Security Awareness Training Standard

Security Training Standard

Purpose

Security training and awareness are key to ensuring that GitLab team members are continuously provided with user education activities and exercises about evolving threats, compliance obligations, and secure workplace practices in order to refine and improve their awareness.

Scope

This standard applies to all GitLab team members, contractors/Temporary Service Providers (TSPs), consultants, vendors and other service providers that handle, manage, store or transmit GitLab data in support of GitLab’s statutory, regulatory and contractual requirements.

Definitions

  • GitLab Team members: users with a gitlab.com email address
  • Contractors/TSPs and Consultants: Personnel who are external to GitLab who do not have a gitlab.com email address and are under a contract/agreement that involves handling, managing, storing, or transmitting GitLab data in support of GitLab’s statutory, regulatory and contractual requirements.

Roles & Responsibilities

Role | Responsibilities
GitLab Team Members | Responsible for following the requirements of this standard
Security Governance Team | Responsible for the management and execution of security trainings and programs outlined in this standard
Security Governance Management | Responsible for oversight, escalation and approval of exceptions for this standard
Security Assurance Management (Code Owners) | Responsible for approving significant changes and exceptions to this standard

Standard

All GitLab Team members and contractors/TSPs are required to participate in GitLab’s General Security Awareness Training, New Hire Training and on-going phishing simulations and training, or show evidence of equivalent training completion within the calendar year. Security Trainings that require participation include the following:

New Hire Security Training

New Hire Security Training is required to be completed by all GitLab Team Members and contractors/TSPs during their onboarding at GitLab. This security training provides new hires with the knowledge to identify cybersecurity threats, vulnerabilities, and attacks.

General Security Awareness Training (GSAT)

The GitLab security awareness training program provides ongoing training to GitLab team members that enhances knowledge and identification of cybersecurity threats, vulnerabilities, and attacks as well as satisfying external regulatory requirements. GitLab’s handbook-first General Security Awareness Training is provided annually via ProofPoint, GitLab’s third-party provider, and requires participation and completion by all GitLab Team Members and contractors/TSPs.

Exceptions during the active campaign will be made for GitLab team members on extended leave.

Phishing Training

The GitLab Phishing Training Program is designed to educate and evaluate GitLab’s ability to detect and prevent phishing attempts. Ongoing phishing simulations and trainings are conducted once per quarter via ProofPoint, GitLab’s third-party provider, and require participation and completion by all assigned GitLab Team Members and contractors/TSPs.

Remember: If you see something, say something, and always report suspicious emails via PhishAlarm.

Data Classification Training

To maintain our culture of security and transparency, and to minimize the risk to our sensitive data and our customers, GitLab team members are encouraged to complete Data Classification Training to help understand the different types of data at GitLab and how to keep it SAFE. This is a recommended training.

Secure Coding Training

The GitLab Secure Coding Training is a required training completed by a sub-group of GitLab Team Members and contractors/TSPs in the Engineering Department. This training contains descriptions and Secure Coding Guidelines from OWASP (Open Web Application Security Project) addressing security vulnerabilities commonly identified in the GitLab codebase. This training is intended to help developers identify potential security vulnerabilities early, with the goal of reducing the number of vulnerabilities released over time.

Exceptions during the active campaign will be made for GitLab team members on extended leave.

Other Security Trainings

As our Security Training Program matures, additional trainings will be identified and added.

Exceptions

Exceptions to this procedure will be tracked as per the Information Security Policy Exception Management Process.

Last modified March 27, 2024: Change shortcode to plain links (7db9c423)