Critical systems are monitored in accordance to predefined availability criteria and alerts are sent to authorized personnel.
This control is related to GitLab control # SYS.3.01 (Availability Monitoring Alert Criteria). The purpose of this control is to ensure that there is monitoring and alerting based on that availability criteria. This control is meant to create actionable information from the uptime/availability thresholds we have established for ourselves. The idea is to clearly state what our availability requirements are and then hold ourselves accountable to those requirements.
This control applies to all systems within our production environment. The production environment includes all endpoints and cloud assets used in hosting GitLab.com and its subdomains. This may include third-party systems that support the business of GitLab.com.
The particular tooling used isn't as important as the use of those tools being applied consistently across production and there being documented process of its use. This control can be tested by viewing the availability monitoring tool dashboards. To validate availability monitoring for a specific day, the dashboard can be filtered by day.
Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the System Availability Monitoring control issue.
Examples of evidence an auditor might request to satisfy this control: