This is a Controlled Document
In line with GitLab's regulatory obligations, changes to controlled documents must be approved or merged by a code owner. All contributions are welcome and encouraged.
Security training and awareness is key to ensuring that GitLab team members are continuously provided with user education activities and exercises about evolving threats, compliance obligations and secure workplace practices. These activities refine and improve their awareness so that they stay vigilant and trained in core security competencies.
This procedure applies to all GitLab team members, contractors, consultants, vendors and other service providers that handle, manage, store or transmit GitLab data in support of GitLab's statutory, regulatory and contractual requirements.
| Role | Responsibility |
|------|----------------|
| GitLab Team Members | Responsible for following the requirements of this procedure |
| Security Governance Team | Responsible for managing and executing the security trainings and programs outlined in this procedure |
| Security Governance Management | Responsible for oversight, escalation and approval of exceptions for this procedure |
| Security Assurance Management (Code Owners) | Responsible for approving significant changes and exceptions to this procedure |
All GitLab team members are required to participate in New Hire Security Training, Annual General Security Awareness Training, and ongoing phishing simulations and training. Security trainings that require participation include the following:
Security awareness training is provided by ProofPoint, GitLab's third-party provider, and requires participation and completion by all GitLab team members.
New Hire Security training is required to be completed by all GitLab team members during their onboarding at GitLab. This security training provides new hires with the knowledge to identify cybersecurity threats, vulnerabilities and attacks.
Annual Security Awareness Training provides ongoing training to GitLab team members that enhances their knowledge and identification of cybersecurity threats, vulnerabilities and attacks, while also satisfying external regulatory requirements and bolstering customer assurance.
The GitLab Phishing Training Program is designed to educate GitLab team members and evaluate GitLab's ability to detect and prevent phishing attempts. Ongoing phishing simulations and trainings are conducted at a minimum once per quarter by ProofPoint, GitLab's third-party provider, and require participation and completion by all assigned GitLab team members.
Remember: See something, say something and always report via PhishAlarm.
To maintain our culture of security and transparency, and to minimize the risk to our sensitive data and our customers, GitLab team members are encouraged to complete Data Classification Training to help understand the different types of data at GitLab and how to keep it SAFE. This is a recommended training.
The GitLab Secure Coding Training is a required training completed by a sub-group of individuals in the Engineering Department. This training contains descriptions of, and Secure Coding Guidelines from, OWASP (Open Web Application Security Project) for addressing security vulnerabilities commonly identified in the GitLab codebase. This training is intended to help developers identify potential security vulnerabilities early, with the goal of reducing the number of vulnerabilities released over time.
An updated version of Secure Coding Training is currently being developed and will be provided by ProofPoint, GitLab's third-party provider.
As our Security Training Program matures, additional trainings will be identified and added.
Exceptions to this procedure will be tracked as per the Information Security Policy Exception Management Process.