Here at Isos we have assisted many large and small organizations in their quest to ensure they are in compliance with whatever burdensome imposed regulation they are subject to. These rules, be they internally or externally imposed, have always been a source of friction for teams trying to get whatever project they are working on done. In almost every case, the main issue with implementing procedures to ensure compliance is the creation of extra work that has nothing to do with the actual tasks at hand.
However, it doesn’t have to be this way. When organizations implement their process workflows in Jira, the following procedures become easy. Jira guides you through your defined process. Team members don’t have to think about what step is next. Jira captures and logs every step. The very act of using Jira ensures you are in compliance with whatever rules you define. Following the rules, doing the ‘right thing’, is a by-product of doing your job -- not an obstacle.
For our first article on Atlassian and compliance we present a grab bag of tips anyone can utilize to make sure your configuration is sound when making the Atlassian suite part of your compliance framework:
- Start with example workflows from the Atlassian Marketplace: When you are building a workflow in Jira to follow a certain regulation or process (like ITIL), look in the Atlassian Marketplace first for examples. In our experience, those shared plugins never fulfill an organization’s needs 100%, but they serve as a good jumping-off point to customize for your needs.
- Reduce the number of administrators in Jira: It is common to see 10 or more users with “Administrator” access in a Jira instance. (Heck, we’ve seen 100s in some cases.) Functionality like creating or modifying workflows, unfortunately, requires elevated access. As you start to lean on Jira for enforcing your processes for compliance purposes, you need to make sure your workflows and other system information aren’t accidentally modified in an unapproved manner. Isos highly suggests making the list of administrator users as tight as possible.
- Turn on “Audit Log” in Jira: You will still have more than a few users that are administrators even after your admin purge. That’s fine. Starting in Jira 6.X, Atlassian added the “Audit Log” feature that logs administrator actions when performing system admin functions within the Jira GUI.
- Utilize a log aggregation service: The “Audit Log” and the basic history capture abilities of Jira cover a lot of ground when showing an audit trail as part of your compliance documentation. Isos suggests utilizing services such as Splunk or Logstash to archive Jira logs to capture any historical data that might be missed by either methodology mentioned above.
- Preserve full system backups when generating audit artifacts: When Isos clients export artifacts from Jira (and other Atlassian products) for auditing purposes, we suggest they do a full system backup that is archived for a defined amount of time. This backup will allow the team to ‘go back in time’ to verify or validate questions from auditors.
- Use Bamboo for CI Builds: Many Isos clients use build systems like Jenkins or AnthillPro for CI (Continuous Integration) builds. If you want the CI system to help enforce process workflows, especially with functions like code reviews, Bamboo is the only game in town.
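One way to keep the administrator list tight, and to re-check it on a schedule, is to compare the members of the `jira-administrators` group against an approved list. The script below is an added example written for this post, not code from Isos or Atlassian. It assumes the paged JSON shape returned by Jira Server's group member endpoint (`GET /rest/api/2/group/member?groupname=...`, with a `values` list of `name`/`active` entries and an `isLast` flag); the sample page, the approved list and the `collect_members`/`review_admins` function names are all constructed for this example.

```python
"""Review Jira administrator group membership against an approved list.

Added example, not Isos or Atlassian code. Assumes the response shape of
Jira Server's group member endpoint; the sample page below is constructed.
"""
import json

# Accounts that are allowed to hold "Administrator" access (constructed sample).
APPROVED_ADMINS = {"jira.admin", "svc-backup"}

# Constructed sample: one page of
# GET /rest/api/2/group/member?groupname=jira-administrators
SAMPLE_PAGE = json.dumps({
    "maxResults": 50,
    "startAt": 0,
    "total": 4,
    "isLast": True,
    "values": [
        {"name": "jira.admin", "active": True},
        {"name": "svc-backup", "active": True},
        {"name": "alice", "active": True},
        {"name": "old.contractor", "active": False},
    ],
})


def collect_members(pages):
    """Merge the 'values' of successive JSON pages, stopping at the page marked isLast.

    `pages` is a list of raw JSON strings in the order they were fetched.
    """
    members = []
    for raw in pages:
        page = json.loads(raw)
        members.extend(page.get("values", []))
        if page.get("isLast", True):
            break
    return members


def review_admins(members, approved):
    """Return (unapproved_active, inactive): active admins not on the approved
    list, and admin accounts that are disabled but still in the group."""
    unapproved_active = sorted(
        m["name"] for m in members
        if m.get("active") and m["name"] not in approved
    )
    inactive = sorted(m["name"] for m in members if not m.get("active"))
    return unapproved_active, inactive


def admin_report(pages, approved=APPROVED_ADMINS):
    """Build a short findings report; a non-empty findings list means action is needed."""
    members = collect_members(pages)
    unapproved, inactive = review_admins(members, approved)
    findings = []
    for name in unapproved:
        findings.append(f"{name}: active administrator not on the approved list")
    for name in inactive:
        findings.append(f"{name}: disabled account still in the administrators group")
    header = f"{len(members)} administrator(s) found, {len(findings)} finding(s)"
    return header, findings


if __name__ == "__main__":
    header, findings = admin_report([SAMPLE_PAGE])
    print(header)
    for line in findings:
        print("  -", line)
```

In a real deployment the `pages` list would be filled by walking the endpoint with `startAt` advanced by `maxResults` until `isLast` is true; the approved list should itself live in version control so that changes to it are reviewable alongside the audit log.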
So that wraps up a few foundational things you can do to make your Jira (and other Atlassian products) ready for your compliance needs. In a future blog post we’ll show you very specific examples of how to make Jira enforce compliance processes.