---
layout: handbook-page-toc
title: "AM.1.01 - Inventory Management Control Guidance"
---

## On this page
{:.no_toc .hidden-md .hidden-lg}

- TOC
{:toc .hidden-md .hidden-lg}

## Control Statement

GitLab maintains an inventory of system devices, which is reconciled quarterly.

## Context
The purpose of this control is to ensure we are monitoring the systems in use by GitLab. We can't prove we are protecting all GitLab systems if we don't have an up-to-date inventory of those systems.

### Current status of this control

1. GitLab team-member endpoints:
* Team-member workstations are not currently tracked, but once Fleetsmith is rolled out, this will be accomplished
* A Google Form sent to all onboarding team-members records the ownership and serial number of laptops

2. Production systems:
* Backend system inventories are not maintained, but strong naming conventions exist
* GCP hosts most of GitLab's production architecture; we can enumerate the GCP systems/services, discover new systems, and assign ownership


## Scope

This control applies to all GitLab endpoint workstations as well as virtual assets within our hosting providers.


## Ownership
* IT Operations owns the workstation assets portion of this control
* Infrastructure owns the system and service portions of this control
## Guidance
The scope of this control is broad by design. Asset inventories are the source of truth for which team-member workstations, systems, and services constitute GitLab as a company. To verify that we are collecting logs from 100% of the systems we are required to collect logs for, this inventory lets us cross-reference the logs we have against all the systems for which those logs should exist.

1. Team-member workstations
* Confirm the information that will be tracked via Fleetsmith
* Create and document a process to regularly review team-member assets and validate that all new workstations are being tracked
* Backfill information for workstations that were issued before this process existed

2. Backend Systems
* Export all GCP systems/services into a markdown table
* Work with the infrastructure team to assign ownership to each asset
* Create and document a process to regularly review these assets and validate that the inventory is accurate
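
One way to carry out the cross-referencing the guidance above calls for, written for this page as an added illustration and not GitLab's own tooling: it takes an inventory export and the set of hosts a log pipeline has actually seen, and reports inventoried assets with no logs, log sources that nobody has inventoried, and assets with no owner, then renders the inventory as a markdown table with ownership and log status. The inventory rows and log-source names are constructed sample data, and matching on lower-cased short host names is an assumption about how inventory names and log host names line up.

```python
"""Reconcile an asset inventory against observed log sources.

Added example for this handbook page, not GitLab's own tooling. The inventory
rows and the set of log sources below are constructed sample data standing in
for an export of systems/services and for the host names a log pipeline has
actually received events from.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class Asset:
    name: str          # system/service name as recorded in the inventory
    owner: str         # owning team; empty string means not yet assigned
    environment: str   # e.g. "production" or "staging"


@dataclass
class ReconciliationReport:
    missing_logs: List[str] = field(default_factory=list)       # inventoried, no logs seen
    untracked_sources: List[str] = field(default_factory=list)  # logging, not inventoried
    unowned: List[str] = field(default_factory=list)            # inventoried, no owner


def normalize(name: str) -> str:
    """Log pipelines often record a host as an FQDN with mixed case while the
    inventory keeps the short name; compare on the lower-cased short name
    (an assumption about naming, not a GitLab convention)."""
    return name.strip().lower().split(".")[0]


def reconcile(inventory: List[Asset], log_sources: Set[str]) -> ReconciliationReport:
    """Cross-reference the inventory with the hosts that are actually logging."""
    report = ReconciliationReport()
    seen = {normalize(s) for s in log_sources}
    known: Dict[str, Asset] = {normalize(a.name): a for a in inventory}
    for key in sorted(known):
        asset = known[key]
        if key not in seen:
            report.missing_logs.append(asset.name)
        if not asset.owner:
            report.unowned.append(asset.name)
    # A host that logs but is absent from the inventory is either a naming
    # mismatch or an asset nobody has recorded; both need a human look.
    report.untracked_sources = sorted(s for s in seen if s not in known)
    return report


def coverage_ratio(inventory: List[Asset], log_sources: Set[str]) -> float:
    """Fraction of inventoried assets for which at least one log source exists."""
    if not inventory:
        return 0.0
    seen = {normalize(s) for s in log_sources}
    covered = sum(1 for a in inventory if normalize(a.name) in seen)
    return covered / len(inventory)


def to_markdown(inventory: List[Asset], log_sources: Set[str]) -> str:
    """Render the inventory as a markdown table with ownership and log status,
    the tracking format the guidance suggests for backend systems."""
    seen = {normalize(s) for s in log_sources}
    lines = ["| Asset | Environment | Owner | Logs seen |", "|---|---|---|---|"]
    for a in sorted(inventory, key=lambda x: x.name):
        owner = a.owner or "UNASSIGNED"
        logs = "yes" if normalize(a.name) in seen else "NO"
        lines.append(f"| {a.name} | {a.environment} | {owner} | {logs} |")
    return "\n".join(lines)


# Constructed sample data (not real GitLab hosts).
INVENTORY = [
    Asset("web-01", "Infrastructure", "production"),
    Asset("db-01", "Infrastructure", "production"),
    Asset("runner-03", "", "production"),               # owner never assigned
    Asset("staging-api", "Infrastructure", "staging"),  # never shipped logs
]
LOG_SOURCES = {"Web-01.internal", "db-01", "runner-03.internal", "legacy-batch-07"}

if __name__ == "__main__":
    result = reconcile(INVENTORY, LOG_SOURCES)
    print(to_markdown(INVENTORY, LOG_SOURCES))
    print("missing logs:", result.missing_logs)
    print("untracked log sources:", result.untracked_sources)
    print("unowned assets:", result.unowned)
    print(f"log coverage: {coverage_ratio(INVENTORY, LOG_SOURCES):.0%}")
```

Run quarterly against a fresh export, the three lists are the reconciliation findings: each entry in `missing_logs` or `untracked_sources` is either a naming drift to correct or a gap in coverage, and `unowned` is the list to take to the owning team.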
## Additional control information and project tracking
Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Inventory Management control issue](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/issues/761).
### Policy Reference
* [Fleet Intelligence (Fleetsmith)](/handbook/business-ops/team-member-enablement/onboarding-access-requests/#fleet-intelligence--remote-lockwipe)
## Framework Mapping
* ISO
  * A.8.1.1
* PCI
  * 9.6.1
  * 9.7
  * 9.7.1