GitLab performs an annual security operational risk assessment to identify risks impacting security. The assessment considers internal and external security risk factors, fraud risk, and the impact of changes to the system. Results from the assessment are compiled into an annual report that is reviewed by management. Each identified security risk is risk rated, assigned to a risk owner, and tracked through to risk treatment completion or formal risk acceptance.
Security operational risk assessments are important because they identify, prioritize, and help track the treatment of security risks to GitLab. The purpose of this control is to have a formalized annual security operational risk assessment process for risk identification, analysis, and treatment.
The security operational risk assessment is performed at a level of precision that allows for the identification of security risks across the organization.
Non-public information about this security control, as well as links to the work associated with the various phases of the project, can be found in the Risk Assessment control issue.
Examples of evidence an auditor might request to satisfy this control: