Commit 54b36b07 authored by Jeff Burrows

Update SecComp tags and links

parent 43af940b
......@@ -148,12 +148,12 @@ tier one applications of lead to fulfillment
- [WIP: view only Lucidchart diagram lead to fullfillment system flow](https://app.lucidchart.com/documents/view/fe61ff48-c0e3-4f40-b2de-4023d48101d9/0_0)
- [video of custom setup](https://drive.google.com/drive/folders/1kfCEQM6XYGWYxq3Ke4TNvtmDR-46erVD)
- [Security's Compliance Diagram](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/blob/master/PCI/customers.gitlab.com_data_flow_diagram_-_New_Business.pdf)
- [Security's Compliance Diagram](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/blob/master/PCI/customers.gitlab.com_data_flow_diagram_-_New_Business.pdf)
- [Growth Team's Portal Diagram](https://app.mural.co/t/gitlab2474/m/gitlab2474/1569500330861/8f9fd73826c42ad809d51be886db27494da91353)
- [Trade Compliance](/handbook/business-ops/trade-compliance/)
- [Sales flow](https://drive.google.com/file/d/1nkJrsXewy1G9llV9-8k2EhineU2hyoDJ/view?usp=sharing)
- [entry points, integration users google sheet](https://docs.google.com/spreadsheets/d/1j3xE6pQLfsKMri14LDcrnxbWbTwqz4Tpv9kI8UIHYCE/edit#gid=0)
- [PCI In-Scope Systems diagram](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/-/blob/master/PCI/PCI_In_Scope_Systems.md)
- [PCI In-Scope Systems diagram](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/-/blob/master/PCI/PCI_In_Scope_Systems.md)
- [entry points and conversion by marketing](https://www.figma.com/file/JMFCXAftW30wjul6TTIPFa/lead%2Fsign-up-flow?node-id=0%3A1)
- [customer facing documentation on managing subscriptions](https://docs.gitlab.com/ee/subscriptions/)
- [UX flows for trials](https://app.mural.co/t/gitlab2474/m/gitlab2474/1580984258623/a815e52decef6141307b634da65fbcd5242a48e8)
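Review bot: the two rewritten links here (Security's Compliance Diagram and PCI In-Scope Systems diagram) keep the `compliance` project path under the new `security-assurance/sec-compliance` group, consistent with the rest of the commit. Since this list is being touched anyway, the first item spells "fullfillment"; the hunk header itself spells it "fulfillment", so fix the bullet to match.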
......@@ -88,7 +88,7 @@ The following people need to review and approve the template before it can be me
1. The template needs to be approved by a manager and/or director from the department the role belongs to.
1. The level of permission you are requesting access to needs to be approved by the technical owner of the system. You can find a list of the technical owners of each system in our [tech stack](https://docs.google.com/spreadsheets/d/1mTNZHsK3TWzQdeFqkITKA0pHADjuurv37XMuHv12hDU/edit#gid=0).
1. If the role you are requesting access to is Admin of a system, security compliance (@gitlab-com/gl-security/compliance) also needs to approve the request. Non-admin access doesn't need to be reviewed by Security.
1. If the role you are requesting access to is Admin of a system, security compliance (@gitlab-com/gl-security/security-assurance/sec-compliance) also needs to approve the request. Non-admin access doesn't need to be reviewed by Security.
1. Once the MR has been approved by all the relevant parties, you can assign the MR to @lisvinueza for a format review and merge.
#### Note
......@@ -96,7 +96,7 @@ If after review you feel that a shared account is still needed, complete the for
**Note that systems with PCI data is not allowed shared accounts.**
Please note that shared account request(s) will need to be reviewed and approved by IT Ops and the listed Tech Stack Owner.
An [Exception Request](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/new?issuable_template=Exception%20Request) will need to be logged for each user you are requesting to be added.
An [Exception Request](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/issues/new?issuable_template=Exception%20Request) will need to be logged for each user you are requesting to be added.
Note that with an Exception Requet the maximum exception length is 90 days.
After the Exception Length, you will be required to submit another Exception Request for review and approval.
**If the exception request is not logged, reviewed, and approved for an extension, note that the Shared Account will be disabled.**
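Review bot: the line directly after the rewritten Exception Request link still reads "Exception Requet"; correct it to "Exception Request" while this block is being edited, and "systems with PCI data is not allowed shared accounts" at the top of the hunk should read "are not allowed".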
......@@ -176,7 +176,7 @@ While this application automation will take place in Okta, "true" system provisi
Every review should include a [least privilege review](/handbook/engineering/security/Access-Management-Policy.html#principle-of-least-privilege)
1. Add your approval by adding the label `AR-Approval::Manager Approved` and `ready for provisioning`.
1. If you do not approve, add a comment and close the issue.
1. If you are unsure whether the requestor needs the permissions outlined to fulfill their duties, mention `@gitlab-com/gl-security/compliance` in a comment for assistance
1. If you are unsure whether the requestor needs the permissions outlined to fulfill their duties, mention `@gitlab-com/gl-security/security-assurance/sec-compliance` in a comment for assistance
##### Instructions and Guidance for Provisioners
......@@ -190,7 +190,7 @@ While this application automation will take place in Okta, "true" system provisi
##### Instructions and Guidance for IT
1. Review the Shared Account Access Request and ensure that there is an [Exception Request](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues?scope=all&utf8=%E2%9C%93&state=opened&label_name[]=Exception%20Request) for each user that is being added to the shared account.
1. Review the Shared Account Access Request and ensure that there is an [Exception Request](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/issues?scope=all&utf8=%E2%9C%93&state=opened&label_name[]=Exception%20Request) for each user that is being added to the shared account.
1. Review the Exception Request and document in the Access Request issue the Exception Length.
1. Ensure that the Exception Request has been reviewed and approved by Security prior to adding your approval or setting up the shared account.
1. If the shared account will be managed in Okta - Set a review/reminder date in Okta to review shared account access dependent on exception timeline and close issue.
......@@ -283,7 +283,7 @@ The Quality department collaborates with the [Security department's compliance t
The compliance team maintains the current state of answers to these questions, please follow the process to [request completion of assessment questionnaire](/handbook/engineering/security/security-assurance/field-security/customer-security-assessment-process.html#how-to-request-a-questionnaire-be-completed).
If additional input is needed from the Quality team, the DRI for this is the Director of Quality. Tracking of supplimental requests will be via a confidential issue in the [compliance issue tracker](https://gitlab.com/gitlab-com/gl-security/compliance/compliance). Once the additional inputs have been supplied, this is stored in the Compliance team's domain for efficiency.
If additional input is needed from the Quality team, the DRI for this is the Director of Quality. Tracking of supplimental requests will be via a confidential issue in the [compliance issue tracker](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance). Once the additional inputs have been supplied, this is stored in the Compliance team's domain for efficiency.
## Department recurring event DRIs
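Review bot: the replacement line carries over the typo "supplimental" from the line it replaces; since the whole sentence is being rewritten, change it to "supplemental" in the new version.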
......@@ -43,12 +43,12 @@ There may be some cases where it does not make sense for a change to be tested p
<td>Open Change Issue</td>
<td>Create change issue to track change</td>
<td></td>
<td rowspan="8">[CM.1.01 - Change Management Workflow](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/-/issues/781)</td>
<td rowspan="8">[CM.1.01 - Change Management Workflow](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/-/issues/781)</td>
</tr>
<tr>
<td>Change requirements documented</td>
<td>Document:<br>- Change Description<br>- Impact of Change<br>- Test Results<br>- Backout Procedures (in-scope SOX systems)<br></td>
<td rowspan="2">[CM.1.02 - Change Approval](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/-/issues/782)</td>
<td rowspan="2">[CM.1.02 - Change Approval](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/-/issues/782)</td>
</tr>
<tr>
<td>Change is Tested</td>
......@@ -57,12 +57,12 @@ There may be some cases where it does not make sense for a change to be tested p
<tr>
<td>Emergency Change</td>
<td>Approval obtained retroactively depending on the urgency of the change</td>
<td>[CM.1.04 - Emergency Changes](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/-/issues/1692)</td>
<td>[CM.1.04 - Emergency Changes](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/-/issues/1692)</td>
</tr>
<tr>
<td>Approval for Change</td>
<td>Approval is provided by someone<br>other than change requestor</td>
<td rowspan="2">[CM.2.01 - Segregation of Duties](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/-/issues/783)</td>
<td rowspan="2">[CM.2.01 - Segregation of Duties](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/-/issues/783)</td>
</tr>
<tr>
<td>Change is Deployed to Production</td>
......@@ -69,4 +69,4 @@ Exceptions to this procedure will be tracked as per the [Information Security Po
- Parent Policy: [Information Security Policy](/handbook/engineering/security/)
- GCF Control: [SG.1.01 - Policy and Standard Review](/handbook/engineering/security/security-assurance/security-compliance/guidance/SG.1.01_policy_and_standard_review.html)
- [Data Classifiation Standard](/handbook/engineering/security/data-classification-standard.html)
- Current listing of controlled documents: https://gitlab.com/gitlab-com/gl-security/compliance/compliance/-/issues/1934
- Current listing of controlled documents: https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/-/issues/1934
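Review bot: the updated "Current listing of controlled documents" entry is a bare URL while every other item in this list is a markdown link; wrap it as a link like the items above for consistency. The line above it also misspells "Classifiation" (should be "Classification").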
......@@ -355,7 +355,7 @@ Information Security Policies are reviewed annually. Policy changes are approved
Information security considerations such as regulatory, compliance, confidentiality, integrity and availability requirements are most easily met when companies employ centrally supported or recommended industry standards. Whereas GitLab operates under [the principle of least privilege](/handbook/engineering/security/Access-Management-Policy.html#principle-of-least-privilege), we understand that centrally supported or recommended industry technologies are not always feasible for a specific job function or company need. Deviations from the aforementioned standard or recommended technologies is discouraged. However, it may be considered provided that there is a reasonable, justifiable business and/or research case for an information security policy exception; resources are sufficient to properly implement and maintain the alternative technology; the process outlined in this and other related documents is followed and other policies and standards are upheld.
In the event a team member requires a deviation from the standard course of business or otherwise allowed by policy, the Requestor must submit a [Policy Exception Request](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/new?issue%5Bassignee_id%5D=&issue%5Bmilestone_id%5D=) to IT Security, which contains, at a minimum, the following elements:
In the event a team member requires a deviation from the standard course of business or otherwise allowed by policy, the Requestor must submit a [Policy Exception Request](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/issues/new?issue%5Bassignee_id%5D=&issue%5Bmilestone_id%5D=) to IT Security, which contains, at a minimum, the following elements:
- Team member Name and contact
- Time period for the exception (deviations should not exceed 90 days unless the exception is related to a device exception, like using a Windows device)
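Review bot: the rewritten Policy Exception Request link opens a new issue with only empty `assignee_id` and `milestone_id` query parameters and no `issuable_template`, while the same-named link two hunks down passes `issuable_template=Exception_Request`. If both are meant to open the same template, add the template parameter here as well so the requestor does not land on a blank issue form.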
......@@ -364,7 +364,7 @@ In the event a team member requires a deviation from the standard course of busi
- The business justification for the proposed deviation
- Compensating controls which will be implemented to ensure proper oversight.
The [Policy Exception Request](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/new?issuable_template=Exception_Request) should be used to request exceptions to information security policies, such as the password policy, or when requesting the use of a non-standard device (laptop).
The [Policy Exception Request](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/issues/new?issuable_template=Exception_Request) should be used to request exceptions to information security policies, such as the password policy, or when requesting the use of a non-standard device (laptop).
Exception request approval requirements are documented within the issue template. The requester should tag the appropriate individuals who are required to provide an approval per the approval matrix.
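Review bot: this link uses `issuable_template=Exception_Request`, but the shared-account Exception Request link earlier in this commit uses `issuable_template=Exception%20Request`. Only one of those spellings can match a template file in the moved project; confirm which exists and align the two links.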
......@@ -386,7 +386,7 @@ primary project used for issue tracking underneath `team-name` or similiar. For
- [public (!) Security Department Meta](https://gitlab.com/gitlab-com/gl-security/security-department-meta/) for Security Department initiatives, `~meta` and backend tasks, and catch all for anything not covered by other projects. For non-Security department team members, use this if unsure which team to contact. For Security Team members, use of this
project as a catch-all is _deprecated_.
- [Security Assurance Sub-department (@gitlab-com/gl-security/security-assurance)](https://gitlab.com/gitlab-com/gl-security/security-assurance) Security Assurance Sub-department
- [@gitlab-com/gl-security/compliance](https://gitlab.com/gitlab-com/gl-security/compliance) is the primary group for @'mentioning the Security Compliance team.
- [@gitlab-com/gl-security/security-assurance/sec-compliance](https://gitlab.com/gitlab-com/gl-security/compliance) is the primary group for @'mentioning the Security Compliance team.
- [@gitlab-com/gl-security/field-security](https://gitlab.com/gitlab-com/gl-security/security-assurance/field-security-team) is the primary group for @'mentioning the Field Security team.
- [Engineering and Research Sub-department (@gitlab-com/gl-security/engineering-and-research)](https://gitlab.com/gitlab-com/gl-security/engineering-and-research/engineering-and-research-meta)
- [gitlab-com/gl-security/engineering-and-research-meta](https://gitlab.com/gitlab-com/gl-security/engineering-and-research-meta) For sub-department wide management and planning issues.
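Review bot: the link text on the Security Compliance bullet was updated to `@gitlab-com/gl-security/security-assurance/sec-compliance`, but its href still points at `https://gitlab.com/gitlab-com/gl-security/compliance`, the old group path; update the URL to the new group too. The Field Security bullet below has the same mismatch between its mention text (`@gitlab-com/gl-security/field-security`) and its URL (under `security-assurance/field-security-team`), so it is worth fixing in the same pass.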
......@@ -22,7 +22,7 @@ In general, a scope definition for an engagement should be *exclusive* vs. inclu
1. Describe any systems that should be *excluded* from the engagement such as IP addresses, applications, and personnel.
1. Testing time period expressed in either [UTC or PT](/handbook/communication/).
1. Define techniques that should be excluded from the engagement such as social engineering, Denial of Service attacks, etc.
1. Define the controls that prevent infinite escalation in the event of a successful engagement if applicable. In other words, not every vulnerability exploited as part of a Red Team engagement should end up classified with an overall risk of [very high](https://gitlab.com/gitlab-com/gl-security/compliance/risk-assessments/blob/master/Risk%20Scoring%20Matrix.md#overall-impact) and engage an [incident response](./sec-incident-response.html).
1. Define the controls that prevent infinite escalation in the event of a successful engagement if applicable. In other words, not every vulnerability exploited as part of a Red Team engagement should end up classified with an overall risk of [very high](https://gitlab.com/gitlab-com/gl-security/security-assurance/field-security-team/risk-assessments/blob/master/Risk%20Scoring%20Matrix.md#overall-impact) and engage an [incident response](./sec-incident-response.html).
### Ethics
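Review bot: unlike every other hunk in this commit, the risk-assessments link moves to `security-assurance/field-security-team/risk-assessments` rather than under `security-assurance/sec-compliance`; confirm the Risk Scoring Matrix really lives in the Field Security team's group now, since the commit message only mentions SecComp.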
......@@ -52,7 +52,7 @@ A member of the [Security Assurance](https://about.gitlab.com/handbook/engineeri
* The Security Compliance team is engaged as subject matter experts to support specific security compliance customer requests.
* The Security Compliance team triages findings produced by external scanning services when responses are required according to the GitLab Risk and Field Security team.
1. Ad-hoc work streams
* If you have a request for the GitLab Security Compliance team please [open an ad-hoc issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/new?issuable_template=ad_hoc_work.md) and we will review and prioritize that work weekly.
* If you have a request for the GitLab Security Compliance team please [open an ad-hoc issue](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/issues/new?issuable_template=ad_hoc_work.md) and we will review and prioritize that work weekly.
## Security Compliance Work Outputs
1. Governance documentation
......@@ -93,10 +93,10 @@ The Security Compliance team uses an application-based ownership model for contr
* Email
* `[email protected]`
* Tag us in GitLab
* `@gitlab-com/gl-security/compliance`
* `@gitlab-com/gl-security/security-assurance/sec-compliance`
* Slack
* Feel free to tag is with `@sec-compliance-team`
* The #sec-assurance slack channel is the best place for questions relating to our team (please add the above tag)
* [GitLab compliance project](https://gitlab.com/gitlab-com/gl-security/compliance/compliance)
* [GitLab compliance project](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance)
**Note: If you have an urgent request and you're not getting a response from the above team tags, the security compliance manager (@jburrows001) has their cell phone number in their slack profile. **
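Review bot: two pre-existing problems sit next to the changed mention and are worth fixing in this hunk: "Feel free to tag is with" should read "tag us with", and the closing `**` of the final bold note is preceded by a space ("profile. **"), which prevents the bold from closing in markdown.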
......@@ -52,7 +52,7 @@ Based on the above, GitLab business continuity plan will have team and departmen
* DR test to be run annually, to ensure that the plan is working efficiently.
## Additional control information and project tracking
Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Business Continuity Plan issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/774) .
Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Business Continuity Plan issue](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/issues/774) .
### Policy Reference
* [GitLab Business Continuity Plan in Handbook](/handbook/business-ops/gitlab-business-continuity-plan.html)
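Review bot: the rewritten sentence keeps a stray space before the final period (the link is followed by " ."); drop it in the new line. The same stray space appears in the Backup Management: Alternate Storage hunk further down in this commit.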
......@@ -56,7 +56,7 @@ In a much detailed level, the BC plan - roles & responsibilities should include:
## Additional control information and project tracking
Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Business Continuity Plan: Roles and Responsibilities issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/775).
Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Business Continuity Plan: Roles and Responsibilities issue](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/issues/775).
### Policy Reference
......@@ -41,15 +41,15 @@ All parts of the business continuity plan should be tested. All teams and servic
- To support best practice methodology and satisfy regulatory control requirements.
## Additional control information and project tracking
Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Continuity Testing control issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/776).
Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Continuity Testing control issue](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/issues/776).
### Policy Reference
- [Business Continuity Test handbook link](/handbook/business-ops/gitlab-business-continuity-plan.html#business-continuity-testing)
- [Project Plan for GitLab's Business Continuity Test - Q1 2020](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/-/issues/1721)
- [Business Continuity Test Plan - Apr 30, 2020](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/-/issues/1818
- [Business Continuity Exercise Runbook Template](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/-/issues/new?issuable_template=Business_Continuity_Exercise_Runbook)
- [Project Plan for GitLab's Business Continuity Test - Q1 2020](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/-/issues/1721)
- [Business Continuity Test Plan - Apr 30, 2020](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/-/issues/1818
- [Business Continuity Exercise Runbook Template](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/-/issues/new?issuable_template=Business_Continuity_Exercise_Runbook)
- [Business Continuity Plan for Malicious Software Attack(s)](https://gitlab.com/gitlab-com/business-ops/Business-Operations/-/issues/264)
- [Business Continuity Test - April 30th, 2020 - Retrospective](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/-/issues/1838)
- [Business Continuity Test - April 30th, 2020 - Retrospective](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/-/issues/1838)
## Framework Mapping
* SOC2 CC
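Review bot: the "Business Continuity Test Plan - Apr 30, 2020" link is missing its closing parenthesis after `/-/issues/1818` in both the old and the new line, so it does not render as a link; add the `)` in the replacement line. The same issue 1818 is linked correctly, with the parenthesis, in the Business Impact Analysis policy reference later in this commit.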
......@@ -50,7 +50,7 @@ This control is a subset of the Business Continuity control. Business Impact Ana
## Additional control information and project tracking
Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Business Impact Analysis control issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/-/issues/777).
Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Business Impact Analysis control issue](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/-/issues/777).
### Policy Reference
......@@ -60,6 +60,6 @@ Non-public information relating to this security control as well as links to the
* [Data Protection Office and the Privacy Office](https://about.gitlab.com/privacy/#data-protection)
* [NIST BCP with reference to BIA](https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-34r1.pdf)
* [Handbook listing for DR](/handbook/engineering/infrastructure/design/disaster-recovery/)
* [Project Plan related to the BC test tabletop exercise](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/-/issues/1721)
* [Business Continuity Testing Procedure](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/-/issues/1818)
* [Retrospective of the exercise documented](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/-/issues/1838)
* [Project Plan related to the BC test tabletop exercise](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/-/issues/1721)
* [Business Continuity Testing Procedure](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/-/issues/1818)
* [Retrospective of the exercise documented](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/-/issues/1838)
......@@ -47,7 +47,7 @@ The Backup configuration Documentation should include:
* If centrally managed, the runbook that controls backup configurations
## Additional control information and project tracking
Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Backup Configuration control issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/778).
Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Backup Configuration control issue](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/issues/778).
### Policy Reference
* [PCI DSS v3.2.1 - 12.10.1 - Backup Configuration](https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf?agreement=true&time=1550838512120#page=113)
......@@ -43,7 +43,7 @@ This guidance is a two-parter, provide evidence demonstrating:
## Additional control information and project tracking
Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Resilience Testing control issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/779).
Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Resilience Testing control issue](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/issues/779).
Examples of evidence an auditor might request to satisfy this control:
......@@ -55,7 +55,7 @@ Backup copies of GitLab information, software and system images need to be store
## Additional control information and project tracking
Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Backup Management: Alternate Storage issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/780) .
Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Backup Management: Alternate Storage issue](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/issues/780) .
### Policy Reference
* [GitLab Geo](https://docs.gitlab.com/ee/administration/geo/)
......@@ -40,7 +40,7 @@ This control applies to all systems within our production environment. The produ
## Additional control information and project tracking
Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Baseline Configuration Standard control issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/784).
Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Baseline Configuration Standard control issue](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/issues/784).
Examples of evidence an auditor might request to satisfy this control:
......@@ -28,7 +28,7 @@ This control applies to all systems within our production environment. The produ
The ideal state is for both production configuration management and application deployments to be automated and for any deviations from desired configurations to be either self-corrected or identified and manually corrected as efficiently as possible. Currently, we use a combination of Chef, Terraform, and GitLab (on the Ops instance) to deploy and configure the production GitLab environment. With that automation we're able to assure proper configuration and quickly identify and resolve any deviations.
## Additional control information and project tracking
Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [control issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/786).
Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [control issue](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/issues/786).
Examples of evidence an auditor might request to satisfy this control:
* Examples of Chef alerts initiated when Chef fails to run over a period of time
......@@ -43,7 +43,7 @@ Additionally, any changes to the GitLab [handbook](about.gitlab.com) utilizes [g
## Additional control information and project tracking
Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Change Management Workflow control issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/781).
Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Change Management Workflow control issue](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/issues/781).
Examples of evidence an auditor might request to satisfy this control:
......@@ -35,7 +35,7 @@ This control applies to all systems within our production environment. The produ
## Additional control information and project tracking
Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Change Approval control issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/782).
Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Change Approval control issue](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/issues/782).
Examples of evidence an auditor might request to satisfy this control:
......@@ -35,7 +35,7 @@ This control applies to all changes that support the business of GitLab.com.
## Additional control information and project tracking
Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Change Management Issue Tracker issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/1691).
Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Change Management Issue Tracker issue](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/issues/1691).
Examples of evidence an auditor might request to satisfy this control:
......@@ -30,7 +30,7 @@ This control applies to all systems within our production environment. The produ
## Additional control information and project tracking
Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Emergency Changes control issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/-/issues/1692).
Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Emergency Changes control issue](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/-/issues/1692).
Examples of evidence an auditor might request to satisfy this control:
......@@ -36,7 +36,7 @@ This control applies to all systems within our production environment. The produ
## Additional control information and project tracking
Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Segregation of Duties control issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/783).
Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Segregation of Duties control issue](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/issues/783).
Examples of evidence an auditor might request to satisfy this control:
......
......@@ -35,7 +35,7 @@ The policy outlines proper handling and storage requirements for various data cl
## Additional control information and project tracking
Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in this [control issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/-/issues/1693).
Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in this [control issue](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/-/issues/1693).
Examples of evidence an auditor might request to satisfy this control:
......
......@@ -29,7 +29,7 @@ Legal
## Additional control information and project tracking
Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Terms of Service control issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/793).
Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Terms of Service control issue](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/issues/793).
### Policy Reference
......
......@@ -30,7 +30,7 @@ This control applies to red, orange, and yellow data in the production environme
* Such scans are sufficient for testing this control as the results show whether infrastructure transmitting red, organge, and yellow data over public networks uses TLS.
## Additional control information and project tracking
Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Encryption of Data in Transit control issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/796).
Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Encryption of Data in Transit control issue](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/issues/796).
Examples of evidence an auditor might request to satisfy this control:
* Architecture and design documentation showing the use and high-level implementation details of TLS for production
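Review bot: the unchanged context line `* Such scans are sufficient for testing this control as the results show whether infrastructure transmitting red, organge, and yellow data over public networks uses TLS.` has a typo, `organge` for `orange`; since this file is already being touched, fix it here rather than leaving it for a separate MR.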
......
......@@ -31,7 +31,7 @@ This control is applicable to the production environment and any end user device
## Additional control information and project tracking
Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Encryption of Data at Rest control issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/797).
Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Encryption of Data at Rest control issue](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/issues/797).
Examples of evidence an auditor might request to satisfy this control:
......
......@@ -35,7 +35,7 @@ Certificates or logs of erasure should be maintained in accordance with the [Rec
## Additional control information and project tracking
Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Data Retention and Disposal Policy issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/-/issues/1696).
Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Data Retention and Disposal Policy issue](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/-/issues/1696).
Examples of evidence an auditor might request to satisfy this control:
......
......@@ -33,7 +33,7 @@ Process ownership:
Provisioning should be based on predetermined roles with business justification and management approval. The process owner should use role-based authentication whenever possible to make this control easier and to segregate out this function from that of other system functions.
## Additional control information and project tracking
Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Logical Access Provisioning control issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/805).
Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Logical Access Provisioning control issue](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/issues/805).
## Policy Reference
- [Access Control Policy](/handbook/engineering/security/Access-Management-Policy.html)
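Review bot: the context line `The process owner should use role-based authentication whenever possible` names the wrong mechanism; assigning access by predetermined roles is authorization (role-based access control), not authentication, and it is the role-based assignment that segregates this function from other system functions, so change the wording to `role-based access control` so an auditor does not read the control as a login requirement.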
......
......@@ -32,7 +32,7 @@ This control applies to any system or service where user accounts can be provisi
## Additional control information and project tracking
Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Logical Access De-Provisioning control issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/806).
Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Logical Access De-Provisioning control issue](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/issues/806).
## Guidance
* The offboarding task checklist should be used to track the deprovisioning of access for a terminated employee
......
......@@ -39,7 +39,7 @@ Quarterly access reviews should be established, and where possible, use automati
## Additional control information and project tracking
Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Logical Access Review control issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/808).
Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Logical Access Review control issue](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/issues/808).
Examples of evidence an auditor might request to satisfy this control:
* Quarterly Access Reviews
......@@ -50,7 +50,7 @@ Examples of evidence an auditor might request to satisfy this control:
* [Timing of Quarterly Access Reviews](/handbook/engineering/security/#timing-of-quarterly-access-reviews)
* [User Access Listing Generation Procedures and Guidelines Runbook](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/blob/master/runbooks/Access_Review_Runbook.md)
* [User Access Listing Generation Procedures and Guidelines Runbook](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/blob/master/runbooks/Access_Review_Runbook.md)
## Framework Mapping
......
......@@ -28,7 +28,7 @@ This control applies to any system or service where user accounts can be provisi
* IT Operations
## Additional control information and project tracking
Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Role Change: Access De-Provisioning control issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/809).
Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Role Change: Access De-Provisioning control issue](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/issues/809).
### Policy Reference
......
......@@ -29,7 +29,7 @@ This control applies to all systems within our production environment. The produ
* When Okta is not able to be used, a `policy exception` is required to track this shared access. A process for the lifecycle of the access and a mechanism to alert the appropriate teams when authentication credentials must be reset (e.g., email alerts, an issue, calendar event, etc) should be established.
## Additional control information and project tracking
Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Shared Logical Accounts control issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/810).
Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Shared Logical Accounts control issue](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/issues/810).
### Policy Reference
* [Handbook section `Security Process and Procedures for Team Members` - Accounts and Passwords](/handbook/security/#security-process-and-procedures-for-team-members)
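Review bot: the context line on the `policy exception` requires a mechanism to alert teams `when authentication credentials must be reset` but never states what triggers a reset; name the events (at minimum offboarding or role change of anyone holding the shared credential), since those are exactly the cases the De-Provisioning and Role Change controls updated in this same commit will be tested against.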
......
......@@ -52,7 +52,7 @@ end
Review and document required accounts for a given system and disable all unnecessary accounts. Use of shared accounts should not used. If unavoidable, compensating controls should be utilized to add accountability.
## Additional control information and project tracking
Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Shared Account Restrictions control issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/811).
Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Shared Account Restrictions control issue](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/issues/811).
Examples of evidence an auditor might request to satisfy this control:
* Link to the handbook entry on shared accounts and their restrictions
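Review bot: the context line `Use of shared accounts should not used.` is missing a verb; change it to `Shared accounts should not be used.` (or `Use of shared accounts should be avoided.`), worth fixing while the file is open.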
......
......@@ -39,7 +39,7 @@ Process ownership:
## Additional control information and project tracking
Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [New Access Provisioning control issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/-/issues/1700).
Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [New Access Provisioning control issue](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/-/issues/1700).
## Policy Reference
......
......@@ -32,7 +32,7 @@ This control applies to any system or service where user accounts can be provisi
* System Owners
## Additional control information and project tracking
Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Role Change: Access Modification Control Issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/-/issues/1703).
Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Role Change: Access Modification Control Issue](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/-/issues/1703).
### Policy Reference
......
......@@ -35,7 +35,7 @@ An unique identifier (UID) is a numeric and/or alphanumeric string that is assoc
* Applications should have business logic to ensure the unique identifier(s) aren't re-used or duplicated.
## Additional control information and project tracking
Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Unique Identifiers control issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/812).
Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Unique Identifiers control issue](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/issues/812).
### Policy Reference
* [Unique Account Identifiers](/handbook/engineering/security/#unique-account-identifiers)
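Review bot: the hunk header context `An unique identifier (UID) is a numeric and/or alphanumeric string` should read `A unique identifier`; while editing, note that `UID` also reads as the POSIX user ID to anyone reviewing system evidence, so a short clarification that this control means the account identifier in the application sense would avoid confusion in an audit.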
......
......@@ -30,7 +30,7 @@ This control applies to all systems within our production environment. The produ
## Additional control information and project tracking
Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Password Authentication control issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/813).
Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Password Authentication control issue](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/issues/813).
Examples of evidence an auditor might request to satisfy this control:
......