Physical Security Standard for Company Assets
This is a Controlled Document
In line with GitLab’s regulatory obligations, changes to controlled documents must be approved or merged by a code owner. All contributions are welcome and encouraged.Purpose
This document defines asset management measures and requirements to support the protection of information assets in GitLab’s all remote environment. The measures and requirements noted within the standard are designed to create a secure infrastructure, work environment, and protect sensitive information from physical threats.
Scope
This standard applies to all GitLab team-members, contractors, advisors, and contracted parties interacting with GitLab computing resources and accessing company or customer data.
Roles & Responsibilities
| Role | Responsibility |
|---|---|
| Security Assurance | Responsible for implementing and executing this standard |
| Security Assurance Management (Code Owners) | Responsible for approving significant changes and exceptions to this standard |
| Team Members, Contractors, Advisors, Contracting Parties | Responsible for adhering to the ‘Physical Devices and Location’ requirements of this standard |
Overview
As an all remote company, physical protection of information assets can be broken out into a defined “security zone”. Security zones are defined as requirements for the handling of information assets in their physical location.
GitLab has two distinct security zones:
Infrastructure (for SaaS products)
-
Hosted and physically secured by third party service provider(s)
-
Adherance to physical security requrements reviewed annually as part of the Third Party Risk Management (TPRM) review and Complementary User Entity Contro (CUEC) review. This includes confirmation that independent third parties attest to effective physical security procedures including but not limited to:
- Visitor Management
- Premises Protection
- Environmental Securities
- Access Management
Physical Devices and Location
-
Laptops are protected through Endpoint Management Procedures and secured through system configurations defined in the IT Security - System Configurations handbook page which include, but are not limited to:
- Passwords
- Screen timeout
- Encryption
- Endpoint detection and response
-
Utilize trusted networks when available. If you are connecting from an untrusted network such as a public Wi-Fi, guest networks, or unsecured hotspots, you should use a personal VPN. GitLab has selected NordLayer as the preferred provider.
-
Implement Clear Desk/Clear Screen requirements.
-
Ensure devices are not left unattended in public areas and are locked when not in use. Activate a screensaver with password lock, lock the desktop, close the lid.
-
Personal mobile phone and tablet usage must be passcode protected.
-
Sensitive data should not be stored on removable storage devices, such as USB drives or external hard drives. External storage devices on company assets is not sanctioned.
-
Printing documents containing sensitive information as defined by the Data Classification Standard is prohibited.
-
Secure your data during travel including utilizing a VPN, ensuring that you are in a secure place and no-one can hear you when you are talking about restricted data, and locking your device when it is not in use.
-
Do not bring company-owned devices to embargoed countries without consulting the Legal Department.
Exceptions
Exceptions to this procedure will be tracked as per the Information Security Policy Exception Management Process.
