulnerabilities in office productivity suites, web browsers and their extensions, email clients, PDF software, and security products.
  • A vulnerability scanner is used at least fortnightly to identify missing patches or updates for vulnerabilities in other applications.
  • Patches, updates or other vendor mitigations for vulnerabilities in internet-facing services are applied within two weeks of release, or within 48 hours if an exploit exists.
  • Patches, updates or other vendor mitigations for vulnerabilities in office productivity suites, web browsers and their extensions, email clients, PDF software, and security products are applied within two weeks of release.
  • Patches, updates or other vendor mitigations for vulnerabilities in other applications are applied within one month of release.
  • Internet-facing services, office productivity suites, web browsers and their extensions, email clients, PDF software, Adobe Flash Player, and security products that are no longer supported by vendors are removed.

Maturity Level Three

  • An automated method of asset discovery is used at least fortnightly to support the detection of assets for subsequent vulnerability scanning activities.
  • A vulnerability scanner with an up-to-date vulnerability database is used for vulnerability scanning activities.
  • A vulnerability scanner is used at least daily to identify missing patches or updates for vulnerabilities in internet-facing services.
  • A vulnerability scanner is used at least weekly to identify missing patches or updates for vulnerabilities in office productivity suites, web browsers and their extensions, email clients, PDF software, and security products.
  • A vulnerability scanner is used at least fortnightly to identify missing patches or updates for vulnerabilities in other applications.
  • Patches, updates or other vendor mitigations for vulnerabilities in internet-facing services are applied within two weeks of release, or within 48 hours if an exploit exists.
  • Patches, updates or other vendor mitigations for vulnerabilities in office productivity suites, web browsers and their extensions, email clients, PDF software, and security products are applied within two weeks of release, or within 48 hours if an exploit exists.
  • Patches, updates or other vendor mitigations for vulnerabilities in other applications are applied within one month of release.
  • Applications that are no longer supported by vendors are removed.

Atlassian Response

For all our products and service offerings, we have an extensive bug remediation process (utilising our own product Jira, which captures issues and helps us manage resolving requests). Underpinning this are numerous security bug fix policies, advisory services and SLOs that we adhere to. We take in bug reports via our Support Channel, our Bug Bounty program, and security@atlassian.com. Further information about our Security Bug Fix SLOs is available on our Trust Center.

More information about our approach to security testing is also available on our Trust Center: Approach to External Security Testing

Our Atlassian Security Team uses multiple methods to detect vulnerabilities in both internal and external infrastructure. Jira tickets are created for tracking and remediation purposes, and due dates are assigned according to our SLO based on both the severity and the source of the vulnerability. We have an ongoing process to issue tickets for identified vulnerabilities to system owners, and our Security Management Team reviews any reported vulnerabilities and ensures action is taken against them.

Configure Microsoft Office macro settings

Maturity Level One

  • Microsoft Office macros are disabled for users that do not have a demonstrated business requirement.
  • Microsoft Office macros in files originating from the internet are blocked.
  • Microsoft Office macro antivirus scanning is enabled.
  • Microsoft Office macro security settings cannot be changed by users.

Maturity Level Two

  • Microsoft Office macros are disabled for users that do not have a demonstrated business requirement.
  • Microsoft Office macros in files originating from the internet are blocked.
  • Microsoft Office macro antivirus scanning is enabled.
  • Microsoft Office macros are blocked from making Win32 API calls.
  • Microsoft Office macro security settings cannot be changed by users.
  • Allowed and blocked Microsoft Office macro execution events are logged.

Maturity Level Three

  • Microsoft Office macros are disabled for users that do not have a demonstrated business requirement.
  • Only Microsoft Office macros running from within a sandboxed environment, a Trusted Location or that are digitally signed by a trusted publisher are allowed to execute.
  • Only privileged users responsible for validating that Microsoft Office macros are free of malicious code can write to and modify content within Trusted Locations.
  • Microsoft Office macros digitally signed by an untrusted publisher cannot be enabled via the Message Bar or Backstage View.
  • Microsoft Office’s list of trusted publishers is validated on an annual or more frequent basis.
  • Microsoft Office macros in files originating from the internet are blocked.
  • Microsoft Office macro antivirus scanning is enabled.
  • Microsoft Office macros are blocked from making Win32 API calls.
  • Microsoft Office macro security settings cannot be changed by users.
  • Allowed and blocked Microsoft Office macro execution events are centrally logged.
  • Event logs are protected from unauthorised modification and deletion.
  • Event logs are monitored for signs of compromise and actioned when any signs of compromise are detected.

Atlassian Response

Atlassian works with third-party sub-contractors to provide website, application development, hosting, maintenance, back-up, storage, virtual infrastructure, payment processing, analysis and other services. These service providers may have access to or process PII for the purpose of providing those services for us. Atlassian discloses to its relevant customers any use of sub-contractors who may process their PII, via notification before processing occurs. An external-facing list of the sub-contractors Atlassian works with is provided on the Atlassian Subprocessors page at: List of Data Subprocessors. On this page, visitors are invited to subscribe to an RSS feed to be notified when we add new Atlassian Subprocessors.

We have implemented a centralised system management solution (Mobile Device Management) for our Mac laptop fleet.
We have implemented a mobile device management solution for our Windows endpoints and smartphones (VMware Workspace ONE).

User Application Hardening

Maturity Level One

  • Web browsers do not process Java from the internet.
  • Web browsers do not process web advertisements from the internet.
  • Internet Explorer 11 does not process content from the internet.
  • Web browser security settings cannot be changed by users.

Maturity Level Two

  • Web browsers do not process Java from the internet.
  • Web browsers do not process web advertisements from the internet.
  • Internet Explorer 11 does not process content from the internet.
  • ACSC or vendor hardening guidance for web browsers is implemented.
  • Web browser security settings cannot be changed by users.
  • Microsoft Office is blocked from creating child processes.
  • Microsoft Office is blocked from creating executable content.
  • Microsoft Office is blocked from injecting code into other processes.
  • Microsoft Office is configured to prevent activation of OLE packages.
  • ACSC or vendor hardening guidance for Microsoft Office is implemented.
  • Microsoft Office security settings cannot be changed by users.
  • PDF software is blocked from creating child processes.
  • ACSC or vendor hardening guidance for PDF software is implemented.
  • PDF software security settings cannot be changed by users.
  • Blocked PowerShell script execution events are logged.

Maturity Level Three

  • Web browsers do not process Java from the internet.
  • Web browsers do not process web advertisements from the internet.
  • Internet Explorer 11 is disabled or removed.
  • ACSC or vendor hardening guidance for web browsers is implemented.
  • Web browser security settings cannot be changed by users.
  • Microsoft Office is blocked from creating child processes.
  • Microsoft Office is blocked from creating executable content.
  • Microsoft Office is blocked from injecting code into other processes.
  • Microsoft Office is configured to prevent activation of OLE packages.
  • ACSC or vendor hardening guidance for Microsoft Office is implemented.
  • Microsoft Office security settings cannot be changed by users.
  • PDF software is blocked from creating child processes.
  • ACSC or vendor hardening guidance for PDF software is implemented.
  • PDF software security settings cannot be changed by users.
  • .NET Framework 3.5 (includes .NET 2.0 and 3.0) is disabled or removed.
  • Windows PowerShell 2.0 is disabled or removed.
  • PowerShell is configured to use Constrained Language Mode.
  • Blocked PowerShell script execution events are centrally logged.
  • Event logs are protected from unauthorised modification and deletion.
  • Event logs are monitored for signs of compromise and actioned when any signs of compromise are detected.

Atlassian Response

The AWS Linux AMI base OS image builds have limited ports, protocols and services. We compare our builds against the current AMI version to ensure appropriate settings.
Our Docker images are managed in a tightly controlled change environment to ensure appropriate review and approval of all changes.

Our endpoints are hardened to protect our users; however, we do not limit access to hardware ports.

We use a third-party HTTP proxy product for our Jira/Confluence public edge and have implemented L7 HTTP security rules on it (you could call it a WAF; the functionality is essentially the same).

Restrict administrative privileges

Maturity Level One

  • Requests for privileged access to systems and applications are validated when first requested.
  • Privileged accounts (excluding privileged service accounts) are prevented from accessing the internet, email and web services.
  • Privileged users use separate privileged and unprivileged operating environments.
  • Unprivileged accounts cannot logon to privileged operating environments.
  • Privileged accounts (excluding local administrator accounts) cannot logon to unprivileged operating environments.

Maturity Level Two

  • Requests for privileged access to systems and applications are validated when first requested.
  • Privileged access to systems and applications is automatically disabled after 12 months unless revalidated.
  • Privileged access to systems and applications is automatically disabled after 45 days of inactivity.
  • Privileged accounts (excluding privileged service accounts) are prevented from accessing the internet, email and web services.
  • Privileged users use separate privileged and unprivileged operating environments.
  • Privileged operating environments are not virtualised within unprivileged operating environments.
  • Unprivileged accounts cannot logon to privileged operating environments.
  • Privileged accounts (excluding local administrator accounts) cannot logon to unprivileged operating environments.
  • Administrative activities are conducted through jump servers.
  • Credentials for local administrator accounts and service accounts are long, unique, unpredictable and managed.
  • Privileged access events are logged.
  • Privileged account and group management events are logged.

Maturity Level Three

  • Requests for privileged access to systems and applications are validated when first requested.
  • Privileged access to systems and applications is automatically disabled after 12 months unless revalidated.
  • Privileged access to systems and applications is automatically disabled after 45 days of inactivity.
  • Privileged access to systems and applications is limited to only what is required for users and services to undertake their duties.
  • Privileged accounts are prevented from accessing the internet, email and web services.
  • Privileged users use separate privileged and unprivileged operating environments.
  • Privileged operating environments are not virtualised within unprivileged operating environments.
  • Unprivileged accounts cannot logon to privileged operating environments.
  • Privileged accounts (excluding local administrator accounts) cannot logon to unprivileged operating environments.
  • Just-in-time administration is used for administering systems and applications.
  • Administrative activities are conducted through jump servers.
  • Credentials for local administrator accounts and service accounts are long, unique, unpredictable and managed.
  • Windows Defender Credential Guard and Windows Defender Remote Credential Guard are enabled.
  • Privileged access events are centrally logged.
  • Privileged account and group management events are centrally logged.
  • Event logs are protected from unauthorised modification and deletion.
  • Event logs are monitored for signs of compromise and actioned when any signs of compromise are detected.

Atlassian Response

Atlassian restricts this access to the personnel who need it for their job role and responsibilities. All tier 1 systems are managed via Atlassian's centralised single sign-on (SSO) and directory solution. Users are given appropriate access rights based upon these profiles, driven via workflow from our HR management system. Atlassian utilises MFA to access all tier 1 systems. We have enabled two-factor authentication for the hypervisor management console and the AWS API, and a daily audit report on all access to the hypervisor management functions. Access lists for the hypervisor management console and AWS API are reviewed quarterly. We also maintain an 8-hour sync between our HR system and our identity store.

We maintain a twice annual review cycle for critical services in our entitlement review process. Validation of user access occurs regularly with System Owners for internal corporate user accounts.

Patch operating systems

Maturity Level One

  • An automated method of asset discovery is used at least fortnightly to support the detection of assets for subsequent vulnerability scanning activities.
  • A vulnerability scanner with an up-to-date vulnerability database is used for vulnerability scanning activities.
  • A vulnerability scanner is used at least daily to identify missing patches or updates for vulnerabilities in operating systems of internet-facing services.
  • A vulnerability scanner is used at least fortnightly to identify missing patches or updates for vulnerabilities in operating systems of workstations, servers and network devices.
  • Patches, updates or other vendor mitigations for vulnerabilities in operating systems of internet-facing services are applied within two weeks of release, or within 48 hours if an exploit exists.
  • Patches, updates or other vendor mitigations for vulnerabilities in operating systems of workstations, servers and network devices are applied within one month of release.
  • Operating systems that are no longer supported by vendors are replaced.

Maturity Level Two

  • An automated method of asset discovery is used at least fortnightly to support the detection of assets for subsequent vulnerability scanning activities.
  • A vulnerability scanner with an up-to-date vulnerability database is used for vulnerability scanning activities.
  • A vulnerability scanner is used at least daily to identify missing patches or updates for vulnerabilities in operating systems of internet-facing services.
  • A vulnerability scanner is used at least weekly to identify missing patches or updates for vulnerabilities in operating systems of workstations, servers and network devices.
  • Patches, updates or other vendor mitigations for vulnerabilities in operating systems of internet-facing services are applied within two weeks of release, or within 48 hours if an exploit exists.
  • Patches, updates or other vendor mitigations for vulnerabilities in operating systems of workstations, servers and network devices are applied within two weeks of release.
  • Operating systems that are no longer supported by vendors are replaced.

Maturity Level Three

  • An automated method of asset discovery is used at least fortnightly to support the detection of assets for subsequent vulnerability scanning activities.
  • A vulnerability scanner with an up-to-date vulnerability database is used for vulnerability scanning activities.
  • A vulnerability scanner is used at least daily to identify missing patches or updates for vulnerabilities in operating systems of internet-facing services.
  • A vulnerability scanner is used at least weekly to identify missing patches or updates for vulnerabilities in operating systems of workstations, servers and network devices.
  • Patches, updates or other vendor mitigations for vulnerabilities in operating systems of internet-facing services are applied within two weeks of release, or within 48 hours if an exploit exists.
  • Patches, updates or other vendor mitigations for vulnerabilities in operating systems of workstations, servers and network devices are applied within two weeks of release, or within 48 hours if an exploit exists.
  • The latest release, or the previous release, of operating systems are used.
  • Operating systems that are no longer supported by vendors are replaced.
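The patch timeframes in this strategy and in Patch Applications above follow one scheme: two weeks, or 48 hours if an exploit exists, for internet-facing services at every level; and one month, two weeks, or two weeks with a 48-hour exploit override for the other asset classes depending on the maturity level. The following is an added example (not Atlassian's code or an ACSC tool) that encodes those deadlines per maturity level and runs them over a constructed vulnerability-scanner export to list overdue findings; it assumes "one month" means 30 days, and the asset-class labels, record fields and sample findings are constructed for the example.

```python
"""Essential Eight patch-timeframe check (added example, not Atlassian's code).

Encodes the patch deadlines listed under Patch Applications and Patch
operating systems for Maturity Levels One to Three and applies them to a
constructed scanner export. Assumption: "one month" is modelled as 30 days.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Asset classes as grouped by the maturity model (labels are constructed).
INTERNET_FACING = "internet_facing"  # internet-facing services and their OS
PRIORITY_APPS = "priority_apps"      # office suites, browsers, email, PDF, security products
OTHER_APPS = "other_apps"            # all other applications
OS_INTERNAL = "os_internal"          # OS of workstations, servers and network devices

TWO_DAYS = timedelta(hours=48)
TWO_WEEKS = timedelta(weeks=2)
ONE_MONTH = timedelta(days=30)       # assumption: one month = 30 days

# (asset class, maturity level) -> (window, window when an exploit exists).
# None means the model states no timeframe for that class at that level.
WINDOWS = {
    (INTERNET_FACING, 1): (TWO_WEEKS, TWO_DAYS),
    (INTERNET_FACING, 2): (TWO_WEEKS, TWO_DAYS),
    (INTERNET_FACING, 3): (TWO_WEEKS, TWO_DAYS),
    (PRIORITY_APPS, 1): (ONE_MONTH, ONE_MONTH),
    (PRIORITY_APPS, 2): (TWO_WEEKS, TWO_WEEKS),
    (PRIORITY_APPS, 3): (TWO_WEEKS, TWO_DAYS),
    (OTHER_APPS, 1): None,
    (OTHER_APPS, 2): (ONE_MONTH, ONE_MONTH),
    (OTHER_APPS, 3): (ONE_MONTH, ONE_MONTH),
    (OS_INTERNAL, 1): (ONE_MONTH, ONE_MONTH),
    (OS_INTERNAL, 2): (TWO_WEEKS, TWO_WEEKS),
    (OS_INTERNAL, 3): (TWO_WEEKS, TWO_DAYS),
}


@dataclass
class Finding:
    """One scanner finding (field names are constructed for this example)."""
    finding_id: str
    asset_class: str
    released: datetime            # when the vendor released the patch or mitigation
    exploit_exists: bool
    patched: Optional[datetime]   # None if the patch is still outstanding


def patch_deadline(asset_class, level, released, exploit_exists):
    """Deadline for applying the patch at this level, or None if none is set."""
    if level not in (1, 2, 3):
        raise ValueError("maturity level must be 1, 2 or 3")
    window = WINDOWS[(asset_class, level)]
    if window is None:
        return None
    base, with_exploit = window
    return released + (with_exploit if exploit_exists else base)


def overdue_findings(findings, level, now):
    """IDs of findings not patched by their deadline; unpatched ones count as of `now`."""
    overdue = []
    for f in findings:
        deadline = patch_deadline(f.asset_class, level, f.released, f.exploit_exists)
        if deadline is None:
            continue
        fixed_at = f.patched if f.patched is not None else now
        if fixed_at > deadline:
            overdue.append(f.finding_id)
    return overdue


# Constructed scanner export: all four patches released on 1 March 2023.
SAMPLE = [
    Finding("F-1", INTERNET_FACING, datetime(2023, 3, 1), True, None),
    Finding("F-2", PRIORITY_APPS, datetime(2023, 3, 1), False, datetime(2023, 3, 20)),
    Finding("F-3", OTHER_APPS, datetime(2023, 3, 1), False, None),
    Finding("F-4", OS_INTERNAL, datetime(2023, 3, 1), True, datetime(2023, 3, 10)),
]
AS_OF = datetime(2023, 3, 25)

if __name__ == "__main__":
    # The same export is overdue on more findings as the target level rises.
    for level in (1, 2, 3):
        print(f"Maturity Level {level}: overdue = {overdue_findings(SAMPLE, level, AS_OF)}")
```

Note that a finding patched within the Level One window (F-4, patched nine days after release) still fails Level Three, because an available exploit collapses the window to 48 hours for internal operating systems only at that level.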

Atlassian Response

For all our products and service offerings, we have an extensive bug remediation process (utilising our own product Jira, which captures issues and helps us manage resolving requests). Underpinning this are numerous security bug fix policies, advisory services and SLOs that we adhere to. We take in bug reports via our Support Channel, our Bug Bounty program, and security@atlassian.com. Further information about our Security Bug Fix SLOs is available on our Trust Center.

More information about our approach to security testing is also available on our Trust Center: Approach to External Security Testing

Our Atlassian Security Team uses multiple methods to detect vulnerabilities in both internal and external infrastructure. Jira tickets are created for tracking and remediation purposes, and due dates are assigned according to our SLO based on both the severity and the source of the vulnerability. We have an ongoing process to issue tickets for identified vulnerabilities to system owners, and our Security Management Team reviews any reported vulnerabilities and ensures action is taken against them.

Multi-factor authentication

Maturity Level One

  • Multi-factor authentication is used by an organisation’s users when they authenticate to their organisation’s internet-facing services.
  • Multi-factor authentication is used by an organisation’s users when they authenticate to third-party internet-facing services that process, store or communicate their organisation’s sensitive data.
  • Multi-factor authentication (where available) is used by an organisation’s users when they authenticate to third-party internet-facing services that process, store or communicate their organisation’s non-sensitive data.
  • Multi-factor authentication is enabled by default for an organisation’s non-organisational users (but they can choose to opt out) when they authenticate to the organisation’s internet-facing services.

Maturity Level Two

  • Multi-factor authentication is used by an organisation’s users when they authenticate to their organisation’s internet-facing services.
  • Multi-factor authentication is used by an organisation’s users when they authenticate to third-party internet-facing services that process, store or communicate their organisation’s sensitive data.
  • Multi-factor authentication (where available) is used by an organisation’s users when they authenticate to third-party internet-facing services that process, store or communicate their organisation’s non-sensitive data.
  • Multi-factor authentication is enabled by default for an organisation’s non-organisational users (but they can choose to opt out) when they authenticate to the organisation’s internet-facing services.
  • Multi-factor authentication is used to authenticate privileged users of systems.
  • Multi-factor authentication uses either: something users have and something users know, or something users have that is unlocked by something users know or are.
  • Successful and unsuccessful multi-factor authentication events are logged.

Maturity Level Three

  • Multi-factor authentication is used by an organisation’s users when they authenticate to their organisation’s internet-facing services.
  • Multi-factor authentication is used by an organisation’s users when they authenticate to third-party internet-facing services that process, store or communicate their organisation’s sensitive data.
  • Multi-factor authentication (where available) is used by an organisation’s users when they authenticate to third-party internet-facing services that process, store or communicate their organisation’s non-sensitive data.
  • Multi-factor authentication is enabled by default for an organisation’s non-organisational users (but they can choose to opt out) when they authenticate to the organisation’s internet-facing services.
  • Multi-factor authentication is used to authenticate privileged users of systems.
  • Multi-factor authentication is used to authenticate users of important data repositories.
  • Multi-factor authentication is phishing-resistant and uses either: something users have and something users know, or something users have that is unlocked by something users know or are.
  • Successful and unsuccessful multi-factor authentication events are centrally logged.
  • Event logs are protected from unauthorised modification and deletion.
  • Event logs are monitored for signs of compromise and actioned when any signs of compromise are detected.

Atlassian Response

For Confluence and Jira, multi-factor authentication is available for individual accounts. For more information on how to enable multi-factor authentication, see: Enforce two-step verification

BBC still supports 2FA as of Feb 2022 and, in general, is integrated with Atlassian Access and supports additional functionality offered through Access. Enforced multi-factor authentication can be set at the organization level with Atlassian Access. For more information, see: Enforce two-step verification

Regarding Specific Products

Bitbucket supports using MFA-based SSO options. For more information, see: Enforce two-step verification | Bitbucket Cloud

Halp uses SSO via Slack OAuth and MS Teams. Slack and MS Teams provide multiple Multi-factor authentication options. For more information please see: SAML single sign-on & Azure AD Connect: Seamless single sign-on

Opsgenie supports using MFA-based SSO options. For more information, see: Configure SSO for Opsgenie

Statuspage supports using MFA-based SSO options.

Trello supports Multi-factor authentication. For more information on how to enable multi-factor authentication, see: Enabling Two-Factor Authentication for your Trello account

Jira Align supports using MFA-based SSO options.

Regular Backups

Maturity Level One

  • Backups of important data, software and configuration settings are performed and retained with a frequency and retention timeframe in accordance with business continuity requirements.
  • Backups of important data, software and configuration settings are synchronised to enable restoration to a common point in time.
  • Backups of important data, software and configuration settings are retained in a secure and resilient manner.
  • Restoration of important data, software and configuration settings from backups to a common point in time is tested as part of disaster recovery exercises.
  • Unprivileged accounts cannot access backups belonging to other accounts.
  • Unprivileged accounts are prevented from modifying and deleting backups.

Maturity Level Two

  • Backups of important data, software and configuration settings are performed and retained with a frequency and retention timeframe in accordance with business continuity requirements.
  • Backups of important data, software and configuration settings are synchronised to enable restoration to a common point in time.
  • Backups of important data, software and configuration settings are retained in a secure and resilient manner.
  • Restoration of important data, software and configuration settings from backups to a common point in time is tested as part of disaster recovery exercises.
  • Unprivileged accounts cannot access backups belonging to other accounts.
  • Privileged accounts (excluding backup administrator accounts) cannot access backups belonging to other accounts.
  • Unprivileged accounts are prevented from modifying and deleting backups.
  • Privileged accounts (excluding backup administrator accounts) are prevented from modifying and deleting backups.

Maturity Level Three

  • Backups of important data, software and configuration settings are performed and retained with a frequency and retention timeframe in accordance with business continuity requirements.
  • Backups of important data, software and configuration settings are synchronised to enable restoration to a common point in time.
  • Backups of important data, software and configuration settings are retained in a secure and resilient manner.
  • Restoration of important data, software and configuration settings from backups to a common point in time is tested as part of disaster recovery exercises.
  • Unprivileged accounts cannot access backups belonging to other accounts, nor their own accounts.
  • Privileged accounts (excluding backup administrator accounts) cannot access backups belonging to other accounts, nor their own accounts.
  • Unprivileged accounts are prevented from modifying and deleting backups.
  • Privileged accounts (including backup administrator accounts) are prevented from modifying and deleting backups during their retention period.

Atlassian Response

Atlassian maintains a Data Retention and Destruction Standard, which designates how long we need to retain data of different types. Data is classified in line with our Atlassian Data Security & Information Lifecycle Policy, and controls are implemented accordingly.
For customer data on termination of an Atlassian contract, the data belonging to a customer team will be removed from the live production database and all file attachments uploaded directly to Atlassian will be removed within 14 days. The team’s data will remain in encrypted backups until those backups fall out of the 60-day backup retention window and are destroyed in accordance with our Atlassian data retention policy. In the event that a database restore is necessary within 60 days of a requested data deletion, the operations team will re-delete the data as soon as reasonably possible after the live production system is fully restored. For more information, see: Track storage and move data across products