Commit b684cdaf authored by Jeff Martin
Add Corporate Security handbook pages

parent df0b3604
1 merge request: !5649 Add Corporate Security handbook pages
Showing 723 additions and 0 deletions
---
title: Corporate Security (CorpSec)
---
👋 Welcome to Corporate Security, we're glad you're here! You may also know us as the former IT Operations team that moved from the Finance to Security division in early 2024.
## Need Help?
Please try exploring the following pages to see if your question has been answered in the handbook pages. If not, please ask in the `#it_help` channel and one of our Support Analysts will reply as soon as possible.
- [CorpSec Onboarding 101 Guide](/handbook/security/corporate/support/onboarding)
- [CorpSec Support Guide](/handbook/security/corporate/support)
- [CorpSec Services](/handbook/security/corporate/services)
- [CorpSec Systems and Tech Stack Apps](/handbook/security/corporate/systems)
- [Internal Handbook](https://internal.gitlab.com/handbook/security/corporate)
- [System Administration and Runbooks Handbook](https://handbook.gitlab.systems)
- Ask in the `#it_help` Slack channel
## What We Do
### Mission
[Security Division Mission](/handbook/security/#i-classfas-fa-rocket-idbiz-tech-iconsi-security-vision-and-mission)
As a remote company, we do not have office buildings, physical datacenters, or other traditional IT environments. All of our team members are issued a laptop that they use to work from home or on the road. Although our engineering and product teams are building software that is deployed on AWS and GCP, almost all of our corporate software is vendor-managed software-as-a-service (SaaS). Although this results in a simpler physical threat landscape, the cybersecurity threat landscape is vast and still requires a lot of attention to do it right.
Our mission is to empower our employees to be productive with the technology provided by the business, enable the business to be successful, protect our customers and their data, and provide internal security for GitLab (the company) and our team member's use of GitLab (the product).
GitLab is both a company and a product. The Corporate Security department focuses on protecting the technology that the company uses to conduct business internally, and provides the hardware, software, and tools that our team members need to get their job done. We have a 24x5 technical support helpdesk for team members and have engineers that configure and maintain many of our company-wide tech stack applications. We also invest heavily in device trust and identity management to provide the highest level of security assurance for the administrators of our product and ensure all appropriate controls are in place when handling customer data.
### Prime Directive
- Safeguard our organization's digital assets, ensuring the integrity, confidentiality, and availability of all data.
- Implement robust security measures, fostering a culture of awareness and compliance among employees, and continuously monitoring and enhancing our information technology systems to protect against evolving threats.
- Leverage the GitLab platform (dogfooding) to assist us in the securing of GitLab.
- Provide reliable, secure and efficient IT and Security engineering, innovation, and services built on Zero Trust principles to support cross-functional organizational goals
### Scope
- Architecting next-generation automation and integration between security-related systems that provides data consistency, reliability, strong security, and auditability.
- Building relationships with cross-department system owners and proposing solutions to ensure our tech stack applications conform to our latest security best practices
- Consolidating and refactoring legacy tech debt
- Designing processes and choosing software tools that improve back office automation or mitigate security risks
- Escalation engineering and crisis response for leadership teams
- Factor in cost, security, compatibility, maintainability and user experience when making decisions
- Growing other team members’ skill sets through mentorship to improve operational efficiency and encourage professional development
- Handbook documentation for processes and systems architecture
- Identity and access management (IAM)
- Joint collaboration with process and system owners across the company for improving automation efficiency, security posture, and vulnerability management
- Keeping leaders and stakeholders informed of next-gen initiatives and contributing to creating automated analytics for day-to-day IT and Security operations
- Leading innovation opportunities between several teams with a willingness to experiment and to boldly confront problems of large complexity and scope
- Making technical decisions on behalf of the department and organization while providing presentation support to leaders during technical discussions
- New tech stack (vendor) application onboarding and provisioning
- Onboarding provisioning, offboarding deprovisioning
- Policy and configuration management for organization-wide applications and systems that we manage
- Role-based access control (RBAC)
- Shipping laptops to new team members and refreshing older models
- Tech support for team members and temporary service providers
- User experience and productivity optimization for internal software and tools
- Vulnerability and malware risk mitigation
- Workflow automation for employee lifecycle
- X-Men, we are. Always be saving the day with a smile on your face!
- Yesterday's problems are tomorrow's opportunities for iteration
- Zero trust implementation
### Direction and Strategy
- (Internal) [CISO Multi-Year Information Security Goals and Priorities](https://internal.gitlab.com/handbook/security/information_security_goals_and_priorities/)
- (Internal) [CorpSec Direction and Strategy](https://internal.gitlab.com/handbook/security/corporate/direction)
- (Internal) [CorpSec OKRs and Roadmap](https://internal.gitlab.com/handbook/security/corporate/roadmap)
- (Internal) [CorpSec Projects and Initiatives](https://internal.gitlab.com/handbook/security/corporate/projects)
- [Security Division OKRs](/handbook/security/okr/)
- (Internal) [Corporate Security Epics List](https://gitlab.com/groups/gitlab-com/gl-security/corp/-/epics?state=opened&page=1&sort=start_date_desc)
- (Internal) [Corporate Security Epics Gantt Chart](https://gitlab.com/groups/gitlab-com/gl-security/corp/-/roadmap?state=opened&sort=START_DATE_ASC&layout=QUARTERS&timeframe_range_type=THREE_YEARS&progress=WEIGHT&show_progress=true&show_milestones=false&milestones_type=ALL&show_labels=true)
- (Internal) [CorpSec Issue Tracker](https://gitlab.com/gitlab-com/gl-security/corp/issue-tracker/-/issues)
- [How We Work](/handbook/security/corporate/how-we-work)
### Services
- 👀 **Please see [CorpSec Support](/handbook/security/corporate/support) if you are looking for help.**
- 📚 [Applications and Systems](/handbook/security/corporate/systems)
- 🛟 [Helpdesk Services](/handbook/security/corporate/services/helpdesk)
- 🔐 [Access Requests](/handbook/security/corporate/services/access-requests)
- 💻 [Laptop and Logistics Services](/handbook/security/corporate/services/laptops)
- 🛬 [Onboarding](/handbook/security/corporate/services/onboarding)
- 🛫 [Offboarding](/handbook/security/corporate/services/offboarding)
- 🧑‍💻 [Tech Support (for Team Members)](/handbook/security/corporate/support/)
- [Infrastructure Services](/handbook/security/corporate/services/infrastructure)
### Engineering
- 📋 [How We Work](/handbook/security/corporate/how-we-work)
- 💻 [Device Trust Engineering](/handbook/security/corporate/engineering/device-trust)
- 🔐 [Identity Engineering](/handbook/security/corporate/engineering/identity)
- [Infrastructure Engineering](/handbook/security/corporate/engineering/infrastructure)
- 🏗 [Platform Engineering](/handbook/security/corporate/engineering/platform)
- 👷 [SaaS Engineering](/handbook/security/corporate/engineering/saas)
## Who We Are
See the [Team Directory](/handbook/security/corporate/team).
### Contact Us
- [Tier 1 Self Service](/handbook/security/corporate/support/#tier-1-self-service)
- [Tier 2 Helpdesk Support](/handbook/security/corporate/support/#tier-2-helpdesk-support)
- [Tier 3 Escalation and Systems Engineering](/handbook/security/corporate/support/#tier-3-escalation-and-systems-engineering)
- [Tier 4 Automation Engineering](/handbook/security/corporate/support/#tier-4-automation-engineering)
- [Tier 5 Architecture and Crisis Management](/handbook/security/corporate/support/#tier-5-architecture-and-crisis-management)
- [CorpSec Issue Tracker](https://gitlab.com/gitlab-com/gl-security/corp/issue-tracker/-/issues)
- Engineers and System Owners - See [CorpSec Systems](/handbook/security/corporate/systems) for GitLab group handle and Slack group handle.
- `#corpsec` Slack Channel (for technical support, please ask in `#it_help`)
- Helpdesk Team
  - `#it_help` Slack Channel
  - `@it-help` Slack group
  - `it-help [at] gitlab [dot] com`
  - `@gitlab-com/gl-security/corp/services`
- Management Team
  - `@gitlab-com/gl-security/corp/managers`
  - Tag the respective [functional team manager](/handbook/security/corporate/team) or director in Slack.
    - Director - Steve Manzuik
    - Program Management - Steve Manzuik, Kim Waters
    - Device Trust - Eric Rubin
    - Helpdesk Support - Michael Beltran
    - Infrastructure - Jeff Martin
    - Laptops and Logistics - Michael Beltran
    - Onboarding and Offboarding Day-to-Day Operations (Helpdesk Services) - Michael Beltran
    - Onboarding and Offboarding Policy and Strategy (Identity Engineering) - David Zhu
    - Platform Engineering (Custom Software Development) - Jeff Martin
    - SaaS Engineering - David Zhu, Eric Rubin
    - Sensitive Data or Employment Requests - Michael Beltran
---
title: Google Workspace Deprovisioning
---
IT Ops has an automated workflow that is triggered by a notification from PeopleOps of a team member offboarding. The workflow is composed of two parts, outlined below. The first part happens within 1 hour of the offboarding. The second part occurs 90 days after the offboarding. Throughout this 90-day period the workflow sends notifications to let the former team member's manager know that the final deadline is approaching.
#### These are the steps that follow immediately upon termination of a team-member
- The former team-member (FTM) is removed from all Google groups
- The former team-member (FTM) is locked from access to their laptop
- The former team-member (FTM) is removed from access to all GitLab provisioned services linked to their Okta account
- The former team-member (FTM) is removed from access to all GitLab provisioned services not linked to their Okta account
- Unless there is a legal hold on their laptop, the laptop is securely wiped
- The FTM’s manager is set up as a delegate to their Gmail and Google Calendar
- The FTM’s manager gains editor privileges to all “My Drive” Google Drive Files
- The FTM’s account is moved to the Former Team Members OU
- The FTM’s account is removed from the Global Address List
- All of the account’s sign in cookies/sessions are cleared and the account password is reset to a random 64 character password
- The account’s recovery email is set to null
- The account’s recovery phone number is set to null
- The FTM’s auto-response email message is set up
#### These are the steps that follow after the Former Team Member has been gone for 90 days
- All of the former team-member (FTM) aliases are removed
- All Google Drive files in the user's My Drive that they own are archived
  - These are saved in the Offboarded Users Drive Archive
  - Each user has their own folder, named in the following format: `<emailUsername>_google_drive`
- The FTM’s account is suspended
- The FTM’s account is moved to the NoGSuiteLicense OU
- The Google Workspace License is removed from the account
#### The following notifications will be sent out to the FTM’s manager and IT over Slack
**Immediate Slack notification:**
> Hello `<Manager Firstname> <Manager Lastname>`, you are receiving this notification to let you know that one of your direct reports `<Firstname> <LastName>` has been deprovisioned from GitLab’s Google Workspace. In keeping with our standard offboarding policy you will receive a copy of this user’s Google Drive data as well as delegated access to their email and calendar account. This delegate access will remain available to you for 90 days, after which the account will be closed and all data will be archived. Please be sure to copy anything you wish to keep to your own account before this time. For more information about how to access this data please see information in this Handbook page (provide link).
>
> You will receive another notification 30 days before and then a final notification 1 week before this account is closed. If you have any questions about this process, or need assistance with accessing the data, please feel free to reach out to the Corp IT team in the #it_help Slack channel.
**30-day Slack notification:**
> Hello `<Manager Firstname> <Manager Lastname>`, you are receiving this notification to let you know that one of your direct reports `<Firstname> <LastName>` was deprovisioned from GitLab’s Google Workspace 60 days ago. In keeping with our standard offboarding policy you will continue to have delegated access to their email and calendar account for another 30 days, after which the account will be closed and all data will be archived. Please be sure to copy anything you wish to keep to your own account before this time. For more information about how to access this data please see information in this Handbook page (provide link).
>
> You will receive another notification 1 week before this account is closed. If you have any questions about this process, or need assistance with accessing the data, please feel free to reach out to the Corp IT team in the #it_help Slack channel.
**7-day Slack notification:**
> Hello `<Manager Firstname> <Manager Lastname>`, you are receiving this notification to let you know that one of your direct reports `<Firstname> <LastName>` was deprovisioned from GitLab’s Google Workspace 83 days ago. In keeping with our standard offboarding policy you will continue to have delegated access to their email and calendar account for another 7 days, after which the account will be closed and all data will be archived. Please be sure to copy anything you wish to keep to your own account before this time. For more information about how to access this data please see information in this Handbook page (provide link).
>
> This is the final notification. If you have any questions about this process, or need assistance with accessing the data, please feel free to reach out to the Corp IT team in the #it_help Slack channel.
**Final Slack notification:**
> The GitLab Google Workspace account for `<Firstname> <LastName>` has been archived after 90 days as per our standard offboarding policy.
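The timeline above is easy to get wrong when the workflow is re-run (for example after a failed step), so here is an added reference model of it, written for this handbook page and not the CorpSec automation itself. It computes which steps and manager notifications are due at a given time and filters out the ones already recorded as completed, so repeated runs are idempotent; the action names, the `actions_at_day` helper and the sample email are assumptions for the example.

```python
"""Reference model of the 90-day Google Workspace deprovisioning timeline.

Added example, not the production workflow. Action names are labels for an
orchestrator to act on, not Google Admin API calls.
"""
import secrets
import string
from datetime import datetime, timedelta, timezone

RETENTION_DAYS = 90             # account is closed and archived after 90 days
NOTIFY_DAYS_BEFORE = (30, 7)    # reminders go out 30 and 7 days before closure
PASSWORD_LENGTH = 64            # policy: reset to a random 64 character password

# Steps that must happen within 1 hour of the offboarding notification.
IMMEDIATE_STEPS = (
    "remove_google_groups", "lock_laptop", "revoke_okta_linked_services",
    "revoke_non_okta_services", "wipe_laptop_unless_legal_hold",
    "delegate_gmail_and_calendar_to_manager", "grant_manager_drive_editor",
    "move_to_former_team_members_ou", "remove_from_global_address_list",
    "clear_sessions_and_reset_password", "clear_recovery_email",
    "clear_recovery_phone", "set_auto_responder",
)
# Steps that run once the former team member has been gone for 90 days.
FINAL_STEPS = (
    "remove_aliases", "archive_my_drive_owned_files", "suspend_account",
    "move_to_nogsuitelicense_ou", "remove_workspace_license",
)


def random_password(length=PASSWORD_LENGTH):
    """Cryptographically random replacement password (CSPRNG, not random.choice)."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


def archive_folder(email):
    """Folder name in the Offboarded Users Drive Archive: <emailUsername>_google_drive."""
    username = email.split("@", 1)[0]
    return f"{username}_google_drive"


def due_actions(offboarded_at, now, completed=frozenset()):
    """Every step and notification that is due at `now` and not yet in `completed`.

    Nothing is due before the offboarding time. Once an action is recorded as
    completed it never reappears, so an orchestrator can call this on every run.
    """
    elapsed_days = (now - offboarded_at) / timedelta(days=1)
    if elapsed_days < 0:
        return []
    due = list(IMMEDIATE_STEPS) + ["notify_manager_immediate"]
    for days_before in NOTIFY_DAYS_BEFORE:
        # 30 days before closure is day 60, 7 days before closure is day 83
        if elapsed_days >= RETENTION_DAYS - days_before:
            due.append(f"notify_manager_{days_before}_days_before_closure")
    if elapsed_days >= RETENTION_DAYS:
        due.extend(FINAL_STEPS)
        due.append("notify_manager_final")
    return [action for action in due if action not in completed]


def actions_at_day(days, completed=frozenset()):
    """Convenience wrapper using a constructed offboarding timestamp (assumed)."""
    offboarded_at = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    return due_actions(offboarded_at, offboarded_at + timedelta(days=days), completed)


if __name__ == "__main__":
    print("day 0:", actions_at_day(0))
    print("day 83:", actions_at_day(83, completed=frozenset(IMMEDIATE_STEPS)))
    print("archive folder:", archive_folder("jdoe@example.com"))
```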
---
title: CorpSec Helpdesk Slack Issue Automation
---
## Overview
When you ask for help in the `#it_help` channel, this automation creates a new GitLab issue that serves as a long-term record of your support request, while keeping the ease-of-use of a Slack thread.
Each comment in the Slack thread is added to the GitLab issue.
This allows us to dogfood GitLab, and to link to related GitLab issues if additional triage is needed or when we are cross-linking the audit trail of change management activity, laptop requests, etc.
## Technical Details
[IT-Help Slack Issue Creator wiki](https://gitlab.com/groups/gitlab-com/it/end-user-services/-/wikis/IT-Help-Slack-Issue-Creator/How-To-Use)
The script scans the IT help Slack channel and performs the following actions:
- Creates a new GitLab issue if a user adds an 👀 reaction to a message and the issue has not been created yet.
- Closes the GitLab issue if a user adds a check mark (✔) reaction and the issue has been created but not closed.
- Reopens the GitLab issue if it has been closed, but the check mark reaction is removed.
- Adds system labels to the GitLab issue based on specific emoji reactions in the Slack channel.
- Parses the Slack thread and adds comments to the related GitLab issue.
- Adds comments from the GitLab issue to the Slack thread.
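The reaction rules above form a small state machine per Slack thread; the following is an added model of that decision logic written for this page, not the IT-Help Slack Issue Creator's own code. The Slack emoji names, the reaction-to-label map and the fake issue iid counter are assumptions for the example; the point is that each rule checks the current issue state first, so a duplicate 👀 never creates a second issue and a ✔ before any issue exists does nothing.

```python
"""Decision logic for a reaction-driven Slack-to-GitLab issue bridge (added example)."""
from dataclasses import dataclass, field
from typing import Optional

EYES = "eyes"                 # 👀 reaction: create the issue (assumed Slack name)
CHECK = "heavy_check_mark"    # ✔ reaction: close / reopen the issue (assumed Slack name)
# Constructed mapping of reaction name -> GitLab system label (assumed for the example).
LABEL_REACTIONS = {
    "key": "corpsys-okta-user",
    "computer": "corpsys-jamf",
}


@dataclass
class ThreadState:
    """What the bridge knows about one Slack thread."""
    issue_iid: Optional[int] = None          # set once the GitLab issue exists
    closed: bool = False
    labels: set = field(default_factory=set)


def decide(state, event, emoji=None):
    """Return the GitLab action for one Slack event, or None if nothing should happen.

    `event` is "reaction_added", "reaction_removed" or "reply" (a thread comment).
    Every rule is guarded by the current state so replaying events is safe.
    """
    if event == "reaction_added":
        if emoji == EYES and state.issue_iid is None:
            return ("create", None)            # iid is assigned when GitLab answers
        if state.issue_iid is None:
            return None                        # nothing to act on until an issue exists
        if emoji == CHECK and not state.closed:
            return ("close", state.issue_iid)
        label = LABEL_REACTIONS.get(emoji)
        if label and label not in state.labels:
            return ("label", label)
        return None
    if event == "reaction_removed":
        if emoji == CHECK and state.issue_iid is not None and state.closed:
            return ("reopen", state.issue_iid)
        return None
    if event == "reply":
        return ("comment", state.issue_iid) if state.issue_iid is not None else None
    return None


def apply(state, action):
    """Record the effect of an action that GitLab accepted."""
    kind, arg = action
    if kind == "create":
        state.issue_iid = arg
    elif kind == "close":
        state.closed = True
    elif kind == "reopen":
        state.closed = False
    elif kind == "label":
        state.labels.add(arg)
    # "comment" changes nothing in the local thread state
    return state


def run_thread(events, first_iid=100):
    """Replay (event, emoji) tuples for one thread; return (state, actions taken).

    The iid counter stands in for the id GitLab would return on issue creation.
    """
    state = ThreadState()
    actions = []
    next_iid = first_iid
    for event, emoji in events:
        action = decide(state, event, emoji)
        if action is None:
            continue
        if action[0] == "create":
            action = ("create", next_iid)
            next_iid += 1
        apply(state, action)
        actions.append(action)
    return state, actions


if __name__ == "__main__":
    # Constructed event sequence: 👀 twice, a reply, ✔ added then removed, a label reaction.
    final_state, taken = run_thread([
        ("reaction_added", EYES), ("reaction_added", EYES), ("reply", None),
        ("reaction_added", CHECK), ("reaction_removed", CHECK), ("reaction_added", "key"),
    ])
    print(taken, final_state)
```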
---
title: CorpSec Direction
---
Thank you for your interest in the direction of Corporate Security. See the internal handbook for our [direction](https://internal.gitlab.com/handbook/security/corporate/direction) and [roadmap with OKRs](https://internal.gitlab.com/handbook/security/corporate/direction).
---
title: CorpSec Engineering
---
The Engineering team members are organized functionally based on the category of tech stack applications that we manage.
## System Owners
<table>
<thead>
<tr>
<th>Functional Team</th>
<th>Systems</th>
<th>Managers</th>
<th>Engineers</th>
</tr>
</thead>
<tbody>
<tr>
<td><strong>(Corporate) SaaS<br>Engineering</strong></td>
<td>
<a href="/handbook/security/corporate/systems/1password">1Password</a><br>
<a href="/handbook/security/corporate/systems/gitlab">GitLab.com IAM Policies</a><br>
<a href="/handbook/security/corporate/systems/google/app">Google Apps</a><br>
<a href="/handbook/security/corporate/systems/google/cal">Google Calendar</a><br>
<a href="/handbook/security/corporate/systems/google/drive">Google Drive</a><br>
<a href="/handbook/security/corporate/systems/google/group">Google Groups</a><br>
<a href="/handbook/security/corporate/systems/google/mail">Google Mail</a><br>
<a href="/handbook/security/corporate/systems/google/user">Google Users</a><br>
<a href="/handbook/security/corporate/systems/google/workspace">Google Workspace (Org)</a><br>
<a href="/handbook/security/corporate/systems/nira">Nira</a><br>
<a href="/handbook/security/corporate/systems/okta/app">Okta Applications</a><br>
<a href="/handbook/security/corporate/systems/okta/group">Okta Groups</a><br>
<a href="/handbook/security/corporate/systems/okta/user">Okta Users</a><br>
<a href="/handbook/security/corporate/systems/okta/workflows">Okta Workflows</a><br>
Service Accounts<br>
<a href="/handbook/security/corporate/systems/slack">Slack</a><br>
<a href="/handbook/security/corporate/systems/zoom">Zoom</a><br>
</td>
<td>
<code>EM</code> David Zhu<br>
<code>EM</code> Eric Rubin<br>
<code>PM</code> Kim Waters<br>
<code>Staff</code> Mark Loveless
</td>
<td>
Adam Huss<br>
Clayton Shank<br>
Erik Lentz<br>
Jacob Waters<br>
Justin Bisutti<br>
Marcus Whitaker<br>
Mohammed Al Kobaisy<br>
</td>
</tr>
<tr>
<td><strong>Device Trust<br>Engineering</strong></td>
<td>
<a href="/handbook/security/corporate/systems/drivestrike">DriveStrike</a><br>
<a href="/handbook/security/corporate/systems/jamf">Jamf MDM</a><br>
<a href="/handbook/security/corporate/services/phones">Mobile Devices</a><br>
<a href="/handbook/security/corporate/systems/vpn">NordLayer VPN</a><br>
<a href="/handbook/security/corporate/systems/okta/verify">Okta Verify</a><br>
<a href="/handbook/security/corporate/systems/sentinelone">SentinelOne EDR</a><br>
<a href="/handbook/security/corporate/services/laptops/security/updates">Software Updates</a><br>
<a href="/handbook/security/corporate/systems/yubikey">YubiKey</a><br>
</td>
<td>
<code>EM</code> Eric Rubin<br>
<code>PM</code> Kim Waters<br>
<code>Staff</code> Mark Loveless
</td>
<td>
Adam Huss<br>
Clayton Shank<br>
Justin Bisutti<br>
</td>
</tr>
<tr>
<td><strong>Identity<br>Engineering</strong></td>
<td>
ABAC and RBAC<br>
AuthN and AuthZ Policies<br>
Identity Governance (IGA)<br>
No Code Automation<br>
Onboarding<br>
Offboarding<br>
Role Entitlements<br>
</td>
<td>
<code>EM</code> David Zhu<br>
<code>PM</code> Kim Waters<br>
<code>Staff</code> Jeff Martin
</td>
<td>
Erik Lentz<br>
Jacob Waters<br>
Marcus Whitaker<br>
Mohammed Al Kobaisy<br>
</td>
</tr>
<tr>
<td>
<strong>Infrastructure<br>Engineering</strong><br>
<br>
<small>Related <a href="/handbook/security/corporate/how-we-work/services/infrastructure">Infrastructure Services</a></small>
</td>
<td>
<a href="/handbook/security/corporate/systems/aws">AWS</a><br>
<a href="/handbook/security/corporate/systems/azure">Azure</a><br>
<a href="/handbook/security/corporate/systems/dns">DNS</a><br>
<a href="/handbook/security/corporate/systems/domains">Domain Names</a><br>
<a href="/handbook/security/corporate/systems/google/cloud">Google Cloud</a><br>
Tech Debt Cleanup<br>
<a href="/handbook/security/corporate/systems/teleport">Teleport Bastion</a><br>
</td>
<td>
<code>EM (Acting)</code> Jeff Martin<br>
<code>PM</code> Kim Waters<br>
<code>Staff</code> Jeff Martin
</td>
<td>
Mohammed Al Kobaisy<br>
Vlad Stoianovici<br>
</td>
</tr>
<tr>
<td>
<strong>Platform Engineering</strong><br>(Self-Service Internal<br>Provisioning Software)<br>
<br>
<small>Related <a href="/handbook/customer-success/demo-systems">Demo Systems</a></small><br>
<small>Related <a href="/handbook/security/corporate/services/infrastructure">Sandbox Cloud</a></small>
</td>
<td>
<a href="/handbook/security/corporate/systems/accesschk">Access Check (accesschk)</a><br>
<a href="/handbook/security/corporate/systems/accessctl">Access Control (accessctl)</a><br>
<a href="/handbook/security/corporate/systems/demosys">Demo Systems (gitlabdemo.com/cloud)</a><br>
<a href="/handbook/security/corporate/systems/hackystack">HackyStack</a><br>
<a href="https://gitlab.com/provisionesta">Provisionesta Open Source Packages</a><br>
<a href="/handbook/security/corporate/systems/handbook">Systems Administration Handbook</a><br>
<a href="/handbook/security/corporate/systems/trainingctl">Training Systems (trainingctl)</a><br>
<a href="/handbook/security/corporate/systems/">(Corporate) Terraform Config Mgmt</a><br>
</td>
<td>
<code>Staff</code> Jeff Martin
</td>
<td>
Jeff Martin<br>
AJ Romaniello (People Ops)<br>
Byron Boots (Sec Assurance)<br>
James Sandlin (Sec Assurance)<br>
Jacob Waters (CorpSec Identity)<br>
Logan Stucker (Demo)<br>
Scott Cosentino (Training)<br>
</td>
</tr>
</tbody>
</table>
---
title: CorpSec Device Trust Engineering
---
This is a placeholder page. Please see the links below for any child pages that exist.
---
title: CorpSec Identity Engineering
---
This is a placeholder page. Please see the links below for any child pages that exist.
---
title: CorpSec Infrastructure Engineering
---
This is a placeholder page. Please see the links below for any child pages that exist.
---
title: CorpSec Platform Engineering
---
This is a placeholder page. Please see the links below for any child pages that exist.
---
title: CorpSec SaaS Engineering
---
This is a placeholder page. Please see the links below for any child pages that exist.
---
title: How We Work
---
This is a placeholder page. Please see the links below for any child pages that exist.
---
title: How We Work (Engineering)
---
This is a work in progress.
## Epics
TODO
## Issue Tracker
All issues are created in the [CorpSec issue tracker](https://gitlab.com/gitlab-com/gl-security/corp/issue-tracker/-/issues) for work that either requires significant time to perform, or is configuration and provisioning work that needs an easy-to-discover audit trail. We can also be tagged in other teams' issue trackers for consultative questions and support.
### Due Dates
Due dates are based on the delivery date by CorpSec, not the due date of the requester. Any expectations should be mentioned in the issue description or comments.
For example, the Infrastructure team works on 2 week agile iteration cadences and the due date is set to the last day of the iteration cadence that it was scheduled in. The date may be updated by the engineer as the work is performed to a more accurate date.
### Time Tracking
When issues are prioritized and scheduled to be worked on, they can optionally have a time estimate added (in hours) using `/estimate {##}h`. This allows the engineer to be a manager of one and work on the issue however they see fit by the iteration end date.
As engineers work on issues, they can optionally add `/spent {1.5}h` to keep track of their progress. This is optional and has two benefits:
1. It allows the engineer to validate whether the time estimate was accurate.
2. It surfaces to the management team how much work was put into the issue.
Any issue that an engineer adds time spent to will automatically show up on management and team status reports with the title and time spent. Any issue without time spent will show up on status reports only in the count of issues worked on in a specific project. A best practice is that if an issue takes more than 30-60 minutes, you should consider adding time spent. If something is important and should appear on a status report, then even 5 minutes of time spent can be added.
See [weight](#weight) as an alternative to time tracking.
### Weight
Some engineers do not like tracking their time and just want to see the list of issues to work on.
Instead of time tracking, you can add a weight to share how difficult the issue was to work on.
1. Very Easy/Tiny (<60 Minutes)
2. Not Hard (1-3 Hours)
3. Moderate (3-8 Hours)
4. Harder (6-20 Hours)
5. Very Hard (20+ Hours)
Any issue that an engineer adds a weight to will automatically show up on management and team status reports with the title and weight along with a time estimate if it was set. Any issue without a weight will show up on status reports with the count of issues worked on in a specific project. A best practice is that if it takes more than 30-60 minutes, you should consider adding a weight.
## Labels
### Priority
- `sec-priority::ar` - Business as usual access requests
- `sec-priority::ops` - Business as usual day-to-day requests (non-ARs)
- `sec-priority::p0` - Project Fire Drill
- `sec-priority::p1` - Project in next few weeks
- `sec-priority::p2` - Project this quarter
- `sec-priority::p3` - Project next quarter
- `sec-priority::p4` - Project on wishlist
### Status
- `sec-status::inbox` - This issue is new and has not been evaluated yet.
- `sec-status::backlog` - This issue is in our backlog (see priority).
- `sec-status::scheduled` - This issue has been scheduled to be worked on in an upcoming iteration milestone. A due date is added to the issue with the iteration end date.
- `sec-status::blocked` - This issue has started but is blocked for a technical reason. Blocked issues get the attention of engineers.
- `sec-status::waiting` - This issue has started but is waiting for a business reason or review. Same as "on hold". Waiting issues get the attention of managers.
- `sec-status::wip` - This issue is a work in progress. The engineer will assign this status when they pick it up.
- `sec-status::wip-review` - The work is mostly complete and is waiting on final review or cleanup work by CorpSec.
- `sec-status::done` - This work is done and is almost ready to close once comments are resolved by non-CorpSec team members.
- `sec-status::stale` - For any issues that have become dormant and should be closed, but could be reviewed later and re-opened.
### Team
These labels are subscribed to by the respective team members so that they get notifications for issues without needing to be carbon copied (CC) or mentioned, and are also used on any issue to identify which team is working on it. These labels are included in many issue templates. They can be added to any epic or issue anywhere in `gitlab.com/gitlab-com`. We do not use scoped labels since multiple teams may need to work on the same issue.
These are used for broad teams and not specific systems. Please check if a system label is appropriate to directly notify the system owners.
- `corpsec-device`
- `corpsec-helpdesk`
- `corpsec-identity`
- `corpsec-infra`
- `corpsec-laptop`
- `corpsec-platform`
- `corpsec-saas`
### System
These labels are subscribed to by the respective team members so that they get notifications for issues without needing to be carbon copied (CC) or mentioned, and are also used on any issue to identify which system the issue relates to. They can be added to any epic or issue anywhere in `gitlab.com/gitlab-com`. We do not use scoped labels since multiple systems may be worked on in the same issue.
For broader needs, see the [team](#team) labels.
- `corpsys-1password`
- `corpsys-accessctl`
- `corpsys-aws-billing`
- `corpsys-aws-services`
- `corpsys-aws-sandbox`
- `corpsys-aws-systems`
- `corpsys-aws-dedicated-dev`
- `corpsys-aws-dedicated-prd`
- `corpsys-aws-dedicated-pubsec`
- `corpsys-azure`
- `corpsys-domains`
- `corpsys-dns`
- `corpsys-drivestrike`
- `corpsys-gitlab-com` - gitlab.com
- `corpsys-gitlab-ops` - ops.gitlab.net
- `corpsys-gitlab-dev` - dev.gitlab.org
- `corpsys-gitlab-stg` - staging.gitlab.com
- `corpsys-gitlab-cfg` - cfg.gitlab.systems
- `corpsys-gcp-billing`
- `corpsys-gcp-com` - gitlab.com
- `corpsys-gcp-sandbox` - gitlabsandbox.cloud
- `corpsys-gcp-systems` - gitlab.systems
- `corpsys-gcp-cells-dev` - gitlab-cells.dev
- `corpsys-gcp-cells-prd` - gitlab-cells.com
- `corpsys-gcp-dedicated-dev` - gitlab-private.org
- `corpsys-gcp-dedicated-prd` - gitlab-dedicated.com
- `corpsys-google-app` - Google Apps
- `corpsys-google-cal` - Google Calendar
- `corpsys-google-drive` - Google Drive
- `corpsys-google-group` - Google Groups
- `corpsys-google-org` - Google Workspace Organization Configuration
- `corpsys-jamf`
- `corpsys-linux`
- `corpsys-macos`
- `corpsys-nira`
- `corpsys-okta-app`
- `corpsys-okta-group`
- `corpsys-okta-org`
- `corpsys-okta-user`
- `corpsys-okta-flow`
- `corpsys-sandbox-cloud`
- `corpsys-sentinelone`
- `corpsys-slack`
- `corpsys-yubikey`
- `corpsys-zoom`
### Metric
Since we share the same issue tracker and epics, you can add labels that categorize the type of work to help with reporting on what issues relate to.
- Business as Usual
- `sec-metric::ar`
- `sec-metric::ops`
- Engineering
- `sec-metric::automation` - No-code or script automation work
- `sec-metric::change` - Standardized change management
- `sec-metric::config` - Non-standardized changes or engineering work during normal iteration windows
- `sec-metric::consult` - Consultative questions or support
- `sec-metric::discovery` - Research and discovery work (for assigned initiatives or side projects)
- Initiatives
- `sec-metric::crisis` - Unplanned initiatives that require urgent attention.
- `sec-metric::initiative` - Used for planned large or meta-level issues and epics. Child issues should use `build` or `config` or `testing`.
- `sec-metric::discovery` - Research and discovery work (for assigned initiatives or side projects)
- `sec-metric::build` - Implementation work for initiatives
- `sec-metric::testing` - Testing work for initiatives
### Approvals
- Business or Technical Owner
- `sec-sysowner-review::not-ready`
- `sec-sysowner-review::waiting`
- `sec-sysowner-review::approved`
- Engineer Peer Review
- `sec-peer-review::not-ready`
- `sec-peer-review::waiting`
- `sec-peer-review::approved`
- Post Implementation Review
- `sec-post-review::not-ready`
- `sec-post-review::waiting`
- `sec-post-review::approved`
- Management Approval
- `sec-mgmt-review::not-ready`
- `sec-mgmt-review::waiting`
- `sec-mgmt-review::approved`
---
title: CorpSec Program Management
---
This is a placeholder page. Please see the links below for any child pages that exist.
---
title: How We Work (Services and Support)
---
This is a placeholder page. Please see the links below for any child pages that exist.
---
title: CorpSec Services
---
This is a placeholder page. Please see the links below for any child pages that exist.
---
title: "Access Requests (AR) Services"
---
Access Requests are owned by the Corporate Security Helpdesk team. All onboarding, offboarding and role change (career mobility) requests are owned by the People Connect Team.
If you have any access request related questions, please reach out to `#it_help` in Slack or to the tool provisioner in Slack.
- [FAQs](/handbook/security/corporate/services/ar/faq)
- [Baseline Entitlements](https://internal.gitlab.com/handbook/it/end-user-services/access-request/baseline-entitlements/)
- [Temporary service providers access requests and onboarding](https://internal.gitlab.com/handbook/it/end-user-services/access-request/temporary-service-providers/)
## Issue Trackers
- **Team Members (use this by default):** [Access Request Issue Tracker](https://gitlab.com/gitlab-com/team-member-epics/access-requests/-/issues)
- **Temporary Service Providers:** [Lifecycle Issue Tracker](https://gitlab.com/gitlab-com/temporary-service-providers/lifecycle/-/issues)
- **Employment Onboarding:** [Employment Issue Tracker](https://gitlab.com/gitlab-com/team-member-epics/employment/-/issues/?sort=created_date&state=opened&label_name%5B%5D=onboarding&first_page_size=20)
- **Employment Career Mobility:** [Employment Issue Tracker](https://gitlab.com/gitlab-com/team-member-epics/employment/-/issues/?sort=created_date&state=opened&label_name%5B%5D=career-mobility&first_page_size=20)
- **Employment Offboarding:** [Employment Issue Tracker](https://gitlab.com/gitlab-com/team-member-epics/employment/-/issues/?sort=created_date&state=opened&label_name%5B%5D=offboarding&first_page_size=20)
### Team Member Issue Templates
- Specific Application Requests (use [Individual or Bulk Person Access Request](https://gitlab.com/gitlab-com/team-member-epics/access-requests/-/issues/new?issuable_template=Individual_Bulk_Access_Request) if not listed)
- [Slack, Google Group, 1Password Groups or Vaults](https://gitlab.com/gitlab-com/team-member-epics/access-requests/issues/new?issuable_template=slack_googlegroup_1Passwordgroupvault)
- [PagerDuty](https://gitlab.com/gitlab-com/team-member-epics/access-requests/issues/new?issuable_template=PagerDuty_Access_Request)
- [Tableau](https://gitlab.com/gitlab-com/team-member-epics/access-requests/issues/new?issuable_template=Tableau_Request)
- [ZenDesk Federal Customer Creation](https://gitlab.com/gitlab-com/team-member-epics/access-requests/issues/new?issuable_template=Federal_Customer_Creation)
- Standard Access Requests
- **(Use this by default)** [Individual or Bulk Person Access Request](https://gitlab.com/gitlab-com/team-member-epics/access-requests/-/issues/new?issuable_template=Individual_Bulk_Access_Request): One or multiple people requesting access to systems
- Create one issue for **one or multiple people** to get access to the **same** system
- Create one issue for **one person** to get access to **multiple systems** (checklist)
- Create **multiple issues** (one per system) to grant **multiple people** to the **each (same)** system
- When access is being requested for multiple people who report to different managers but are part of the same department or division, approval can be obtained by the manager at the highest level (ex. Director, Vice President, Division E-Group Leader). Comment approval by cross-functional managers is sufficient since only one manager can apply the approved label.
- [Access Change Request](https://gitlab.com/gitlab-com/team-member-epics/access-requests/issues/new?issuable_template=Access_Change_Request): Remove or change the level of access to an application/system/distro (non-urgent change).
- [Access Reviews](https://gitlab.com/gitlab-com/team-member-epics/access-requests/issues/new?issuable_template=Access_Review)
- Infrastructure
- [New AWS Account (Individual)](/handbook/infrastructure-standards/realms/sandbox/#individual-aws-account-or-gcp-project) - self service using Sandbox Cloud (powered by HackyStack)
- [New AWS Account (Group/Team/Service)](https://gitlab.com/gitlab-com/business-technology/engineering/infrastructure/issue-tracker/-/issues/new?issuable_template=aws_group_account_create_request)
- [Add IAM Users to AWS Account](https://gitlab.com/gitlab-com/business-technology/engineering/infrastructure/issue-tracker/-/issues/new?issuable_template=aws_group_account_iam_update_request)
- [New GCP Project (Individual)](/handbook/infrastructure-standards/realms/sandbox/#individual-aws-account-or-gcp-project) - self service using Sandbox Cloud (powered by HackyStack)
- [New GCP Project (Group/Team/Service)](https://gitlab.com/gitlab-com/business-technology/engineering/infrastructure/issue-tracker/-/issues/new?issuable_template=gcp_group_account_create_request)
- [Add IAM Users to GCP Project](https://gitlab.com/gitlab-com/business-technology/engineering/infrastructure/issue-tracker/-/issues/new?issuable_template=gcp_group_account_iam_update_request)
- Sysadmin (BLACK) Account Requests
- [Admin BLACK Account Creation](https://gitlab.com/gitlab-com/team-member-epics/access-requests/-/issues/new?issuable_template=Admin_Black_Account_Creation)
- [Admin BLACK Account Role - 1Password](https://gitlab.com/gitlab-com/team-member-epics/access-requests/-/issues/new?issuable_template=Admin_Black_Account_Role_1Password)
- [Admin BLACK Account Role - AWS](https://gitlab.com/gitlab-com/team-member-epics/access-requests/-/issues/new?issuable_template=Admin_Black_Account_Role_AWS)
- [Admin BLACK Account Role - Google Workspace](https://gitlab.com/gitlab-com/team-member-epics/access-requests/-/issues/new?issuable_template=Admin_Black_Account_Role_GoogleWorkspace)
- [Admin BLACK Account Role - Okta](https://gitlab.com/gitlab-com/team-member-epics/access-requests/-/issues/new?issuable_template=Admin_Black_Account_Role_Okta)
- Special Use Case Access Requests
- [Name Change Request](https://gitlab.com/gitlab-com/team-member-epics/access-requests/issues/new?issuable_template=Name_change_request)
- [Shared Account Access Request](https://gitlab.com/gitlab-com/team-member-epics/access-requests/issues/new?issuable_template=Shared_account_access_request)
- [External access to Greenhouse through Okta](https://gitlab.com/gitlab-com/team-member-epics/access-requests/issues/new?issuable_template=Okta_Access_Greenhouse_External)
- Demo Accounts and Licenses
- [Shared Omnibus Instance](https://about.gitlab.com/handbook/customer-success/demo-systems/#access-shared-omnibus-instances) - powered by Demo Systems
- [GitLab SaaS Ultimate License for User Account](https://docs.google.com/forms/d/e/1FAIpQLSddexI8VZTCiyxme1_7QtbQZ6WoIJRlHdaI2Gi6PD8Eti-DLQ/viewform)
- [GitLab SaaS Ultimate License for (Demo/Test) Group](https://gitlab.com/gitlab-com/team-member-epics/access-requests/-/issues/new?issuable_template=GitlabCom_Licensed_Demo_Group_Request)
- [GitLab Self Managed License](https://gitlab.com/gitlab-com/team-member-epics/access-requests/-/issues/new?issuable_template=GitLab_Team_Member_License_request)
- Service Accounts
- [GitLab.com SaaS Service Account Requests](https://gitlab.com/gitlab-com/team-member-epics/access-requests/issues/new?issuable_template=GitLabCom_Service_Account_Request) - Admin only, not needed for group/project tokens
- [GCP or Google Workspace API/Service Account Requests](https://gitlab.com/gitlab-com/team-member-epics/access-requests/issues/new?issuable_template=GCP_Google_Service_Account_Request)
- [Okta Admin Service Account Requests](https://gitlab.com/gitlab-com/team-member-epics/access-requests/issues/new?issuable_template=Okta_Admin_Service_Account) for apps, groups, and users
- [Other Service Account (App to App)](https://gitlab.com/gitlab-com/team-member-epics/access-requests/issues/new?issuable_template=New_Service_Account_Request)
- [Other API Token Request](https://gitlab.com/gitlab-com/team-member-epics/access-requests/issues/new?issuable_template=API_Token_Request)
- Tech Stack
- [Okta new application setup](https://gitlab.com/gitlab-com/business-technology/change-management/-/issues/new?issuable_template=okta_new_app_request)
- [Add application to tech stack](https://about.gitlab.com/handbook/business-technology/tech-stack-applications/#add-new-system-to-the-tech-stack)
- [Update tech stack metadata](https://about.gitlab.com/handbook/business-technology/tech-stack-applications/#update-tech-stack-information)
- [Update tech stack provisioner](https://gitlab.com/gitlab-com/team-member-epics/access-requests/issues/new?issuable_template=Update_Tech_Stack_Provisioner)
- [Remove application from tech stack](https://gitlab.com/gitlab-com/business-technology/business-technology/-/issues/new?issuable_template=offboarding_tech_stack)
## Role Based Entitlements
- Role based entitlements are a pre-approved set of permissions that are granted to all people in a role. Make sure that whatever set of permissions you are adding to these templates should be granted to anyone with that role.
- Role based entitlements need to be approved only once, when the template is created, and they don't need to be approved again on a case-by-case basis.
- These templates cannot be edited to remove or add extra permissions once created, unless those changes are approved by a manager (or higher) of the team the role belongs to. Note that an approval is still required even if a change comes from a manager or higher on a baseline entitlement template to mitigate the risk of a permission change being pushed through by a single team member.
- We have decided to remove all SOX applications from the Role-Based Entitlements templates. Therefore, any access that is requested for our SOX-in-scope systems should follow the standard A/R process outlined here in our [handbook](https://about.gitlab.com/handbook/business-technology/team-member-enablement/onboarding-access-requests/access-requests/#how-do-i-choose-which-template-to-use). The impact to you is for any access going forward that was granted automatically via a role based entitlement will now need to be requested via a standard A/R so we can ensure approvals are properly captured.
- Please note when editing an existing template or creating a new one do not include access of any kind to a rolebased access template. Full listing of SOX applications can be found [here](https://gitlab.com/groups/gitlab-com/internal-audit/-/wikis/IT-General-Controls)
## Need help?
- Please mention `@gitlab-com/business-technology/end-user-services` in the issue, with no particular SLA.
- If your request is urgent, post a link to your access request in the `#it_help` channel in Slack with a note on why it is urgent.
## Working on Access Requests
### Department Access Request Boards
- If you need additional labels or have suggestions for improving the process until we can fully automate, please [open an issue](https://gitlab.com/gitlab-com/it/end-user-services/issues/it-help-issue-tracker/-/issues/new).
- ARs are auto-assigned and auto-labeled when possible by department. In some cases, there are multiple provisioners per tool. If a template cannot be auto-assigned, Business Technology will provide a board where the provisioners can review their department's issues by label (ie `dept::to do`. It is up to the department to manage the workflow on who works the issues to completion.
- **Moving an issue from one column to another will remove the first label (per the column header) and add the second label. Please use caution when moving issues between columns.**
- Departments can check their outstanding access request issues by viewing their board below.
{{% panel header="**AR boards: to-do:**" header-bg="success" %}}
1. [Data](https://gitlab.com/gitlab-com/team-member-epics/access-requests/-/boards/1319045)
1. [Finance](https://gitlab.com/gitlab-com/team-member-epics/access-requests/-/boards/1319048)
1. [Infra](https://gitlab.com/gitlab-com/team-member-epics/access-requests/-/boards/1262513)
1. [IT](https://gitlab.com/gitlab-com/team-member-epics/access-requests/-/boards/1262521)
1. [Legal](https://gitlab.com/gitlab-com/team-member-epics/access-requests/-/boards/1319051)
1. [PeopleOPs](https://gitlab.com/gitlab-com/team-member-epics/access-requests/-/boards/1318841)
1. [Prod+Eng](https://gitlab.com/gitlab-com/team-member-epics/access-requests/-/boards/1319057)
1. [Marketing](https://gitlab.com/gitlab-com/team-member-epics/access-requests/-/boards/1284066)
1. [Sales](https://gitlab.com/gitlab-com/team-member-epics/access-requests/-/boards/1262518)
1. [Security](https://gitlab.com/gitlab-com/team-member-epics/access-requests/-/boards/1319052)
1. [Support](https://gitlab.com/gitlab-com/team-member-epics/access-requests/-/boards/1319053)
{{% /panel %}}
## Tech Stack Changes
If you need to initiate an Access Request process for a new item in the tech stack:
1. Confirm the tool is added to the [tech stack](https://gitlab.com/gitlab-com/www-gitlab-com/-/blob/master/data/tech_stack.yml)
1. Confirm a team member is included as the `provisioner` `deprovisioner`
1. Document the requirement to submit an Access Request in any relevant handbook pages
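Review bot: the "Need help?" section still says to mention `@gitlab-com/business-technology/end-user-services` in the issue, while the top of the page states that Access Requests are owned by the Corporate Security Helpdesk team and this commit moves the page under `security/corporate`; confirm that this group handle is still the one that is watched, or replace it, otherwise requests pinged this way will go unnoticed. Three sentences also need repair: "Create **multiple issues** (one per system) to grant **multiple people** to the **each (same)** system" is ungrammatical and, read literally, repeats the first bullet (one issue already covers multiple people on the same system), so it presumably means multiple people needing access to *different* systems; "do not include access of any kind to a rolebased access template" is missing its object (from the preceding bullet this should be access to SOX-in-scope applications) and "rolebased" should read "role-based"; and the parenthesis opened in "(ie `dept::to do`." is never closed. Minor: "the `provisioner` `deprovisioner`" wants an "and" between the two field names, and the file mixes relative `/handbook/...` links with absolute `https://about.gitlab.com/handbook/...` links to the same handbook, so the absolute ones should be checked for redirects before merge.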
---
title: Access Requests FAQ
---
This is a placeholder page. Please see the links below for any child pages that exist.
---
title: 2FA and Password Account Resets for Team Members
---
This is a placeholder page. Please see the links below for any child pages that exist.
---
title: CorpSec Change Management
---
This is a placeholder page. Please see the links below for any child pages that exist.