The GitLab security awareness training program provides ongoing training to GitLab team members that enhances their knowledge and identification of cybersecurity threats, vulnerabilities, and attacks. Security awareness training is provided by ProofPoint, GitLab's third-party provider, and helps satisfy external regulatory requirements and bolster customer assurance.
Security awareness training is an integral part of GitLab's overall security strategy. The Security Governance team uses ProofPoint to deliver training campaigns designed to give GitLab team members the information they need to protect themselves and GitLab from loss or harm, highlight their role in securing GitLab on a daily basis, and empower them to make the right decisions using security best practices.
New Hire security awareness training is required to be completed during onboarding. Annual security awareness training will occur in the second quarter of each fiscal year. Additional role-based awareness training may be assigned as needed. Prior to the security awareness training taking place, a general notification to the GitLab organization will be posted to the #whats-happening-at-gitlab Slack channel.
The successful completion of new hire and annual security awareness training is a compliance requirement for GitLab, Inc. As part of these requirements, 100% of active GitLab team members, contractors/Temporary Service Providers (TSPs), and others with access to Red, Orange and Yellow data are required to successfully complete this training.
Exceptions will be made for any individuals on extended leave at the time the campaign is launched. Upon their return from extended leave, they will be added to a catch-up campaign at a later date.
Contractors/TSPs that are able to show evidence of equivalent training completion within the calendar year will also be marked as an exception to the campaign.
For annual security awareness training, all team members hired prior to May 1 of the current year will receive an email via ProofPoint from GitLab Security (awareness@securityeducation.com) containing a link to access the training(s). GitLab team members hired after May 1 of the current year will have undergone New Hire security orientation training as part of their onboarding and therefore will not be required to take the annual security awareness training until the following year.
An additional Secure Coding training module must also be completed by 100% of active GitLab team members and contractors/TSPs who write code as part of their role.
By default, GitLab team members within the Engineering Department and the sub-departments of Cost of Sales, Development, Incubation Engineering, Infrastructure and Quality whose titles include "Engineer" or "Developer" AND who write code as part of their role (including Infrastructure-as-Code) will be assigned the additional training.
Other departments outside of Engineering, such as Finance and Marketing, also include team members who write code, and they will be required to complete the training as well.
Internal Contractors/TSPs (with a GitLab email address) and external Contractors/TSPs (non-GitLab email address) that have access to production data are required to complete new hire security training during onboarding and the annual security awareness training thereafter.
Internal contractors/TSPs will be assigned training via ProofPoint. External contractors/TSPs will be sent an email with a training video and handbook links to review.
Contractors/TSPs that do NOT have access to any internal systems or sensitive data are NOT required to complete GitLab's annual training. However, they must complete training during onboarding.
Contractors/TSPs that have been offboarded are not required to complete training, but an offboarding issue must be provided as proof of termination.
Contractors/TSPs that are able to show evidence of equivalent training completion within the calendar year will be marked as an exception to the campaign. An exception request must already exist or be created.
People Ops and Security Governance are collaborating to create an automated process to mark exceptions for team members who are on extended leave. However, as this is currently a manual process, the list may not be real-time. The report is provided one week prior to the launch of the training campaign, and the team members included on the report will be removed from the current training campaign and marked as an exception.
If a team member is not able to complete their training by the active campaign due date, an exception request is required to be submitted and acknowledged by People Ops. The team member will be marked as an exception and removed from the active campaign.
If you are a manager and are notified that one of your direct reports has not completed training, but they are on extended leave, please submit an exception request, tag @sec-governance, and provide an update. We will follow the correct procedure to remove the team member from the active campaign.
The security awareness training(s) have been limited to 30 minutes in an effort to get the best return on security investment from team members' time.
Security awareness training is a critical component of GitLab's security program and key to ensuring that GitLab team members are continuously educated in security core competencies.
A GitLab-customized, handbook-first training is provided via ProofPoint. To receive full credit, both the training and the annual policy reviews must be completed; these are used to assess what you have learned.
/security Slack command
Team members will have up to 15 days to complete the training. If the training is not completed, Security Governance will send weekly reminder notifications requesting completion of the training.
If required, we will report incomplete assigned trainings to managers for help with completion, escalating to VPs where necessary. Demonstrating a completed training supports compliance with the security awareness training program and our regulatory requirements.
We are required to reach 100% participation for regulatory purposes. Team members who do not complete training within the required timeframe (excluding approved exceptions) may have their access disabled until the training has been completed. Further penalties may be applied on a case-by-case basis.
The Security Governance team will track the annual security awareness training completion metrics and publish them in a GitLab Issue. Once the training campaign has completed, the Security Governance team will provide results in the Security Awareness Training Program project.
Why are we using an external vendor?
How will I access training?
Why was I chosen?
I just took New Hire training, why do I have to take it again?
I don't want to be included, how do I remove myself?
Will my training status be posted publicly?
How can I provide feedback on my experience?
Please reach out to the Security Governance Team!