Automation and Compliance
Purpose The goal of this handbook page is to document the goals and priorities for the automation in …
Security Assurance
Security Assurance Mission and Vision
Our mission is to provide a high level of assurance that Gitlab (the platform and company) is secure.
Our vision is to be a trusted sales enablement partner that is recognized internally and externally for its collaborative and transparent security assurance program, powered by AI and automation. This will be achieved through 10 strategic objectives:
- Establish GitLab as a thought leader in DevSecOps and AI.
- Accelerate the sales cycle to enable Sales to acquire new customers and reduce customer churn.
- Align Security Assurance with strategic business objectives and develop oversight for continuous alignment
- Enhance the efficiency and effectiveness of Security Assurance through automated and custom-built solutions
- Facilitate strategic initiatives to expand and improve GitLab’s external Security brand.
- Identify, manage, and reduce security risk through cross-functional collaboration, strategic prioritization, and proactive mitigation including governance over data security and resilience programs.
- Proactive compliance initiatives to maintain competitive advantage and enable customer acquisition through alignment with regulatory and industry specific requirements.
- Intra-division collaboration to enable successful, timely, and cost effective program and project initiation, management, and delivery through repeatable and scalable processes with consistent measurement and actionable reporting.
- Influence product development and enhancement through deliberate use and delivery of actionable feedback.
- Intra and Inter-division collaboration to enable effective and efficient identification and remediation of compliance findings.
Security Assurance Department Structure
There are four teams in the Security Assurance department.
Governance & Field Security |
Security Compliance |
Security Risk |
Security Program Management |
|---|---|---|---|
|
Core Competencies
Field Security Core Competencies
- Sales Training (Security)
- Sales Enablement (Security)
- Customer Assurance (Security)
- Security Evangelization
Security Governance Core Competencies
- Security Policies, Standards and Control maintenance
- Security Assurance Metrics
- Regulatory Landscape Monitoring
- Security Awareness and Training
- Security Assurance Application Administration
- Security Assurance Automation
Security Risk Core Competencies
- Security Third Party Risk Management
- Tier 2 Operational Security Risk Management
- Business Impact Assessments
- Critical System Tiering
Security Compliance Core Competencies
- Continuous Control Monitoring
- Security Certifications and Attestations
- User Access Reviews (non-SOX)
- Observation management for control failures and Tier 3 (system-level) risks
- GitLab Production Readiness: Compliance Assessment
Core Tools and Systems
The Security Assurance sub department utilizes a variety of tools to carry out day to day activities. The system admin is responsible for the following:
- Configuration changes
- Onboarding/offboarding/transfers (ie Access)
- Upgrades/patching/incidents
- Migrations to new environments
- Restores from backup
- Admin level audit evidence
- Quality oversight (limited scope)
All other actions are the responsibility of the assigned DRI.
| System Name | System Description | Admin | DRI |
|---|---|---|---|
| Hyperproof | Key system utilized for initiating, tracking/documenting, and completing Governance, Risk, and Compliance related activities. | Donovan Felton | Security Compliance - Madeline Lake Security Risk - Ty Dilbeck |
| Authomize | Key system utilized by Security Compliance for User Access Reviews | Alex Frank | Platform - Alex Frank Custom Connectors - Byron Boots |
| Safebase | Trust center solution to host security collateral for customers to request. | Donovan Felton | Joe Longo |
| ProofPoint | Key system utilized for the creation and distribution of our security training and phishing simulations to provide ongoing testing for adherence of various compliance frameworks. | Donovan Felton | Joe Longo |
| BitSight | BitSight is used to assess and monitor software vendors as part of our Security Third Party Risk Management Program. | Ryan Lawson | Ty Dilbeck |
| GitLab - Security Assurance Projects | Primarily used to engage stakeholders via issues, updates to Security Assurance related handbook pages, etc. | Security Assurance Senior Director | Each Team is responsible for their Projects, but everyone can contribute |
Contacting the Team
- Join our slack channel: #sec-assurance
- Email: security-assurance@gitlab.com
Team READMEs
References
Check out these great security resources built with our customers in mind:
- GitLab’s Customer Assurance Package
- GitLab’s Security - Trust Center
- GitLab’s Security Team Page
Field Security Team
Governance and Field Security team charter
Field Security Team The Field Security team serves as the …
Observation Management Procedure
This procedure details the and remediation process for observations.
Production Readiness: Compliance Assessment
The Compliance Production Readiness Assessment is a process designed to make it clear what obligations systems owners have for configuring and hardening a system/tool/service in order for GitLab to meet its compliance and regulatory obligations.
Security Compliance Team
Security Compliance Team
Security Enablement Team Charter
Team Charter Mission The mission of the Security Enablement team is to: (i) drive the development of …
Security Governance Program
Security Governance Program
Security Risk Team
Security Risk Team Charter
Security Terms Glossary
A glossary of common Security Terms that may be encountered in Security Assurance documentation.
Technical and Organizational Security Measures for GitLab Cloud Services
Technical and Organizational Security Measures for GitLab Cloud Services
Technical Security Validation
Technical Security Validation
Last modified February 18, 2025: Adding updated vision to handbook (
b61b39aa)
