Physical Security Standard for Company Assets
This is a Controlled Document
In line with GitLab’s regulatory obligations, changes to controlled documents must be approved or merged by a code owner. All contributions are welcome and encouraged.
Purpose
This document defines asset management measures and requirements to support the protection of information assets in GitLab’s all remote environment. The measures and requirements noted within the standard are designed to create a secure infrastructure, work environment, and protect sensitive information from physical threats.
Scope
This standard applies to all GitLab team-members, contractors, advisors, and contracted parties interacting with GitLab computing resources and accessing company or customer data.
Roles & Responsibilities
| Role | Responsibility |
|---|---|
| Security Assurance | Responsible for implementing and executing this standard |
| Security Assurance Management (Code Owners) | Responsible for approving significant changes and exceptions to this standard |
| Team Members, Contractors, Advisors, Contracting Parties | Responsible for adhering to the ‘Physical Devices and Location’ requirements of this standard |
Overview
Because GitLab is an all-remote company, physical protection of information assets is organized into defined “security zones”. A security zone is a set of requirements for handling information assets in a given physical location.
GitLab has two distinct security zones:
Infrastructure (for SaaS products)
- Hosted and physically secured by third party service provider(s)
- Adherence to physical security requirements is reviewed annually as part of the Third Party Risk Management (TPRM) review and Complementary User Entity Controls (CUEC) review. This includes confirmation that independent third parties attest to effective physical security procedures including but not limited to:
  - Visitor Management
  - Premises Protection
  - Environmental Security
  - Access Management
Physical Devices and Location
- Laptops are protected through Endpoint Management Procedures and secured through system configurations defined in the IT Security - System Configurations handbook page, which include, but are not limited to:
  - Passwords
  - Screen timeout
  - Encryption
  - Endpoint detection and response
- Utilize trusted networks when available. If you are connecting from an untrusted network such as public Wi-Fi, a guest network, or an unsecured hotspot, you should use a personal VPN. GitLab has selected NordLayer as the preferred provider.
- Implement Clear Desk/Clear Screen requirements.
- Ensure devices are not left unattended in public areas and are locked when not in use: activate a screensaver with password lock, lock the desktop, or close the lid.
- Personal mobile phones and tablets used for work must be passcode protected.
- Sensitive data should not be stored on removable storage devices, such as USB drives or external hard drives. The use of external storage devices with company assets is not sanctioned.
- Printing documents containing sensitive information as defined by the Data Classification Standard is prohibited.
- Secure your data during travel: use a VPN, make sure you are in a secure place where no one can overhear you when discussing restricted data, and lock your device when it is not in use.
- Do not bring company-owned devices to embargoed countries without consulting the Legal Department.
Exceptions
Exceptions to this standard will be tracked as per the Information Security Policy Exception Management Process.
References
- Internal Acceptable Use Policy
- IT Security System Configuration
- Information Security Management System