Security Compliance, Commercial Team Page
Security Compliance Mission
Security Compliance (Commercial) Mission:
- Enable GitLab to be the most trusted DevSecOps offering on the market, demonstrated by security certifications and attestations.
- Achieve, maintain and grow industry-specific security certifications and attestations for GitLab.com
- Identify and mitigate GitLab information security risk through continuous control monitoring of the GitLab.com SaaS offering, key in-scope auxiliary applications and third-party sub-processors.
- Enable security to scale through the discovery and application of compliance automation.
- Identify and remediate observations to reduce risk and ensure continued maintenance of security certifications and attestations.
- Work across industries and verticals to support GitLab customers in their own compliance journey.
Core Competencies
- Third Party Security Certifications
  - Gap Analysis Program: feasibility assessment for expanding external certifications
  - External audit coordination and hosting
- Security Attestations
- Observation and Remediation Management
  - Specific to Tier 3 observations
  - Identify control weaknesses and gaps (observations)
  - Provide remediation recommendations and guidance
  - Track remediation to completion
- Continuous Control Monitoring (CCM) of the GitLab Control Framework
  - Compliance production readiness assessment
  - User Access Review Program
  - Business Continuity Plan (BCP) testing
  - Information System Continuity Plan (ISCP) testing
- Compliance Automation discovery and implementation
  - Use dogfooding and external tools to keep driving compliance-by-default features within the product and true CCM
Where we work
We primarily work out of the Team-Commercial Compliance group project. This group includes subgroups and projects for:
- Team information and directory
- External Certifications
- User Access Review Program
- Audit Reports (output of CCM efforts)
- Gap Analysis Program
- ISCP and BCP tests and final reports
- IT General Control Support (ITGC)
Work that overlaps with other teams, including Dedicated Compliance, can be found in the Security Compliance - All Teams group. This group includes subgroups and projects for:
- GitLab Control Framework (GCF)
- Observation Management
- Security Compliance Intake (production readiness)
- Third Party Penetration Testing Program
- Exceptions
We also utilize external tooling including:
- ZenGRC: control testing and observations
- Authomize: User access review campaigns
How we work
We strive for transparency whenever possible by using non-confidential issues within our group projects and by documenting our work in the handbook. However, not all of our work is externally visible. To keep striving for transparency, we are committed to delivering value to our external customers through community outreach such as blog posts, keeping the handbook up to date, and providing documentation that demonstrates how we dogfood GitLab to meet our security compliance core competencies.
We use GitLab Epics and Issues to track projects, deliverables and milestones. We are currently working on upleveling our internal metrics and reporting through the use of insights charts, issue tasks and automation.
Metrics and Measures of Success
Contact the Team
| Program | DRI | Responsibilities |
|---|---|---|
| Security Compliance (Commercial) Team manager | @lcoleman | Establish direction, roadmap and oversight of the team core competencies and owned programs |
| External Certifications | @madlake | External audit coordination and execution for existing certifications (SOC 2 Type 2, ISO 27001, 27017, 27018) |
| Observations | @madlake | Observation Program management and metrics, including observation validation, remediation recommendations and progress reporting |
| User Access Reviews | @alexfrank09 | Oversight of the UAR Program / automated UAR tool, including launching UAR campaigns, identifying access changes and removals, campaign ownership, metrics and reporting |
| Gap Analysis Program | @DanEckhardt | Oversight of the Gap Analysis program and procedures, prioritizing gap analysis requests, gap analysis status tracking and reporting |
| GitLab Control Framework | @davoudtu | Ongoing GCF review and refinement of applicable controls based on certifications and CCM coverage |
| BCP and ISCP | @byronboots | DRI for driving and documenting BCP and ISCP activities and remediation |
| CCM Automation | @byronboots | Stable counterpart for identifying, defining and driving automation activities for the continuous control monitoring program |
- Slack
  - The #sec-assurance Slack channel is the best place for questions relating to our team. Feel free to tag us with @commerical_compliance
- Tag us in GitLab
  - @gitlab-com/gl-security/security-assurance/team-commercial-compliance
- Email
  - security-compliance@gitlab.com
- Commercial Compliance team project
- Interested in joining our team? Check out more here!
References
- Security Certifications
- GCF Security Control Lifecycle
- GCF Security Controls
- User Access Reviews
- Observation Methodology
- Gap Analysis Program
Return to the Security Assurance Homepage