Security Assurance

Overview

As part of the Security department, the Security Assurance sub-department provides GitLab customers with a high level of assurance around the security of GitLab SaaS service offerings.

There are five teams in the Security Assurance sub-department.

Security Assurance Sub-Department

  • Governance & Field Security
  • Security Compliance
  • Security Risk

Core Competencies

Field Security Core Competencies

Security Governance Core Competencies

Security Risk Core Competencies

Security Compliance, Commercial Core Competencies

Security Compliance, Dedicated Core Competencies

Core Tools and Systems

The Security Assurance sub-department utilizes a variety of tools to carry out day-to-day activities. The system admin is responsible for the following:

  • Configuration changes
  • Onboarding/offboarding/transfers (i.e., access)
  • Upgrades/patching/incidents
  • Migrations to new environments
  • Restores from backup
  • Admin level audit evidence
  • Quality oversight (limited scope)

All other actions are the responsibility of the assigned DRI.

System Name: Hyperproof
System Description: Key system utilized for initiating, tracking/documenting, and completing Governance, Risk, and Compliance related activities.
Admin: Donovan Felton
DRI: Security Compliance - Madeline Lake; Security Risk - Ty Dilbeck

System Name: Authomize
System Description: Key system utilized by Security Compliance for User Access Reviews.
Admin: Alex Frank
DRI: Platform - Alex Frank; Custom Connectors - Byron Boots

System Name: Safebase
System Description: Trust center solution to host security collateral for customers to request.
Admin: Donovan Felton
DRI: Joe Longo

System Name: ProofPoint
System Description: Key system utilized for the creation and distribution of our security training and phishing simulations, providing ongoing testing for adherence to various compliance frameworks.
Admin: Donovan Felton
DRI: Joe Longo

System Name: BitSight
System Description: BitSight is used to assess and monitor software vendors as part of our Security Third Party Risk Management Program.
Admin: Ryan Lawson
DRI: Ty Dilbeck

System Name: GitLab - Security Assurance Projects
System Description: Primarily used to engage stakeholders via issues, updates to Security Assurance related handbook pages, etc.
Admin: Security Assurance Senior Director
DRI: Each team is responsible for its own projects, but everyone can contribute.

Contacting the Team

Team READMEs

References

Check out these great security resources built with our customers in mind:


Automation and Compliance
Purpose: The goal of this handbook page is to document the goals and priorities for the automation in compliance within the Security Compliance team at GitLab. Automations are built and enabled through the support of GitLab's Security Assurance Automation team for technical implementations. Core Focuses: Support the business by automating security processes, compliance controls, and finding automation efficiencies. Develop and maintain automated solutions that enhance our security posture, streamline compliance efforts, and provide continuous monitoring of our systems and infrastructure.
Control Health and Effectiveness Rating (CHER) Procedure
Control Health and Effectiveness Ratings (CHER) determine a GitLab Security Control's overall control health and effectiveness.
Field Security Team
Governance and Field Security team charter. Field Security Team: The Field Security team serves as the public representation of GitLab's internal Security function. Our vision is to be the leading example in collaborative and transparent Customer Assurance Programs. Our mission is to empower the GitLab community with confidence and trust that their data is protected with high levels of security assurance to drive revenue growth. We partner with our fellow GitLab team members and customers to provide a pathway to yes!
Governance and Field Security Team Charter
Governance and Field Security Team Charter
Observation Creation Procedure
This procedure details the creation process for observations.
Observation Remediation
This details the remediation process for observations.
Production Readiness: Compliance Assessment
The Compliance Production Readiness Assessment is a process designed to make it clear what obligations systems owners have for configuring and hardening a system/tool/service in order for GitLab to meet its compliance and regulatory obligations.
Security Compliance Commercial Team
Security Compliance, Commercial Team Page
Security Compliance, Dedicated Markets Team
Security Compliance (Dedicated Markets) Mission: Our mission is to advance customer trust with a focus on customers operating in highly regulated industries or who otherwise have unique security and compliance requirements. We will accomplish this mission by: enabling GitLab Dedicated to be the most trusted DevSecOps offering in the market, demonstrated by security certifications and attestations; achieving and maintaining industry-specific security certifications such as FedRAMP and FIPS 140-2 compliance for the U.
Security Governance Program
Security Governance Program
Security Risk Team
Security Risk Team
Security Terms Glossary
A glossary of common Security Terms that may be encountered in Security Assurance documentation.
System Risk Scoring Procedure
This procedure details the process for determining System Risk Score.
Technical and Organizational Security Measures for GitLab Cloud Services
Technical and Organizational Security Measures for GitLab Cloud Services
Technical Security Validation
Technical Security Validation