Audit & Compliance Manual

Remediation Bridge

Findings-to-action workflow, ownership handoff, and the model Meridian uses to keep remediation tied to real systems and teams.

Audience: Compliance operators and engineering or IT owners
Focus: Remediation follow-through
Status: Public manual

Scope

Findings do not matter unless they reliably turn into accountable work. This page keeps the public-safe remediation model and removes the private integration plumbing that supports it internally.

What It Does

The remediation bridge connects Meridian compliance gaps to Jira. When Meridian detects a control failure, you can open a Jira ticket directly from the alert, finding, or MAP action item. The bridge tracks the ticket’s status in Jira and syncs it back into Meridian so the compliance dashboard reflects real operational progress.

Prerequisites

  • A Jira Cloud instance (or Jira Data Center / Server with REST API access).
  • An Atlassian API token with project write permissions.
  • A Jira project and issue type configured for remediation tickets.
  • Meridian.admin permission to configure the connector.
  • Meridian.manage permission to create remediation tickets.

Setting Up the Jira Connector

  1. Navigate to Connectors in the sidebar.
  2. Click New Connector and select Jira.
  3. Fill in:
       • Name — descriptive name (e.g., “Jira Cloud — Security Project”).
       • Atlassian Account Email — the email of the account the API token belongs to.
       • Atlassian API Token — the token you created. Stored encrypted.
       • Project Key — the Jira project key where tickets land (e.g., SEC).
       • Issue Type ID — the Jira issue type ID (e.g., 10001 for Task). Use the numeric ID, not the name — IDs are stable across Jira customizations.
  4. Click Create Connector.
  5. Click Test Connection. The test verifies both authentication and project access.

Finding the Issue Type ID

In Jira, navigate to Project Settings > Issue Types. The issue type ID is in the URL when you click on a type, or use the Jira REST API:

Optional: Field Mapping

If you want Meridian fields to map to Jira custom fields, add a field_mapping in the connector config:

Optional: Priority Mapping

Override the default severity-to-priority mapping:

Without this, the default mapping applies: critical -> Highest, high -> High, medium -> Medium, low -> Low, info -> Lowest.

Creating Remediation Tickets

From an Alert

When a control failure fires an alert:

  1. Navigate to the alert detail page.
  2. Click Create Ticket (requires Meridian.manage permission).
  3. The bridge creates a Jira issue in the configured project with:
       • Summary: [Meridian Alert] {message} — {severity}
       • Description: alert type, severity, status, dedup key, timestamps, and details.
       • Priority: mapped from the alert severity.
       • Labels: meridian, alert, and the alert type.
  4. The remediation ticket appears in the program’s remediation ticket list.

From a Finding

After an auditor creates a finding:

  1. Navigate to the finding detail page.
  2. Click Create Ticket.
  3. The bridge creates a Jira issue with:
       • Summary: [Meridian Finding] {title} — {classification} ({materiality})
       • Description: finding ref, classification, materiality, status, and description.

From a MAP Action Item

When a MAP action item needs external tracking:

  1. Navigate to the MAP action item.
  2. Click Create Ticket.
  3. The bridge creates a Jira issue with:
       • Summary: [Meridian MAP Item] {description} — {status}
       • Description: item ID, status, target date, and description.

Duplicate Prevention

Viewing Remediation Tickets

Navigate to a compliance program and find the Remediation Tickets section. Each ticket shows:

  • External Key — the Jira issue key (e.g., SEC-42), linked to Jira.
  • External Status — the raw Jira status from the most recent sync.
  • Internal Status — Meridian’s state machine: open, in_progress, resolved, closed, or failed.
  • Last Synced — when Meridian last polled Jira for status.
  • Source — the alert, finding, or MAP item the ticket was created from.

Status Sync

Meridian periodically polls Jira for ticket status updates. When Jira reports a ticket as Done, Closed, or Resolved, Meridian transitions the internal status to resolved.

How Status Mapping Works

Common Jira statuses are mapped automatically:

Jira Status | Meridian Status
Done, Closed, Resolved, Complete, Fixed, Won’t Do, Cancelled | resolved
In Progress, In Review, In Development, Working | in_progress
(anything else) | No change — raw status recorded

If your Jira workflow uses custom status names that are not in this list, the sync will record the raw status but will not transition the internal state. Custom status mapping is a planned enhancement.
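
A sketch of the mapping table above applied to sync results, added here as an example and not Meridian's own code. Case-insensitive matching, the row field names and the sample tickets are assumptions; it also lists tickets whose custom status left the internal state unchanged and tickets that reached resolved through Won't Do or Cancelled, so both can be checked by hand.

```python
RESOLVED = {"done", "closed", "resolved", "complete", "fixed", "won't do", "cancelled"}
IN_PROGRESS = {"in progress", "in review", "in development", "working"}
NOT_FIXED = {"won't do", "cancelled"}  # count as resolved although no fix was made

def normalize(status):
    # Assumption: matching ignores case, surrounding space and curly apostrophes.
    return status.strip().lower().replace("\u2019", "'")

def map_status(raw, current):
    """Return the internal status after a sync, following the documented table."""
    s = normalize(raw)
    if s in RESOLVED:
        return "resolved"
    if s in IN_PROGRESS:
        return "in_progress"
    return current  # anything else: no change, only the raw status is recorded

def review(rows):
    """Sync each row; return (updated_rows, unmapped_keys, resolved_without_fix_keys)."""
    updated, unmapped, no_fix = [], [], []
    for row in rows:
        new = map_status(row["external_status"], row["internal_status"])
        updated.append({**row, "internal_status": new})
        s = normalize(row["external_status"])
        if s not in RESOLVED | IN_PROGRESS:
            unmapped.append(row["external_key"])   # custom status, state is stuck
        elif s in NOT_FIXED:
            no_fix.append(row["external_key"])     # resolved, but nothing was fixed
    return updated, unmapped, no_fix

# Constructed sample rows (keys and statuses are made up for illustration).
SAMPLE = [
    {"external_key": "SEC-42", "external_status": "Done", "internal_status": "in_progress"},
    {"external_key": "SEC-43", "external_status": "Won\u2019t Do", "internal_status": "open"},
    {"external_key": "SEC-44", "external_status": "Awaiting CAB", "internal_status": "open"},
    {"external_key": "SEC-45", "external_status": "In Review", "internal_status": "open"},
]

if __name__ == "__main__":
    updated, unmapped, no_fix = review(SAMPLE)
    for r in updated:
        print(r["external_key"], r["external_status"], "->", r["internal_status"])
    print("custom statuses that did not transition:", unmapped)
    print("resolved via Won't Do / Cancelled:", no_fix)
```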

Auto-Advance MAP Items

When a remediation ticket for a MAP action item resolves in Jira, Meridian automatically marks the MAP item as completed. The parent MAP checks for all-items-complete on its regular sweep cycle.

Ticket Lifecycle

A remediation ticket moves through these states:

  • open: Ticket created in Jira. Waiting for Jira progress.
  • in_progress: Jira reports the ticket is being worked.
  • resolved: Jira ticket is done. Meridian can close the bridge row.
  • closed: Final state. The compliance gap has been addressed.
  • failed: Something went wrong (Jira API error, connector offline). Can retry.

Related Documentation

  • functional/remediation-bridge.md — ticket creation rules, state machine, status mapping
  • architecture/remediation-bridge.md — integration model, data model, service architecture
  • manual/connectors.md — general connector management