Security Assurance

Overview

As part of the Security department, the Security Assurance sub-department provides GitLab customers with a high level of assurance around the security of GitLab SaaS service offerings.

There are five teams in the Security Assurance sub-department.

Security Assurance Sub-Department

Governance & Field Security
Security Compliance
Security Risk

Core Competencies

Field Security Core Competencies

Security Governance Core Competencies

Security Risk Core Competencies

Security Compliance, Commercial Core Competencies

Core Tools and Systems

The Security Assurance sub-department uses a variety of tools to carry out day-to-day activities. The system admin is responsible for the following:

  • Configuration changes
  • Onboarding/offboarding/transfers (i.e. access)
  • Upgrades/patching/incidents
  • Migrations to new environments
  • Restores from backup
  • Admin-level audit evidence
  • Quality oversight (limited scope)

All other actions are the responsibility of the assigned DRI.

System Name: Hyperproof
System Description: Key system utilized for initiating, tracking/documenting, and completing Governance, Risk, and Compliance related activities.
Admin: Donovan Felton
DRI: Security Compliance - Madeline Lake; Security Risk - Ty Dilbeck

System Name: Authomize
System Description: Key system utilized by Security Compliance for User Access Reviews.
Admin: Alex Frank
DRI: Platform - Alex Frank; Custom Connectors - Byron Boots

System Name: Safebase
System Description: Trust center solution to host security collateral for customers to request.
Admin: Donovan Felton
DRI: Joe Longo

System Name: ProofPoint
System Description: Key system utilized for the creation and distribution of our security training and phishing simulations to provide ongoing testing for adherence to various compliance frameworks.
Admin: Donovan Felton
DRI: Joe Longo

System Name: BitSight
System Description: BitSight is used to assess and monitor software vendors as part of our Security Third Party Risk Management Program.
Admin: Ryan Lawson
DRI: Ty Dilbeck

System Name: GitLab - Security Assurance Projects
System Description: Primarily used to engage stakeholders via issues, updates to Security Assurance related handbook pages, etc.
Admin: Security Assurance Senior Director
DRI: Each team is responsible for its projects, but everyone can contribute.

Contacting the Team

Team READMEs

References

Check out these great security resources built with our customers in mind:

Automation and Compliance

Purpose

The goal of this handbook page is to document the goals and priorities for compliance automation within the Security Compliance team at GitLab. Automations are built and enabled through the support of GitLab's Security Assurance Automation team, which handles technical implementation.

Core Focuses

  1. Support the business by automating security processes, compliance controls, and finding automation efficiencies.
  2. Develop and maintain automated solutions that enhance our security posture, streamline compliance efforts, and provide continuous monitoring of our systems and infrastructure.
  3. Enable security to scale through the discovery and application of compliance automation.

Key priorities for Compliance Automation (in order)

  1. Control Automations - Automated testing of controls and alerting on control failures
  2. Control Automations - Automated testing and workbook creation
  3. Metrics - Key insights into compliance/risk metrics to inform scope
  4. User Access Reviews - Process automation and risk-based review enablement
  5. Process Automations - Process automation around compliance activities such as observation management, audit management, etc.

Possible areas of opportunity

  1. Developing and implementing automated security controls and processes
  2. Creating and maintaining compliance automation tools and scripts
  3. Integrating security and compliance checks into CI/CD pipelines
  4. Automating vulnerability scanning and remediation processes
  5. Implementing automated security testing and validation
  6. Developing dashboards and reporting tools for security metrics and compliance status
  7. Collaborating with other security teams to identify automation opportunities
  8. Continuously improving and optimizing existing compliance automation solutions

Where and How we work

Metrics and Measures of Success

TBD

Field Security Team

Governance and Field Security team charter

Field Security Team

The Field Security team serves as the public representation of GitLab’s internal Security function. Our vision is to be the leading example in collaborative and transparent Customer Assurance Programs. Our mission is to empower the GitLab community with confidence and trust that their data is protected with high levels of security assurance to drive revenue growth. We partner with our fellow GitLab team members and customers to provide a pathway to yes!

  • Governance and Field Security Team Charter
  • Observation Creation Procedure: This procedure details the creation process for observations.
  • Observation Remediation: This details the remediation process for observations.
  • Production Readiness: Compliance Assessment: The Compliance Production Readiness Assessment is a process designed to make it clear what obligations system owners have for configuring and hardening a system/tool/service in order for GitLab to meet its compliance and regulatory obligations.
  • Security Compliance Team
  • Security Governance Program
  • Security Risk Team
  • Security Terms Glossary: A glossary of common security terms that may be encountered in Security Assurance documentation.
  • System Risk Scoring Procedure: This procedure details the process for determining the System Risk Score.
  • Technical and Organizational Security Measures for GitLab Cloud Services
  • Technical Security Validation
Last modified November 5, 2024: Updating broken links in sec comp page (1f23f12e)