This is a Controlled Document
Inline with GitLab's regulatory obligations, changes to controlled documents must be approved or merged by a code owner. All contributions are welcome and encouraged.
Data Management covers practices and policies around managing, securing, and governing the Enterprise Data Platform and activities related to it. The technical components of the Enterprise Data Platform are listed in the GitLab Tech Stack.
The Enterprise Data Platform captures, processes, and stores data collected from many systems. Not all of this data is of the same importance and we use the Critical System Tier framework and Data Classification Standard to help us determine what data is most important and how to best secure it.
Role | Responsibility |
---|---|
GitLab Team Members | Responsible for following the requirements in this procedure |
Data Management Team | Responsible for implementing and executing this procedure |
Data Management (Code Owners) | Responsible for approving significant changes and exceptions to this procedure |
We deploy a Role-Based Data Access Scheme in Sisense:
Additional controls include:
We deploy a Role-Based Data Access Scheme in Snowflake:
Additional controls include:
IMPORTANT
: Customer Private RED data is prohibited from permanent storage in the Enterprise Data Platform.Control | RED | ORANGE | YELLOW |
---|---|---|---|
General Data Controls | |||
Data Registry Listing | Required | Required | Recommended |
Encryption At Rest | Required | Required | Required |
Encryption In Transit | Required | Required | Required |
Privacy Review | Required | Recommended | Not Required |
Data Retention Procedures | Required | Recommended | Not Required |
Data Infrastructure Controls | |||
Multi-Factor Authentication | Required | Required | Required |
Role Based Access | Required | Required | Required |
Access Logging | Required | Required | Recommended |
Data Warehouse Controls | |||
Quarterly Snowflake User Audits | Required | Required | Required |
Quarterly SiSense User Audits | Required | Required | Required |
Quarterly Change Management Review | Required | Recommended | Not Required |
Quarterly RED Data Scanner | Required | N/A | N/A |
Endpoint Devices | |||
Anti-Malware | Required | Required | Required |
Full-Disk Encryption | Required | Required | Required |
Quarterly Data Purge | Required | Required | Required |
A Quarterly Audit is performed to validate system security, such as ensuring the right people have correct data access configuration and data pipelines are running correctly.
The process is supported by the Quarterly Data Health and Security issue template. The label ~"Quarterly Data Health and Security Audit"
is used for all issues and merge requests related to the Quarterly audit.
Here is a sample checklist of activities:
SAFE Dashboard
Space access after 90 days not logged-in within the past 90 days from the moment of performing an audit.
SAFE Dashboard
Space that hasn't logged-in for more than 90 days will be deprovisioned from the SAFE Dashboard
Space. If a GitLab team member wants to have access provisioned back again, a new AR needs to be created and all approvals need to be obtained again.Exceptions to this procedure will be tracked as per the Information Security Policy Exception Management Process.