GitLab oversees the execution of cybersecurity and privacy controls to create appropriate evidence of due care and due diligence, demonstrating compliance by ensuring controls are in place to be aware of and comply with all applicable statutory, regulatory and contractual compliance obligations, as well as internal company standards.
This applies to all GitLab policies and standards that have a direct impact on how GitLab carries out its IT/Security practices.
The specific policies and standards described in the Policy Reference section below are subject to this control.
This control is owned by Security Compliance.
Control Number | Control Title | Control Statement | Goal | TOD | TOE
---|---|---|---|---|---
CPL-01 | Statutory, Regulatory & Contractual Compliance | GitLab Inc. has implemented mechanisms to facilitate the identification and implementation of relevant legislative, statutory, regulatory and contractual security controls. | Does the organization facilitate the implementation of relevant legislative, statutory, regulatory and contractual controls? | 1. Identify policies and procedures responsible for the identification and implementation of relevant legislative, statutory, regulatory and contractual security controls. 2. Examine policies and procedures for: purpose; scope; roles and responsibilities; management commitment; coordination among organizational entities; compliance; and implementation requirements. | 1. Identify applicable federal laws, Executive Orders, directives, regulations, policies, standards, contractual requirements, and guidance. 2. Examine security controls to ensure coverage of applicable federal laws, Executive Orders, directives, regulations, policies, standards, contractual requirements, and guidance.
CPL-02 | Security Controls Oversight | GitLab Inc. has implemented mechanisms responsible for security controls oversight. | Does the organization provide a security controls oversight function? | 1. Inspect security collateral for evidence of assignment of security controls oversight. 2. Interview security leadership to ensure the responsible party has the correct level of authority and autonomy to achieve program objectives. | 1. Examine change control records, or other relevant records, for a sample of security control reviews, updates and management approvals.
CPL-03 | Security Assessments | GitLab Inc. has established mechanisms to ensure team members regularly review controlled documents within their area of responsibility for accuracy and adherence to appropriate security policies, standards and other applicable requirements. | Does the organization ensure managers regularly review the processes and documented procedures within their area of responsibility to adhere to appropriate security policies, standards and other applicable requirements? | 1. Examine organizational policies and procedures for the requirements and frequency of controlled document review. | 1. Pull a population of all controlled documents. 2. Inspect a sample of controlled documents for evidence that they are reviewed and approved in accordance with the TOD.
CPL-04 | Audit Activities | GitLab Inc. has implemented mechanisms to plan and execute compliance audits that minimize the impact of audit activities on business operations. | Does the organization plan audits that minimize the impact of audit activities on business operations? | 1. Examine security documentation for a security assessment plan for the information systems. 2. Examine the security assessment plan for a description of the scope of the assessment, including: security controls and sub-controls under assessment; assessment procedures to be used to determine security control effectiveness; and assessment environment, assessment team, and assessment roles and responsibilities. | 1. Obtain a population of audit activities performed during the period. 2. Examine the audit activities for evidence that they are executed in accordance with the TOD.