Security Compliance Team

1. You are here:
2. Engineering
3. Security
4. Security Assurance
5. Security Compliance Team

On this page

• Security Compliance Mission
• Core Competencies
• Metrics and Measures of Success
• Program DRI's
• Contact the Team
• References

Security Compliance Mission

It is the goal of the GitLab Security Compliance team to:

1. Enable GitLab sales by providing customers information and assurance about our information security program and remove security as a barrier to adoption by our customers.
2. Enable security to scale through the definition of security controls and determining the boundaries and applicability of the information security management system to establish its scope.
3. Work across industries and verticals to support GitLab customers in their own compliance journey.
4. Identify and mitigate GitLab information security risk through continuous control monitoring and automation.

Core Competencies

A member of the Security Assurance organization, these are the primary functions of the Security Compliance team:

1. Internal Security Compliance Audit
   • GCF Continuous Control Monitoring
   • Continuous Control Monitoring Automation
   • User Access Reviews
   • Business Continuity Plan (BCP) and Information System Continuity (ISCP) testing
2. Security Certifications
   • External Audits (e.g. SOC 2, SOC 3, ISO, etc.)
   • Gap Assessments/Readiness Assessments
3. Observation and Remediation
   • Security Control Testing Activities (CCM)
   • Internal Audit Activities
   • Third Party Risk Management (TPRM) Activities
   • Customer Assurance Activities
   • External Audits
   • Third Party Application Scanning
   • Ad-hoc Observations
   • Gap Assessment Activities

Metrics and Measures of Success

1. Security Control Health
2. Security Observations

Program DRI's

Program	DRI	Responsibilities
GitLab's Security Control Framework (GCF)	@jburrows001	Establishment, monitoring, and iteration of the GCF control set
Observations	@lcoleman	Management overview of the Observation Program including observation documentation, workflows and observation assignment
SOC	@madlake	SOC preparation and documentation, external audit hosting, remediation activities
ITGC	@byronboots	ITGC Handover and automation improvements, external audit hosting, remediation activities
ISO	@lcoleman	ISO preparation and documentation, external audit hosting, remediation activities
User Access Reviews	@alexfrank09	Oversight of UAR Program/ Automated UAR Tool to help minimize threats and provide assurance that the right people have access to critical systems and infrastructure
Gap Analysis	@DanEckhardt	Overseeing & iterating on gap analysis program/procedures, review/assignment of gap analysis requests, gap analysis status tracking

Contact the Team

• Slack
  • Feel free to tag is with @sec-compliance-team
  • The #sec-assurance slack channel is the best place for questions relating to our team (please add the above tag)
• Tag us in GitLab
  • @gitlab-com/gl-security/security-assurance/security-compliance-commercial-and-dedicated/sec-compliance
• Email
  • security-compliance@gitlab.com

• GitLab Security Compliance team project

• Interested in joining our team? Check out more here!

References

• Security Certifications
• GCF Security Control Lifecycle
• GCF Secrity Controls
• User Access Reviews
• Observation Methodology
• Gap Analysis Program