https://handbook.gitlab.com/tags/security_standard_acia/ Recent content in Security_standard_acia on The GitLab Handbook Hugo en-US https://handbook.gitlab.com/handbook/security/corporate/end-user-services/access-requests/ Mon, 01 Jan 0001 00:00:00 +0000 https://handbook.gitlab.com/handbook/security/corporate/end-user-services/access-requests/ <span class="gl-label gl-label-text-light" style=" --label-background-color: #E24329; --label-inset-border: inset 0 0 0 2px #E24329; " > <span class="gl-link gl-label-link"> <span class="gl-label-text"> Visibility: Audit </span> </span> </span> <p>Access Requests are owned by the IT team, while onboarding, offboarding and internal transition requests are owned by the People Operations Team.</p> <p>If you have any access requests related questions, please reach out to #it_help or the tool provisioner in Slack.</p> <h2 id="access-requests-related-pages">Access requests related pages<a class="td-heading-self-link" href="#access-requests-related-pages" aria-label="Heading self-link"></a></h2> <ul> <li><a href="https://handbook.gitlab.com/handbook/security/corporate/end-user-services/access-requests/#application-specific-templates">Frequently asked questions</a></li> <li><a href="https://gitlab.com/gitlab-com/www-gitlab-com/-/blob/master/data/tech_stack.yml">Tech Stack</a></li> <li><a href="https://internal.gitlab.com/handbook/security/corporate/end-user-services/access-request/baseline-entitlements/">Baseline Entitlements</a></li> <li><a href="https://internal.gitlab.com/handbook/security/corporate/end-user-services/access-request/temporary-service-providers/">Temporary service providers access requests and onboarding</a></li> </ul> <h2 id="get-started">Get Started<a class="td-heading-self-link" href="#get-started" aria-label="Heading self-link"></a></h2> <p>All open and closed ARs can be found in the <a href="https://gitlab.com/gitlab-com/team-member-epics/access-requests/-/issues/">access-requests project</a>, and you can create a new issue <a href="https://gitlab.com/gitlab-com/team-member-epics/access-requests/-/issues/new">here</a>.</p> https://handbook.gitlab.com/handbook/security/security-assurance/security-compliance/access-reviews/ Mon, 01 Jan 0001 00:00:00 +0000 https://handbook.gitlab.com/handbook/security/security-assurance/security-compliance/access-reviews/ <span class="gl-label gl-label-text-light" style=" --label-background-color: #E24329; --label-inset-border: inset 0 0 0 2px #E24329; " > <span class="gl-link gl-label-link"> <span class="gl-label-text"> Visibility: Audit </span> </span> </span> <h2 id="purpose">Purpose<a class="td-heading-self-link" href="#purpose" aria-label="Heading self-link"></a></h2> <p>GitLab&rsquo;s user access review is an important control activity required for internal and external IT audits, helping to minimize threats, and provide assurance that the right people have the right access to critical systems and infrastructure. This procedure details process steps and provides control owner guidance for access reviews.</p> <h3 id="benefits-to-the-organization">Benefits to the organization<a class="td-heading-self-link" href="#benefits-to-the-organization" aria-label="Heading self-link"></a></h3> <ul> <li>Reduces security risk</li> <li>Identifies dormant and/or disabled accounts</li> <li>Ensures only required team members have access to a system</li> <li>Validates users who have changed roles have not retained access no longer relevant</li> <li>Ensures terminated team members no longer can access company systems</li> <li>Supports GitLab compliance and regulatory requirements which maintains customer trust</li> </ul> <h2 id="scope">Scope<a class="td-heading-self-link" href="#scope" aria-label="Heading self-link"></a></h2> <h3 id="in-scope-systems">In-Scope Systems<a class="td-heading-self-link" href="#in-scope-systems" aria-label="Heading self-link"></a></h3> <p>Security Compliance performs Access Reviews for in-scope systems based on a subset of factors. Including:</p> https://handbook.gitlab.com/handbook/security/policies_and_standards/password-standard/ Mon, 01 Jan 0001 00:00:00 +0000 https://handbook.gitlab.com/handbook/security/policies_and_standards/password-standard/ <span class="gl-label gl-label-text-light" style=" --label-background-color: #E24329; --label-inset-border: inset 0 0 0 2px #E24329; " > <span class="gl-link gl-label-link"> <span class="gl-label-text"> Visibility: Audit </span> </span> </span> <h2 id="purpose">Purpose<a class="td-heading-self-link" href="#purpose" aria-label="Heading self-link"></a></h2> <p>This document outlines information security password standards intended to protect GitLab information systems and other resources containing confidential (Red and Orange) GitLab data from unauthorized use, where technically feasible.</p> <h2 id="scope">Scope<a class="td-heading-self-link" href="#scope" aria-label="Heading self-link"></a></h2> <p>Applies to all GitLab team members, contractors, advisors, and contracted parties interacting with GitLab computing resources and accessing confidential data.</p> <h2 id="roles--responsibilities">Roles &amp; Responsibilities<a class="td-heading-self-link" href="#roles--responsibilities" aria-label="Heading self-link"></a></h2> <table> <thead> <tr> <th>Role</th> <th>Responsibility</th> </tr> </thead> <tbody> <tr> <td>GitLab Team Members</td> <td>Responsible for adhering to the requirements outlined in this standard</td> </tr> <tr> <td>Security</td> <td>Responsible for defining and monitoring implementation of these standards for critical applications</td> </tr> <tr> <td>Security Management (Code Owners)</td> <td>Responsible for approving significant changes and exceptions to these standards</td> </tr> </tbody> </table> <h2 id="standard">Standard<a class="td-heading-self-link" href="#standard" aria-label="Heading self-link"></a></h2> <p>Constructing secure passwords and ensuring proper password management is essential. GitLab&rsquo;s password standards are based, in part, on the recommendations by <a href="https://pages.nist.gov/800-63-3/sp800-63b.html">NIST 800-63B</a>. To learn what makes a password truly secure, read this <a href="https://medium.com/peerio/how-to-build-a-billion-dollar-password-3d92568d9277">article</a> or watch this <a href="https://www.youtube.com/watch?v=vudZnjp5Uq0&amp;t=19183">conference presentation</a> on password strength.</p>