Corporate Security (CorpSec)

👋 Welcome to Corporate Security, we’re glad you’re here! You may also know us as the former IT Operations team that moved from the Finance to Security division in early 2024.

Need Help?

Please try exploring the following pages to see if your question has been answered in the handbook pages. If not, please ask in the #it_help channel and one of our Support Analysts will reply as soon as possible.

What We Do

Mission

Security Division Mission

As a remote company, we do not have office buildings, physical datacenters, or other traditional IT environments. All of our team members are issued a laptop that they use to work from home or on the road. Although our engineering and product teams are building software that is deployed on AWS and GCP, almost all of our corporate software is vendor-managed software-as-a-service (SaaS). Although this results in a simpler physical threat landscape, the cybersecurity threat landscape is vast and still requires a lot of attention to get right.

Our mission is to empower our employees to be productive with the technology provided by the business, enable the business to be successful, protect our customers and their data, and provide internal security for GitLab (the company) and our team members’ use of GitLab (the product).

GitLab is both a company and a product. The Corporate Security department focuses on protecting the technology that the company uses to conduct business internally, and provides the hardware, software, and tools that our team members need to get their job done. We have a 24x5 technical support helpdesk for team members and have engineers that configure and maintain many of our company-wide tech stack applications. We also invest heavily in device trust and identity management to provide the highest level of security assurance for the administrators of our product and ensure all appropriate controls are in place when handling customer data.

Prime Directive

  • Safeguard our organization’s digital assets, ensuring the integrity, confidentiality, and availability of all data.
  • Implement robust security measures, fostering a culture of awareness and compliance among employees, and continuously monitoring and enhancing our information technology systems to protect against evolving threats.
  • Leverage the GitLab platform (dogfooding) to assist us in the securing of GitLab.
  • Provide reliable, secure and efficient IT and Security engineering, innovation, and services with Zero Trust principles to support cross-functional organizational goals.

Scope

  • Architecting next-generation automation and integration between security-related systems that provides data consistency, reliability, strong security, and auditability.
  • Building relationships with cross-department system owners and proposing solutions to ensure our tech stack applications conform to our latest security best practices
  • Consolidating and refactoring legacy tech debt
  • Designing processes and choosing software tools that improve back office automation or mitigate security risks
  • Escalation engineering and crisis response for leadership teams
  • Factor in cost, security, compatibility, maintainability and user experience when making decisions
  • Growing other team members’ skill sets through mentorship to improve operational efficiency and encourage professional development
  • Handbook documentation for processes and systems architecture
  • Identity and access management (IAM)
  • Joint collaboration with process and system owners across the company for improving automation efficiency, security posture, and vulnerability management
  • Keeping leaders and stakeholders informed of next-gen initiatives and contributing to creating automated analytics for day-to-day IT and Security operations
  • Leading innovation opportunities between several teams with a willingness to experiment and to boldly confront problems of large complexity and scope
  • Making technical decisions on behalf of the department and organization while providing presentation support to leaders during technical discussions
  • New tech stack (vendor) application onboarding and provisioning
  • Onboarding provisioning, offboarding deprovisioning
  • Policy and configuration management for organization-wide applications and systems that we manage
  • Role-based access control (RBAC)
  • Shipping laptops to new team members and refreshing older models
  • Tech support for team members and temporary service providers
  • User experience and productivity optimization for internal software and tools
  • Vulnerability and malware risk mitigation
  • Workflow automation for employee lifecycle
  • X-Men, we are. Always be saving the day with a smile on your face!
  • Yesterday’s problems are tomorrow’s opportunities for iteration
  • Zero trust implementation

Direction and Strategy

Services

Engineering

Who We Are

See the Team Directory.

Contact Us

  • Tier 1 Self Service
  • Tier 2 Helpdesk Support
  • Tier 3 Escalation and Systems Engineering
  • Tier 4 Automation Engineering
  • Tier 5 Architecture and Crisis Management
  • CorpSec Issue Tracker
  • Engineers and System Owners - See CorpSec Systems for GitLab group handle and Slack group handle.
    • #corpsec Slack Channel (for technical support, please ask in #it_help)
  • Helpdesk Team
    • #it_help Slack Channel
    • @it-help Slack group
    • it-help [at] gitlab [dot] com
    • @gitlab-com/gl-security/corp/services
  • Management Team
    • @gitlab-com/gl-security/corp/managers
    • Tag the respective functional team manager or director in Slack.
      • Director - Steve Manzuik
      • Program Management - Steve Manzuik, Kim Waters
      • Device Trust - Eric Rubin
      • Helpdesk Support - Michael Beltran
      • Infrastructure - Jeff Martin
      • Laptops and Logistics - Michael Beltran
      • Onboarding and Offboarding Day-to-Day Operations (Helpdesk Services) - Michael Beltran
      • Onboarding and Offboarding Policy and Strategy (Identity Engineering) - David Zhu
      • Platform Engineering (Custom Software Development) - Jeff Martin
      • SaaS Engineering - David Zhu, Eric Rubin
      • Sensitive Data or Employment Requests - Michael Beltran

Corporate Security (CorpSec) Support
As GitLab has grown organically, several departments and functional groups have their own System Administrators (“Tech Stack App/System Owners”) that handle day-to-day management of the tech stack applications that are specific to that department or functional group, within the framework of organization-wide compliance, infrastructure, and security best practices. Each tech stack application at GitLab has a System Owner that is the DRI for handling the implementation and day-to-day operational support for the team members that utilize that application (in their department or functional group).
CorpSec Direction
Thank you for your interest in the direction of Corporate Security. See the internal handbook for our direction and roadmap with OKRs.
CorpSec Engineering
The Engineering team members are organized functionally based on the category of tech stack applications that we manage.
System Owners (columns: Functional Team, Systems, Managers, Engineers)
(Corporate) SaaS Engineering 1Password GitLab.com IAM Policies Google Apps Google Calendar Google Drive Google Groups Google Mail Google Users Google Workspace (Org) Nira Okta Applications Okta Groups Okta Users Okta Workflows Service Accounts Slack Zoom EM David Zhu EM Eric Rubin PM Kim Waters Staff Mark Loveless Adam Huss
CorpSec Services
This is a placeholder page. Please see the links below for any child pages that exist.
CorpSec Systems and Tech Stack
The Corporate Security department provides configuration management engineering and tech support helpdesk services for team members and temporary service providers (aka contractors, vendors, etc.) for the company-wide systems that we manage. The systems directory provides a list of all of our systems with quick reference links to administration runbooks, end user documentation, issue templates, mentionable groups, and tags that are used in GitLab epics, issues, and merge requests.
CorpSec Team Directory
The Corporate Security department provides tech support helpdesk services for team members and temporary service providers (aka contractors, vendors, etc.), and configuration management engineering for the company-wide systems that we manage.
Team Directory (columns: Team Member, Identity, Roles, Group Tags)
  • Adam Huss, AMER, ahuss, @adamhuss, corpsec_eng_device_trust, corpsec_eng_saas, @gitlab-com/gl-security/corp/team/device-trust, @gitlab-com/gl-security/corp/team/saas
  • Alex Krusiec, AMER, akrusiec, @akrusiec, corpsec_svc_helpdesk, @gitlab-com/gl-security/corp/team/helpdesk
  • Bruno Ferreira, EMEA, bferreira, @bruno.n.ferreira, corpsec_svc_helpdesk, @gitlab-com/gl-security/corp/team/helpdesk
  • Clayton Shank, AMER, cshank, @cshankgitlab, corpsec_eng_device_trust, corpsec_eng_saas, @gitlab-com/gl-security/corp/team/device-trust
How We Work
This is a placeholder page. Please see the links below for any child pages that exist.