Enabling strategic, cost-effective, and risk-based decisions through proactive identification, management, and transparent reporting of operational risks impacting GitLab's security posture.
A Tier 2 Operational Risk Management program which focuses on the identification, assessment, tracking, and overall management of operational security risks across the organization. Check out the StORM Program & Procedures handbook page for additional details, including a quick introduction to Risk Management at GitLab as well as information about the purpose, scope, and specific procedures executed as part of the program.
Need to communicate a potential risk to the team?
Please refer to the communication section of the StORM Program & Procedures page for information on the various ways that team members can use to escalate potential risks to the Security Risk Team.
Every system at GitLab is assigned a critical system tier. The Security Risk Team owns the tiering methodology that establishes each system's tier. For more information about the methodology and inputs utilized to determine tiering, refer to the Critical Systems Tiering Methodology handbook page.
On an annual cadence, the Security Risk Team conducts a BIA over systems utilized across GitLab. The data collected as part of this process is used to ensure that various data sources, such as system inventories, are continuously maintained and up-to-date. For more information about the BIA process and procedures, refer to the Business Impact Analysis handbook page.
The TPRM Program is focused on identifying and assessing the incremental security risk impact that may develop over the lifecycle of GitLab's relationship with various third parties. Additional information on the scope of these reviews, including the various third parties subject to this program, can be found on the Third Party Risk Management handbook page.
| Team Member | Role |
|---|---|
| Ty Dilbeck | Manager, Security Risk |
| Darren Lamison-White | Senior Security Risk Engineer |
| Kyle Smith | Senior Security Assurance Engineer |
| Eric Geving | Security Assurance Engineer |
security-risk@gitlab.com@security-risk@gitlab-com/gl-security/security-assurance/security-risk-team