IAM.1.04_logical_access_review.html.md 2.4 KB
Newer Older
1
---
2
layout: handbook-page-toc
3 4 5 6
title: "IAM.1.04 - Logical Access Review Control Guidance"
---

## On this page
7
{:.no_toc .hidden-md .hidden-lg}
8 9

- TOC
10
{:toc .hidden-md .hidden-lg}
11 12 13 14 15

# IAM.1.04 - Logical Access Review

## Control Statement

16
GitLab performs account and access reviews quarterly; corrective action is taken where applicable. 
17 18 19 20 21 22 23

## Context

Access review is often viewed as a pain, but it's among the easiest ways to secure an environment. Many other security controls depend on the assumption that only authorized individuals have access to production systems. This control is meant to capture any deficiencies in our access provisioning and de-provisioning processes.

## Scope

24
This control applies to all systems within our production environment. The production environment includes all endpoints and cloud assets used in hosting GitLab.com and its subdomains. This may include third-party systems that support the business of GitLab.com.
25 26 27

## Ownership

28
* Control Owner: Security 
29
* Process owner(s):
30 31
    * System Owners
    * Business Operations
Nik Sarosy's avatar
Nik Sarosy committed
32
    * SIRT Team
33 34
    * Security Compliance

35

36
## Guidance
37

38
Quarterly access reviews should be established, and where possible, use automation to preserve the validity of the user access list. The bulk of these reviews can be automated and only the outliers will need to be manually reviewed. The process owner should use role-based authentication whenever possible to make this control easier.
39

40
## Additional control information and project tracking
41

Jeff Burrows's avatar
Jeff Burrows committed
42
Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Logical Access Review control issue](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/issues/808).
43

44
Examples of evidence an auditor might request to satisfy this control:
45
* Quarterly Access Reviews
46

47 48
## Policy Reference

emilie's avatar
emilie committed
49
* [Access Review Policy and Procedures](/handbook/engineering/security/#access-reviews)
50

emilie's avatar
emilie committed
51
* [Timing of Quarterly Access Reviews](/handbook/engineering/security/#timing-of-quarterly-access-reviews)
52

Jeff Burrows's avatar
Jeff Burrows committed
53
* [User Access Listing Generation Procedures and Guidelines Runbook](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/blob/master/runbooks/Access_Review_Runbook.md)
54

Luka Trbojevic's avatar
Luka Trbojevic committed
55

56 57 58 59 60 61 62 63 64 65 66 67 68
## Framework Mapping

* ISO
  * A.9.2.3
  * A.9.4.1
  * A.9.2.5
  * A.18.1.3
* SOC2 CC
  * CC6.2
  * CC6.3
  * CC6.7
* PCI
  * 7.1