---
layout: handbook-page-toc
title: "TPM.1.02 - Vendor Risk Management Control Guidance"
---

## On this page
{:.no_toc .hidden-md .hidden-lg}

- TOC
{:toc .hidden-md .hidden-lg}

# TPM.1.02 - Vendor Risk Management

## Control Statement

GitLab performs a vendor security risk assessment to determine the data types that can be shared with a third party vendor.

## Context

The purpose of this control is for GitLab to be intentional about the data it shares with third parties. Every time GitLab data (including customer data) is shared with a third party, the attack surface of that data grows to include the third party's environment. Because GitLab relies on a number of third party services, some data sharing is unavoidable; the risk assessment referenced in this control ensures that a formal process is followed to evaluate the information security program of each third party, and that only appropriate data is shared, and only when there is a legitimate business need.

## Scope

This control applies to all information shared with third parties that interact with the GitLab production environment.

## Ownership

Control Owner:

* Security Compliance

Process Owner:

* Security Compliance
* Legal

## Guidance

The GitLab Data Classification Policy defines the categories of data, and therefore the classification level a vendor must be approved to receive. The risk assessment is most easily completed by reviewing the vendor's SOC 2 Type 2 audit report, where one is available for the managed service provider, with a privacy review as the minimum bar. When relying on a SOC 2 Type 2 report, confirm that the services GitLab actually uses fall within the report's system description and that the reporting period is current. When a SOC 2 Type 2 report is not available, a GitLab security questionnaire completed by the vendor is an acceptable substitute.

## Additional control information and project tracking

Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Vendor Risk Management control issue](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/issues/923).

### Policy Reference

## Framework Mapping

* SOC2 CC
  * CC9.2
* PCI
  * 12.8
  * 12.8.2
  * 12.8.3
  * 12.8.5
  * 2.6