Critical systems are monitored in accordance to predefined security criteria and alerts are sent to authorized personnel. Confirmed incidents are tracked to resolution.
Having standards for security configurations and performance is useless without the ability to detect deviations from those standards. This control requires all critical systems to be monitored to ensure those systems are configured and performing the way we intend. If this monitoring identifies a security incident, this control also requires us to manage that incident fully until it is marked as resolved. To test this control, review relevant issues in the Security Operations issue tracker. This testing is sufficient because it shows security incidents are being reported on, acknowledged, handled, and closed appropriately by authorized team members.
This control applies to all systems within our production environment. The production environment includes all endpoints and cloud assets used in hosting GitLab.com and its subdomains. This may include third-party systems that support the business of GitLab.com.
It is up to us as a company to define what criteria we use for this monitoring and how an incident is defined. This control simply holds GitLab accountable for fully monitoring systems and managing resulting incidents.
Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the System Security Monitoring control issue.
Examples of evidence an auditor might request to satisfy this control: