A data classification policy is in place to establish a framework for classifying, securing and handling data. The policy is available in the Employee Handbook to all internal and external system users and reviewed and approved by management annually.
This control demonstrates that a data classification policy is currently in place, available, and reviewed annually. It provides classification coverage and handling requirements for various data levels.
The GitLab Data Classification Policy applies to all data handled, managed, stored, or transmitted by GitLab and GitLab team members, including that which is submitted to GitLab Support as part of a support request.
The policy outlines proper handling and storage requirements for various data classification levels.
Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in this control issue.
Examples of evidence an auditor might request to satisfy this control: