Security and Technology Policies Management

Purpose

This policy is intended to establish requirements for the creation and management of security and technology related policies.

Scope

This policy applies to security and technology policies that fall within the scope of GitLab’s security compliance audits and assessments.

Roles & responsibilities

Role Responsibility
Security Governance Team Responsible for conducting annual controlled documents review and enforcing this policy
Security Assurance Management (Code Owners) Responsible for approving changes to this policy

Policy

Policy creation and requirements

All in-scope policies must be created as version controlled documents in GitLab.

All in-scope policies must be listed in the policies section of the CODEOWNERS file with appropriate stakeholders listed as codeowners.

At a minimum, all in-scope policies must include a purpose, scope, roles and responsibilities, and policy statements.

All policy statements for in-scope policies must be mapped to the appropriate GCF control(s).

Policy review and approval

All in-scope policies must be reviewed and approved by appropriate stakeholders prior to merging the initial MR to create the policy.

All in-scope policies must be reviewed and approved by appropriate stakeholders on at least an annual basis in coordination with the Controlled Document Procedure annual review.

Policy communication and training

New and updated policies must be communicated to relevant team members upon creation or material update.

Relevant in-scope policies must be acknowledged by team members during onboarding training and annually thereafter.

Last modified August 16, 2024: Replace aliases with redirects (af33af46)