Security Risk Team
Security Risk Team Charter
Mission Statement
To drive security risk treatment at GitLab by empowering teams to make informed and intelligent decisions through proactive identification, monitoring, prioritization, and reporting of security risks.
Value Proposition
We perform thorough, collaborative, and efficient risk assessments as well as drive risk reduction so that GitLab can achieve its goals while maintaining a high level of security.
Core Competencies
Security Operational Risk Management (StORM) Program
The Security Risk team manages an integrated Operational Risk Management program focused on the identification, assessment, continuous monitoring, and reporting of Security Risks across the organization. Risk Reduction is one of the five operating principles of the Security Department (Security Vision and Mission). As such, the Security Risk Team takes a leading role in providing the information required by leadership to establish our Strategic Roadmap and our quarterly Objectives and Key Results (OKRs). Visit the StORM Program & Procedures handbook page for additional details, including a quick introduction to Risk Management at GitLab as well as information about the purpose, scope, and specific procedures executed as part of the program.
Security Third Party Risk Management (TPRM) Program
GitLab maintains an industry-leading Third Party Risk Management (TPRM) Program through the use of automation, continuous monitoring, and deep integration across business functions to validate the security of GitLab data shared with external parties. The integration of GitLab’s TPRM program within the vendor Procurement flow enables cross-functional collaboration between Privacy, Legal, IT, and People Operations to facilitate transparent, risk-based decision making, Business and Stakeholder-focused Results, and adherence to GitLab’s Regulatory and Compliance Obligations. The vendor relationships maintained through this program are leveraged to create efficiencies across the organization.
Business Impact Analysis (BIA) and Critical System Tiering (CST)
The Business Impact Analysis (BIA) helps determine the systems critical to serving GitLab’s Customers. The output of the BIA is the designation of a Critical System Tier (CST) for a new system by the Security Risk Team.
Asset Inventory Maintenance
Establishing a complete and accurate inventory of assets is key to the success of GitLab’s Risk Program. As such, the Security Risk Team collaborates closely with IT and Business Owners to ensure new systems are added to the Tech Stack.
Operating Model
Core Processes
Engagement Models
- Request a TPRM Review
- Report Security Operational Risk
- GitLab: tag the team across GitLab using @gitlab-com/gl-security/security-assurance/security-risk-team
- Email: securityrisk@gitlab.com
- Slack: #sec-assurance channel (includes the broader Security Assurance Team); mention @security-risk
Team Members
Success Metrics
| Key Metric | Why It Matters | How It's Calculated | Target Thresholds | Measurement Frequency | Reporting Mechanism | Additional Notes |
|---|---|---|---|---|---|---|
| Top 5 Risk Reduction over Time | The Top 5 risks represent the top 5 security risks to GitLab the company. These risks need to be reduced and managed effectively to reduce the likelihood of a significant security incident. | Risk scores are calculated based on impact and likelihood. | Risks are considered in tolerance with a risk score of 10 or below. | Quarterly | Tableau Dashboard (internal only) | n/a |
| Third Party Risk Management Capacity | As an indicator of third party risk, third party risk assessments proactively identify potential vendor security risks as part of onboarding or contracting, enabling business owners to make risk-based decisions throughout the vendor lifecycle. | Count of the total number of security assessments completed, quarter over quarter. | Less than 70 per quarter. | Quarterly | TPRM Metrics Sheet (internal only) | Will be added back into Tableau in FY26Q2 |
FY26 Strategic Initiatives
| # | Objective | Key Deliverables | Timeline |
|---|---|---|---|
| 1 | Enhance our Acceptable Use Policy Program | - Block unnecessary or insecure integrations - Define processes for new integrations - Restrict privileges to install integrations without security and privacy reviews | Ongoing, FY26-27 |
| 2 | Consolidate Security Division Issues/Recommendations | - Inventory of all sources of recommendations from the Security Division - Centralized view of all issues/recommendations across the Security Division - Standardization across issues/recommendations with documentation standards - Scalable management of issues/recommendations to improve adoption | In progress; Target completion: Q3 |
| 3 | Corporate and Product Disaster Recovery Planning and Governance | - Collaborate with Business Teams to plan and govern the execution of BC/DR control activities to fulfill external certification requirements - Perform RTO/RPO analysis for critical vendor systems, escalate gaps/discrepancies compared to RTO/RPO recommendations, and draft a resolution plan | In progress; Target completion: Q2-end |
| 4 | Update Security Assurance KPIs | Develop a comprehensive Security Assurance metrics dashboard to monitor, measure, and validate that all security process success criteria are being effectively tracked and achieved | In progress; Target completion: Q2 |
Review and Updates
This charter will be reviewed and updated quarterly to ensure alignment with:
- GitLab Strategy
- Security Division Mission and Vision
- Security’s Multi-year Strategy (internal only)
- Security Assurance Mission and Vision
- Security Assurance Multi-year Strategy - In Development
Next scheduled review: 2025-06-16
We receive feedback from GitLab team members regularly, and we wanted to provide a mechanism for non-GitLab team members to provide feedback as well, to help us iterate and align more closely with our values. If you are not a GitLab team member and would like to provide feedback on our Security Operational Risk Management (StORM) program or methodology, please use this feedback form to submit anonymous feedback.
GitLab’s Integrated Third-Party Risk Management Program
GitLab maintains an industry-leading Third Party Risk Management (TPRM) Program through the use of automation, continuous monitoring, and deep integration across business functions to validate the security of GitLab data shared with external parties.
The integration of GitLab’s TPRM program within the vendor Procurement flow enables cross-functional collaboration between Privacy, Legal, IT, and People Operations to facilitate transparent, risk-based decision-making, Business and Stakeholder-focused Results, and adherence to GitLab’s Regulatory and Compliance Obligations. The vendor relationships maintained through this program are leveraged to create efficiencies across the organization.
Purpose
In accordance with ITGC SR.1 - SOC Report Review, GitLab executes annual CUEC mappings of our internal controls to each SOC report associated with a SOX in-scope application, to ensure controls are adequately designed to address the CUEC requirements outlined in the SOC report. This activity is executed in Q1 of each fiscal year in order to gain the greatest coverage for the prior fiscal year.