Security Compliance, Commercial Team Page

Security Compliance Mission

Security Compliance (Commercial) Mission:

  1. Enable GitLab to be the most trusted DevSecOps offering on the market, demonstrated by security certifications and attestations.
  2. Achieve, maintain and grow industry specific security certifications and attestations for
  3. Identify and mitigate GitLab information security risk through continuous control monitoring of the SaaS offering and key in-scope auxiliary applications and third party sub-processors.
  4. Enable security to scale through the discovery and application of compliance automation.
  5. Identify and remediate observations to reduce risk and ensure continued maintenance of security certifications and attestations.
  6. Work across industries and verticals to support GitLab customers in their own compliance journey.

Core Competencies

  1. Third Party Security Certifications
    • Gap Analysis Program: feasibility for external certifiction expansion
    • External Audit coordination and hosting
    • Security Attestations
  2. Observation and Remediation Management
    • Specific to Tier 3 observations
    • Identify control weaknesses and gaps (observations)
    • Provide remediation recommendations and guidance
    • Track remediation to completion
  3. Continuous Control Monitoring of the GitLab Control Framework
    • Compliance production readiness assessment
    • User Access Review Program
    • Business Continuity Plan (BCP) testing
    • Information System Continuity Plan (ISCP) testing
  4. Compliance Automation discovery and implementation
    • Utilizing dogfooding and external tools to continue driving compliance by default features within the product and true CCM efforts

Where we work

We primarily work out of the Team-Commercial Compliance group project. This group includes subgroups and projects for:

  • Team information and directory
  • External Certifications
  • User Access Review Program
  • Audit Reports (output of CCM efforts)
  • Gap Analysis Program
  • ISCP and BCP tests and final reports
  • IT General Control Support (ITGC)

Work that overlaps with other teams including Dedicated Compliance can be found in the Security Compliance - All Teams group. This group includes subgroups and projects for:

  • GitLab Control Framework (GCF)
  • Observation Management
  • Security Compliance Intake (production readiness)
  • Third Party Penetration Testing Program
  • Exceptions

We also utilize external tooling including:

  • ZenGRC: control testing and observations
  • Authomize: User access review campaigns

How we work

We strive for transparency whenever possible through the use of non confidential issues within our group projects and handbook documentation. However, not all of our work is externally visible. In order to continue striving for transparency, we are committed to delivering value to our external customers through community outreach efforts such as blogs, keeping the handbook up to date and providing documentation that demonstrates how we dogfood to meet our security compliance core compentencies.

We utilize GitLab Epics and Issue to track projects, deliverables and milestones. We are currently working on upleveing our internal metrics and reporting through the use of insights charts, issue tasks and automation.

Metrics and Measures of Success

  1. Security Control Risk by System
  2. Securty Observations

Contact the Team

Program DRI Responsibilities
Security Compliance (Commercial) Team manager @lcoleman Establish direction, roadmap and oversight of the team core competencies and owned programs
External Certifications @madlake External Audit coordination and execution for existing certifications (SOC 2 Type 2, ISO 27001, 27017, 27018)
Observations @madlake Observation Program management and metrics including observation validation, remediation recommendations and progress reporting
User Access Reviews @alexfrank09 Oversight of UAR Program/ Automated UAR Tool including launching UAR campaigns, identifying access changes and removals, campaign ownership, metrics and reporting
Gap Analysis Program @DanEckhardt Oversight of Gap Analysis program and procedures, prioritize gap analysis requests, gap analysis status tracking and reporting
GitLab Control Framework @davoudtu Ongoing GCF review and refinement of applicable controls based on certifications and CCM coverage
BCP and ISCP @byronboots DRI for driving and documenting BCP and ISCP activities and remediation
CCM Automation @byronboots Stable counterpart for identifying, defining and driving automation activities for continuous control monitoring program

Contact the Team

  • Slack
    • Feel free to tag us with @commerical_compliance
    • The #sec-assurance slack channel is the best place for questions relating to our team (please add the above tag)
  • Tag us in GitLab
    • @gitlab-com/gl-security/security-assurance/team-commercial-compliance
  • Email
  • Commercial Compliance team project
  • Interested in joining our team? Check out more here!


Return to the Security Assurance Homepage

Access Review Procedure
This is a Controlled Document Inline with GitLab’s regulatory obligations, changes to controlled documents must be approved or merged by a code owner. All contributions are welcome and encouraged. Purpose GitLab’s user access review is an important control activity required for internal and external IT audits, helping to minimize threats and provide assurance that the right people have the right access to critical systems and infrastructure. This procedure details process steps and provides control owner guidance for access reviews.
AM.1.01 - Inventory Management Control Guidance
Control Statement GitLab maintains an inventory of system devices, which is reconciled quarterly. Context The purpose of this control is to ensure we are monitoring the systems in use by GitLab. We can’t prove we are protecting all GitLab systems if we don’t have an up-to-date inventory of those systems. Current status of this control GitLab team-member endpoints: Team-member workstations are tracked with JAMF endpoint management A google form sent to all on-boarding team-members records the ownership and serial number of laptops Production systems: Backend system inventories are not maintained, but strong naming conventions exist For GCP, that constitutes most of GitLab’s production architecture; we can evaluate the GCP systems/services, discover new systems, and assign ownership Scope This control applies to all GitLab endpoint workstations as well as virtual assets within our hosting providers.
Gap Analysis Program
Purpose A gap analysis as it relates to security compliance refers to an in-depth review that helps organizations determine the difference between the current state of their information security and a given security standard (SOC 2 Type 2 Availability Criteria, ISO 27018, BSIMM, etc.) they might want to adopt or align against. The outcome of completing gap analysis procedures is a report to management: What, if any, gaps exist between GitLab’s current state and that new standard A recommendation for whether or not to pursue that new standard The impact of not pursuing that new standard The impact if that new standard is pursued Scope The scope of gap analysis procedures performed by the Security Compliance team are limited to information security and compliance related regulatory standards and frameworks.
GCF Security Control Lifecycle
This is a Controlled Document Inline with GitLab’s regulatory obligations, changes to controlled documents must be approved or merged by a code owner. All contributions are welcome and encouraged. Process Overview Purpose As new GitLab security controls are identified that need to be implemented by the Security Compliance Teams for compliance or regulatory reasons, these controls follow an established process in order to make that implementation successful. These lifecycle phases are managed via GitLab’s governance, risk and compliance (GRC) application, ZenGRC.
GitLab Security Compliance Controls
Security controls are a way to state our company’s position on a variety of security topics. It’s not enough to simply say “We encrypt data” since our customers and teams will naturally want to know “what data do we encrypt?” and “how do we encrypt that data?”. When all of our established security controls are operating effectively this creates a security program greater than the sum of its parts. It demonstrates to our stakeholders that GitLab has a mature and comprehensive security program that will provide assurance that data within GitLab is reasonably protected. Security Certifications and Attestations
Purpose In support of our ongoing commitment to information security and transparent operations, the GitLab Security Compliance teams are dedicated to obtaining and maintaining industry recognized security and privacy third party certifications and attestations. The benefits from these activities include: For customers: increases visibility and confidence in our information security program increases ease in onboarding and managing GitLab as a vendor For GitLab: ensures we are meeting all requirements of a strong and comprehensive information security program aligned with industry best practices enables our field teams to quickly share the state of our security program with potential and existing customers reduces the need for GitLab’s security team to fill out individual customer security questionnaires or assessments Scope Generally, the scope of the items listed on this page include GitLab.
TPM.1.01 - Third Party Assurance Review Control Guidance
Control Statement A vendor security review is performed at the time of procurement for new third party vendors. A results report is created detailing vendor risk level and any observations noted and the results are considered as part of vendor contracting. Context It’s common for companies like GitLab to offload risk and services to third parties.; most SaaS companies these days rely heavily on other SaaS products. In order to create a chain of trust, the security control for any third party providers GitLab uses need to be validated.
Last modified September 6, 2023: Replace taps with spaces (69f17a79)