No matter which tools comprise your tech stack, compliance with data protection and information security best practice must lie at the center.
But how do you achieve this?
In today’s article, we’ll explore how you can use the Atlassian Cloud Platform (and Atlassian Marketplace apps) to enable essential compliance best practice.
Let’s start with the compliance metrics you’ll want to monitor and analyze, before moving on to exploring the following areas in a little more depth:
- Centralized and secure document management
- PII detection and protection
- Risk management
- Change management
- Internal education and awareness
- Auditing
Ready? Let’s go 🦊
What compliance actions and data should your Atlassian tooling support?
This is a big question. Those of you working in highly-regulated industries will each have specific legislation with which you need to comply. Think DORA for financial entities across Europe, or NIS2, which impacts ‘essential’ sectors (such as finance, energy and utilities, healthcare and so on).
Then we have the more general cyber security and data protection regulations, like the GDPR for EU firms, the UK Data Protection Act, HIPAA for organizations operating in the US, ISO 9001, ISO 27001, SOC 2, and more.
Each of these regulations comes with its own list of requirements – but often you’ll see similar key principles based on policy documentation, internal education, risk management, and auditing.
Compliance data and metrics
Reporting is a key component of compliance with multiple frameworks. You need access to relevant data in the first place, and you need a way to make sense of your stats and be able to share them.
Again, we know that there will be certain industry regulations for which you’ll need very specific data. For now, we’re taking a high level look at those more general data protection and information security frameworks.
What will you need to report on?
Relevant insights could include:
- User access and permissions: How are you keeping track of which users are accessing what, and if changes are made? You can view this information in Confluence.
- Sensitive data detection and steps taken to protect it: The Compliance for Confluence app has a central Admin Dashboard, which enables you to view core metrics around how you manage PII. (For more on how you can actually protect sensitive data, see the Sensitive data protection and management section below.)
De-siloing your Compliance for Confluence data
Imagine if you could bring all your compliance data into one place, rather than context-switching between different sources. We developed the Compliance for Confluence REST API to address this issue.
With the API, you can push insights from the app into your BI dashboard or reporting tools.
For example, you could request metrics on the volume of pages containing PII, and the Compliance app API will deliver it to your primary compliance or BI dashboard.
- Change history: Confluence provides full versioning history, including changes made, which users updated content, and when.
- Data classification levels applied to pages: View your data classification level insights through the Compliance for Confluence app Admin Dashboard. Or, with the free REST API, integrate it with your central reporting tools or dashboard, for a more holistic view.
- How many integrations/plugins you have: It’s vital to keep track of your Atlassian Marketplace apps and plugins, from both a security and governance standpoint.
- Whether team members have accepted or viewed policies: Native Confluence metrics will show which team members have viewed documentation. Time spent on page can indicate a read-time to determine rough engagement levels.
- Data subject access requests: Data subjects have the right to request access to the data you hold about them, and to request its erasure. If you use Jira Service Management to handle these kinds of requests, you can report on the frequency of such tickets, and their resolution metrics.
- Where PII is stored: You may need access to this information when handling a data subject access request, or require PII insights for compliance reporting. You can find this data in your Compliance for Confluence Admin Dashboard, or push it through into your central BI or compliance console via the REST API.
Spotlight on the Compliance for Confluence REST API
We’ve mentioned our new REST API a couple of times already in this article. Let’s do a quick summary to better understand its scope and suggested use cases:
- You can use the Compliance for Confluence REST API to connect your app data with your wider reporting or BI dashboards as well as other tools within your tech stack.
- Doing this reduces information in silos, eliminates context-switching (and therefore saves time), and provides a big-picture view of your compliance metrics and actions across multiple platforms.
- It can also significantly support your auditing process, by centralizing all compliance data into one singular dashboard.
- You can do so much more with your Compliance for Confluence data. How about pushing it into a data visualisation tool, so you can share your compliance insights with stakeholders in a more engaging, visual way that makes sense to them?
So, we’ve had a quick look at the kind of data you can pull through and use within your Atlassian tech stack. Now it’s time to dig into some of the actions you can take with your tooling.
Compliance actions and processes
To demonstrate compliance with these key principles, you’ll need your Atlassian tech stack to enable the following:
Centralized and secure documentation
It’s essential to have clearly documented policies and procedures to align with legislative requirements. From your incident reporting policy, to ISMS documentation, this collateral needs to be saved in a shared space, with clear access controls.
Confluence is ideal for this:
- You can organize policies by team, business area or regulation.
- Policy-makers or key stakeholders can collaborate transparently and securely.
- You can manage access via user or user groups to ensure sensitive documentation is protected.
- Use Confluence labels to mark pages as confidential or internal-only.
Sensitive data protection and management
PII (Personally Identifiable Information) needs to be protected in compliance with regulations.
You can use a combination of Confluence native features, and Atlassian Marketplace apps, like Compliance for Confluence, to safeguard PII across your organization’s written content:
- Use Confluence to store pages containing PII in a separate space, and limit access to certain user groups.
- Label pages as ‘confidential’ or ‘high risk’ to avoid accidental data leaks or sharing.
- Clearly document your sensitive data protection measures in centrally-shared policies.
- Use the Compliance for Confluence app to take your sensitive data protection to the next level…
Spotlight on Compliance for Confluence
If you’re not already using the Compliance for Confluence app, it’s a super powerful way to protect your data and embed compliance best practice across your tech stack.
- Apply data classification levels: Set company-wide classification levels to instantly flag whether your pages are public-facing, internal only or high risk. Create up to five custom levels, unique to your organization’s processes.
- Create a Rovo Agent to automatically assign classification levels: Using the Compliance for Confluence REST API, you can create a custom Rovo Agent to scan the content of a page and instantly apply a suitable classification level.
- Detect sensitive data: Using both pre-configured and custom queries, Compliance for Confluence will scan your pages for sensitive data – be that email addresses, financial information, and more, and automatically flag when PII is identified.
- Redact sensitive data: Once the app has found PII, it can automatically redact it, to further protect it.
- Available now on the Atlassian Marketplace, why not try Compliance for Confluence for free, to enhance your internal data protection and information security compliance actions?
Risk management
You’ll likely have various documentation from risk assessments and audits, right through to incident reporting controls and disaster recovery plans.
Again, Confluence is an excellent place to create, edit, store and share these documents. However, complying with risk management best practice goes further than written assets. We’re talking:
- Well-documented integration strategy and request management process (more on this shortly).
- Regular auditing of Atlassian Marketplace apps and plugins.
- Consistent housekeeping and maintenance of your Atlassian apps themselves, like Jira. A well-governed instance reduces the risk of human error and the possibilities of unauthorized user access (such as team members who have left the organization, but have slipped through the net and not yet had access revoked).
- Optimizer for Jira is an Atlassian Marketplace app that can help with this. It provides a high-level overview of your Jira instance, identifying problem areas like duplicate custom fields, inactive users, old projects and so on. Make bulk updates, such as deleting duplicates at the touch of a button, and understand how a well-maintained instance contributes to process optimization and compliance best practice.
Did you know?
Optimizer for Jira Advanced Edition now supports Jira Service Management! So you can extend your compliance best practice and instance governance to JSM too!
A formal change management process
To avoid a ‘Wild West’ situation of sprawling integrations, configuration changes and users, align with information security best practice and consider embedding a formal change management process, particularly if your organization is growing.
Without a change management request procedure, you run the risk of users installing ad-hoc plugins without consent, unknowingly duplicating custom fields, or embarking on custom configuration which could compromise existing workflows or processes.
- Use Confluence to document and share your request management strategy and process.
- You can use Jira Service Management to enable team members to submit tickets for changes, which can then be reviewed by your Service Desk or Admins in line with your policy.
Demonstrable education and awareness amongst team members
From reviewing and accepting company policies, to running staff training, it’s vital to demonstrate an ongoing commitment to information security, data protection and other regulatory elements.
- Confluence enables secure cross-team sharing.
- With Confluence on-page analytics, you can monitor page views and read-times to understand team engagement and which users have read and accepted certain policies.
A comprehensive audit trail and change history
You may need to provide audit trails and demonstrate that you can record and report on certain data, to comply with regulatory frameworks and industry legislation.
Document version history for policy documents, risk assessments or ISMS documentation is one example. Here’s an initial outline of some of the measures that your Atlassian apps can enable:
- Confluence (once again!) is ideal for this. Each page provides a full version history, and you can compare two versions side-by-side to understand what changes have been made.
- You can also view a record of when a page was created, who by, and which users have contributed since.
- Using Rovo Studio – or, depending on your team’s technical skill, Atlassian Forge – you could create a custom Rovo Agent which can review and summarise page changes, so you can instantly understand your compliance documentation’s journey.
Do you have an idea for a custom Rovo Agent, but you’re not sure how to build it?
Embedding compliance in your Atlassian tech stack
It’s vital that Atlassian apps enable and support compliance best practice. Your tooling plays a key role in your ability to meet regulatory requirements and protect your data, people, IP and reputation.
But your tech stack is only one part of the equation. The other, perhaps greater element, is the range of actions that your teams take each day to meet industry regulations and wider data protection or information security legislation.
We’re talking about the commitment to documentation and following due process. Educating team members and making compliance a shared responsibility. Promoting compliance not as a burden, but as an opportunity.
Strengthen your internal compliance efforts today with powerful and secure Atlassian Marketplace apps.
Built to extend and enhance Confluence’s native capabilities, Compliance for Confluence equips you with the tools you need for robust data protection and management. And, with the new REST API, you can now embed your compliance data even more effectively within your wider tech stack. Try it today, for free, from the Atlassian Marketplace!