This is a Controlled Document
In line with GitLab's regulatory obligations, changes to controlled documents must be approved or merged by a code owner. All contributions are welcome and encouraged.
Security training and awareness is key to ensuring that GitLab team members continuously receive user education activities and exercises on evolving threats, compliance obligations and secure workplace practices, so that they refine and improve their awareness, stay vigilant and remain trained in core security competencies.
This procedure applies to all GitLab team members, contractors/Temporary Service Providers (TSPs), consultants, vendors and other service providers that handle, manage, store or transmit GitLab data in support of GitLab's statutory, regulatory and contractual requirements.
Role | Responsibilities |
---|---|
GitLab Team Members | Responsible for following the requirements of this procedure |
Security Governance Team | Responsible for managing and executing the security trainings and programs outlined in this procedure |
Security Governance Management | Responsible for oversight, escalation and approval of exceptions for this procedure |
Security Assurance Management (Code Owners) | Responsible for approving significant changes and exceptions to this procedure |
All GitLab Team Members and contractors/TSPs are required to participate in GitLab's General Security Awareness Training, New Hire Security Training and ongoing phishing simulations and training, or to show evidence of completing equivalent training within the calendar year. Security trainings that require participation include the following:
New Hire Security Training must be completed by all GitLab Team Members and contractors/TSPs during their onboarding at GitLab and annually thereafter. This training gives new hires the knowledge to identify cybersecurity threats, vulnerabilities and attacks.
The GitLab security awareness training program provides ongoing training to GitLab team members that enhances their knowledge and identification of cybersecurity threats, vulnerabilities and attacks, while also satisfying external regulatory requirements and bolstering customer assurance. GitLab's handbook-first General Security Awareness Training is provided annually via ProofPoint, GitLab's third-party provider, and requires participation and completion by all GitLab Team Members and contractors/TSPs.
Exceptions during the active campaign will be made for GitLab team members on extended leave.
The GitLab Phishing Training Program is designed to educate team members and to evaluate GitLab's ability to detect and prevent phishing attempts. Ongoing phishing simulations and trainings are conducted at least once per quarter via ProofPoint, GitLab's third-party provider, and require participation and completion by all assigned GitLab Team Members and contractors/TSPs.
Remember: See something, say something and always report via PhishAlarm.
To maintain our culture of security, transparency and to minimize the risk to our sensitive data and our customers, GitLab team members are encouraged to complete Data Classification Training to help understand the different types of data at GitLab and how to keep it SAFE. This is a recommended training.
The GitLab Secure Coding Training is a required training completed by a sub-group of GitLab Team Members and contractors/TSPs in the Engineering Department. This training contains descriptions of, and Secure Coding Guidelines for, the OWASP (Open Web Application Security Project) vulnerability categories commonly identified in the GitLab codebase. It is intended to help developers identify potential security vulnerabilities early, with the goal of reducing the number of vulnerabilities released over time.
GitLab's handbook-first Secure Coding Training is provided via ProofPoint, GitLab's third-party provider.
Exceptions during the active campaign will be made for GitLab team members on extended leave.
As our Security Training Program matures, additional trainings will be identified and added.
Exceptions to this procedure will be tracked as per the Information Security Policy Exception Management Process.