Security Governance Program

Governance and Field Security team charter

Security Governance Mission

As the ‘G’ in GRC, GitLab’s security governance discipline helps to define, train on, and measure security strategies and progress toward security objectives by creating a set of processes and practices that run across departments and functions. By following a governance framework, GitLab ensures accountability, fairness and transparency in both how the company runs and how it communicates with its stakeholders.

Core Competencies

These are the core responsibilities of the security governance discipline.

Security policies and standards

Keeping the organization on track and within established boundaries to ensure compliance with laws and regulations while maintaining GitLab’s Information Security Policies, and providing guidance, consistency and accountability to streamline internal processes and align them with GitLab’s values and mission.

Security handbook maintenance

Security Governance is responsible for the continuous maintenance and improvement of the security section in GitLab’s handbook. This includes the creation and maintenance of security policies and standards, the creation and maintenance of controlled documents, maintenance of the security section’s overall structure, content relevance and accuracy, and alignment with GitLab’s style guide. To request an update to the handbook’s security section, please open an issue using the link below.

Security Handbook Request

Security Assurance metrics

Measuring the effectiveness of our security controls against a plan to prevent security incidents and safeguard sensitive data, in order to improve GitLab’s security posture and reduce risk. “If you cannot measure it, you cannot improve it” - Lord Kelvin.

Regulatory and compliance landscape monitoring

To support GitLab’s regulatory and compliance requirements, the Security Governance team conducts quarterly monitoring for changes to such requirements. Material changes are reported to relevant team members for triage and action.

GCF Control Maintenance

Managing the GCF control framework, including changes driven by identified risks and regulatory requirements.

Security Compliance Training

Creating and managing security compliance trainings to ensure GitLab team members are aware of and trained in security core competencies.

GRC Application Administration

Managing a variety of tools used by the Security Assurance Team and carrying out defined administrative tasks such as:

  • Configuration changes
  • User Access Management
  • Upgrades/patching/incidents/restores
  • High-Level quality oversight
  • etc.

We will assist in managing, and provide guidance on, the day-to-day activities related to the core competencies of all compliance activities within ZenGRC, such as Control Testing, UARs, Vendor Reviews and Risk Assessments. The goal is to automate, integrate and streamline these business processes in order to increase the maturity of GitLab’s Information Security Program and deliver measurable ROI.

Metrics and Measures of Success

Under Construction

Contact the Team

Donovan Felton, @dfelton, Security Assurance Engineer, Automation

Joe Longo, @jlongo_gitlab, Manager, Governance and Field Security

References

Return to the Field Security Homepage

Last modified September 27, 2023: Fix information-security-policies links (3abd2cd5)