The turn of June and July 2019 was an intense time for us. Due to the increasingly dynamic development of companies in the TT Capital Group, it was gradually becoming clear that in the long term it was impossible to maintain a central IMS (which, in addition to ISO9001, ISO20000, and OHSAS, also included ISO27001). It was time to act.

We decided that the responsibility for ensuring the security of information (and of other systems) would fall on each of the companies that use it. It was quite a subversive idea for the warm, lazy summer holiday period (indeed, at that time the possibility of travel far exceeded the boundaries of the living room, terrace, and garden, which many of us were happy to take advantage of). A task as lofty as it was ambitious. At our disposal, we had the functioning central system of the TTCG and a great deal of experience gained over the many years of working with it. We only had to use this knowledge, documentation, and existing tools… or, perhaps, could it be better to start from scratch? For some reason, that question kept bothering us.

Evolution or revolution?

An eternal dilemma. In one of my previous articles, “How to efficiently perform a digital transformation in your company?”, I argued that if we do not have a good argument for a revolution, then we should stick to evolution. Then, if we make a wrong decision, going back a step or two is much easier. Well, precisely – that’s if we do not have a good argument. Overall, the task that was facing us required three things:

  1. Defining the scope of IMS that we needed in the organisation – here the choice was simple, because as a provider of programming services we focus primarily on information security.
  2. Analysing the entire IMS and pinpointing documents, processes, practices, and ways of ensuring information security.
  3. Adapting the above to our business needs, organisational structure, and good practices.

Step one was a matter of minutes. A piece of cake. Step two was where the trouble started. The Integrated Management System indeed proved to be substantially integrated. There was no easy and quick way to simply extract just the information security part. The only option was to catalogue all the documents, analyse them meticulously, and then rewrite and adapt them to our needs. No shortcuts. But this made us see the light at the end of the tunnel. If we couldn’t speed up our work by simply incorporating parts of the system, why not use tools that would allow us to implement and supervise the system more conveniently, faster, and more efficiently? We had found the argument for the revolution. The third item on our list began to take shape.

Where Excel fails, Jira excels

It is not my intention to criticise Excel. It’s a great tool, but it does not necessarily give you the level of performance and ease of maintenance we require from our ISMS here at TTPSC. And the status of Atlassian Platinum Partner comes with some responsibility. We have been working with the Jira and Confluence systems and using a whole range of extensions for years. Once we had analysed the IMS documentation (yes, we did it document by document, sentence by sentence) and the structure and content of the Information Security policies that will be applied in TTPSC, we had to think about tools. And so:

  • We replaced the document repository (Word, Excel, PDF, and more) in SharePoint with content posted on Confluence websites – and that solved the issues of versioning, employee access, and control of changes. We rely only on integrated mechanisms available as standard. No encryption. It’s quick, efficient, and there’s no need for any additional tools.
  • Reporting incidents, activities, and other events relevant from the point of view of ISMS – fortunately, this item combines all the standards that were part of the IMS. Throughout the years of IMS operation, TTCG developed a great mechanism for event reporting and management, based on Jira. Each report has its own type (Incident, Improvement Potential, Nonconformity, Action) and a number of attributes to help classify the event, which then enables precise analysis and monitoring. Reports have their life cycle, they can be delegated to specific people, provide records of activity, allow for grouping and merging, as well as many other things, which can all be achieved with Jira’s basic functions. This is a key element of the system.

creating ISO issues in Jira, Transition Technologies PSC

  • Monitoring the effectiveness and measuring the achievement of objectives – a structured form of reporting incidents or activities is fundamental. A manual analysis or reporting of the results of measurements in Excel would be heresy. This must be automated, legible, and accessible online with appropriate permissions. Sounds complicated. Nothing could be further from the truth – the integrated Jira and Confluence mechanisms and a very high degree of integration of both systems can also help here. This is why we have access to the most important indicators and the degree of objective achievement at all times, without even one operation, database query, or macro in Excel. We only use filters, reports, macros, and widgets.

ISO statistics in Jira, Transition Technologies PSC

  • The risk matrix. I saved the best for last. On the web, we can find hundreds of Excel templates with samples of a risk matrix. All of them have one thing in common – they cannot be integrated with other parts of the ISMS. Why is that? With 30 or more risks, Excel becomes completely unmanageable. We do not like the look of it. It’s difficult to read the contents of the cells. It’s even more difficult to see the connections between them. And tracking risk activities becomes mental gymnastics. Impossible? And yet. The awesome Jira add-on – BigPicture came to our rescue. Whole articles could be written about the add-on itself, but for our purposes it was the module for risk management that proved invaluable. It allows you to create (and visualise!) a matrix, easily transfer risks between sections of the matrix, and, because each risk is a task in Jira – we can use metadata, links, life cycles, and change history. The icing on the cake is that the risks can easily be linked to their source (design analysis, system implementation, incident), can be filtered and constitute a basis for advanced reports. Quick, simple, and effective.

ISMS Risk Register in Jira, Jira and BigPicture, Transition Technologies PSC

It is worth mentioning that while the analysis of documentation took us weeks, creating these tools for ISMS management turned out to be a matter of… a few days. For one person. The combination of good practices, even better tools, and the gut feeling that old, established patterns can be replaced by something fresh, better, and more efficient, gave exceptional results.

And this is only the beginning…

If that’s the case, then what’s next? Integration. More and more integration. Jira and Confluence are accompanied by dedicated systems which analyse reports from partners and providers. Results are automatically reported as actions, incidents, or other events, and these consequently provide us with indicators and reports. The unification of communication and cooperation tools gives you greater control over the processed data. Analysis of the requirements of the ISO standard in terms of monitoring the effectiveness of ISMS pushes us to implement solutions based on the digitisation of processes in Jira. As long as we are guided by security, standardisation, automation, and data integration in these activities, although the system covers new, additional areas with every month, it does not require any additional effort to operate and manage it. After all, this is not about creating a system whose operation will be a mystery in itself and will only hinder the work of production departments. The idea is that the solutions we have developed should create conditions in which the risk of loss of integrity, confidentiality, and availability of data processed by employees becomes increasingly lower. At the lowest possible cost.
