Our mission is to provide a high level of assurance that GitLab (the platform and the company) is secure.
Our vision is to be a trusted sales enablement partner that is recognized internally and externally for its collaborative and transparent security assurance program, powered by AI and automation. This will be achieved through the following 10 strategic objectives:
Establish GitLab as a thought leader in DevSecOps and AI.
Accelerate the sales cycle to enable Sales to acquire new customers and reduce customer churn.
Align Security Assurance with strategic business objectives and develop oversight to keep it continuously aligned.
Enhance the efficiency and effectiveness of Security Assurance through automated and custom-built solutions.
Facilitate strategic initiatives to expand and improve GitLab’s external Security brand.
Identify, manage, and reduce security risk through cross-functional collaboration, strategic prioritization, and proactive mitigation including governance over data security and resilience programs.
Drive proactive compliance initiatives that maintain competitive advantage and enable customer acquisition through alignment with regulatory and industry-specific requirements.
Collaborate within the division to enable successful, timely, and cost-effective program and project initiation, management, and delivery through repeatable and scalable processes with consistent measurement and actionable reporting.
Influence product development and enhancement through deliberate use and delivery of actionable feedback.
Collaborate within and across divisions to enable effective and efficient identification and remediation of compliance findings.
Security Assurance Department Structure
There are four teams in the Security Assurance department.
The Security Assurance sub-department uses a variety of tools to carry out its day-to-day activities. For each tool, the system admin is responsible for the following:
Configuration changes
Onboarding/offboarding/transfers (i.e. access provisioning and removal)
Upgrades/patching/incidents
Migrations to new environments
Restores from backup
Admin-level audit evidence
Quality oversight (limited scope)
All other actions are the responsibility of the assigned DRI.
Key system used to create and distribute our security training and phishing simulations, which provide ongoing testing of adherence to various compliance frameworks.
The Compliance Production Readiness Assessment is a process designed to make clear what obligations system owners have for configuring and hardening a system, tool, or service so that GitLab meets its compliance and regulatory obligations.