GitLab deploys control activities through policies and standards that establish what is expected and procedures that put policies and standards into action. The purpose of this procedure is to ensure that there is consistency in developing and maintaining controlled documents at GitLab utilizing a hierarchal approach for managing legal and regulatory requirements.
There are two types of documentation at GitLab:
Everyone at GitLab is welcomed and encouraged to submit an MR to create or suggest changes to controlled documents at any time.
This procedure applies to all controlled documents developed in support of GitLab's statutory, regulatory and contractual requirements. Uncontrolled documents are dynamic in nature and not in scope of this procedure.
|Security Compliance Team||Responsible for implementing and maintaining Security Policies and oversight of supporting standards and procedures as part of ongoing continuous control monitoring|
|Security Assurance Management||Responsible for approving changes to this procedure|
|Control Owners||Responsible for defining and implementing procedures to support Security policies and standards|
At minimum, controlled documents should cover the following key topic areas:
Creation of, or changes to, controlled documents must be approved by management, or a formally designated representative, of the owning department as defined in the Code Owners file prior to publishing.
Most controlled documents will be published to our publicly facing handbook, however if there is non public data included in the documentation it should be published via an internal facing only mechanism, e.g. an internal GitLab project or internal only handbook page. Controlled documents should be accessible to all internal team members.
Controlled documents are required to be reviewed and approved on a minimum of an annual basis and may be updated ad hoc as required by business operations.
Exceptions to controlled documents must be tracked and approved by the controlled document approver(s) via an auditable format. Exception process should be defined in each controlled document.
Exceptions to this procedure will be tracked as per the Information Security Policy Exception Management Process.