This page provides an overview of the various ZenGRC Activities that are carried out by the Security Assurance sub department. Additionally, this page will also provide information on when stakeholders outside of the Security Assurance sub department may engage with ZenGRC.
The Field Security team utilizes the following ZenGRC objects:
All activities related to the StORM program are executed exclusively within ZenGRC. There may be instances where the identification of a risk occurs on GitLab.com (e.g. incident issues, internal issues where security concerns are raised which may be an indicator of risk, etc.) and in these cases, the Risk & Field Security team will review the related details within GitLab and subsequently create a new risk record within ZenGRC for assessment. The wide variety of activities related to StORM that are carried out in ZenGRC include but are not limited to:
All activities related to TPRM begin in either a GitLab TPRM Issue or Coupa. Management of all phases of the third party risk management program is done via ZenGRC using the following objects:
The GitLab Security Compliance team manages all phases of the security control lifecycle via ZenGRC using the following objects:
Observations (aka: findings, exceptions, issues, deficiencies, Tier 3 operational risks) are recorded and managed within ZenGRC. This allows the Security Compliance team to map those observations out to any and all related systems, control assessments, vendors, etc. as well as capture meaningful data about the current state of our observation management program and program operating metrics.
Project-based work, Quarterly OKR work, and Ad-Hoc workstreams are all captured within ZenGRC tasks assigned to individual members of the Security Compliance team.
The Security Governance team manages the overall administrative activities on ZenGRC objects:
The Security Governance Team manages the review of all controlled documents confirming all controlled documents are unified and reviewed annually.
Controlled Documents identified as policies/procedures/standards reside within the ZenGRC Policies object and will be mapped to control assessments to identify which assessments rely on which policies/procedures/standards.
The Security Assurance Team may periodically engage stakeholders that are outside of the sub department using ZenGRC. The various activities that the sub department may engage stakeholders on can be found below. SlackBot will alert users when they are assigned a task or tagged in a comment within ZenGRC. Additionally, daily to-do emails are sent to users with a list of tasks assigned in ZenGRC.
Stakeholders may occasionally be engaged to complete a ZenGRC questionnaire. Questionnaires are utilized for various reasons, such as helping to gather and collect data to establish GitLab's Risk Appetite and Tolerance year over year. The Security Assurance Team utilizes the native questionnaire functionality within ZenGRC because it provides mechanisms to automatically calculate risk scores and thresholds based on responses.
Should any team member be engaged to complete a questionnaire from ZenGRC, an example of the email that the team member will receive can be found below.
In order to complete the questionnaire, team members should perform the following steps:
Team members will be presented with the questionnaire. Provide responses to each question until the final question is completed.
Instead of a "submit" button once the final question is answered, team members will see a "summary" button and will need to click on it. This screen provides a summary of all of the responses that were provided, for the team member to review. The final "submit" button can be found on the summary screen.
Submit the questionnaire. A confirmation screen will be presented.