Supporting Regulated Industries on Atlassian

May 15, 2024

On May 2, 2024, SoftComply hosted the 2nd edition of the Regulated Industries workshop during the Atlassian Team event. The workshop, titled “How to best support Regulated Industries on Atlassian”, discussed customer feedback and best practices for collaboration between Atlassian, app vendors and solution partners in supporting customers from regulated industries.

For two years in a row we have had the pleasure of coming together at Team events as a group of like-minded people working in or with companies from regulated industries that use Atlassian. Last year it started as a discussion over breakfast at a Starbucks. This year we held a technical workshop with six speakers: Mix and Joe from Atlassian, Ulrich and Marion from Marketplace Partners, and Jan and Geoff from Solution Partners.

The aim of the workshop was to discuss all things compliance as they relate to the regulated industries, where compliance is expected. Implementing and following compliance frameworks leads to (1) risk reduction, (2) enhanced security, (3) operational efficiency, (4) technical debt reduction, (5) enhanced scalability and adaptability, and (6) better software development quality, including documentation and quality assurance.

Below is a short summary of what was discussed.

DR. MARION LEPMETS – SoftComply

SoftComply is a marketplace partner that helps regulated industries get their products to market faster by offering them quality and risk management solutions. The majority of SoftComply customers are from the medtech space, with strict requirements for the validation of the software tools they use, data privacy, security, etc.

Marion talked about how regulated industries often use Atlassian tools for software development but keep quality and compliance management in separate standalone tools. Breaking these silos and bringing all departments onto Atlassian requires better collaboration between Atlassian, marketplace partners and solution partners.

A few challenges that medtechs are struggling with on Atlassian Cloud are:

a) dynamic changes to the Atlassian tools, which make manual validation impossible;

b) data security, privacy and data localisation;

c) better permission control for regulated industries, especially in Confluence Cloud;

d) better page versioning in Confluence: old versions of a page can’t be exported and may break macros; etc.

NEWS:

After the 1st Compliance Breakfast at Team23, Izymes & SoftComply decided to create a Compliance Tech Hub site for Regulated Industry clients who are looking for resources on and around Atlassian and the 3rd party apps that support them in compliance (see the Compliance Tech Hub home page).


GEOFF METHER – Togetha Group

Geoff told us how Togetha Group supported an Australian Government office on its migration journey to Atlassian Cloud, and the importance of Atlassian’s IRAP assessment (Australia’s Information Security Registered Assessors Program) for that customer.

He also mentioned that although the list of compliance certifications Atlassian is working towards is quite long, there is little transparency about when the certificates are expected to be attained or when the audits take place.

For government organisations, as for most organisations from regulated industries, the only way they can migrate to Cloud is if they can move to the Jira Enterprise plan. Jira Cloud Enterprise pricing for the regulated industries has to be relaxed if Atlassian wants to move these users to Cloud!


MIX MIXON – Atlassian

Mix used to work as a Jira admin in a life-sciences company before she joined Atlassian, so she has seen both sides now.

Mix talked about 21 CFR Part 11 and its requirement that software tools be validated. This means that Atlassian tools should be regularly tested to ensure that no change in Jira has compromised user data integrity or Jira’s performance. To do that, all changes in Jira have to be known, but as it turns out not all changes are gated, so the release tracks alone won’t work. Now that Mix is at Atlassian, she will try to find the best way to work towards automated Jira validation. So far, SoftComply has developed an app for automated validation of Confluence Cloud, but ideally there should be a framework that helps app vendors validate their apps as well.
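To make the validation idea above concrete, here is an added Python example (written for this summary; it is not SoftComply’s validation app and not Atlassian code) of the kind of automated regression check a validated process could run after each platform release: it projects a set of records onto the fields the process depends on, computes a deterministic fingerprint, and reports exactly which validated field changed. The record shape follows the Jira Cloud REST API v3 issue payload (fields.summary, fields.status.name, …) as an assumption, and the two snapshots are constructed sample data, not customer data.

```python
"""Automated validation drift check for a SaaS tool, as an added illustration.

Record a baseline of the fields a validated process depends on, re-fetch the same
records after every platform change, and compare a canonical fingerprint. Only
the validated fields are compared, so volatile fields such as 'updated' never
trigger a false alarm, while any change to a validated field is reported.
"""
import hashlib
import json

# Fields the validated process depends on, as dotted paths into the issue's
# "fields" object. Assumption: payload shape of the Jira Cloud REST API v3
# GET /rest/api/3/issue/{key} response (not verified against a live site here).
VALIDATED_FIELDS = ["summary", "status.name", "issuetype.name", "priority.name", "labels"]

# Constructed sample snapshots (not real customer data).
BASELINE = [
    {"key": "MED-1", "fields": {"summary": "Design input review", "labels": ["gmp", "validated"],
                                "status": {"name": "Done"}, "issuetype": {"name": "Task"},
                                "priority": {"name": "High"}, "updated": "2024-04-30T10:00:00.000+0000"}},
    {"key": "MED-2", "fields": {"summary": "Risk control verification", "labels": ["iso14971"],
                                "status": {"name": "In Review"}, "issuetype": {"name": "Task"},
                                "priority": {"name": "Medium"}, "updated": "2024-04-30T10:05:00.000+0000"}},
]
CURRENT = [
    # MED-1: only label order and the volatile timestamp differ -> no drift expected
    {"key": "MED-1", "fields": {"summary": "Design input review", "labels": ["validated", "gmp"],
                                "status": {"name": "Done"}, "issuetype": {"name": "Task"},
                                "priority": {"name": "High"}, "updated": "2024-05-02T09:00:00.000+0000"}},
    # MED-2: status moved without the process owner's approval -> must be reported
    {"key": "MED-2", "fields": {"summary": "Risk control verification", "labels": ["iso14971"],
                                "status": {"name": "Done"}, "issuetype": {"name": "Task"},
                                "priority": {"name": "Medium"}, "updated": "2024-05-02T09:01:00.000+0000"}},
]


def dig(obj, path):
    """Follow a dotted path through nested dicts; None if any step is missing."""
    for part in path.split("."):
        if not isinstance(obj, dict) or part not in obj:
            return None
        obj = obj[part]
    return obj


def canonical_view(issue):
    """Project one issue onto the validated fields in a deterministic form."""
    fields = issue.get("fields", {})
    view = {"key": issue.get("key")}
    for path in VALIDATED_FIELDS:
        value = dig(fields, path)
        if isinstance(value, list):
            value = sorted(value)  # list order is not a validated property
        view[path] = value
    return view


def fingerprint(issues):
    """SHA-256 over canonical JSON of all validated views, ordered by issue key."""
    views = sorted((canonical_view(i) for i in issues), key=lambda v: v["key"] or "")
    blob = json.dumps(views, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hashlib.sha256(blob).hexdigest()


def drift(baseline, current):
    """Return {issue_key: {field: (old, new)}} for every validated field that changed,
    plus a "_presence" entry for issues that appeared or disappeared."""
    base = {v["key"]: v for v in map(canonical_view, baseline)}
    cur = {v["key"]: v for v in map(canonical_view, current)}
    report = {}
    for key in sorted(set(base) | set(cur)):
        b, c = base.get(key, {}), cur.get(key, {})
        changed = {f: (b.get(f), c.get(f)) for f in VALIDATED_FIELDS if b.get(f) != c.get(f)}
        if key not in base or key not in cur:
            changed["_presence"] = (key in base, key in cur)
        if changed:
            report[key] = changed
    return report


def run_check(baseline, current):
    """Validation verdict: (passed, baseline_fingerprint, current_fingerprint, drift_report)."""
    report = drift(baseline, current)
    return (not report, fingerprint(baseline), fingerprint(current), report)


if __name__ == "__main__":
    passed, fp_base, fp_cur, report = run_check(BASELINE, CURRENT)
    print("baseline", fp_base)
    print("current ", fp_cur)
    print("PASS" if passed else "FAIL: " + json.dumps(report, indent=2))
```

The design choice worth noting: the fingerprint is computed over a projection of the record, not over the raw API response, so the check stays stable across cosmetic platform changes (new fields, reordered lists, timestamps) and fires only when something the validated process actually relies on has changed. The fingerprints themselves can be filed as the validation evidence for each release.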

Mix also talked about the advantages of having multiple sandboxes in larger organisations and the importance of being able to back up and restore data. Currently, a number of 3rd party apps help with that.


JAN SZCZEPANSKI – Jodocus

Jan told us how Jodocus supported a large enterprise customer in the financial industry migrating from on-prem to Cloud, just how complex it is and how long it takes.

Jan also discussed what clients expect from solution partners: all Cloud apps that clients migrate to have to adhere to strict data privacy, security and performance requirements, and the Cloud apps have to have feature parity with the on-prem apps the client was using before.

This got everyone discussing the new Data and Security tab as well as the Cloud Fortified badges.

On one hand, marketplace partners have to answer detailed questionnaires about how user data is stored and processed by their apps, but a) Atlassian does not verify the information marketplace partners provide, and b) end users rarely know how to find this information in the marketplace.

We discussed that the Data and Security tab, including its information on data access by vendors, is not visible enough for business users: how to make it more visible, and how to make sure partners are telling the truth in the questionnaire. One idea was different levels of Cloud Fortified badges, e.g. Silver, Gold and Platinum, to make it more visible to users where an app stands.


ULRICH KUHNHARDT – Izymes

Ulrich had a fireside chat with Christine about Invesco’s Compliance Journey on Atlassian.

Christine told us how to establish compliant procedures, how to ensure they are followed and how to make better use of the Atlassian Cloud toolset. As a global organisation in the financial industry, Invesco is required to ‘play by the rules’ in every region it operates in, such as GDPR or SOX. It is beneficial to rely on proven, measurable and consistent processes to ensure these ‘rules’ are adequately met. Being in compliance reduces risks, legal fees and potential penalties.

She admitted that it is typically more challenging to overcome a culture change, moving engineers away from the mindset of delivering to a date towards delivering the right things at the right time. As such, they are focusing on coupling accelerator frameworks with documented guidebooks that explain the processes (what, why, how) and code snippets to enable the intended experience. Not only does this put accountability back into the developer role where appropriate, but it builds a larger, stronger skilled community that understands the potential impact a small code change can introduce.


JOE ELGABALAWI – Atlassian

Joe told us about the shift in focus from the speed of development to detail, documentation and transparency, all of which are truly important for working towards compliance. There will also be a major architecture change in Jira regarding shared microservices and data residency/pinning of data.

The FedRAMP journey has only just begun and the target date is in 2025. FedRAMP Forge controls will be built in directly, i.e. implemented in the SDKs.

In the general discussion it was said that it takes a minimum of 6 months for an enterprise from a regulated industry to adopt Atlassian tools, and a lot of this time is spent evaluating Atlassian’s privacy, security and industry certificates. Atlassian aims to make the regulated industries’ path to adoption of its tools smoother, shortening it from 6 months.


Conclusion

If you are interested in the topic of compliance and supporting regulated industries on Atlassian, feel free to join us for upcoming webinars on the topic.

May 15th at 4pm CET: Compliance by Design: Integrating Compliance into Atlassian


Next year, Atlassian Team 25 will take place in California. See you there!

Table of Contents

Ready to get started?

Contact us to book a demo and learn how SoftComply can cover all your needs

Medical Device Compliance Guide
Picture of Marion Lepmets

Marion Lepmets

CEO
September 23, 2024

Introduction This medical device compliance guide focuses on the key requirements and strategies for navigating the regulatory landscape. We will cover the role of major regulatory bodies like the FDA, the classification of devices, and the importance of quality management. We will also discuss the challenges of global compliance and...

CVSS-FDA-cybersecurity-medical-devices-1712x599-c
Picture of Matteo Gubellini

Matteo Gubellini

Regulatory Affairs Manager
September 16, 2024

This case study describes the experience of a multinational medical device manufacturer meeting the FDA cybersecurity requirements. The company is operating in the MedTech sector developing a class 2/IIb device consisting of hardware and software. The company spent about 2 years working on the security risk management of the device....

Information Security Risk Management Guide
Picture of Marion Lepmets

Marion Lepmets

CEO
September 13, 2024

Keeping your data safe is vital for every business. One way to do this is by following ISO 27001. But how can we manage these information security risks with a tool like Jira? Let’s dive in! What is Information Security Risk Management Information Security Risk Management is all about identifying,...