Security Assurance - ZenGRC Activities

The Field Security team utilizes the following ZenGRC objects:

• Requests are used for each Customer Assurance Request
• Issues are used when an observation is noted during the assessment
• Metrics and Reporting are used to track status, types of requests, and data related to each customer for trend analysis

All activities related to the StORM program are executed exclusively within ZenGRC. There may be instances where the identification of a risk occurs on GitLab.com (e.g. incident issues, internal issues where security concerns are raised which may be an indicator of risk, etc.) and in these cases, the Risk & Field Security team will review the related details within GitLab and subsequently create a new risk record within ZenGRC for assessment. The wide variety of activities related to StORM that are carried out in ZenGRC include but are not limited to:

• Documenting the identification of a risk
• Documenting the results of risk assessments
• Scoring of security operational risks
• Documenting risk response
• Maintaining the Risk Register
• Task tracking for activities such as execution of the StORM Annual Risk Assessment

All activities related to TPRM begin in either a GitLab TPRM Issue or Coupa. Management of all phases of the [third party risk management program) is done via ZenGRC using the following objects:

• Audits and Asessment are used in the Testing phase
• Issues are used when observations are identified
• Metrics and Reporting are used in the Operating phase

The GitLab Security Compliance team manages all phases of the security control lifecycle via ZenGRC using the following objects:

• Programs, Standards, Section, Objectives, and Controls are all used in the Preparation phase
• Assessments and Requests are used in the Testing phase
• Issues are used in the Remediation phase
• Metrics and Reporting are used in the Operating phase

Observations (aka: findings, exceptions, issues, deficiencies, Tier 3 operational risks) are recorded and managed within ZenGRC. This allows the Security Compliance team to map those observations out to any and all related systems, control assessments, vendors, etc. as well as capture meaningful data about the current state of our observation management program and program operating metrics.

The Security Governance team manages the overall administrative activities on ZenGRC objects:

• Configuration changes
• Onboarding/offboarding/transfers
• Upgrades/patching/incidents/Restores
• Quality oversight

The Security Governance Team manages the review of all controlled documents confirming all controlled documents are unified and reviewed annually.

Controlled Documents identified as policies/procedures/standards reside within the ZenGRC Policies object and will be mapped to control assessments to identify which assessments rely on which policies/procedures/standards.

Completing ZenGRC Questionnaires

Stakeholders may be occasionally engaged to complete a ZenGRC questionnaire. Questionnaires are utilized for various reasons, such as helping to gather and collect data to establish GitLab’s Risk Appetite and Tolerance year over year. The Security Assurance Team utilizes the native questionnaire functionality within ZenGRC because it provides some mechanisms to automatically calculate risk scores and thresholds based off of responses.

Should any team member be engaged to complete a questionnaire from ZenGRC, an example of the email that the team member will receive can be found below.

In order to complete the questionnaire, team members should perform the following steps:

1. Click on the Open Questionnaire link to open a web browser window with the questionnaire.

2. Team members will be presented with the questionnaire. Provide responses to each question until the final question is completed.

   

3. Instead of seeing a “submit” button once the final question is answered, team members will need to click on the “summary” button. This screen provides a summary of all of the responses that were provided for the team member to review. The final “submit” button can be found on the summary screen.

   

4. Submit the questionnaire. A confirmation screen will be presented.