Automation and Compliance

Purpose

The goal of this handbook page is to document the goals and priorities for compliance automation within the Security Compliance team at GitLab. Automations are built and enabled with the support of GitLab's Security Assurance Automation team, which handles the technical implementations.

Core Focuses

  1. Support the business by automating security processes, compliance controls, and finding automation efficiencies.
  2. Develop and maintain automated solutions that enhance our security posture, streamline compliance efforts, and provide continuous monitoring of our systems and infrastructure.
  3. Enable security to scale through the discovery and application of compliance automation.

Key priorities for Compliance Automation (in order)

  1. Control Automations - Automated testing of controls and alerting on control failures
  2. Control Automations - Automated testing and workbook creation
  3. Metrics - Key insights into compliance/risk metrics to inform scope
  4. User Access Reviews - Process automation and risk-based review enablement
  5. Process Automations - Process automation around compliance activities such as observation management, audit management, etc.

Possible areas of opportunity

  1. Developing and implementing automated security controls and processes
  2. Creating and maintaining compliance automation tools and scripts
  3. Integrating security and compliance checks into CI/CD pipelines
  4. Automating vulnerability scanning and remediation processes
  5. Implementing automated security testing and validation
  6. Developing dashboards and reporting tools for security metrics and compliance status
  7. Collaborating with other security teams to identify automation opportunities
  8. Continuously improving and optimizing existing compliance automation solutions

Where and How we work

Metrics and Measures of Success

TBD

Automation and Compliance Roadmap

For FY25, the first Automation and Compliance Roadmap (internal-only link) was defined after a questionnaire and a brainstorming session completed with Security Compliance team members.

Contact the Team

For questions related to Compliance Automation, please reach out to the #sec-assurance Slack channel. Issues for Compliance Automation should be opened in the Security Assurance Automation Issue Landing project, as outlined in the Security Assurance Automation handbook page.

I have questions

  • Byron Boots, @byronboots, Senior Security Assurance Engineer, Compliance