One thing that never fails to be important in the day-to-day operations of businesses is compliance. Whether it's security compliance, financial compliance—such as keeping your website PCI compliant—or even making sure teams are aware of HR policies, it's critical to properly track and manage compliance issues that occur in your organization.
Across the board, I have found the Atlassian toolset to be very effective in tracking information on day-to-day compliance concerns as well as annual audits, and I'd like to share an approach that worked out well for our organization:
Setting Up a Jira Service Desk Project
We started out simply enough with a dedicated Jira Service Desk (JSD) project named Compliance (COMP). At first glance, you might wonder why we went in this direction for an audit-focused project. While it's true that JSD is mostly designed for customer and internal services, it offers some other benefits that we wanted to take advantage of.
Determining Issue Types
Once we had the project set up, we slimmed down the issue types to just two: Service Request and a custom one we simply named Audit (the Audit issue type was quickly adopted by other teams across the company that were looking to manage their own internal quarterly audits). With these two issue types in place, we set them up so that Service Requests were handled through portal requests, while the Audit type was reserved for tracking the things we needed to review.
Creating Checkboxes and Text Fields
The Audit screen started out pretty simple as well. Our auditor at the time just wanted a few tabs for what they were reviewing, plus some multi-line text fields. Over time, though, this proved hard to pull historical data from, so we broke it out into a series of checkboxes and text fields indicating exactly what we reviewed. For instance, for Account Access, we created individual fields to note that accounts were provisioned securely at every stage and/or deactivated at every stage.
We ended up with a sweet, clean compilation of six tabs, with all their needed questions and areas for notation. Any time this is updated, it's saved in the history, where it can be tracked, is searchable, and is easy to pull into clean reports. While I'm going pretty in depth into how this was set up, it's not that complicated. Think of it as kind of a "rinse and repeat" process: once you have the first tab set up, you repeat the same basic process for the next tab. This, of course, may not work for every checkbox question and text field, but it was quite suitable for us.
Adding a Layer of Security
As things developed over time, we realized that we were starting to capture sensitive information related to compliance: gaps we had found, areas that would create vulnerabilities, and other findings of that kind. At this point, we recognized that we needed to add issue security and tighten the permission scheme on this project. We did this by creating an Auditors role on the project and limiting view access to that role plus the participants on the ticket. This helped seal up the security quite a bit.
Submitting Concerns through a Portal
Now, back to the portal. You've probably been wondering why we needed it! Very simply, we wanted to create a place where people who had compliance concerns, questions, or comments could submit a simple inquiry or information. Say, for example, someone observed a new hire's passwords being delivered in an unsafe fashion. The portal provides a place to submit issues so our specialized compliance team can address them, and/or escalate them to the audit team for investigation—all while keeping the ticket secure to only the person who raised the concern and the team managing it.
Bridging the Gap with JSD
In the end, by using Jira Service Desk, we were able to go from multiple spreadsheets in secure shared storage, email chains, and a SharePoint site with historical data to a centralized, searchable, user-friendly method for tracking information over time. By consolidating our compliance audits and management under JSD, we were able to securely bridge the gap between the compliance team and the rest of the company.