Our Atlassian Security & Technology Policies

Access Management

This policy sets out the general principles and guidelines for Access Management.

The basic principles (tl;dr) include:

• Atlassian will maintain an Access Control policy outlining how to manage access to systems
• User accounts will be used to manage access
• All users have responsibility to manage access to their systems
• Systems will be logged and monitored for potential inappropriate access
• Remote access will be enabled via multi-factor authentication
• Duties should be segregated where appropriate

Asset Management

This policy sets out the general principles and guidelines for management of Atlassian's IT assets and how those assets should be handled.

The basic principles (tl;dr) of asset management at Atlassian include:

• Atlassian will maintain an inventory of assets;
• Assets maintained in an asset management database will have identified owners;
• Acceptable use of assets will be identified, documented and implemented;
• Assets will be returned to Atlassian if employment is terminated.

Business Continuity & Disaster Recovery

This policy sets out the general principles that establish our approach toward resilience, availability and continuity of processes, systems and services at Atlassian. It defines requirements around business continuity, disaster recovery and crisis management processes.

The basic principles (tl;dr) include:

• Mission critical system, process or Service Owners must ensure proper Business Continuity and/or Disaster Recovery that is inline with the tolerance for disruption in case of disaster.
• Continuity plans must include appropriate "last stand" environment, that provides core functionality (at the minimum), and a plan to fail to that environment. Considerations for business-as-usual resumption must also be included.
• No mission critical system, process or function could be deployed in production without appropriate continuity plan
• Plans must be tested quarterly and issues identified and addressed.
• Maximum time for recovery (RTO) starts from event detection until the core functionality is operational. Services are grouped into Tiers that define maximum RTO and RPO.

Communications Security

This policy sets out the general principles and guidelines for managing the security of our communications and our networks.

The basic principles (tl;dr) include:

• Network access should be controlled
• Network access is supplied and all users should be familiar with the Policy - Electronic System and Communications
• Networks should be segregated based on criticality

Cryptography & Encryption

This policy sets out the general principles to ensure that Atlassian implements appropriate encryption & cryptography to ensure confidentiality and integrity of critical data. Atlassian deploys cryptographic mechanisms to mitigate the risks involved in storing sensitive information and transmitting it over networks, including those that are publicly accessible (such as the internet). Facilitating the use of encryption technologies that are reliable, secure and proven to work effectively is a key objective of this standard in order to mitigate the risk of unauthorised access to and/or modification of sensitive company information.

The basic principles (tl;dr) include:

• Sensitive data is encrypted appropriately;
• Strength of selected encryption corresponds with information classification;
• Cryptographic keys will be securely managed;
• Only approved cryptographic algorithms and software modules will be used.

Data Classification

This policy establishes and defines data classification ratings and includes descriptions, examples, requirements, and guidelines regarding the treatment of data included within each classification rating. The classification ratings are based on legal requirements, sensitivity, value, and criticality of the data to Atlassian, Atlassian’s customers, and Atlassian’s partners and vendors.

The basic principles (tl;dr) include:

• Data must be classified in terms of legal requirements, value, and criticality to Atlassian
• Data must be identified and labeled and kept current in a data flow map to ensure appropriate handling
• Media being disposed of must be securely deleted
• Media containing company information must be protected against unauthorized access, misuse, or corruption during transport

Mobile & Bring Your Own Device (BYOD)

This policy sets out the general principles and guidelines for the use of personal devices with Atlassian networks and systems.

The basic principles (tl;dr) include:

• The philosophy behind this Bring Your Own Device Policy (referred to here as the BYOD Policy or the Policy) is to be as unobtrusive and flexible as possible with regard to BYOD usage to maintain the autonomy of Atlassians whilst ensuring we have the ability to protect our customer and corporate data.
• As such, the focus will be on configuration / posture checking and monitoring of compliance of devices, with the least restrictive principles that reasonably achieve the required security objectives, rather than enforcement of restrictions. Where restrictions do need to be applied, this will be done selectively depending on the data that can be accessed.
• This Policy covers both our current and our anticipated future needs. Some of the capabilities outlined may not be implemented immediately.

Operations

This policy sets out the general principles and guidelines for technology operational practices at Atlassian.

The basic principles (tl;dr) include:

• procedures should be documented for operational activities
• backups should be taken regularly and the backups tested
• changes should be managed and evaluated by multiple people
• capacity should be evaluated and planned for
• software installation should be limited and unnecessary software should be restricted
• logs should be configured and forwarded to the centralized logging platform
• any operational incidents should be managed according to our standard HOT process

Personnel Security

This policy sets out the general principles and guidelines for personnel security at Atlassian.

The basic principles (tl;dr) include:

• Security responsibilities will be outlined in job definitions
• All employees and users will regularly view security awareness training
• All employees and contractors have a duty to report security incidents or weaknesses
• Upon employee termination, access and return of assets will occur in a reasonable time frame

Physical & Environmental Security

This policy sets out the general principles and guidelines for securing our buildings, our offices and securing our equipment.

The basic principles (tl;dr) include:

• Provide for secure areas to work
• Secure our IT equipment wherever it may be
• Restrict access to our buildings and offices

Privacy

This policy sets out principles to ensure that Atlassian implements appropriate security measures that help protect data privacy.

Atlassian recognizes that while encryption and other Privacy Enhancing Technologies (PETs) are powerful tools, thoughtful consideration is required during technology selection and implementation. Atlassian takes a risk-based approach to privacy that considers the nature, scope, context, and purposes of data processing as well as the likelihood and severity of risks for the rights and freedoms of natural persons.

The basic principles (tl;dr) include:

• PETs should be chosen according to a risk-based approach
• PETs must not prevent Atlassian from meeting regulatory requirements regarding privacy rights
• PETs should not impair the security of systems and services that process data
• PETs should not impair the ability to restore private data access and availability in the event of a breach
• PETs should allow for regular testing, assessing, and evaluation of effectiveness

Security Incident Management

This policy sets out the general principles and guidelines to ensure that Atlassian reacts appropriately to any actual or suspected security incidents. Atlassian has a responsibility to monitor for incidents that occur within the organisation that may breach confidentiality, integrity or availability of information or information systems. All suspected incidents must be reported and evaluated. The policy has been implemented so that Atlassian Security can limit their duration and adverse impact on Atlassian and its customers as well as learn from incidents.

The basic principles (tl;dr) include:

• Anticipate security incidents and prepare for incident response
• Contain, eradicate and recover from incidents
• Invest in our people, processes and technologies to ensure we have the capability to detect and analyze an security incident when it occurs
• Make protection of Personal data and customer data the top priority during security incidents
• Regularly exercise the security incident response process
• Learn from and improve the security incident management function
• Communicate critical security incidents to the Atlassian Leadership Group

Supplier Management

This policy sets out the general principles and guidelines to select, engage, monitor and off-board suppliers.

The basic principles include:

• Atlassian will be purposeful in managing our vendor selection process
• All suppliers must be onboarded and managed in accordance with Atlassian supplier risk assessment and due diligence processes
• The business owner requesting the vendor relationship is responsible for utilizing standard Atlassian contracts
• Atlassian will perform oversight of the relationship to ensure it meets our Atlassian standards
• Atlassian reserves the right to terminate the contract with any vendor when the service is no longer required

System Acquisition, Development, and Maintenance

This policy sets out the general principles and guidelines for development of applications, both internally and customer-facing, as well as creating limitations on how to manage pre-production environments and incorporating open source software into any of our Products and Services.

The basic principles (tl;dr) include:

• Security requirements will be included and incorporated to any environment or application development or acquisition;
• Product development will follow our internal quality assurance process, which includes integration of security checks;
• Production data that is Restricted according to the Data Security Information Lifecycle Management Policy will be anonymized or masked when being used in pre-production environments; and
• Integration of any open source frameworks or libraries will follow our internal Standard - Using Third Party Code in an Atlassian Product

Threat & Vulnerability Management

This policy sets out the general principles and guidelines for managing security threats and vulnerabilities both in our environment and in our products.

The basic principles (tl;dr) include:

• Manage security vulnerabilities in our products and services, including issuing updates, patches or advisories
• Manage security threats and vulnerabilities throughout our environment, both internal and hosted environments
• Manage the threat of malware in the environment

Audit & Compliance Management

This policy sets out the general principles for managing and auditing control compliance at Atlassian.

The basic principles (tl;dr) include:

• We implement controls to properly manage risk and ensure compliance with relevant policies, regulations and external industry standards
• We use audits as a way to verify the appropriateness and operational effectiveness of our controls
• Audits are coordinated and delivered as appropriate to achieve high level of confidence in our control environment, as well as to achieve internal or external certification
• Atlassian seeks external validation of controls
• Atlassian maintains a consolidated view of all its relevant control objectives, control activities and tests