Security Compliance Teams

1. You are here:
2. Handbook
3. Security at GitLab
4. Security Assurance
5. Security Compliance Teams

On this page

• Security Compliance Mission
• Roles & Responsibilities
• Goals
• Scope
• Strengths and Skills
• Metrics and Measures of Success
• Program DRI's
  • Commercial Program DRI's
  • Dedicated Program DRI's
• Contact the Team
• References

Security Compliance Mission

It is the goal of the GitLab Security Compliance teams to:

1. Enable GitLab sales by providing customers information and assurance about our information security program and removing security as a barrier to adoption by our customers.
2. Enable security to scale through the definition of security controls and determine the boundaries and applicability of the information security management system to establish its scope.
3. Work across industries and verticals to support GitLab customers in their own compliance journey.
4. Identify and mitigate GitLab information security risk through continuous control monitoring and automation.

Roles & Responsibilities

A member of the Security Assurance organization, these are the primary functions of the Security Compliance teams:

• Second line of defense to support and hold accountable our business and process owners
• Provide documentation as an output of our work
• Be compliance translators/guides/customer service reps to GitLab team members
• Programs include:
  • Continuous Control Monitoring via our GCF Security Controls
  • Observation Remediation
  • User Access Reviews
  • Business Continuity Plan (BCP) and Information System Continuity Plan (ISCP) testing
  • External Security Audit Management
  • Gap Assessments

Goals

• Enable Sales
• Build and maintain customer trust
• Reduce risk
• Strong documentation inside and outside of our team
• Successful security audits
• Support data-driven security/risk decisions

Scope

• Operate the following programs as they relate to the implementation and operation of security controls:
  • Continuous Control Monitoring
  • Observation Remediation
  • User Access Reviews
  • BCP/ISCP
  • External Security Audit Management
  • Gap Assessments

Strengths and Skills

• Effectively and efficiently test security controls
• Breaking complex compliance requirements into manageable, understandable, and actionable pieces
• Supporting fellow Compliance Engineers
• Communication (sync and async)
• GitLab product experts
• Managers of One

Metrics and Measures of Success

1. Security Control Health
2. Security Observations

Program DRI's

Commercial Program DRI's

Program	DRI	Responsibilities
GitLab's Security Control Framework (GCF)	@lcoleman	Establishment, monitoring, and iteration of the GCF control set
Observations	@madlake	Management overview of the Observation Program including observation documentation, workflows and observation assignment
SOC	@madlake	SOC preparation and documentation, external audit hosting, remediation activities
ITGC	@byronboots	ITGC Handover and automation improvements, external audit hosting, remediation activities
ISO	@lcoleman	ISO preparation and documentation, external audit hosting, remediation activities
User Access Reviews	@alexfrank09	Oversight of UAR Program/ Automated UAR Tool to help minimize threats and provide assurance that the right people have access to critical systems and infrastructure
Gap Analysis	@DanEckhardt	Overseeing & iterating on gap analysis program/procedures, review/assignment of gap analysis requests, gap analysis status tracking

Dedicated Program DRI's

Program	DRI	Responsibilities
GitLab Dedicated	@dchangkuon	Continuous monitoring, gap assessments, and external audit coordination (e.g. SOC 2 Type 2).
FedRAMP Information System Security Officer (ISSO)	@niben01	FedRAMP Vulnerability Deviation Requests, monthly Plan of Action & Milestone reporting, and security compliance oversight
FedRAMP Continuous Monitoring Program	@kbray	Continuous monitoring improvements, significant change identification, and compliance documentation maintenance

Contact the Team

• Slack
  • Feel free to tag is with @commerical_compliance or @sec-compliance-team to reach the entire Security Compliance team
  • The #sec-assurance slack channel is the best place for questions relating to our team (please add the above tag)
• Tag us in GitLab
  • @gitlab-com/gl-security/security-assurance/security-compliance-commercial-and-dedicated/sec-compliance
• Email
  • security-compliance@gitlab.com

• GitLab Security Compliance team project

• Interested in joining our team? Check out more here!

References

• Security Certifications
• GCF Security Control Lifecycle
• GCF Security Controls
• User Access Reviews
• Observation Methodology
• Gap Analysis Program