Security Governance Program

Security Governance Program

Governance and Field Security team charter

Mission

The ‘G’ in GRC, GitLab’s security governance discipline helps to define, train and measure security strategies and progress towards security objectives by creating a set of processes and practices that run across departments and functions. By following a Governance framework, GitLab ensures accountability, fairness and transparency in how the company runs and how it communicates with its stakeholders.

Core Competencies

These are the core responsibilities of the security governance discipline.

Security policies and standards

Keeping the organization on track and within established boundaries to ensure compliance with applicable laws and regulations while maintaining GitLab’s Information Security Policies. Providing guidance, consistency and accountability to streamline internal processes and align with GitLab’s values and mission.

Security handbook maintenance

Security Governance is responsible for the continuous maintenance and improvement of the security section in GitLab’s handbook. This includes the creation and maintenance of controlled documents, maintenance of the security section’s overall structure, content relevance and accuracy, and alignment with GitLab’s style guide. To request an update to the handbook’s security section, please open an issue using the link below.

Security Handbook Request

Security Assurance metrics

Security Governance supports the development, implementation, and maintenance of metrics across the Security Assurance department.

Regulatory and compliance landscape monitoring

To support GitLab’s regulatory and compliance requirements, the Security Governance team conducts quarterly monitoring for changes to such requirements. Material changes are reported to relevant team members for triage and action.

GCF Control Maintenance

Maintenance of the GCF control framework to include language, policy mapping, and relevancy updates.

Security Compliance Training

Creating and managing security compliance trainings to ensure GitLab team members are aware and trained in security core competencies.

GRC Application Administration

Managing a variety of tools used by the Security Assurance Team to support our day to day processes and strategic initiatives.

  • Configuration changes
  • User Access Management
  • Upgrades/patching/incidents/restores
  • High-Level quality oversight
  • etc.

We will assist in managing and providing guidance to carry out day to day activities related to the core competencies of all compliance activities within Hyperproof such as Control Testing, UARs, Vendor Reviews and Risk Assessments. We strive to automate, integrate and streamline business processes to increase GitLab’s Information Security Program maturity and deliver measurable ROI.

Contact the Team

Joe Longo, @jlongo_gitlab, Senior Manager, Governance and Field Security

References

Return to the Security Assurance Homepage

Phishing Program

Phishing Program

The GitLab Phishing Program is designed to educate and evaluate GitLab’s ability to detect and prevent phishing attempts. The goal of the program is to maintain up-to-date educational materials, provide ongoing training, and execute real-world simulations to provide GitLab Team Members the knowledge to identify, report, and block phishing attempts. Phishing simulations are provided by ProofPoint, GitLab’s third party provider, and will help satisfy external regulatory requirements and bolster customer assurance.

Security Assurance - Automations Library

Has this been automated for the team yet?

This page is intended to provide a jumping off point for what components of Security Assurance have been automated and are available for use by team members. It includes ad-hoc automations that should be run by team members whenever desired as well as ongoing scheduled automations in place.

Each automation includes a brief description of available functionality and links to a relevant project. Detailed guidance on how to run the automations including inputs to pipelines etc. are available in detailed READMEs for each automation as needed.

Security Assurance Automation

A team supporting Security Assurance’s growth

The Security Assurance program is expanding constantly, be it in breadth, headcount, complexity and scope. The Assurance department is composed of numerous teams with different processes, data sets and objectives. Having a single team focused on creating efficiencies through software allows the Department to scale faster and support the growth and impact of individual programs.

We provide to the Security Assurance department an ability to automate processes through developing scripts, building solutions and implementing fixes. Dedicated resources ensures custom solutions can be built and maintained in the future to provide continuous value-add.

Security Awareness Training Program

Security awareness training program

The GitLab security awareness training program provides ongoing training to GitLab team members that enhances knowledge and identification of cybersecurity threats, vulnerabilities, and attacks. Security awareness training is provided by ProofPoint, GitLab’s third party provider, and will help satisfy external regulatory requirements and bolster customer assurance. The training campaigns designed to provide GitLab team members with the information they need to protect themselves and GitLab from loss or harm, highlight their role in securing GitLab on a daily basis, and empower them to make the right decisions with security best practices.

Security Awareness Training Standard
Security Training Standard
Security Training
All about Security Training, including where to find it and how to create it.
Last modified October 30, 2024: Fix broken links (39532aab)
View page source - Edit this page - please contribute. Creative Commons License