GitLab performs account and access reviews quarterly; corrective action is taken where applicable.
Access review is often viewed as a pain, but it's among the easiest ways to secure an environment. Many other security controls depend on the assumption that only authorized individuals have access to production systems. This control is meant to capture any deficiencies in our access provisioning and de-provisioning processes.
This control applies to all individuals and groups with access to the GitLab production environment. This can include access to any system that in turn interacts with GitLab's production environment.
For detailed implementation guidance relevant to GitLab team-members, refer to the full guidance documentation.
For all reference links relevant to this control, refer to the full guidance documentation.
For examples of evidence an auditor might request, refer to the full guidance documentation.