Security Compliance, Commercial Team Page

Security Compliance Mission

Security Compliance (Commercial) Mission:

  1. Enable GitLab to be the most trusted DevSecOps offering on the market, demonstrated by security certifications and attestations.
  2. Achieve, maintain and grow industry-specific security certifications and attestations for GitLab.com.
  3. Identify and mitigate GitLab information security risk through continuous control monitoring of the GitLab.com SaaS offering and key in-scope auxiliary applications and third-party sub-processors.
  4. Enable security to scale through the discovery and application of compliance automation.
  5. Identify and remediate observations to reduce risk and ensure continued maintenance of security certifications and attestations.
  6. Work across industries and verticals to support GitLab customers in their own compliance journey.

Core Competencies

  1. Third Party Security Certifications
    • Gap Analysis Program: feasibility for external certification expansion
    • External Audit coordination and hosting
    • Security Attestations
  2. Observation and Remediation Management
    • Specific to Tier 3 observations
    • Identify control weaknesses and gaps (observations)
    • Provide remediation recommendations and guidance
    • Track remediation to completion
  3. Continuous Control Monitoring of the GitLab Control Framework
    • Compliance production readiness assessment
    • User Access Review Program
    • Business Continuity Plan (BCP) testing
    • Information System Continuity Plan (ISCP) testing
  4. Compliance Automation discovery and implementation
    • Utilizing dogfooding and external tools to continue driving compliance-by-default features within the product and true CCM efforts

Where we work

We primarily work out of the Team-Commercial Compliance group project. This group includes subgroups and projects for:

  • Team information and directory
  • External Certifications
  • User Access Review Program
  • Audit Reports (output of CCM efforts)
  • Gap Analysis Program
  • ISCP and BCP tests and final reports
  • IT General Control Support (ITGC)

Work that overlaps with other teams including Dedicated Compliance can be found in the Security Compliance - All Teams group. This group includes subgroups and projects for:

  • GitLab Control Framework (GCF)
  • Observation Management
  • Security Compliance Intake (production readiness)
  • Third Party Penetration Testing Program
  • Exceptions

We also utilize external tooling including:

  • ZenGRC: control testing and observations
  • Authomize: User access review campaigns

How we work

We strive for transparency whenever possible through the use of non-confidential issues within our group projects and handbook documentation. However, not all of our work is externally visible. In order to continue striving for transparency, we are committed to delivering value to our external customers through community outreach efforts such as blogs, keeping the handbook up to date and providing documentation that demonstrates how we dogfood to meet our security compliance core competencies.

We utilize GitLab Epics and Issues to track projects, deliverables and milestones. We are currently working on uplevelling our internal metrics and reporting through the use of insights charts, issue tasks and automation.

Metrics and Measures of Success

  1. Security Control Risk by System
  2. Security Observations

Contact the Team

Program | DRI | Responsibilities
Security Compliance (Commercial) Team manager | @lcoleman | Establish direction, roadmap and oversight of the team core competencies and owned programs
External Certifications | @madlake | External audit coordination and execution for existing certifications (SOC 2 Type 2, ISO 27001, 27017, 27018)
Observations | @madlake | Observation Program management and metrics, including observation validation, remediation recommendations and progress reporting
User Access Reviews | @alexfrank09 | Oversight of the UAR Program / Automated UAR Tool, including launching UAR campaigns, identifying access changes and removals, campaign ownership, metrics and reporting
Gap Analysis Program | @DanEckhardt | Oversight of the Gap Analysis program and procedures, prioritizing gap analysis requests, gap analysis status tracking and reporting
GitLab Control Framework | @davoudtu | Ongoing GCF review and refinement of applicable controls based on certifications and CCM coverage
BCP and ISCP | @byronboots | DRI for driving and documenting BCP and ISCP activities and remediation
CCM Automation | @byronboots | Stable counterpart for identifying, defining and driving automation activities for the continuous control monitoring program

  • Slack
    • Feel free to tag us with @commerical_compliance
    • The #sec-assurance Slack channel is the best place for questions relating to our team (please add the above tag)
  • Tag us in GitLab
    • @gitlab-com/gl-security/security-assurance/team-commercial-compliance
  • Email
    • security-compliance@gitlab.com
  • Commercial Compliance team project
  • Interested in joining our team? Check out more here!


Access Review Procedure

Purpose: GitLab’s user access review is an important control activity required for internal and external IT audits, helping to minimize threats and provide assurance that the right people have the right access to critical systems and infrastructure. This procedure details process steps and provides control owner guidance for access reviews.

Benefits to the organization:
  • Reduces security risk
  • Identifies dormant and/or disabled accounts
  • Ensures only required team members have access to a system
  • Validates that users who have changed roles have not retained access that is no longer relevant
  • Ensures terminated team members can no longer access company systems
  • Supports GitLab compliance and regulatory requirements, which maintains customer trust

Scope (In-Scope Systems): Security Compliance performs Access Reviews for Tier 1 and Tier 2 systems in scope for our compliance and regulatory programs.
AM.1.01 - Inventory Management Control Guidance

Control Statement: GitLab maintains an inventory of system devices, which is reconciled quarterly.

Context: The purpose of this control is to ensure we are monitoring the systems in use by GitLab. We can’t prove we are protecting all GitLab systems if we don’t have an up-to-date inventory of those systems.

Current status of this control:
  • GitLab team-member endpoints:
    • Team-member workstations are tracked with JAMF endpoint management
    • A Google form sent to all on-boarding team-members records the ownership and serial number of laptops
  • Production systems:
    • Backend system inventories are not maintained, but strong naming conventions exist
    • For GCP, which constitutes most of GitLab’s production architecture, we can evaluate the GCP systems/services, discover new systems, and assign ownership

Scope: This control applies to all GitLab endpoint workstations as well as virtual assets within our hosting providers.
Gap Analysis Program

Purpose: A gap analysis, as it relates to security compliance, refers to an in-depth review that helps organizations determine the difference between the current state of their information security and a given security standard (SOC 2 Type 2 Availability Criteria, ISO 27018, BSIMM, etc.) they might want to adopt or align against. The outcome of completing gap analysis procedures is a report to management covering:
  • What, if any, gaps exist between GitLab’s current state and that new standard
  • A recommendation for whether or not to pursue that new standard
  • The impact of not pursuing that new standard
  • The impact if that new standard is pursued

Scope: The scope of gap analysis procedures performed by the Security Compliance team is limited to information security and compliance-related regulatory standards and frameworks.
GCF Security Control Lifecycle

Process Overview

Purpose: As new GitLab security controls are identified that need to be implemented by the Security Compliance Teams for compliance or regulatory reasons, these controls follow an established process in order to make that implementation successful. These lifecycle phases are managed via GitLab’s governance, risk and compliance (GRC) application, ZenGRC. If your GitLab team is interested in using ZenGRC for your risk and compliance needs, please reach out in the GitLab #sec-assurance Slack channel.
GitLab Security Compliance Controls

Security controls are a way to state our company’s position on a variety of security topics. It’s not enough to simply say “We encrypt data”, since our customers and teams will naturally want to know “What data do we encrypt?” and “How do we encrypt that data?”. When all of our established security controls are operating effectively, this creates a security program greater than the sum of its parts. It demonstrates to our stakeholders that GitLab has a mature and comprehensive security program that will provide assurance that data within GitLab is reasonably protected.
GitLab.com Security Certifications and Attestations

Purpose: In support of our ongoing commitment to information security and transparent operations, the GitLab Security Compliance teams are dedicated to obtaining and maintaining industry-recognized security and privacy third-party certifications and attestations. The benefits from these activities include:
  • For customers:
    • increases visibility and confidence in our information security program
    • increases ease in onboarding and managing GitLab as a vendor
  • For GitLab:
    • ensures we are meeting all requirements of a strong and comprehensive information security program aligned with industry best practices
    • enables our field teams to quickly share the state of our security program with potential and existing customers
    • reduces the need for GitLab’s security team to fill out individual customer security questionnaires or assessments

Scope: Generally, the scope of the items listed on this page include GitLab.
TPM.1.01 - Third Party Assurance Review Control Guidance

Control Statement: A vendor security review is performed at the time of procurement for new third-party vendors. A results report is created detailing the vendor risk level and any observations noted, and the results are considered as part of vendor contracting.

Context: It’s common for companies like GitLab to offload risk and services to third parties; most SaaS companies these days rely heavily on other SaaS products. In order to create a chain of trust, the security controls of any third-party providers GitLab uses need to be validated.
Last modified March 27, 2024: Change shortcode to plain links (7db9c423)