From 54b36b074f959e4854e690392dc667a14153145d Mon Sep 17 00:00:00 2001 
From: jburrows Date: Tue, 22 Sep 2020 10:51:50 -0700 Subject: [PATCH] Update SecComp tags and links --- .../enterprise-applications/portal/index.html.md | 4 ++-- .../baseline-entitlements/index.html.md | 2 +- .../access-requests/index.html.md | 6 +++--- .../handbook/engineering/quality/index.html.md.erb | 2 +- .../security/change-management-guidance.html.md | 8 ++++---- .../security/controlled-document-procedure.html.md | 2 +- .../source/handbook/engineering/security/index.html.md | 6 +++--- .../engineering/security/red-team/red-team-roe.html.md | 2 +- .../security-compliance/compliance.html.md | 6 +++--- .../guidance/BC.1.01_business_continuity_plan.html.md | 2 +- ..._business_continuity_roles_responsibilities.html.md | 2 +- .../guidance/BC.1.03_continuity_testing.html.md | 10 +++++----- .../guidance/BC.1.04_business_impact_analysis.html.md | 8 ++++---- .../guidance/BU.1.01_backup_configuration.html.md | 2 +- .../guidance/BU.1.02_resilience_testing.html.md | 2 +- .../guidance/BU.1.03_alternate_storage.html.md | 2 +- .../CFG.1.01_baseline_configuration_standard.html.md | 2 +- .../guidance/CFG.1.03_configuration_checks.html.md | 2 +- .../CM.1.01_change_management_workflow.html.md | 2 +- .../guidance/CM.1.02_change_approval.html.md | 2 +- .../CM.1.03_change_management_issue_tracker.html.md | 2 +- .../guidance/CM.1.04_emergency_changes.html.md | 2 +- .../guidance/CM.2.01_segregation_of_duties.html.md | 2 +- .../DM.1.01_data_classification_criteria.html.md | 2 +- .../guidance/DM.2.01_terms_of_service.html.md | 2 +- .../DM.4.01_encryption_of_data_in_transit.html.md | 2 +- .../DM.4.02_encryption_of_data_at_rest.html.md | 2 +- .../DM.7.03_data_retention_and_disposal_policy.html.md | 2 +- .../IAM.1.01_logical_access_provisioning.html.md | 2 +- .../IAM.1.02_logical_access_deprovisioning.html.md | 2 +- .../guidance/IAM.1.04_logical_access_review.html.md | 4 ++-- .../IAM.1.05_role_change_access_deprovisioning.html.md | 2 +- 
.../guidance/IAM.1.06_shared_logical_accounts.html.md | 2 +- .../IAM.1.07_shared_account_restrictions.html.md | 2 +- .../guidance/IAM.1.08_new_access_provisioning.html.md | 2 +- .../guidance/IAM.1.09_access_modification.html.md | 2 +- .../guidance/IAM.2.01_unique_identifiers.html.md | 2 +- .../guidance/IAM.2.02_password_authentication.html.md | 2 +- .../IAM.2.03_multifactor_authentication.html.md | 2 +- ....2.04_authentication_credential_maintenance.html.md | 2 +- .../guidance/IAM.2.08_account_lockout.html.md | 2 +- .../guidance/IAM.3.02_source_code_security.html.md | 2 +- .../IAM.3.03_service_account_restriction.html.md | 2 +- .../IAM.3.05_administrator_access_production.html.md | 2 +- .../guidance/IAM.4.01_remote_connections.html.md | 2 +- ..._remote_maintenance_authentication_sessions.html.md | 2 +- .../guidance/IAM.6.01_key_repository_access.html.md | 2 +- .../guidance/IR.1.01_incident_response_plan.html.md | 2 +- .../guidance/IR.1.03_incident_response.html.md | 2 +- .../guidance/IR.1.04_insurance_policy.html.md | 2 +- ...IR.2.01_external_communication_of_incidents.html.md | 2 +- ...2.02_incident_reporting_contact_information.html.md | 2 +- .../IR.2.03_incident_external_communication.html.md | 2 +- .../NO.1.01_network_policy_enforcement_points.html.md | 2 +- .../guidance/NO.2.01_network_segmentation.html.md | 2 +- .../guidance/PR.1.01_background_checks.html.md | 2 +- .../guidance/PR.1.02_performance_management.html.md | 2 +- .../guidance/PR.1.03_policy_procedure_review.html.md | 2 +- .../guidance/PR.1.04_hiring_review_management.html.md | 2 +- .../guidance/RM.1.01_risk_assessment.html.md | 2 +- .../guidance/RM.1.02_continuous_monitoring.html.md | 2 +- .../RM.1.04_service_risk_rating_assignment.html.md | 2 +- .../guidance/RM.1.05_risk_management.html.md | 2 +- .../guidance/RM.3.01_remediation_tracking.html.md | 2 +- .../guidance/SDM.1.01_system_documentation.html.md | 2 +- .../SG.1.01_policy_and_standard_review.html.md | 2 +- 
...G.2.01_information_security_program_content.html.md | 2 +- ...SG.5.03_security_roles_and_responsibilities.html.md | 2 +- .../guidance/SG.5.06_bod_bylaws.html.md | 2 +- .../SG.5.07_bod_security_program_content.html.md | 2 +- .../SLC.1.01_service_lifecycle_workflow.html.md | 2 +- .../guidance/SLC.1.03_release_notes.html.md | 2 +- .../guidance/SLC.2.01_source_code_management.html.md | 2 +- .../guidance/SYS.1.01_audit_logging.html.md | 2 +- .../guidance/SYS.1.02_secure_audit_logging.html.md | 2 +- .../SYS.1.07_audit_log_capacity_retention.html.md | 2 +- ...SYS.2.01_security_monitoring_alert_criteria.html.md | 2 +- .../SYS.2.07_system_security_monitoring.html.md | 2 +- .../TPM.1.01_third_party_assurance_review.html.md | 2 +- .../guidance/TPM.1.02_vendor_risk_management.html.md | 2 +- .../TPM.1.04_vendor_compliance_monitoring.html.md | 6 +++--- .../TPM.2.02_vendor_non-disclosure_agreements.html.md | 2 +- ..._commitments_responsibilities_documentation.html.md | 2 +- .../TPM.3.01_approved_service_provider_listing.html.md | 2 +- ...RN.1.01_general_security_awareness_training.html.md | 2 +- .../guidance/TRN.1.02_code_of_conduct_training.html.md | 2 +- .../TRN.2.01_developer_security_training.html.md | 2 +- .../guidance/VUL.1.01_vulnerability_scans.html.md | 2 +- .../guidance/VUL.1.03_approved_scanning_vendor.html.md | 2 +- ...tion_and_infrastructure_penetration_testing.html.md | 2 +- .../VUL.3.01_infrastructure_patch_management.html.md | 2 +- .../guidance/VUL.3.02_end_life_software.html.md | 2 +- .../guidance/VUL.4.01_enterprise_protection.html.md | 2 +- .../guidance/VUL.5.01_code_security_check.html.md | 2 +- ....01_external_information_security_inquiries.html.md | 2 +- .../guidance/am.1.01-inventory-management.html.md | 2 +- .../security-compliance/sec-controls.html.md | 4 ++-- .../security-compliance/soc2.html.md | 2 +- .../third-party-vendor-security-review.html.md | 2 +- .../security-incident-communication-plan.html.md | 4 ++-- 
.../vulnerability_management/encryption-policy.html.md | 2 +- .../sox-internal-controls/procure-to-pay/index.html.md | 4 ++-- .../people-group/acceptable-use-policy/index.html.md | 2 +- .../source/handbook/security/approved_os.html.md | 2 +- sites/handbook/source/handbook/security/index.html.md | 8 ++++---- .../source/company/okrs/fy20-q1/index.html.md | 4 ++-- .../source/company/okrs/fy20-q2/index.html.md | 2 +- 107 files changed, 134 insertions(+), 134 deletions(-) diff --git a/sites/handbook/source/handbook/business-ops/enterprise-applications/portal/index.html.md b/sites/handbook/source/handbook/business-ops/enterprise-applications/portal/index.html.md index 17eb237fb14..83039af09d3 100644 --- a/sites/handbook/source/handbook/business-ops/enterprise-applications/portal/index.html.md +++ b/sites/handbook/source/handbook/business-ops/enterprise-applications/portal/index.html.md 
@@ -148,12 +148,12 @@ tier one applications of lead to fulfillment - [WIP: view only Lucidchart diagram lead to fullfillment system flow](https://app.lucidchart.com/documents/view/fe61ff48-c0e3-4f40-b2de-4023d48101d9/0_0) - [video of custom setup](https://drive.google.com/drive/folders/1kfCEQM6XYGWYxq3Ke4TNvtmDR-46erVD) -- [Security's Compliance Diagram](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/blob/master/PCI/customers.gitlab.com_data_flow_diagram_-_New_Business.pdf) +- [Security's Compliance Diagram](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/blob/master/PCI/customers.gitlab.com_data_flow_diagram_-_New_Business.pdf) - [Growth Team's Portal Diagram](https://app.mural.co/t/gitlab2474/m/gitlab2474/1569500330861/8f9fd73826c42ad809d51be886db27494da91353) - [Trade Compliance](/handbook/business-ops/trade-compliance/) - [Sales flow](https://drive.google.com/file/d/1nkJrsXewy1G9llV9-8k2EhineU2hyoDJ/view?usp=sharing) - [entry points, integration users google sheet](https://docs.google.com/spreadsheets/d/1j3xE6pQLfsKMri14LDcrnxbWbTwqz4Tpv9kI8UIHYCE/edit#gid=0) -- [PCI In-Scope Systems diagram](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/-/blob/master/PCI/PCI_In_Scope_Systems.md) +- [PCI In-Scope Systems diagram](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/-/blob/master/PCI/PCI_In_Scope_Systems.md) - [entry points and conversion by marketing](https://www.figma.com/file/JMFCXAftW30wjul6TTIPFa/lead%2Fsign-up-flow?node-id=0%3A1) - [customer facing documentation on managing subscriptions](https://docs.gitlab.com/ee/subscriptions/) - [UX flows for trials](https://app.mural.co/t/gitlab2474/m/gitlab2474/1580984258623/a815e52decef6141307b634da65fbcd5242a48e8) 
diff --git a/sites/handbook/source/handbook/business-ops/team-member-enablement/onboarding-access-requests/access-requests/baseline-entitlements/index.html.md b/sites/handbook/source/handbook/business-ops/team-member-enablement/onboarding-access-requests/access-requests/baseline-entitlements/index.html.md index d2d6b7a714f..3d6ad989035 100644 --- a/sites/handbook/source/handbook/business-ops/team-member-enablement/onboarding-access-requests/access-requests/baseline-entitlements/index.html.md +++ b/sites/handbook/source/handbook/business-ops/team-member-enablement/onboarding-access-requests/access-requests/baseline-entitlements/index.html.md @@ -88,7 +88,7 @@ The following people need to review and approve the template before it can be me 1. The template needs to be approved by a manager and/or director from the department the role belongs to. 1. The level of permission you are requesting access to needs to be approved by the technical owner of the system. You can find a list of the technical owners of each system in our [tech stack](https://docs.google.com/spreadsheets/d/1mTNZHsK3TWzQdeFqkITKA0pHADjuurv37XMuHv12hDU/edit#gid=0). -1. If the role you are requesting access to is Admin of a system, security compliance (@gitlab-com/gl-security/compliance) also needs to approve the request. Non-admin access doesn't need to be reviewed by Security. +1. If the role you are requesting access to is Admin of a system, security compliance (@gitlab-com/gl-security/security-assurance/sec-compliance) also needs to approve the request. Non-admin access doesn't need to be reviewed by Security. 1. Once the MR has been approved by all the relevant parties, you can assign the MR to @lisvinueza for a format review and merge. #### Note 
diff --git a/sites/handbook/source/handbook/business-ops/team-member-enablement/onboarding-access-requests/access-requests/index.html.md b/sites/handbook/source/handbook/business-ops/team-member-enablement/onboarding-access-requests/access-requests/index.html.md index a580f85b7d0..3b5739a053b 100644 --- a/sites/handbook/source/handbook/business-ops/team-member-enablement/onboarding-access-requests/access-requests/index.html.md +++ b/sites/handbook/source/handbook/business-ops/team-member-enablement/onboarding-access-requests/access-requests/index.html.md @@ -96,7 +96,7 @@ If after review you feel that a shared account is still needed, complete the for **Note that systems with PCI data is not allowed shared accounts.** Please note that shared account request(s) will need to be reviewed and approved by IT Ops and the listed Tech Stack Owner. -An [Exception Request](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/new?issuable_template=Exception%20Request) will need to be logged for each user you are requesting to be added. +An [Exception Request](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/issues/new?issuable_template=Exception%20Request) will need to be logged for each user you are requesting to be added. Note that with an Exception Requet the maximum exception length is 90 days. After the Exception Length, you will be required to submit another Exception Request for review and approval. **If the exception request is not logged, reviewed, and approved for an extension, note that the Shared Account will be disabled.** 
@@ -176,7 +176,7 @@ While this application automation will take place in Okta, "true" system provisi Every review should include a [least privilege review](/handbook/engineering/security/Access-Management-Policy.html#principle-of-least-privilege) 1. Add your approval by adding the label `AR-Approval::Manager Approved` and `ready for provisioning`. 1. If you do not approve, add a comment and close the issue. -1. If you are unsure whether the requestor needs the permissions outlined to fulfill their duties, mention `@gitlab-com/gl-security/compliance` in a comment for assistance +1. If you are unsure whether the requestor needs the permissions outlined to fulfill their duties, mention `@gitlab-com/gl-security/security-assurance/sec-compliance` in a comment for assistance ##### Instructions and Guidance for Provisioners @@ -190,7 +190,7 @@ While this application automation will take place in Okta, "true" system provisi ##### Instructions and Guidance for IT -1. Review the Shared Account Access Request and ensure that there is an [Exception Request](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues?scope=all&utf8=%E2%9C%93&state=opened&label_name[]=Exception%20Request) for each user that is being added to the shared account. +1. Review the Shared Account Access Request and ensure that there is an [Exception Request](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/issues?scope=all&utf8=%E2%9C%93&state=opened&label_name[]=Exception%20Request) for each user that is being added to the shared account. 1. Review the Exception Request and document in the Access Request issue the Exception Length. 1. Ensure that the Exception Request has been reviewed and approved by Security prior to adding your approval or setting up the shared account. 1. If the shared account will be managed in Okta - Set a review/reminder date in Okta to review shared account access dependent on exception timeline and close issue. 
diff --git a/sites/handbook/source/handbook/engineering/quality/index.html.md.erb b/sites/handbook/source/handbook/engineering/quality/index.html.md.erb index 0b54faf6899..197ab684f8b 100644 --- a/sites/handbook/source/handbook/engineering/quality/index.html.md.erb +++ b/sites/handbook/source/handbook/engineering/quality/index.html.md.erb @@ -283,7 +283,7 @@ The Quality department collaborates with the [Security department's compliance t The compliance team maintains the current state of answers to these questions, please follow the process to [request completion of assessment questionnaire](/handbook/engineering/security/security-assurance/field-security/customer-security-assessment-process.html#how-to-request-a-questionnaire-be-completed). -If additional input is needed from the Quality team, the DRI for this is the Director of Quality. Tracking of supplimental requests will be via a confidential issue in the [compliance issue tracker](https://gitlab.com/gitlab-com/gl-security/compliance/compliance). Once the additional inputs have been supplied, this is stored in the Compliance team's domain for efficiency. +If additional input is needed from the Quality team, the DRI for this is the Director of Quality. Tracking of supplimental requests will be via a confidential issue in the [compliance issue tracker](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance). Once the additional inputs have been supplied, this is stored in the Compliance team's domain for efficiency. ## Department recurring event DRIs diff --git a/sites/handbook/source/handbook/engineering/security/change-management-guidance.html.md b/sites/handbook/source/handbook/engineering/security/change-management-guidance.html.md index 961269eadde..38617716b72 100644 --- a/sites/handbook/source/handbook/engineering/security/change-management-guidance.html.md +++ b/sites/handbook/source/handbook/engineering/security/change-management-guidance.html.md 
@@ -43,12 +43,12 @@ There may be some cases where it does not make sense for a change to be tested p Open Change Issue Create change issue to track change - [CM.1.01 - Change Management Workflow](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/-/issues/781) + [CM.1.01 - Change Management Workflow](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/-/issues/781) Change requirements documented Document:
- Change Description
- Impact of Change
- Test Results
- Backout Procedures (in-scope SOX systems)
- [CM.1.02 - Change Approval](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/-/issues/782) + [CM.1.02 - Change Approval](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/-/issues/782) Change is Tested @@ -57,12 +57,12 @@ There may be some cases where it does not make sense for a change to be tested p Emergency Change Approval obtained retroactively depending on the urgency of the change - [CM.1.04 - Emergency Changes](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/-/issues/1692) + [CM.1.04 - Emergency Changes](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/-/issues/1692) Approval for Change Approval is provided by someone
other than change requestor - [CM.2.01 - Segregation of Duties](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/-/issues/783) + [CM.2.01 - Segregation of Duties](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/-/issues/783) Change is Deployed to Production diff --git a/sites/handbook/source/handbook/engineering/security/controlled-document-procedure.html.md b/sites/handbook/source/handbook/engineering/security/controlled-document-procedure.html.md index 90a5b5fdc91..9a870c99d29 100644 --- a/sites/handbook/source/handbook/engineering/security/controlled-document-procedure.html.md +++ b/sites/handbook/source/handbook/engineering/security/controlled-document-procedure.html.md @@ -69,4 +69,4 @@ Exceptions to this procedure will be tracked as per the [Information Security Po - Parent Policy: [Information Security Policy](/handbook/engineering/security/) - GCF Control: [SG.1.01 - Policy and Standard Review](/handbook/engineering/security/security-assurance/security-compliance/guidance/SG.1.01_policy_and_standard_review.html) - [Data Classifiation Standard](/handbook/engineering/security/data-classification-standard.html) -- Current listing of controlled documents: https://gitlab.com/gitlab-com/gl-security/compliance/compliance/-/issues/1934 +- Current listing of controlled documents: https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/-/issues/1934 diff --git a/sites/handbook/source/handbook/engineering/security/index.html.md b/sites/handbook/source/handbook/engineering/security/index.html.md index 3277671190e..533ec3dd5ae 100644 --- a/sites/handbook/source/handbook/engineering/security/index.html.md +++ b/sites/handbook/source/handbook/engineering/security/index.html.md 
@@ -355,7 +355,7 @@ Information Security Policies are reviewed annually. Policy changes are approved Information security considerations such as regulatory, compliance, confidentiality, integrity and availability requirements are most easily met when companies employ centrally supported or recommended industry standards. Whereas GitLab operates under [the principle of least privilege](/handbook/engineering/security/Access-Management-Policy.html#principle-of-least-privilege), we understand that centrally supported or recommended industry technologies are not always feasible for a specific job function or company need. Deviations from the aforementioned standard or recommended technologies is discouraged. However, it may be considered provided that there is a reasonable, justifiable business and/or research case for an information security policy exception; resources are sufficient to properly implement and maintain the alternative technology; the process outlined in this and other related documents is followed and other policies and standards are upheld. 
-In the event a team member requires a deviation from the standard course of business or otherwise allowed by policy, the Requestor must submit a [Policy Exception Request](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/new?issue%5Bassignee_id%5D=&issue%5Bmilestone_id%5D=) to IT Security, which contains, at a minimum, the following elements: +In the event a team member requires a deviation from the standard course of business or otherwise allowed by policy, the Requestor must submit a [Policy Exception Request](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/issues/new?issue%5Bassignee_id%5D=&issue%5Bmilestone_id%5D=) to IT Security, which contains, at a minimum, the following elements: - Team member Name and contact - Time period for the exception (deviations should not exceed 90 days unless the exception is related to a device exception, like using a Windows device) 
@@ -364,7 +364,7 @@ In the event a team member requires a deviation from the standard course of busi - The business justification for the proposed deviation - Compensating controls which will be implemented to ensure proper oversight. -The [Policy Exception Request](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/new?issuable_template=Exception_Request) should be used to request exceptions to information security policies, such as the password policy, or when requesting the use of a non-standard device (laptop). +The [Policy Exception Request](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/issues/new?issuable_template=Exception_Request) should be used to request exceptions to information security policies, such as the password policy, or when requesting the use of a non-standard device (laptop). Exception request approval requirements are documented within the issue template. The requester should tag the appropriate individuals who are required to provide an approval per the approval matrix. 
@@ -386,7 +386,7 @@ primary project used for issue tracking underneath `team-name` or similiar. For - [public (!) Security Department Meta](https://gitlab.com/gitlab-com/gl-security/security-department-meta/) for Security Department initiatives, `~meta` and backend tasks, and catch all for anything not covered by other projects. For non-Security department team members, use this if unsure which team to contact. For Security Team members, use of this project as a catch-all is _deprecated_. - [Security Assurance Sub-department (@gitlab-com/gl-security/security-assurance)](https://gitlab.com/gitlab-com/gl-security/security-assurance) Security Assurance Sub-department - - [@gitlab-com/gl-security/compliance](https://gitlab.com/gitlab-com/gl-security/compliance) is the primary group for @'mentioning the Security Compliance team. + - [@gitlab-com/gl-security/security-assurance/sec-compliance](https://gitlab.com/gitlab-com/gl-security/compliance) is the primary group for @'mentioning the Security Compliance team. - [@gitlab-com/gl-security/field-security](https://gitlab.com/gitlab-com/gl-security/security-assurance/field-security-team) is the primary group for @'mentioning the Field Security team. - [Engineering and Research Sub-department (@gitlab-com/gl-security/engineering-and-research)](https://gitlab.com/gitlab-com/gl-security/engineering-and-research/engineering-and-research-meta) - [gitlab-com/gl-security/engineering-and-research-meta](https://gitlab.com/gitlab-com/gl-security/engineering-and-research-meta) For sub-department wide management and planning issues. diff --git a/sites/handbook/source/handbook/engineering/security/red-team/red-team-roe.html.md b/sites/handbook/source/handbook/engineering/security/red-team/red-team-roe.html.md index d715562e98d..d884263e944 100644 --- a/sites/handbook/source/handbook/engineering/security/red-team/red-team-roe.html.md +++ b/sites/handbook/source/handbook/engineering/security/red-team/red-team-roe.html.md 
@@ -22,7 +22,7 @@ In general, a scope definition for an engagement should be *exclusive* vs. inclu 1. Describe any systems that should be *excluded* from the engagement such as IP addresses, applications, and personnel. 1. Testing time period expressed in either [UTC or PT](/handbook/communication/). 1. Define techniques that should be excluded from the engagement such as social engineering, Denial of Service attacks, etc. -1. Define the controls that prevent infinite escalation in the event of a successful engagement if applicable. In other words, not every vulnerability exploited as part of a Red Team engagement should end up classified with an overall risk of [very high](https://gitlab.com/gitlab-com/gl-security/compliance/risk-assessments/blob/master/Risk%20Scoring%20Matrix.md#overall-impact) and engage an [incident response](./sec-incident-response.html). +1. Define the controls that prevent infinite escalation in the event of a successful engagement if applicable. In other words, not every vulnerability exploited as part of a Red Team engagement should end up classified with an overall risk of [very high](https://gitlab.com/gitlab-com/gl-security/security-assurance/field-security-team/risk-assessments/blob/master/Risk%20Scoring%20Matrix.md#overall-impact) and engage an [incident response](./sec-incident-response.html). ### Ethics diff --git a/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/compliance.html.md b/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/compliance.html.md index 39bb6b3a3eb..871eb2fff61 100644 --- a/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/compliance.html.md +++ b/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/compliance.html.md 
@@ -52,7 +52,7 @@ A member of the [Security Assurance](https://about.gitlab.com/handbook/engineeri * The Security Compliance team is engaged as subject matter experts to support specific security compliance customer requests. * The Security Compliance team triages findings produced by external scanning services when responses are required according to the GitLab Risk and Field Security team. 1. Ad-hoc work streams - * If you have a request for the GitLab Security Compliance team please [open an ad-hoc issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/new?issuable_template=ad_hoc_work.md) and we will review and prioritize that work weekly. + * If you have a request for the GitLab Security Compliance team please [open an ad-hoc issue](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/issues/new?issuable_template=ad_hoc_work.md) and we will review and prioritize that work weekly. ## Security Compliance Work Outputs 1. Governance documentation @@ -93,10 +93,10 @@ The Security Compliance team uses an application-based ownership model for contr * Email * `security-compliance@gitlab.com` * Tag us in GitLab - * `@gitlab-com/gl-security/compliance` + * `@gitlab-com/gl-security/security-assurance/sec-compliance` * Slack * Feel free to tag is with `@sec-compliance-team` * The #sec-assurance slack channel is the best place for questions relating to our team (please add the above tag) -* [GitLab compliance project](https://gitlab.com/gitlab-com/gl-security/compliance/compliance) +* [GitLab compliance project](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance) **Note: If you have an urgent request and you're not getting a response from the above team tags, the security compliance manager (@jburrows001) has their cell phone number in their slack profile. ** 
diff --git a/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/BC.1.01_business_continuity_plan.html.md b/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/BC.1.01_business_continuity_plan.html.md index 319bb081efc..5c0e694d063 100644 --- a/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/BC.1.01_business_continuity_plan.html.md +++ b/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/BC.1.01_business_continuity_plan.html.md @@ -52,7 +52,7 @@ Based on the above, GitLab business continuity plan will have team and departmen * DR test to be run annually, to ensure that the plan is working efficiently. ## Additional control information and project tracking -Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Business Continuity Plan issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/774) . +Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Business Continuity Plan issue](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/issues/774) . ### Policy Reference * [GitLab Business Continuity Plan in Handbook](/handbook/business-ops/gitlab-business-continuity-plan.html) diff --git a/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/BC.1.02_business_continuity_roles_responsibilities.html.md b/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/BC.1.02_business_continuity_roles_responsibilities.html.md index 53d4a9ab575..ff4b52f29ba 100644 
--- a/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/BC.1.02_business_continuity_roles_responsibilities.html.md +++ b/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/BC.1.02_business_continuity_roles_responsibilities.html.md @@ -56,7 +56,7 @@ In a much detailed level, the BC plan - roles & responsibilities should include: ## Additional control information and project tracking -Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Business Continuity Plan: Roles and Responsibilities issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/775). +Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Business Continuity Plan: Roles and Responsibilities issue](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/issues/775). ### Policy Reference diff --git a/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/BC.1.03_continuity_testing.html.md b/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/BC.1.03_continuity_testing.html.md index 545622c2ba9..8b0ca93074d 100644 --- a/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/BC.1.03_continuity_testing.html.md +++ b/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/BC.1.03_continuity_testing.html.md 
@@ -41,15 +41,15 @@ All parts of the business continuity plan should be tested. All teams and servic - To support best practice methodology and satisfy regulatory control requirements. ## Additional control information and project tracking -Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Continuity Testing control issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/776). +Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Continuity Testing control issue](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/issues/776). ### Policy Reference - [Business Continuity Test handbook link](/handbook/business-ops/gitlab-business-continuity-plan.html#business-continuity-testing) -- [Project Plan for GitLab's Business Continuity Test - Q1 2020](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/-/issues/1721) -- [Business Continuity Test Plan - Apr 30, 2020](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/-/issues/1818 -- [Business Continuity Exercise Runbook Template](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/-/issues/new?issuable_template=Business_Continuity_Exercise_Runbook) +- [Project Plan for GitLab's Business Continuity Test - Q1 2020](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/-/issues/1721) +- [Business Continuity Test Plan - Apr 30, 2020](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/-/issues/1818 +- [Business Continuity Exercise Runbook Template](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/-/issues/new?issuable_template=Business_Continuity_Exercise_Runbook) - [Business Continuity Plan for Malicious Software 
Attack(s)](https://gitlab.com/gitlab-com/business-ops/Business-Operations/-/issues/264) -- [Business Continuity Test - April 30th, 2020 - Retrospective](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/-/issues/1838) +- [Business Continuity Test - April 30th, 2020 - Retrospective](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/-/issues/1838) ## Framework Mapping * SOC2 CC diff --git a/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/BC.1.04_business_impact_analysis.html.md b/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/BC.1.04_business_impact_analysis.html.md index ad43469e81c..7d805a94568 100644 --- a/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/BC.1.04_business_impact_analysis.html.md +++ b/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/BC.1.04_business_impact_analysis.html.md @@ -50,7 +50,7 @@ This control is a subset of the Business Continuity control. Business Impact Ana ## Additional control information and project tracking -Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Business Impact Analysis control issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/-/issues/777). +Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Business Impact Analysis control issue](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/-/issues/777). ### Policy Reference 
@@ -60,6 +60,6 @@ Non-public information relating to this security control as well as links to the * [Data Protection Office and the Privacy Office](https://about.gitlab.com/privacy/#data-protection) * [NIST BCP with reference to BIA](https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-34r1.pdf) * [Handbook listing for DR](/handbook/engineering/infrastructure/design/disaster-recovery/) -* [Project Plan related to the BC test tabletop exercise](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/-/issues/1721) -* [Business Continuity Testing Procedure](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/-/issues/1818) -* [Retrospective of the exercise documented](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/-/issues/1838) +* [Project Plan related to the BC test tabletop exercise](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/-/issues/1721) +* [Business Continuity Testing Procedure](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/-/issues/1818) +* [Retrospective of the exercise documented](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/-/issues/1838) diff --git a/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/BU.1.01_backup_configuration.html.md b/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/BU.1.01_backup_configuration.html.md index 60ccb2d865e..3a6ef7ff78d 100644 --- a/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/BU.1.01_backup_configuration.html.md +++ b/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/BU.1.01_backup_configuration.html.md 
@@ -47,7 +47,7 @@ The Backup configuration Documentation should include: * If centrally managed, the runbook that controls backup configurations ## Additional control information and project tracking -Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Backup Configuration control issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/778). +Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Backup Configuration control issue](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/issues/778). ### Policy Reference * [PCI DSS v3.2.1 - 12.10.1 - Backup Configuration](https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf?agreement=true&time=1550838512120#page=113) diff --git a/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/BU.1.02_resilience_testing.html.md b/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/BU.1.02_resilience_testing.html.md index 67a5ae4a198..0b7849a4690 100644 --- a/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/BU.1.02_resilience_testing.html.md +++ b/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/BU.1.02_resilience_testing.html.md 
@@ -43,7 +43,7 @@ This guidance is a two-parter, provide evidence demonstrating: ## Additional control information and project tracking -Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Resilience Testing control issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/779). +Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Resilience Testing control issue](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/issues/779). Examples of evidence an auditor might request to satisfy this control: diff --git a/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/BU.1.03_alternate_storage.html.md b/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/BU.1.03_alternate_storage.html.md index 09c872a5dc3..726dc4e7578 100644 --- a/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/BU.1.03_alternate_storage.html.md +++ b/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/BU.1.03_alternate_storage.html.md 
@@ -55,7 +55,7 @@ Backup copies of GitLab information, software and system images need to be store ## Additional control information and project tracking -Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Backup Management: Alternate Storage issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/780) . +Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Backup Management: Alternate Storage issue](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/issues/780) . ### Policy Reference * [GitLab Geo](https://docs.gitlab.com/ee/administration/geo/) diff --git a/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/CFG.1.01_baseline_configuration_standard.html.md b/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/CFG.1.01_baseline_configuration_standard.html.md index abf436d9609..7e4a0ca3fc7 100644 --- a/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/CFG.1.01_baseline_configuration_standard.html.md +++ b/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/CFG.1.01_baseline_configuration_standard.html.md 
@@ -40,7 +40,7 @@ This control applies to all systems within our production environment. The produ ## Additional control information and project tracking -Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Baseline Configuration Standard control issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/784). +Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Baseline Configuration Standard control issue](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/issues/784). Examples of evidence an auditor might request to satisfy this control: diff --git a/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/CFG.1.03_configuration_checks.html.md b/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/CFG.1.03_configuration_checks.html.md index 5729e0d79a5..1f4f518258c 100644 --- a/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/CFG.1.03_configuration_checks.html.md +++ b/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/CFG.1.03_configuration_checks.html.md 
@@ -28,7 +28,7 @@ This control applies to all systems within our production environment. The produ The ideal state is for both production configuration management and application deployments to be automated and for any deviations from desired configurations to be either self-corrected or identified and manually corrected as efficiently as possible. Currently, we use a combination of Chef, Terraform, and GitLab (on the Ops instance) to deploy and configure the production GitLab environment. With that automation we're able to assure proper configuration and quickly identify and resolve any deviations. ## Additional control information and project tracking -Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [control issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/786). +Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [control issue](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/issues/786). Examples of evidence an auditor might request to satisfy this control: * Examples of Chef alerts initiated when Chef fails to run over a period of time diff --git a/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/CM.1.01_change_management_workflow.html.md b/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/CM.1.01_change_management_workflow.html.md index e9a7580bdfa..500f7e4ab8f 100644 --- a/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/CM.1.01_change_management_workflow.html.md +++ b/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/CM.1.01_change_management_workflow.html.md 
@@ -43,7 +43,7 @@ Additionally, any changes to the GitLab [handbook](about.gitlab.com) utilizes [g ## Additional control information and project tracking -Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Change Management Workflow control issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/781). +Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Change Management Workflow control issue](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/issues/781). Examples of evidence an auditor might request to satisfy this control: diff --git a/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/CM.1.02_change_approval.html.md b/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/CM.1.02_change_approval.html.md index 4cc6c611524..69c9f073db5 100644 --- a/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/CM.1.02_change_approval.html.md +++ b/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/CM.1.02_change_approval.html.md 
@@ -35,7 +35,7 @@ This control applies to all systems within our production environment. The produ ## Additional control information and project tracking -Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Change Approval control issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/782). +Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Change Approval control issue](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/issues/782). Examples of evidence an auditor might request to satisfy this control: diff --git a/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/CM.1.03_change_management_issue_tracker.html.md b/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/CM.1.03_change_management_issue_tracker.html.md index e364de2274e..6d370c3ea68 100644 --- a/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/CM.1.03_change_management_issue_tracker.html.md +++ b/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/CM.1.03_change_management_issue_tracker.html.md 
@@ -35,7 +35,7 @@ This control applies to all changes that support the business of GitLab.com. ## Additional control information and project tracking -Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Change Management Issue Tracker issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/1691). +Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Change Management Issue Tracker issue](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/issues/1691). Examples of evidence an auditor might request to satisfy this control: diff --git a/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/CM.1.04_emergency_changes.html.md b/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/CM.1.04_emergency_changes.html.md index 6d9d34c1d94..d5019e482e3 100644 --- a/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/CM.1.04_emergency_changes.html.md +++ b/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/CM.1.04_emergency_changes.html.md 
@@ -30,7 +30,7 @@ This control applies to all systems within our production environment. The produ ## Additional control information and project tracking -Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Emergency Changes control issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/-/issues/1692). +Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Emergency Changes control issue](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/-/issues/1692). Examples of evidence an auditor might request to satisfy this control: diff --git a/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/CM.2.01_segregation_of_duties.html.md b/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/CM.2.01_segregation_of_duties.html.md index da4ae51cc81..420be9446d0 100644 --- a/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/CM.2.01_segregation_of_duties.html.md +++ b/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/CM.2.01_segregation_of_duties.html.md 
@@ -36,7 +36,7 @@ This control applies to all systems within our production environment. The produ ## Additional control information and project tracking -Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Segregation of Duties control issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/783). +Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Segregation of Duties control issue](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/issues/783). Examples of evidence an auditor might request to satisfy this control: diff --git a/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/DM.1.01_data_classification_criteria.html.md b/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/DM.1.01_data_classification_criteria.html.md index 54355b34f85..5209c636f5d 100644 --- a/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/DM.1.01_data_classification_criteria.html.md +++ b/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/DM.1.01_data_classification_criteria.html.md 
@@ -35,7 +35,7 @@ The policy outlines proper handling and storage requirements for various data cl ## Additional control information and project tracking -Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in this [control issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/-/issues/1693). +Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in this [control issue](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/-/issues/1693). Examples of evidence an auditor might request to satisfy this control: diff --git a/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/DM.2.01_terms_of_service.html.md b/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/DM.2.01_terms_of_service.html.md index 97c06e31236..528cf613bb3 100644 --- a/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/DM.2.01_terms_of_service.html.md +++ b/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/DM.2.01_terms_of_service.html.md @@ -29,7 +29,7 @@ Legal ## Additional control information and project tracking -Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Terms of Service control issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/793). +Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Terms of Service control issue](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/issues/793). ### Policy Reference 
diff --git a/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/DM.4.01_encryption_of_data_in_transit.html.md b/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/DM.4.01_encryption_of_data_in_transit.html.md index 6e13d3d4367..0c2e9cd9035 100644 --- a/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/DM.4.01_encryption_of_data_in_transit.html.md +++ b/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/DM.4.01_encryption_of_data_in_transit.html.md @@ -30,7 +30,7 @@ This control applies to red, orange, and yellow data in the production environme * Such scans are sufficient for testing this control as the results show whether infrastructure transmitting red, organge, and yellow data over public networks uses TLS. ## Additional control information and project tracking -Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Encryption of Data in Transit control issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/796). +Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Encryption of Data in Transit control issue](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/issues/796). Examples of evidence an auditor might request to satisfy this control: * Architecture and design documentation showing the use and high-level implementation details of TLS for production 
diff --git a/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/DM.4.02_encryption_of_data_at_rest.html.md b/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/DM.4.02_encryption_of_data_at_rest.html.md index 1c9f5d8b39e..9b3eb829818 100644 --- a/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/DM.4.02_encryption_of_data_at_rest.html.md +++ b/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/DM.4.02_encryption_of_data_at_rest.html.md @@ -31,7 +31,7 @@ This control is applicable to the production environment and any end user device ## Additional control information and project tracking -Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Encryption of Data at Rest control issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/797). +Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Encryption of Data at Rest control issue](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/issues/797). Examples of evidence an auditor might request to satisfy this control: diff --git a/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/DM.7.03_data_retention_and_disposal_policy.html.md b/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/DM.7.03_data_retention_and_disposal_policy.html.md index 7d04f745ae8..3c24b20f30d 100644 --- a/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/DM.7.03_data_retention_and_disposal_policy.html.md 
+++ b/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/DM.7.03_data_retention_and_disposal_policy.html.md @@ -35,7 +35,7 @@ Certificates or logs of erasure should be maintained in accordance with the [Rec ## Additional control information and project tracking -Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Data Retention and Disposal Policy issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/-/issues/1696). +Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Data Retention and Disposal Policy issue](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/-/issues/1696). Examples of evidence an auditor might request to satisfy this control: diff --git a/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/IAM.1.01_logical_access_provisioning.html.md b/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/IAM.1.01_logical_access_provisioning.html.md index c0daf9dd759..6bb6d9911cb 100644 --- a/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/IAM.1.01_logical_access_provisioning.html.md +++ b/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/IAM.1.01_logical_access_provisioning.html.md 
@@ -33,7 +33,7 @@ Process ownership: Provisioning should be based on predetermined roles with business justification and management approval. The process owner should use role-based authentication whenever possible to make this control easier and to segregate out this function from that of other system functions. ## Additional control information and project tracking -Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Logical Access Provisioning control issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/805). +Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Logical Access Provisioning control issue](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/issues/805). ## Policy Reference - [Access Control Policy](/handbook/engineering/security/Access-Management-Policy.html) diff --git a/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/IAM.1.02_logical_access_deprovisioning.html.md b/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/IAM.1.02_logical_access_deprovisioning.html.md index 72cb4a38068..287de62e876 100644 --- a/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/IAM.1.02_logical_access_deprovisioning.html.md +++ b/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/IAM.1.02_logical_access_deprovisioning.html.md 
@@ -32,7 +32,7 @@ This control applies to any system or service where user accounts can be provisi ## Additional control information and project tracking -Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Logical Access De-Provisioning control issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/806). +Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Logical Access De-Provisioning control issue](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/issues/806). ## Guidance * The offboarding task checklist should be used to track the deprovisioning of access for a terminated employee diff --git a/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/IAM.1.04_logical_access_review.html.md b/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/IAM.1.04_logical_access_review.html.md index 2e3b14a8a91..fdf4653e735 100644 --- a/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/IAM.1.04_logical_access_review.html.md +++ b/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/IAM.1.04_logical_access_review.html.md 
@@ -39,7 +39,7 @@ Quarterly access reviews should be established, and where possible, use automati ## Additional control information and project tracking -Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Logical Access Review control issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/808). +Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Logical Access Review control issue](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/issues/808). Examples of evidence an auditor might request to satisfy this control: * Quarterly Access Reviews @@ -50,7 +50,7 @@ Examples of evidence an auditor might request to satisfy this control: * [Timing of Quarterly Access Reviews](/handbook/engineering/security/#timing-of-quarterly-access-reviews) -* [User Access Listing Generation Procedures and Guidelines Runbook](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/blob/master/runbooks/Access_Review_Runbook.md) +* [User Access Listing Generation Procedures and Guidelines Runbook](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/blob/master/runbooks/Access_Review_Runbook.md) ## Framework Mapping diff --git a/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/IAM.1.05_role_change_access_deprovisioning.html.md b/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/IAM.1.05_role_change_access_deprovisioning.html.md index 63d71749c0f..6ae9ac8d68b 100644 --- a/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/IAM.1.05_role_change_access_deprovisioning.html.md 
+++ b/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/IAM.1.05_role_change_access_deprovisioning.html.md @@ -28,7 +28,7 @@ This control applies to any system or service where user accounts can be provisi * IT Operations ## Additional control information and project tracking -Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Role Change: Access De-Provisioning control issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/809). +Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Role Change: Access De-Provisioning control issue](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/issues/809). ### Policy Reference diff --git a/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/IAM.1.06_shared_logical_accounts.html.md b/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/IAM.1.06_shared_logical_accounts.html.md index ff7a8b3ac6f..4d1b93e80a5 100644 --- a/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/IAM.1.06_shared_logical_accounts.html.md +++ b/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/IAM.1.06_shared_logical_accounts.html.md 
@@ -29,7 +29,7 @@ This control applies to all systems within our production environment. The produ * When Okta is not able to be used, a `policy exception` is required to track this shared access. A process for the lifecycle of the access and a mechanism to alert the appropriate teams when authentication credentials must be reset (e.g., email alerts, an issue, calendar event, etc) should be established. ## Additional control information and project tracking -Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Shared Logical Accounts control issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/810). +Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Shared Logical Accounts control issue](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/issues/810). ### Policy Reference * [Handbook section `Security Process and Procedures for Team Members` - Accounts and Passwords](/handbook/security/#security-process-and-procedures-for-team-members) diff --git a/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/IAM.1.07_shared_account_restrictions.html.md b/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/IAM.1.07_shared_account_restrictions.html.md index 8ce3e3658d0..1b754333ed2 100644 --- a/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/IAM.1.07_shared_account_restrictions.html.md +++ b/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/IAM.1.07_shared_account_restrictions.html.md 
@@ -52,7 +52,7 @@ end Review and document required accounts for a given system and disable all unnecessary accounts. Use of shared accounts should not used. If unavoidable, compensating controls should be utilized to add accountability. ## Additional control information and project tracking -Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Shared Account Restrictions control issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/811). +Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Shared Account Restrictions control issue](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/issues/811). Examples of evidence an auditor might request to satisfy this control: * Link to the handbook entry on shared accounts and their restrictions diff --git a/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/IAM.1.08_new_access_provisioning.html.md b/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/IAM.1.08_new_access_provisioning.html.md index 0392c573fce..36e5d1c209b 100644 --- a/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/IAM.1.08_new_access_provisioning.html.md +++ b/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/IAM.1.08_new_access_provisioning.html.md 
@@ -39,7 +39,7 @@ Process ownership: ## Additional control information and project tracking -Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [New Access Provisioning control issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/-/issues/1700). +Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [New Access Provisioning control issue](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/-/issues/1700). ## Policy Reference diff --git a/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/IAM.1.09_access_modification.html.md b/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/IAM.1.09_access_modification.html.md index 697db47ace8..bba9e864bd7 100644 --- a/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/IAM.1.09_access_modification.html.md +++ b/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/IAM.1.09_access_modification.html.md 
@@ -32,7 +32,7 @@ This control applies to any system or service where user accounts can be provisi * System Owners ## Additional control information and project tracking -Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Role Change: Access Modification Control Issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/-/issues/1703). +Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Role Change: Access Modification Control Issue](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/-/issues/1703). ### Policy Reference diff --git a/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/IAM.2.01_unique_identifiers.html.md b/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/IAM.2.01_unique_identifiers.html.md index 1ad4812d13b..bf87288e698 100644 --- a/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/IAM.2.01_unique_identifiers.html.md +++ b/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/IAM.2.01_unique_identifiers.html.md 
@@ -35,7 +35,7 @@ An unique identifier (UID) is a numeric and/or alphanumeric string that is assoc * Applications should have business logic to ensure the unique identifier(s) aren't re-used or duplicated. ## Additional control information and project tracking -Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Unique Identifiers control issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/812). +Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Unique Identifiers control issue](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/issues/812). ### Policy Reference * [Unique Account Identifiers](/handbook/engineering/security/#unique-account-identifiers) diff --git a/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/IAM.2.02_password_authentication.html.md b/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/IAM.2.02_password_authentication.html.md index 1cc27a29f20..2eebaf088d6 100644 --- a/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/IAM.2.02_password_authentication.html.md +++ b/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/IAM.2.02_password_authentication.html.md 
@@ -30,7 +30,7 @@ This control applies to all systems within our production environment. The produ ## Additional control information and project tracking -Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Password Authentication control issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/813). +Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Password Authentication control issue](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/issues/813). Examples of evidence an auditor might request to satisfy this control: diff --git a/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/IAM.2.03_multifactor_authentication.html.md b/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/IAM.2.03_multifactor_authentication.html.md index d4d777c8fc4..b6077e969c1 100644 --- a/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/IAM.2.03_multifactor_authentication.html.md +++ b/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/IAM.2.03_multifactor_authentication.html.md 
@@ -37,7 +37,7 @@ If MFA cannot be configured, an exception request will be maintained until it ca ## Additional control information and project tracking -Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Multifactor Authentication control issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/814). +Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Multifactor Authentication control issue](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/issues/814). ### Policy Reference diff --git a/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/IAM.2.04_authentication_credential_maintenance.html.md b/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/IAM.2.04_authentication_credential_maintenance.html.md index 65cbd7f7ebf..c4da00d2d66 100644 --- a/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/IAM.2.04_authentication_credential_maintenance.html.md +++ b/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/IAM.2.04_authentication_credential_maintenance.html.md 
@@ -38,7 +38,7 @@ For the remediation of this control these are the steps that should be followed: ## Additional control information and project tracking -Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Authentication Credential Maintenance issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/815) +Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Authentication Credential Maintenance issue](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/issues/815) ### Policy Reference diff --git a/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/IAM.2.08_account_lockout.html.md b/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/IAM.2.08_account_lockout.html.md index ed414a42816..d65da7d5fa4 100644 --- a/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/IAM.2.08_account_lockout.html.md +++ b/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/IAM.2.08_account_lockout.html.md @@ -40,7 +40,7 @@ TBD ## Additional control information and project tracking -Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Account Lockout control issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/819). +Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Account Lockout control issue](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/issues/819). ### Policy Reference 
diff --git a/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/IAM.3.02_source_code_security.html.md b/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/IAM.3.02_source_code_security.html.md index 527975c3e1b..7e9415ecee3 100644 --- a/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/IAM.3.02_source_code_security.html.md +++ b/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/IAM.3.02_source_code_security.html.md @@ -44,7 +44,7 @@ Possible evidence an auditor would request: ## Additional control information and project tracking -Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Source Code Security control issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/823). +Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Source Code Security control issue](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/issues/823). ### Policy Reference diff --git a/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/IAM.3.03_service_account_restriction.html.md b/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/IAM.3.03_service_account_restriction.html.md index 0027b663c82..35babe8996a 100644 --- a/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/IAM.3.03_service_account_restriction.html.md +++ b/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/IAM.3.03_service_account_restriction.html.md 
@@ -33,7 +33,7 @@ Process owner: All service accounts should be set by default to `do not allow interactive login` ## Additional control information and project tracking -Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [GCF Security Control IAM.3.03 - Service Account Restrictions](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/824). +Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [GCF Security Control IAM.3.03 - Service Account Restrictions](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/issues/824). ### Policy Reference - [Access Management process documented in teh handbook including service account template](/handbook/engineering/security/Access-Management-Policy.html#access-management) diff --git a/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/IAM.3.05_administrator_access_production.html.md b/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/IAM.3.05_administrator_access_production.html.md index b3aa8a09519..0acb71854ef 100644 --- a/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/IAM.3.05_administrator_access_production.html.md +++ b/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/IAM.3.05_administrator_access_production.html.md 
@@ -44,7 +44,7 @@ Process owner: * Example - Merge requests or templates showing authorized access and appropriate approval. ## Additional control information and project tracking -Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Source Code Security control issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/1731). +Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Source Code Security control issue](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/issues/1731). ### Policy Reference * [Production Architecture](/handbook/engineering/infrastructure/production/architecture/) diff --git a/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/IAM.4.01_remote_connections.html.md b/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/IAM.4.01_remote_connections.html.md index c5328dc2bf6..98763622765 100644 --- a/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/IAM.4.01_remote_connections.html.md +++ b/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/IAM.4.01_remote_connections.html.md 
@@ -43,7 +43,7 @@ Evidence an auditor may request: ## Additional control information and project tracking -Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Remote Connections control issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/826). +Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Remote Connections control issue](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/issues/826). ### Policy Reference diff --git a/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/IAM.4.03_remote_maintenance_authentication_sessions.html.md b/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/IAM.4.03_remote_maintenance_authentication_sessions.html.md index ac144b3bb68..161b360f041 100644 --- a/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/IAM.4.03_remote_maintenance_authentication_sessions.html.md +++ b/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/IAM.4.03_remote_maintenance_authentication_sessions.html.md 
@@ -32,7 +32,7 @@ TBD TBD ## Additional control information and project tracking -Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Remote Maintenance: Authentication Sessions issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/828) . +Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Remote Maintenance: Authentication Sessions issue](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/issues/828) . ### Policy Reference TBD diff --git a/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/IAM.6.01_key_repository_access.html.md b/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/IAM.6.01_key_repository_access.html.md index cb57105485d..dae880d927a 100644 --- a/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/IAM.6.01_key_repository_access.html.md +++ b/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/IAM.6.01_key_repository_access.html.md 
@@ -31,7 +31,7 @@ This control applies to all cryptographic keystores for the production environme ## Additional control information and project tracking -Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Key Repository Access control issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/832). +Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Key Repository Access control issue](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/issues/832). Examples of evidence an auditor might request to satisfy this control: diff --git a/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/IR.1.01_incident_response_plan.html.md b/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/IR.1.01_incident_response_plan.html.md index 274421bbedc..492a8ec3b72 100644 --- a/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/IR.1.01_incident_response_plan.html.md +++ b/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/IR.1.01_incident_response_plan.html.md 
@@ -28,7 +28,7 @@ This control applies to all systems within our production environment. The produ * `Infrastructure` ## Additional control information and project tracking -Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Incident Response Plan control issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/839). +Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Incident Response Plan control issue](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/issues/839). Examples of evidence an auditor might request to satisfy this control: * Provide copies of the Incident Response pages, which are linked to and described below diff --git a/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/IR.1.03_incident_response.html.md b/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/IR.1.03_incident_response.html.md index bd22afd4d73..a7a4cc0b899 100644 --- a/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/IR.1.03_incident_response.html.md +++ b/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/IR.1.03_incident_response.html.md 
@@ -37,7 +37,7 @@ Security incidents should have a defined process and support the ability to be t ## Additional control information and project tracking -Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Incident response control issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/841). +Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Incident response control issue](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/issues/841). ### Policy Reference diff --git a/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/IR.1.04_insurance_policy.html.md b/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/IR.1.04_insurance_policy.html.md index cfb5fbfc4d0..527019fd16a 100644 --- a/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/IR.1.04_insurance_policy.html.md +++ b/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/IR.1.04_insurance_policy.html.md 
@@ -35,7 +35,7 @@ The insurance policy documents coverage and applicable monetary limits. ## Additional control information and project tracking -Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in this [control issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/-/issues/1704). +Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in this [control issue](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/-/issues/1704). Examples of evidence an auditor might request to satisfy this control: diff --git a/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/IR.2.01_external_communication_of_incidents.html.md b/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/IR.2.01_external_communication_of_incidents.html.md index 7f7d1db14c7..662f558b6ab 100644 --- a/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/IR.2.01_external_communication_of_incidents.html.md +++ b/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/IR.2.01_external_communication_of_incidents.html.md 
@@ -43,7 +43,7 @@ This control ensures GitLab's incident response communications plan has and main ## Additional control information and project tracking -Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [External Communication of Incidents control issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/842). +Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [External Communication of Incidents control issue](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/issues/842). Examples of evidence an auditor might request to satisfy this control: diff --git a/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/IR.2.02_incident_reporting_contact_information.html.md b/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/IR.2.02_incident_reporting_contact_information.html.md index eb151f7e3ab..8f8e5a6d841 100644 --- a/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/IR.2.02_incident_reporting_contact_information.html.md +++ b/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/IR.2.02_incident_reporting_contact_information.html.md 
@@ -29,7 +29,7 @@ This control applies to all systems within our production environment. The produ * Legal ## Additional control information and project tracking -Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Incident Reporting Contact Information control issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/843). +Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Incident Reporting Contact Information control issue](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/issues/843). Examples of evidence an auditor might request to satisfy this control: * Handbook pages that provide external parties a contact method diff --git a/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/IR.2.03_incident_external_communication.html.md b/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/IR.2.03_incident_external_communication.html.md index 29362370b44..efd5db4a8f9 100644 --- a/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/IR.2.03_incident_external_communication.html.md +++ b/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/IR.2.03_incident_external_communication.html.md 
@@ -36,7 +36,7 @@ The spirit of this control is to ensure that external communication of security ## Additional control information and project tracking -Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [control issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/844). +Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [control issue](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/issues/844). Examples of evidence an auditor might request to satisfy this control: diff --git a/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/NO.1.01_network_policy_enforcement_points.html.md b/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/NO.1.01_network_policy_enforcement_points.html.md index 298f0d934e0..22283fd8710 100644 --- a/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/NO.1.01_network_policy_enforcement_points.html.md +++ b/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/NO.1.01_network_policy_enforcement_points.html.md 
@@ -40,7 +40,7 @@ Control should be designed to ensure we don't default to "allow all" traffic and Infrastructure manages the configuration for GCP using chef and terraform which includes firewall rules. Configurations are version controlled and require approval prior to changing. The Infrastructure team engages with Security Operations to review new firewall rules that fall outside of the baseline. Security manages the monitoring for the service and can validate the correct rules are still in tact. -Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Network Policy Enforcement Points control issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/847). +Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Network Policy Enforcement Points control issue](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/issues/847). ### Policy Reference diff --git a/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/NO.2.01_network_segmentation.html.md b/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/NO.2.01_network_segmentation.html.md index 52c8664f668..3901b663728 100644 --- a/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/NO.2.01_network_segmentation.html.md +++ b/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/NO.2.01_network_segmentation.html.md 
@@ -37,7 +37,7 @@ Pre-production environments should be logically segregated from their production ## Additional control information and project tracking -Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Network Segmentation control issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/854). +Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Network Segmentation control issue](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/issues/854). ### Policy Reference diff --git a/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/PR.1.01_background_checks.html.md b/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/PR.1.01_background_checks.html.md index 53974bb6fd2..548b21cfe45 100644 --- a/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/PR.1.01_background_checks.html.md +++ b/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/PR.1.01_background_checks.html.md 
@@ -41,7 +41,7 @@ The scope of the background check performed is at the discretion of the Company. ## Additional control information and project tracking -Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Background Checks control issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/860). +Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Background Checks control issue](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/issues/860). ### Policy Reference diff --git a/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/PR.1.02_performance_management.html.md b/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/PR.1.02_performance_management.html.md index d303e555903..98227bf343b 100644 --- a/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/PR.1.02_performance_management.html.md +++ b/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/PR.1.02_performance_management.html.md 
@@ -38,7 +38,7 @@ A process to evaluate the performance of team-members. ## Additional control information and project tracking -Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Performance Management control issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/861). +Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Performance Management control issue](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/issues/861). Examples of evidence an auditor might request to satisfy this control: diff --git a/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/PR.1.03_policy_procedure_review.html.md b/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/PR.1.03_policy_procedure_review.html.md index 7b1e3a15f10..8076e879474 100644 --- a/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/PR.1.03_policy_procedure_review.html.md +++ b/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/PR.1.03_policy_procedure_review.html.md 
@@ -29,7 +29,7 @@ This applies to all GitLab, Inc. employees In order to ensure policies and procedures are reviewed including the Employee Handbook, Information Security Policy and Code of Conduct, every new employee at GitLab must acknowledge their review during the onboarding process. ## Additional control information and project tracking -Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Policy and Procedure Review control issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/-/issues/1706). +Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Policy and Procedure Review control issue](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/-/issues/1706). ### Policy Reference * [Onboarding at GitLab](/handbook/people-group/general-onboarding/) diff --git a/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/PR.1.04_hiring_review_management.html.md b/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/PR.1.04_hiring_review_management.html.md index aefd549e660..e11af93cb59 100644 --- a/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/PR.1.04_hiring_review_management.html.md +++ b/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/PR.1.04_hiring_review_management.html.md 
@@ -29,7 +29,7 @@ This applies to all GitLab, Inc. employees In order to ensure candidates are reviewed, there should be a process for internal feedback as a step before finalizing hiring decisions. ## Additional control information and project tracking -Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Policy and Procedure Review control issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/-/issues/1707). +Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Policy and Procedure Review control issue](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/-/issues/1707). ### Policy Reference * [Recruiting Hiring Manager Process](/handbook/hiring/recruiting-framework/hiring-manager/) diff --git a/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/RM.1.01_risk_assessment.html.md b/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/RM.1.01_risk_assessment.html.md index c743903899f..800a5a6827d 100644 --- a/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/RM.1.01_risk_assessment.html.md +++ b/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/RM.1.01_risk_assessment.html.md 
@@ -34,7 +34,7 @@ The annual security operational risk assessment is performed in accordance with ## Additional control information and project tracking -Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Risk Assessment control issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/866). +Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Risk Assessment control issue](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/issues/866). Examples of evidence an auditor might request to satisfy this control: diff --git a/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/RM.1.02_continuous_monitoring.html.md b/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/RM.1.02_continuous_monitoring.html.md index eefa270f04f..68730ca565c 100644 --- a/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/RM.1.02_continuous_monitoring.html.md +++ b/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/RM.1.02_continuous_monitoring.html.md 
@@ -39,7 +39,7 @@ The intent is for the results of GCF control tests to be relied upon by the Inte ## Additional control information and project tracking -Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Continuous Monitoring control issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/867). +Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Continuous Monitoring control issue](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/issues/867). Examples of evidence an auditor might request to satisfy this control: diff --git a/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/RM.1.04_service_risk_rating_assignment.html.md b/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/RM.1.04_service_risk_rating_assignment.html.md index abaa672db03..08132793e95 100644 --- a/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/RM.1.04_service_risk_rating_assignment.html.md +++ b/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/RM.1.04_service_risk_rating_assignment.html.md 
@@ -30,7 +30,7 @@ This control applies to all security risks identified in GitLab's environment as ## Additional control information and project tracking -Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Service Risk Rating Assignment control issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/869). +Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Service Risk Rating Assignment control issue](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/issues/869). Examples of evidence an auditor might request to satisfy this control: diff --git a/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/RM.1.05_risk_management.html.md b/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/RM.1.05_risk_management.html.md index b147406dda0..a200b6054d2 100644 --- a/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/RM.1.05_risk_management.html.md +++ b/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/RM.1.05_risk_management.html.md 
@@ -36,7 +36,7 @@ All GitLab employees are subject to the risk management policies. Security Compl ## Additional control information and project tracking -Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Risk Management Policy control issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/-/issues/1709). +Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Risk Management Policy control issue](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/-/issues/1709). ### Policy Reference * [Risk Management Policy](handbook/engineering/security/risk-management.html#risk-management-policy) diff --git a/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/RM.3.01_remediation_tracking.html.md b/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/RM.3.01_remediation_tracking.html.md index 5d6f5d6d783..2359034a4ca 100644 --- a/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/RM.3.01_remediation_tracking.html.md +++ b/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/RM.3.01_remediation_tracking.html.md 
@@ -33,7 +33,7 @@ This control applies to all risk assessments and their respective risk findings. ## Additional control information and project tracking -Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Remediation Tracking control issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/871). +Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Remediation Tracking control issue](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/issues/871). Examples of evidence an auditor might request to satisfy this control: diff --git a/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/SDM.1.01_system_documentation.html.md b/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/SDM.1.01_system_documentation.html.md index a144b34d9b7..427d0f92b2a 100644 --- a/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/SDM.1.01_system_documentation.html.md +++ b/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/SDM.1.01_system_documentation.html.md 
@@ -34,7 +34,7 @@ The most common form of system documentation is network and data flow diagrams. ## Additional control information and project tracking -Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [System Documentation control issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/873). +Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [System Documentation control issue](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/issues/873). ### Policy Reference 1.Design & architecture of GitLab diff --git a/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/SG.1.01_policy_and_standard_review.html.md b/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/SG.1.01_policy_and_standard_review.html.md index c1378f965db..aadeb9ec59f 100644 --- a/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/SG.1.01_policy_and_standard_review.html.md +++ b/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/SG.1.01_policy_and_standard_review.html.md 
@@ -43,7 +43,7 @@ On an annual cadence, GitLab's Information Security Policies are reviewed and ap ## Additional control information and project tracking -Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Policy and Standard Review control issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/875). +Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Policy and Standard Review control issue](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/issues/875). ### Policy Reference - [Engineering Department](/handbook/engineering/) Policies and Standards diff --git a/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/SG.2.01_information_security_program_content.html.md b/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/SG.2.01_information_security_program_content.html.md index 939d432932f..4df1da08403 100644 --- a/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/SG.2.01_information_security_program_content.html.md +++ b/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/SG.2.01_information_security_program_content.html.md 
@@ -29,7 +29,7 @@ GitLab's Director of Security ## Additional control information and project tracking -Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Information Security Program Content control issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/877). +Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Information Security Program Content control issue](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/issues/877). ### Policy Reference diff --git a/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/SG.5.03_security_roles_and_responsibilities.html.md b/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/SG.5.03_security_roles_and_responsibilities.html.md index 93b3780a6d0..d2eeacdf276 100644 --- a/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/SG.5.03_security_roles_and_responsibilities.html.md +++ b/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/SG.5.03_security_roles_and_responsibilities.html.md 
@@ -44,7 +44,7 @@ The scope is to ensure GitLab security team understand their roles & responsibil ## Additional control information and project tracking -Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Security Roles and Responsibilities control issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/885). +Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Security Roles and Responsibilities control issue](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/issues/885). ### Policy Reference * [Security department teams & projects](/handbook/engineering/security/#security-department) diff --git a/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/SG.5.06_bod_bylaws.html.md b/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/SG.5.06_bod_bylaws.html.md index a94297fb435..12c01b62416 100644 --- a/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/SG.5.06_bod_bylaws.html.md +++ b/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/SG.5.06_bod_bylaws.html.md 
@@ -34,7 +34,7 @@ The bylaws governing the Board of Directors is available publicly via the [Gover ## Additional control information and project tracking -Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Board of Director Bylaws control issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/-/issues/1710). +Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Board of Director Bylaws control issue](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/-/issues/1710). ### Policy Reference * [Governance Documents](/handbook/board-meetings/bylaws.html) diff --git a/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/SG.5.07_bod_security_program_content.html.md b/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/SG.5.07_bod_security_program_content.html.md index 928145aeec7..fe8bff7e9b7 100644 --- a/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/SG.5.07_bod_security_program_content.html.md +++ b/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/SG.5.07_bod_security_program_content.html.md 
@@ -34,7 +34,7 @@ The Audit Committee is responsible for staying up to date and providing oversigh ## Additional control information and project tracking -Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Board of Directors security program content control issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/-/issues/1711). +Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Board of Directors security program content control issue](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/-/issues/1711). ### Policy Reference * [Audit Committee Agenda Planner](/handbook/board-meetings/#audit-committee-agenda-planner) diff --git a/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/SLC.1.01_service_lifecycle_workflow.html.md b/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/SLC.1.01_service_lifecycle_workflow.html.md index 0749af07480..6932b9c9012 100644 --- a/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/SLC.1.01_service_lifecycle_workflow.html.md +++ b/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/SLC.1.01_service_lifecycle_workflow.html.md 
@@ -48,7 +48,7 @@ This control is inherently performed as of the planning and rollout of new featu ## Additional control information and project tracking -Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Service Lifecycle Workflow control issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/888). +Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Service Lifecycle Workflow control issue](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/issues/888). Examples of evidence an auditor might request to satisfy this control: diff --git a/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/SLC.1.03_release_notes.html.md b/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/SLC.1.03_release_notes.html.md index d528f794e08..b733204d85d 100644 --- a/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/SLC.1.03_release_notes.html.md +++ b/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/SLC.1.03_release_notes.html.md 
@@ -36,7 +36,7 @@ All release posts should follow the [GitLab Release Posts](/handbook/marketing/b ## Additional control information and project tracking -Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Release notes control issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/-/issues/1712). +Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Release notes control issue](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/-/issues/1712). ### Policy Reference * [GitLab Release Posts](/handbook/marketing/blog/release-posts/) diff --git a/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/SLC.2.01_source_code_management.html.md b/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/SLC.2.01_source_code_management.html.md index cdfcf8851a5..63523745dd6 100644 --- a/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/SLC.2.01_source_code_management.html.md +++ b/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/SLC.2.01_source_code_management.html.md 
@@ -36,7 +36,7 @@ The auto-deploy job logic responsible for applying a date and timestamp to an au Changes to this logic are subject to GitLab's change flow, where a merge request is opened suggesting a chagne to the file. Changes are subject to review and approval and cannot be merged by the merge request author. ## Additional control information and project tracking -Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Source Code Management control issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/889). +Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Source Code Management control issue](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/issues/889). ## Framework Mapping * SOC2 CC diff --git a/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/SYS.1.01_audit_logging.html.md b/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/SYS.1.01_audit_logging.html.md index af2bb491dff..1e22a5b6737 100644 --- a/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/SYS.1.01_audit_logging.html.md +++ b/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/SYS.1.01_audit_logging.html.md 
@@ -212,7 +212,7 @@ _Audit Logging Matrix is a modified version of_ [NIST 800-92 - Guide to Computer ## Additional control information and project tracking -Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Audit Logging control issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/904). +Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Audit Logging control issue](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/issues/904). ### Policy Reference diff --git a/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/SYS.1.02_secure_audit_logging.html.md b/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/SYS.1.02_secure_audit_logging.html.md index 625b664821c..c173b5a0bc7 100644 --- a/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/SYS.1.02_secure_audit_logging.html.md +++ b/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/SYS.1.02_secure_audit_logging.html.md 
@@ -49,7 +49,7 @@ Audit log repositories should be secure (hardening best practices) and include t ## Additional control information and project tracking -Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Audit Logging control issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/905). +Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Audit Logging control issue](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/issues/905). ### Policy Reference diff --git a/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/SYS.1.07_audit_log_capacity_retention.html.md b/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/SYS.1.07_audit_log_capacity_retention.html.md index 57435d1b1f1..e8d77b8413e 100644 --- a/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/SYS.1.07_audit_log_capacity_retention.html.md +++ b/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/SYS.1.07_audit_log_capacity_retention.html.md 
@@ -37,7 +37,7 @@ This control applies to SOX and PCI in-scope financial systems. ## Additional control information and project tracking -Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [control issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/910). +Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [control issue](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/issues/910). ### Policy Reference diff --git a/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/SYS.2.01_security_monitoring_alert_criteria.html.md b/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/SYS.2.01_security_monitoring_alert_criteria.html.md index 2208458c424..5d3d76df84c 100644 --- a/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/SYS.2.01_security_monitoring_alert_criteria.html.md +++ b/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/SYS.2.01_security_monitoring_alert_criteria.html.md 
@@ -32,7 +32,7 @@ This control applies to all systems within our production environment. The produ ## Additional control information and project tracking -Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Security Monitoring Alert Criteria control issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/912). +Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Security Monitoring Alert Criteria control issue](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/issues/912). Examples of evidence an auditor might request to satisfy this control: diff --git a/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/SYS.2.07_system_security_monitoring.html.md b/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/SYS.2.07_system_security_monitoring.html.md index 74979042091..da5be1900b6 100644 --- a/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/SYS.2.07_system_security_monitoring.html.md +++ b/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/SYS.2.07_system_security_monitoring.html.md 
@@ -36,7 +36,7 @@ It is up to us as a company to define what criteria we use for this monitoring a ## Additional control information and project tracking -Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [System Security Monitoring control issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/918). +Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [System Security Monitoring control issue](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/issues/918). Examples of evidence an auditor might request to satisfy this control: diff --git a/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/TPM.1.01_third_party_assurance_review.html.md b/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/TPM.1.01_third_party_assurance_review.html.md index e965d347b32..5e72110711b 100644 --- a/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/TPM.1.01_third_party_assurance_review.html.md +++ b/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/TPM.1.01_third_party_assurance_review.html.md 
@@ -42,7 +42,7 @@ Process Owner: ## Additional control information and project tracking -Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Third Party Assurance Review control issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/922). +Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Third Party Assurance Review control issue](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/issues/922). ### Policy Reference diff --git a/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/TPM.1.02_vendor_risk_management.html.md b/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/TPM.1.02_vendor_risk_management.html.md index 8072da7c31d..6d54a692a9c 100644 --- a/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/TPM.1.02_vendor_risk_management.html.md +++ b/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/TPM.1.02_vendor_risk_management.html.md 
@@ -40,7 +40,7 @@ The GitLab Data Classification Policy defines the categories of data. This risk ## Additional control information and project tracking -Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Vendor Risk Management control issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/923). +Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Vendor Risk Management control issue](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/issues/923). ### Policy Reference diff --git a/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/TPM.1.04_vendor_compliance_monitoring.html.md b/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/TPM.1.04_vendor_compliance_monitoring.html.md index 7d4786ab692..dec7c7e2c1d 100644 --- a/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/TPM.1.04_vendor_compliance_monitoring.html.md +++ b/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/TPM.1.04_vendor_compliance_monitoring.html.md 
@@ -31,11 +31,11 @@ Control Owner: `Security Compliance` Process Owner: Security Compliance ## Additional control information and project tracking -Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Vendor Compliance Monitoring control issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/925). +Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Vendor Compliance Monitoring control issue](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/issues/925). ### Policy Reference -* [Vendor compliance monitoring process in the Compliance repo runbook](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/blob/master/runbooks/Vendor_Security_Report_Review.md) -* [PCI-DSS SAQ-A 12.8.4 - Monitor Service Providers' PCI DSS Compliance Status](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/100) +* [Vendor compliance monitoring process in the Compliance repo runbook](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/blob/master/runbooks/Vendor_Security_Report_Review.md) +* [PCI-DSS SAQ-A 12.8.4 - Monitor Service Providers' PCI DSS Compliance Status](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/issues/100) * [Procure to Pay section of the handbook](/handbook/finance/procure-to-pay/#step-3-authorizations) diff --git a/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/TPM.2.02_vendor_non-disclosure_agreements.html.md b/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/TPM.2.02_vendor_non-disclosure_agreements.html.md index 3c63909fa6f..8e109725627 100644 
--- a/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/TPM.2.02_vendor_non-disclosure_agreements.html.md +++ b/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/TPM.2.02_vendor_non-disclosure_agreements.html.md @@ -39,7 +39,7 @@ Maintain current copies of non-disclosure agreements between GitLab and vendors ## Additional control information and project tracking -Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Vendor Non-Disclosure Agreement control issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/927). +Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Vendor Non-Disclosure Agreement control issue](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/issues/927). ### Policy Reference diff --git a/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/TPM.2.05_customer_vendor_commitments_responsibilities_documentation.html.md b/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/TPM.2.05_customer_vendor_commitments_responsibilities_documentation.html.md index 626231a7bf7..1d4af5f635a 100644 --- a/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/TPM.2.05_customer_vendor_commitments_responsibilities_documentation.html.md +++ b/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/TPM.2.05_customer_vendor_commitments_responsibilities_documentation.html.md 
@@ -35,7 +35,7 @@ Process Owner: ## Additional control information and project tracking -Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Vendor Non-Disclosure Agreement control issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/927). +Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Vendor Non-Disclosure Agreement control issue](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/issues/927). ### Policy Reference * [Legal Handbook page](/handbook/legal/) diff --git a/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/TPM.3.01_approved_service_provider_listing.html.md b/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/TPM.3.01_approved_service_provider_listing.html.md index c1d72f0d9c0..4c901c41cb0 100644 --- a/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/TPM.3.01_approved_service_provider_listing.html.md +++ b/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/TPM.3.01_approved_service_provider_listing.html.md 
@@ -44,7 +44,7 @@ From the beginning of the relationship with the service provider, clearly docume ## Additional control information and project tracking -Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Approved Service Provider Listing control issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/930). +Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Approved Service Provider Listing control issue](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/issues/930). ### Policy Reference diff --git a/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/TRN.1.01_general_security_awareness_training.html.md b/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/TRN.1.01_general_security_awareness_training.html.md index 254971470aa..e2f9ccb8c35 100644 --- a/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/TRN.1.01_general_security_awareness_training.html.md +++ b/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/TRN.1.01_general_security_awareness_training.html.md 
@@ -42,7 +42,7 @@ Currently the security training is delivered through a recorded video and team m For audit evidence of compliance, we need to be able to demonstrate 100% completion of training by all team members. -Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [General Security Awareness Training control issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/931). +Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [General Security Awareness Training control issue](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/issues/931). ### Policy Reference diff --git a/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/TRN.1.02_code_of_conduct_training.html.md b/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/TRN.1.02_code_of_conduct_training.html.md index 493084a73ee..6a22f996879 100644 --- a/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/TRN.1.02_code_of_conduct_training.html.md +++ b/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/TRN.1.02_code_of_conduct_training.html.md 
@@ -41,7 +41,7 @@ Team members are required to review the GitLab Business Ethics and Code of Condu For audit evidence of compliance, we need to be able to demonstrate that all team members have signed the Business Ethics and Code of Conduct acknowledgement. -Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Code of Conduct Training control issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/932). +Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Code of Conduct Training control issue](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/issues/932). ### Policy Reference diff --git a/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/TRN.2.01_developer_security_training.html.md b/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/TRN.2.01_developer_security_training.html.md index 09afeded528..311b17c8104 100644 --- a/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/TRN.2.01_developer_security_training.html.md +++ b/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/TRN.2.01_developer_security_training.html.md 
@@ -42,7 +42,7 @@ The security training is available in the handbook as optional. Security Complia For audit evidence of compliance, we need to be able to demonstrate 100% completion of training by all in-scope team members. -Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Secure Developer Training control issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/-/issues/933). +Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Secure Developer Training control issue](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/-/issues/933). ### Policy Reference diff --git a/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/VUL.1.01_vulnerability_scans.html.md b/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/VUL.1.01_vulnerability_scans.html.md index 640d9df15c4..a1cbd720653 100644 --- a/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/VUL.1.01_vulnerability_scans.html.md +++ b/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/VUL.1.01_vulnerability_scans.html.md 
@@ -37,7 +37,7 @@ Depending on whether we use an agent-based scanner or an agentless scanner, the ## Additional control information and project tracking -Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Vulnerability Scans control issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/936). +Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Vulnerability Scans control issue](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/issues/936). ### Policy Reference * [Vulnerability Management Overview](/handbook/engineering/security/vulnerability_management/#vulnerability-management-overview) diff --git a/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/VUL.1.03_approved_scanning_vendor.html.md b/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/VUL.1.03_approved_scanning_vendor.html.md index baef027b17e..330e20e4865 100644 --- a/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/VUL.1.03_approved_scanning_vendor.html.md +++ b/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/VUL.1.03_approved_scanning_vendor.html.md 
@@ -42,7 +42,7 @@ graph TB ## Additional control information and project tracking -Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Approved Scanning Vendor control issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/-/issues/938). +Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Approved Scanning Vendor control issue](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/-/issues/938). Examples of evidence an auditor might request to satisfy this control: diff --git a/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/VUL.2.01_application_and_infrastructure_penetration_testing.html.md b/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/VUL.2.01_application_and_infrastructure_penetration_testing.html.md index 146b53a56ab..94dcf87cccf 100644 --- a/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/VUL.2.01_application_and_infrastructure_penetration_testing.html.md +++ b/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/VUL.2.01_application_and_infrastructure_penetration_testing.html.md 
@@ -41,7 +41,7 @@ We will need to share our methodology for determining which systems to pen test ## Additional control information and project tracking -Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Application & Infrastructure Penetration Testing control issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/939). +Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Application & Infrastructure Penetration Testing control issue](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/issues/939). ### Policy Reference diff --git a/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/VUL.3.01_infrastructure_patch_management.html.md b/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/VUL.3.01_infrastructure_patch_management.html.md index 121ed1ec9bb..bb2a595c4f1 100644 --- a/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/VUL.3.01_infrastructure_patch_management.html.md +++ b/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/VUL.3.01_infrastructure_patch_management.html.md 
@@ -44,7 +44,7 @@ Process Owner: ## Additional control information and project tracking -Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Infrastructure Patch Management control issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/941). +Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Infrastructure Patch Management control issue](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/issues/941). ### Policy Reference diff --git a/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/VUL.3.02_end_life_software.html.md b/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/VUL.3.02_end_life_software.html.md index 1cd6b1c7d87..42fe06bf379 100644 --- a/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/VUL.3.02_end_life_software.html.md +++ b/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/VUL.3.02_end_life_software.html.md 
@@ -36,7 +36,7 @@ This control applies to all software utilized within our production environment ## Additional control information and project tracking -Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [End of Life Software control issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/-/issues/1718). +Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [End of Life Software control issue](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/-/issues/1718). Examples of evidence an auditor might request to satisfy this control: diff --git a/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/VUL.4.01_enterprise_protection.html.md b/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/VUL.4.01_enterprise_protection.html.md index 53defdf66f2..2110e2210a0 100644 --- a/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/VUL.4.01_enterprise_protection.html.md +++ b/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/VUL.4.01_enterprise_protection.html.md 
@@ -44,7 +44,7 @@ Apple Macbook Pro Laptops ## Additional control information and project tracking -Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Enterprise Protection control issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/942). +Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Enterprise Protection control issue](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/issues/942). ### Policy Reference diff --git a/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/VUL.5.01_code_security_check.html.md b/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/VUL.5.01_code_security_check.html.md index e9bedab4d02..8826cf9795f 100644 --- a/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/VUL.5.01_code_security_check.html.md +++ b/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/VUL.5.01_code_security_check.html.md 
@@ -36,7 +36,7 @@ SAST and Dependency Scanning are initiated by pipelines for production code. Pip ## Additional control information and project tracking -Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Code Security Check control issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/944). +Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Code Security Check control issue](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/issues/944). Examples of evidence an auditor might request to satisfy this control: diff --git a/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/VUL.6.01_external_information_security_inquiries.html.md b/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/VUL.6.01_external_information_security_inquiries.html.md index 99a0c1256f9..43f12a5f70b 100644 --- a/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/VUL.6.01_external_information_security_inquiries.html.md +++ b/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/VUL.6.01_external_information_security_inquiries.html.md 
@@ -39,7 +39,7 @@ This is an area where our own values will hold us to a higher standard than the ## Additional control information and project tracking -Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [External Information Security Inquiries control issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/946). +Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [External Information Security Inquiries control issue](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/issues/946). ### Policy Reference diff --git a/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/am.1.01-inventory-management.html.md b/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/am.1.01-inventory-management.html.md index 4e3fffd9a07..e4f8c76fddf 100644 --- a/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/am.1.01-inventory-management.html.md +++ b/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/guidance/am.1.01-inventory-management.html.md 
@@ -49,7 +49,7 @@ The scope of this control is broad by design. Asset inventories are the source o ## Additional control information and project tracking -Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Inventory Management control issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/761). +Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Inventory Management control issue](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/issues/761). ### Policy Reference * [Fleet Intelligence (Fleetsmith)](/handbook/business-ops/team-member-enablement/onboarding-access-requests/#fleet-intelligence--remote-lockwipe) diff --git a/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/sec-controls.html.md b/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/sec-controls.html.md index 402984201d4..0b9d373a82a 100644 --- a/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/sec-controls.html.md +++ b/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/sec-controls.html.md 
@@ -94,11 +94,11 @@ The GitLab production environment includes all endpoints and cloud assets used i ## Security Controls Feedback -If you have any feedback on any of the security controls or related documentation, please add it as a comment in [this issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/218). +If you have any feedback on any of the security controls or related documentation, please add it as a comment in [this issue](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/issues/218). ## Security Control Changes -The GitLab compliance team is responsible for ensuring the consistency of the documentation of the security controls listed below. While normally we welcome any GitLab team-member to make edits to handbook pages, please be aware that even small changes to the wording of any of these controls impacts how they satisfy the requirements for the security frameworks they map to. Because of this, we ask any changes that need to be made to this page and the underlying guidance pages to start with a comment in [this issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/219). The compliance team will then engage with you and make any appropriate changes to these handbook pages. +The GitLab compliance team is responsible for ensuring the consistency of the documentation of the security controls listed below. While normally we welcome any GitLab team-member to make edits to handbook pages, please be aware that even small changes to the wording of any of these controls impacts how they satisfy the requirements for the security frameworks they map to. Because of this, we ask any changes that need to be made to this page and the underlying guidance pages to start with a comment in [this issue](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/issues/219). 
The compliance team will then engage with you and make any appropriate changes to these handbook pages. # List of controls by family: diff --git a/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/soc2.html.md b/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/soc2.html.md index f64e5ccd625..3e1c778f40d 100644 --- a/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/soc2.html.md +++ b/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/soc2.html.md @@ -126,6 +126,6 @@ TL;DR: There's just no way to establish a security program that is external-audi ## Where can I submit feedback for this SOC2 project? -Please add a comment to [this feedback issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/1097). +Please add a comment to [this feedback issue](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/issues/1097). You can also [contact the security compliance team](/handbook/engineering/security/security-assurance/security-compliance/compliance.html#contact-the-compliance-team) if there's any way we can help. diff --git a/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/third-party-vendor-security-review.html.md b/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/third-party-vendor-security-review.html.md index 6b58b26077c..bb5e573de50 100644 --- a/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/third-party-vendor-security-review.html.md +++ b/sites/handbook/source/handbook/engineering/security/security-assurance/security-compliance/third-party-vendor-security-review.html.md 
@@ -110,7 +110,7 @@ Since the Vendor Security Review process is reliant on the procurement process, ### Vendor Risk Assessment -* Reports and questionnaires returned by the vendor are [reviewed for noted observations](/gitlab-com/gl-security/compliance/compliance/blob/master/runbooks/Vendor_Security_Report_Review.md). +* Reports and questionnaires returned by the vendor are [reviewed for noted observations](/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/blob/master/runbooks/Vendor_Security_Report_Review.md). * Exceptions are recorded according to the instructions within the template and shared in the original procurement issue. * The DRI then selects the appropriate `Security Approval` in Step 5 of the procurement issue. If management approval is needed, the additional steps are followed to tag for review otherwise completes the review by updating the label. * Observations that pose a potential risk to GitLab and that do not have a mitigation plan are tracked as part of ongoing vendor and risk management processes using the [VRM label](https://gitlab.com/gitlab-com/gl-security/compliance/third-party-vendor-security-management/-/issues?scope=all&utf8=%E2%9C%93&state=opened&label_name[]=VRM_for_tracking) for follow up and annual review. diff --git a/sites/handbook/source/handbook/engineering/security/security-incident-communication-plan.html.md b/sites/handbook/source/handbook/engineering/security/security-incident-communication-plan.html.md index f5b89c366b5..f6903660599 100644 --- a/sites/handbook/source/handbook/engineering/security/security-incident-communication-plan.html.md +++ b/sites/handbook/source/handbook/engineering/security/security-incident-communication-plan.html.md 
@@ -11,7 +11,7 @@ title: "Security incident communications plan" GitLab takes the security of our clients’ information extremely seriously, regardless of whether it’s on GitLab.com or in a self-managed instance. In keeping with GitLab’s [value of transparency](/handbook/values/#transparency) we believe in communicating about security incidents clearly and promptly. -This communication response plan aims to map out the who, what, when, and how of GitLab in notifying and engaging with internal stakeholders and external customers on security incidents. This plan of action covers the strategy and approach for security events which have a ‘high’ or greater impact as outlined in [GitLab’s risk scoring matrix](https://gitlab.com/gitlab-com/gl-security/compliance/risk-assessments/blob/master/Risk%20Scoring%20Matrix.md#overall-impact). +This communication response plan aims to map out the who, what, when, and how of GitLab in notifying and engaging with internal stakeholders and external customers on security incidents. This plan of action covers the strategy and approach for security events which have a ‘high’ or greater impact as outlined in [GitLab’s risk scoring matrix](https://gitlab.com/gitlab-com/gl-security/security-assurance/field-security-team/risk-assessments/blob/master/Risk%20Scoring%20Matrix.md#overall-impact). Security incident communications runbooks are located [here](https://gitlab.com/gitlab-com/gl-security/runbooks/-/tree/master/communications) (internal only). 
@@ -19,7 +19,7 @@ Security incident communications runbooks are located [here](https://gitlab.com/ The GitLab Security team identifies security incidents as any violation, or threat of violation, of GitLab security, acceptable use or other relevant policies. You can learn more about how we identify incidents in the [GitLab security incident response guide](/handbook/engineering/security/sec-incident-response.html#incident-identification). ### Defining the scope/severity of an incident -The Security Engineer On-Call will determine the scope, severity and [potential impact](https://gitlab.com/gitlab-com/gl-security/compliance/risk-assessments/blob/master/Risk%20Scoring%20Matrix.md#overall-impact) of the security incident. Once the potential impact has been determined, implementation of the appropriate internal and external communications strategy should begin. +The Security Engineer On-Call will determine the scope, severity and [potential impact](https://gitlab.com/gitlab-com/gl-security/security-assurance/field-security-team/risk-assessments/blob/master/Risk%20Scoring%20Matrix.md#overall-impact) of the security incident. Once the potential impact has been determined, implementation of the appropriate internal and external communications strategy should begin. ## Security incident roles and responsibilities diff --git a/sites/handbook/source/handbook/engineering/security/vulnerability_management/encryption-policy.html.md b/sites/handbook/source/handbook/engineering/security/vulnerability_management/encryption-policy.html.md index 806043b00af..9c1a1c2c942 100644 --- a/sites/handbook/source/handbook/engineering/security/vulnerability_management/encryption-policy.html.md +++ b/sites/handbook/source/handbook/engineering/security/vulnerability_management/encryption-policy.html.md 
@@ -45,5 +45,5 @@ Please don’t roll your own crypto. If you really think you have a situation wh ## Exceptions -Exceptions to this policy require filling out an [exception request](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/-/blob/master/.gitlab/issue_templates/Exception%20Request.md). +Exceptions to this policy require filling out an [exception request](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/-/blob/master/.gitlab/issue_templates/Exception%20Request.md). diff --git a/sites/handbook/source/handbook/finance/sox-internal-controls/procure-to-pay/index.html.md b/sites/handbook/source/handbook/finance/sox-internal-controls/procure-to-pay/index.html.md index 8db0d78a882..67fc5e9ad60 100644 --- a/sites/handbook/source/handbook/finance/sox-internal-controls/procure-to-pay/index.html.md +++ b/sites/handbook/source/handbook/finance/sox-internal-controls/procure-to-pay/index.html.md 
@@ -75,7 +75,7 @@ There are 3 contract templates to be used, depending on the type purchase. - Any additional documents are linked and the box is checked (RFPs, use cases). - The [Data Protection Impact Assessment Policy](/handbook/engineering/security/dpia-policy/). is consulted to understand whether the contract will need security review. Any contracts that will share RED or ORANGE data will need security approval prior to signing. Additionally, an annual reassessment of vendor's security posture is performed as part of the contract renewal. If any non-public GitLab data will be processed, transmitted, or stored by the vendor, a review of the vendor's information security program is required in order to obtain security approval. The Security Compliance team needs 3 business days to complete this review from the time they receive all necessary documentation from the vendor. - - Complete a DPIA (Data protection impact assessment) for the item [here](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/new?issuable_template=Data%20Protection%20Impact%20Assessment). This is done in partnership with GitLab's Data Protection Officer and reviewed by Security Compliance during the Security Review. For more info refer [here](/handbook/engineering/security/dpia-policy/). + - Complete a DPIA (Data protection impact assessment) for the item [here](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/issues/new?issuable_template=Data%20Protection%20Impact%20Assessment). This is done in partnership with GitLab's Data Protection Officer and reviewed by Security Compliance during the Security Review. For more info refer [here](/handbook/engineering/security/dpia-policy/). - After the DPIA is completed, the box is checked. If this is a renewal, the prior period DPIA is checked.
@@ -252,7 +252,7 @@ There are 3 contract templates to be used, depending on the type purchase. * Enter the [name](https://drive.google.com/open?id=1X5445UgR4RBnIoPu9kyrkORlPmIFChkn) of the vendor at the top, and enter the URL of the vendor below this. * A high-level description of the vendor is given next (to understand why this vendor may need to be contracted). * The [Data Protection Impact Assessment Policy](/handbook/engineering/security/dpia-policy/) is consulted to understand whether the contract will need security review. Any contracts that will share RED or ORANGE data will need security approval prior to signing. Additionally, an annual reassessment of the vendor's security posture is performed as part of the contract renewal. If any non-public GitLab data will be processed, transmitted, or stored by the vendor, a review of the vendor's information security program is required in order to obtain security approval. The Security Compliance team needs 3 business days to complete this review from the time they receive all necessary documentation from the vendor. - * Complete a [DPIA (Data protection impact assessment)](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/new?issuable_template=Data%20Protection%20Impact%20Assessment) for the item. This is done in partnership with GitLab's Data Protection Officer and reviewed by Security Compliance during the Security Review. For more info check [here.](/handbook/engineering/security/dpia-policy/) + * Complete a [DPIA (Data protection impact assessment)](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/issues/new?issuable_template=Data%20Protection%20Impact%20Assessment) for the item. This is done in partnership with GitLab's Data Protection Officer and reviewed by Security Compliance during the Security Review. For more info check [here.](/handbook/engineering/security/dpia-policy/) * After the DPIA is completed, the box is checked. 
If this is a renewal, the prior period DPIA is checked.
diff --git a/sites/handbook/source/handbook/people-group/acceptable-use-policy/index.html.md b/sites/handbook/source/handbook/people-group/acceptable-use-policy/index.html.md index 979dc53fcfc..6766bd4a376 100644 --- a/sites/handbook/source/handbook/people-group/acceptable-use-policy/index.html.md +++ b/sites/handbook/source/handbook/people-group/acceptable-use-policy/index.html.md @@ -108,7 +108,7 @@ Exceptions to this policy must be approved by Security, Legal and PeopleOps Depa ### Consultations -To consult with the Security Team, use the appropriate contact: `security@gitlab.com`, or create an issue in the [Security Compliance tracker](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues). +To consult with the Security Team, use the appropriate contact: `security@gitlab.com`, or create an issue in the [Security Compliance tracker](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/issues). ### Related Documents and Handbook Entries diff --git a/sites/handbook/source/handbook/security/approved_os.html.md b/sites/handbook/source/handbook/security/approved_os.html.md index a65c6123532..59f6f935b48 100644 --- a/sites/handbook/source/handbook/security/approved_os.html.md +++ b/sites/handbook/source/handbook/security/approved_os.html.md 
@@ -53,6 +53,6 @@ Users of Android 7.1.1 or older will be notified and required to upgrade to a su ## Exception Process -Exception requests may be submitted to the [Security Compliance Team](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues) using the [Exception template](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/blob/master/.gitlab/issue_templates/Exception%20Request.md). Security Compliance and Security Operations will review requests as they come in. +Exception requests may be submitted to the [Security Compliance Team](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/issues) using the [Exception template](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/blob/master/.gitlab/issue_templates/Exception%20Request.md). Security Compliance and Security Operations will review requests as they come in. Further information about the Exception Management process is available in the [GitLab Handbook](/handbook/engineering/security/#information-security-policy-exception-management-process) diff --git a/sites/handbook/source/handbook/security/index.html.md b/sites/handbook/source/handbook/security/index.html.md index be26a48ec07..4548bda0382 100644 --- a/sites/handbook/source/handbook/security/index.html.md +++ b/sites/handbook/source/handbook/security/index.html.md 
@@ -9,7 +9,7 @@ title: Security Practices - TOC {:toc .hidden-md .hidden-lg} -Information security encompasses a variety of different working groups. These security best practices support the functions of business operations, infrastructure, and product development, to name a few. Everybody is responsible for maintaining a level of security to [support compliance (available internal-only)](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/), while raising the bar of our security posture. +Information security encompasses a variety of different working groups. These security best practices support the functions of business operations, infrastructure, and product development, to name a few. Everybody is responsible for maintaining a level of security to [support compliance (available internal-only)](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/issues/), while raising the bar of our security posture. ## Zero Trust 
@@ -128,7 +128,7 @@ What should you do if you receive a potential phishing email or text from GitLab _(Ref: [6 Ways Attackers Are Still Bypassing SMS 2-Factor Authentication](https://www.securityweek.com/6-ways-attackers-are-still-bypassing-sms-2-factor-authentication) / [2 minute Youtube social engineering attack with a phone call and crying baby](https://www.youtube.com/watch?v=lc7scxvKQOo))_ 1. A Universal 2nd Factor or [U2F](https://en.wikipedia.org/wiki/Universal_2nd_Factor) hardware token can be used as a secure and convenient 2-factor authentication method for Okta, G Suite, GitLab instances, and many other sites. If you do not have one, you may consider [purchasing one](/handbook/spending-company-money/). Popular choices include Yubico's YubiKey and Solokeys' Solo Security Key. For more information on U2F and choices, visit the [Tools and Tips page](/handbook/tools-and-tips/#u2f). 1. When signing up for a new service on behalf of GitLab: - - Request a [Security Review](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/new?issuable_template=SOC%20Report%20Review) by opening an issue in the Compliance project. + - Request a [Security Review](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/issues/new?issuable_template=SOC%20Report%20Review) by opening an issue in the Compliance project. - If shared access is required by multiple team members to a single account, for example, a social media account, an [Access Request](https://gitlab.com/gitlab-com/team-member-epics/access-requests/-/issues/new) should be opened. The credentials will be stored and shared via Okta. 
@@ -274,7 +274,7 @@ For a better understanding of how 2FA fits into GitLab, refer to the [Accounts a ### Exceptions to Password Policy -Any application that can not meet MFA and or Password requirements needs to [submit an exception](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/new?issuable_template=Exception%20Request) for the Compliance team to review. A duration of an exception is valid for 90 days followed by a proper remediation plan. After 90 days the exception will be reevaluated. +Any application that can not meet MFA and or Password requirements needs to [submit an exception](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/issues/new?issuable_template=Exception%20Request) for the Compliance team to review. A duration of an exception is valid for 90 days followed by a proper remediation plan. After 90 days the exception will be reevaluated. ## 1Password Guide 
@@ -689,7 +689,7 @@ The 2020 Security Training is delivered through the KnowBe4 platform that includ You are strongly encouraged to engage the team behind the training and provide feedback, or ask any questions related to the content of the training. You can do that through: 1. Monthly office hours held by the SecOps team on third Friday of each month. There are two sessions for both EMEA and APAC-friendly timeslots. Please see the **GitLab Team Meetings** calendar for current times. 1. A quarterly-reviewed GitLab issue for New Hire training - [FY21-Q1](https://gitlab.com/gitlab-com/gl-security/secops/operations/-/issues/736). -1. Annual security awareness training feedback issue: [2020 GitLab Security Awareness Training](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/-/issues/1924) +1. Annual security awareness training feedback issue: [2020 GitLab Security Awareness Training](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/-/issues/1924) 1. Email by sending an email to security-training@gitlab.com. ### Phishing Tests diff --git a/sites/marketing/source/company/okrs/fy20-q1/index.html.md b/sites/marketing/source/company/okrs/fy20-q1/index.html.md index 306adfdf119..20d657a0a05 100644 --- a/sites/marketing/source/company/okrs/fy20-q1/index.html.md +++ b/sites/marketing/source/company/okrs/fy20-q1/index.html.md 
@@ -100,8 +100,8 @@ Note: This is the first quarter where we [shift our fiscal year](https://about.g 1. Security: Secure the Product. Conduct one Red Team exercise with H1. 1. AppSec: Security release: complete at least 4 cycles of security release process/checklist X% 1. AppSec: App sec reviews: conduct at least 4 appsec reviews X% - 1. Compliance: SOC2 Examination Preparation and Gap Assessment: Complete SOC2 Control Statements, supporting documentation, and self-assessment questionnaire, including its distribution 100% [GitLab Security Control Statements and Supporting Guidance](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/280) - 1. Compliance: PCI Compliance: PCI requirements review and self-assessment 100% [PCI Runbook](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/tree/master/PCI) + 1. Compliance: SOC2 Examination Preparation and Gap Assessment: Complete SOC2 Control Statements, supporting documentation, and self-assessment questionnaire, including its distribution 100% [GitLab Security Control Statements and Supporting Guidance](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/issues/280) + 1. Compliance: PCI Compliance: PCI requirements review and self-assessment 100% [PCI Runbook](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/tree/master/PCI) 1. Security: Secure the company. 1. Strategic Sec: Evaluate at least 2 enterprise centralized SSO solutions and make selection. X% 1. SecOps: Evaluate at least 2 security monitoring capabilities and deploy in GitLab.com as part of Zero Trust initiative. X% diff --git a/sites/marketing/source/company/okrs/fy20-q2/index.html.md b/sites/marketing/source/company/okrs/fy20-q2/index.html.md index 0b5c39b037b..d1a6296b6b1 100644 --- a/sites/marketing/source/company/okrs/fy20-q2/index.html.md +++ b/sites/marketing/source/company/okrs/fy20-q2/index.html.md 
@@ -99,7 +99,7 @@ This fiscal quarter will run from May 1, 2019 to July 31, 2019. 1. Application Security: HackerOne program spend on plan. 1. Application Security: Roll out external secure coding training for all developers. 1. Compliance: Develop and publish Information Security Compliance Roadmap. 100% [Security - Trust Center](https://about.gitlab.com/security/) - 1. Compliance: Complete information security controls gap analysis. 100% [GitLab Control Framework Gap Analysis Results 2019-07-31](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/584) + 1. Compliance: Complete information security controls gap analysis. 100% [GitLab Control Framework Gap Analysis Results 2019-07-31](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/issues/584) 1. Red Team: Conduct and document at least 5 threat modeling exercises. 1. Red Team: Identify 5 risks to customer data in GitLab.com and/or GitLab CE. 1. Security Operations: Reduce GitLab.com cloud spend through Abuse activity mitigations. -- GitLab
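Review bot: in the third-party-vendor-security-review.html.md hunk, the updated "reviewed for noted observations" link is still a root-relative path (`/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/blob/master/runbooks/Vendor_Security_Report_Review.md`) with no `https://gitlab.com` host, so from the handbook site it resolves under about.gitlab.com rather than gitlab.com and will not reach the runbook; since the line is being touched anyway, suggest prefixing it with `https://gitlab.com`. The trailing context line in the same hunk also still links the VRM label under the old `gl-security/compliance/third-party-vendor-security-management` path; if that project moved with the rest of the Compliance group it should be updated in this change, otherwise a confirmation that it stayed put would help.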
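Review bot: the two security-incident-communication-plan.html.md hunks move the risk scoring matrix link to `security-assurance/field-security-team/risk-assessments`, whereas every other link in this patch moves to `security-assurance/sec-compliance/compliance`; please confirm the risk-assessments project actually lives under field-security-team and, since this is the one destination that differs, mention it in the commit message so a later reader does not assume it was a typo.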
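Review bot: in both procure-to-pay/index.html.md hunks the unchanged context line directly above the edited DPIA link carries a stray period before the verb, `[Data Protection Impact Assessment Policy](/handbook/engineering/security/dpia-policy/). is consulted`, and the hunk header context reads "depending on the type purchase" (missing "of"); both are cheap drive-by fixes while this file is open, but fine to leave for a follow-up if you want to keep this change strictly to the group path rename.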