IT Security and Compliance

Maintained by:

How to reach out to us?

Issue Trackers

System Change Log Automation User Export Automation Compliance Access Review IT Compliance Issue Tracker IT Security Issue Tracker

IT Security and Compliance works collaboratively with multiple functional teams throughout the GitLab organization. We partner with our Security and Legal teams to identify and manage privacy, data protection risks, and compliance requirements to help meet stakeholder expectations. We also partner with Management, Business Teams, and our Data Team to implement solutions.

Our work can be tracked in the IT Compliance GitLab Group.

Note The Compliance Access Review Project is where we are logging and storing the main issue IT Compliance uses to complete User Access Reviews. The actual User Access Review issues are still being tracked in our Access Request Project.

Who We Are

The IT Audit and Compliance function at GitLab is here to ensure as a company we are ready to pass a SOX Audit for our IT General Controls (ITGC). IT Audit and compliance builds the processes that allow us to stay compliant over time. The IT Security function at Gitlab is here to reduce the threat landscape to our internal tech stack, report on our existing security posture, and respond to security findings requiring mitigation. We are specialized around Business Technology and that is our area of focus. Our work rolls up to the overall Security portfolio of Audit and Compliance.

Vision

To identify and secure applications that are deemed to fall under SOX Audit.
Ensure that only current employees have access to the applications and the appropriate actions.
Manage all changes to SOX compliant systems to ensure their auditability and compliance with SOX level change management.
Constantly iterate to simplify and ensure processes are efficient and automated as much as possible. Goal is to weave these processes into the fabric of work so they are not noticed.
IT Audit and Compliance - Ensuring that all customer/business data is secure and can pass key audits for attestations and compliance with SOX, SOC, etc.
Work to reduce audit scope by enhancing general controls.

How we work

Our IT Compliance and IT Security boards are where some of our work can be tracked. If you need help with anything or have any questions, you can add our label IT Compliance or IT Security to the issue. If you are unsure of who you need to engage, IT Compliance or IT Security, please tag @gitlab-com/business-technology/it-compliance and someone will assist. You can also find us hanging around in the #it_compliance_security_help slack channel.

What we do

IT General Controls

Most Common:

The most common ITGCs:

Logical access controls over infrastructure, applications, and data.
System development life cycle controls.
Program change management controls.
Data center physical security controls.
System and data backup and recovery controls.
Computer operation controls.

GitLab’s IT Audit Function will focus on the following for the next 3 months:

Logical access controls over infrastructure, applications, and data.
System development life cycle controls.
Program change management controls.
System and data backup and recovery controls.

Business Continuity Plan

IT Compliance works closely with our Security Compliance team to ensure that GitLab's Business Continuity Plan is up to date.

Business Technology Change Management

IT Compliance works closely with our internal business partners for all Enterprise Application Change Management. More information can be found in our Business Technology Change Management handbook page.

IT Security and Compliance Tools

IT Security and Compliance have some tools at our disposal in order to help the company maintain a SAFE and Secure. These tools include a VPN Solution NordLayer and a Google Drive security tool called Nira. Please follow the link above for more information about these tools. If you have any questions about these tools, please reach out in the #it_compliance_security_help Slack channel.