Security Risk Team
Security Risk Mission
To improve security at GitLab by enabling informed and intelligent decision making through proactive identification, monitoring, and reporting of security risks.
Core Competencies
Security Operational Risk Management (StORM) Program
An integrated Operational Risk Management program which focuses on the identification, assessment, continuous monitoring, and reporting of security risks across the organization. Visit the StORM Program & Procedures handbook page for additional details, including a quick introduction to Risk Management at GitLab as well as information about the purpose, scope, and specific procedures executed as part of the program.
Please refer to the communication section of the StORM Program & Procedures page for information on the various ways that team members can use to escalate potential risks to the Security Risk Team.
Security Third Party Risk Management (TPRM) Program
The TPRM Program is focused on identifying and assessing the incremental security risk impact that may develop over the lifecycle of GitLab’s relationship with various third parties. Our program is integrated within the Procurement process and is built to continuously monitor third parties based on risk. Additional information can be found on the Third Party Risk Management handbook page.
Business Impact Analysis (BIA) and Critical System Tiering (CST)
The Business Impact Analysis (BIA) helps determine the systems critical to serving GitLab’s Customers. It also helps determine the prioritization of system restoration efforts in the event of a disruption.
The Security Risk Team facilitates a BIA for all new systems. A BIA is performed or previously collected BIA data is validated for existing systems based on Critical System Tiering (CST).
Asset Inventory Maintenance
Establishing a complete and accurate inventory of assets is key to the success of GitLab’s Risk Program. As such, the Security Risk Team collaborates closely with IT and Business Owners to ensure new systems are added to the Tech Stack and that associated data is maintained via our BIA processes.
Metrics and Measures of Success
Team Members
Functional DRIs
While the DRI is the individual who is ultimately held accountable for the success or failure of any given project, they are not necessarily the individual that does the tactical project work. The DRI should consult and collaborate with all teams and stakeholders involved to ensure they have all relevant context, to gather input/feedback from others, and to divide action items and tasks amongst those involved.
DRIs are responsible for ensuring a handbook-first approach to their project(s) and challenging existing processes for efficiency.
Function | DRI |
---|---|
Annual Risk Assessment | Kyle Smith |
Business Impact Analysis - Design And Requirements | Kyle Smith |
Business Impact Analysis - Reporting and Periodic BIA Execution | Nirmal Devarajan |
Critical System Tiering | Kyle Smith |
Ongoing SecRisk-Related Observations Management | Ty Dilbeck |
Ongoing Risk Treatment | Kyle Smith |
Ongoing TPRM Assessments | Ryan Lawson |
Periodic SOX CUEC Facilitation | Eric Geving |
Periodic TPRM Assessments | Eric Geving |
TPRM Data Quality and Emerging Requirements Management | Eric Geving |
StORM Metrics and Reporting | Kyle Smith |
TPRM Metrics and Reporting | Ryan Lawson |
Contact the Team
- Email:
securityrisk@gitlab.com
- Slack:
- #security-risk-management channel
- #sec-assurance channel (includes the broader Security Assurance Team)
- Mention
@security-risk
- GitLab: Tag the team across GitLab using
@gitlab-com/gl-security/security-assurance/security-risk-team
Return to the Security Assurance Homepage
Security Third Party Risk Management
SOX CUEC Mapping Procedure
69f17a79
)