Commit 9a15a7cd authored by Jeff Burrows

Reformatted handbook guidance for sec-controls

parent d307d51c
Pipeline #81887836 passed with stages in 29 minutes and 56 seconds
......@@ -26,7 +26,6 @@ This control applies to all GitLab endpoint workstations as well as virtual asse
## Ownership
* IT Operations owns the workstation assets portion of this control
* Infrastructure owns the system and service portions of this control
## Guidance
......
......@@ -45,16 +45,6 @@ The GitLab business continuity plan will have team and departmental pieces that
* Vendor communication and service restoration plan of action steps.
* Run a DR test annually, to ensure that the plan is working efficiently.
#### Reference Links
* [Business Continuity Plan in Handbook](https://about.gitlab.com/security/#business-continuity-plan)
* [Handbook listing of DR for Databases](https://about.gitlab.com/handbook/engineering/infrastructure/database/disaster_recovery.html)
* [GitLab Development Guides](https://docs.gitlab.com/ee/development/README.html#databases)
* [GitLab High Availability](https://about.gitlab.com/solutions/high-availability/)
* [Infra Epic for Geo](https://gitlab.com/groups/gitlab-com/gl-infra/-/epics/1)
* [NIST Guidance on Business Continuity](https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-34r1.pdf)
* [PCI DSS v3.2.1 - Business Continuity Plan](https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf?agreement=true&time=1551196697261#page=113)
## Additional control information and project tracking
Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Business Continuity Plan issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/774) .
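Review bot: this hunk removes the reference links without adding the "For all reference links relevant to this control, refer to the full guidance documentation" pointer that every other control in this commit receives, so the Business Continuity Plan page loses the NIST SP 800-34 and PCI DSS references with no forwarding link; add the pointer sentence under the remaining heading. Also drop the stray space before the period in "[Business Continuity Plan issue](...) .".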
......
......@@ -39,17 +39,14 @@ All parts of the business continuity plan should be tested. All teams and servic
* Business Operations owns this control.
* Infrastructure will provide implementation support for .com
## Implementation Guidance
## Guidance
For detailed implementation guidance relevant to GitLab team-members, refer to the [full guidance documentation](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/blob/master/controls/guidance/BC.1.03_continuity_testing.md).
* Tabletop exercises would be a reasonable way to test yearly
* But a full simulation should take place at least biennially for each team and service
## Reference Links
## Additional control information and project tracking
For all reference links relevant to this control, refer to the [full guidance documentation](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/blob/master/controls/guidance/BC.1.03_continuity_testing.md).
## Examples of evidence an auditor might request to satisfy this control
For examples of evidence an auditor might request, refer to the [full guidance documentation](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/blob/master/controls/guidance/BC.1.03_continuity_testing.md).
Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Continuity Testing control issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/776).
## Framework Mapping
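Review bot: the two bullets ("Tabletop exercises would be a reasonable way to test yearly" / "a full simulation should take place at least biennially for each team and service") are the only concrete cadence on this page; if they are being replaced by the link to BC.1.03_continuity_testing.md, confirm the linked guidance states the same yearly/biennial cadence, and reconcile it with "Run a DR test annually" in the previous hunk so the two pages do not disagree.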
......
......@@ -33,17 +33,21 @@ This control is a subset of the Business Continuity control. Business Impact Ana
* Infrastructure group acts as process owners, implementing and providing support for this control.
* Security Compliance acts as a facilitator, to ensure this control is followed.
## Implementation Guidance
## Guidance
For detailed implementation guidance relevant to GitLab team-members, refer to the [full guidance documentation](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/blob/master/controls/guidance/BC.1.04_business_impact_analysis.md).
* Meet with management
* Identify the scope of the BIA, and the subject matter experts who will be involved.
* Determine the operating parameters of the BIA.
* Gather all required data before conducting the BIA interviews (pre-work).
* Schedule & Conduct the BIA interviews.
* Aggregate the data and analyze it.
* Send participants the completed BIA.
* Create and Send the report to senior management.
* Work on recovery strategies.
## Reference Links
## Additional control information and project tracking
For all reference links relevant to this control, refer to the [full guidance documentation](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/blob/master/controls/guidance/BC.1.04_business_impact_analysis.md).
## Examples of evidence an auditor might request to satisfy this control
For examples of evidence an auditor might request, refer to the [full guidance documentation](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/blob/master/controls/guidance/BC.1.04_business_impact_analysis.md).
Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Business Impact Analysis control issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/777).
## Framework Mapping
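Review bot: style point on the BIA step list: "Schedule & Conduct the BIA interviews." and "Create and Send the report" capitalize mid-sentence verbs while the other items do not, and "Meet with management" is the only item without a terminal period. If the list stays on the handbook page next to the link to BC.1.04_business_impact_analysis.md, normalize it; otherwise it duplicates the linked guidance and should go with the other removed sections.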
......
......@@ -33,17 +33,27 @@ Regular Backups help ensure secure and clean data to keep the business running i
* GitLab Infra team owns the backup configuration to 100%. They are responsible to run both app snapshots and database backups.
* The ultimate responsibility to ensure backups take place per cadence, falls on Senior management
## Implementation Guidance
## Guidance
For detailed implementation guidance relevant to GitLab team-members, refer to the [full guidance documentation](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/blob/master/controls/guidance/BU.1.01_backup_configuration.md).
* Assess and apply a clear backup and restore standard for all GitLab systems
* Prioritize systems according to data sensitivity
* Define the backup and recovery standards per data prioritization
* Prevent loss of data in case of an accidental deletion or corruption of data, system failure, or disaster
* Permit timely restoration of information and business processes, should such events occur.
* Manage and secure backup and restoration processes and the media employed in the process
* Set retention periods of data, contained within system level backups designed for recoverability
* Provide a point-in-time snapshot of information as it was, during the time period defined by GitLab backup policies
* Backup retention periods and the data retention periods are defined by legal and/or business requirements.
## Reference Links
Backup configuration Documentation should include:
For all reference links relevant to this control, refer to the [full guidance documentation](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/blob/master/controls/guidance/BU.1.01_backup_configuration.md).
* The configuration of redundant systems showing how a failover occurs
* The configuration of backup settings of each system
* If centrally managed, the runbook that controls backup configurations.
## Examples of evidence an auditor might request to satisfy this control
## Additional control information and project tracking
For examples of evidence an auditor might request, refer to the [full guidance documentation](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/blob/master/controls/guidance/BU.1.01_backup_configuration.md).
Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [ control issue]().
## Framework Mapping
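Review bot: "[ control issue]()" has an empty link target and a leading space in the link text, which renders as a broken link on the handbook page; either fill in the compliance issue URL as the BC controls do ("Business Continuity Plan issue", "Continuity Testing control issue") or omit the sentence until the issue exists. The same placeholder appears in every following control in this commit. Minor: "Backup configuration Documentation should include:" has a stray capital D.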
......
......@@ -33,17 +33,13 @@ Process owner:
* Infrastructure Team
## Implementation Guidance
## Guidance
For detailed implementation guidance relevant to GitLab team-members, refer to the [full guidance documentation](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/blob/master/controls/guidance/BU.1.02_resilience_testing.md).
## Reference Links
For all reference links relevant to this control, refer to the [full guidance documentation](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/blob/master/controls/guidance/BU.1.02_resilience_testing.md).
## Additional control information and project tracking
## Examples of evidence an auditor might request to satisfy this control
For examples of evidence an auditor might request, refer to the [full guidance documentation](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/blob/master/controls/guidance/BU.1.02_resilience_testing.md).
Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [ control issue]().
## Framework Mapping
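Review bot: "Process owner:" lists "* Infrastructure Team" with no ownership share, while the other controls record shares in backticks ("* Infrastructure Team: `100%`" in CFG.1.03); align the format so ownership reads consistently across the control pages being normalized here.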
......
......@@ -31,17 +31,13 @@ This control applies to all hosted systems (e.g. VM's and GCP compute services)
* IT Ops: `25%`
* Infrastructure: `25%`
## Implementation Guidance
## Guidance
For detailed implementation guidance relevant to GitLab team-members, refer to the [full guidance documentation](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/blob/master/controls/guidance/CFG.1.01_baseline_configuration_standard.md).
## Reference Links
For all reference links relevant to this control, refer to the [full guidance documentation](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/blob/master/controls/guidance/CFG.1.01_baseline_configuration_standard.md).
## Additional control information and project tracking
## Examples of evidence an auditor might request to satisfy this control
For examples of evidence an auditor might request, refer to the [full guidance documentation](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/blob/master/controls/guidance/CFG.1.01_baseline_configuration_standard.md).
Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [ control issue]().
## Framework Mapping
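Review bot: "VM's" in the scope sentence ("all hosted systems (e.g. VM's and GCP compute services)") is a plural, not a possessive, and should read "VMs"; the same typo is in the CFG.1.07 scope line below. Also, only "IT Ops: `25%`" and "Infrastructure: `25%`" are visible in this hunk, so confirm the remaining 50% is assigned on the page.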
......
......@@ -29,17 +29,13 @@ This control applies to all systems within our production environment.
* Process owner(s):
* Infrastructure Team: `100%`
## Implementation Guidance
## Guidance
For detailed implementation guidance relevant to GitLab team-members, refer to the [full guidance documentation](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/blob/master/controls/guidance/CFG.1.03_configuration_checks.md).
## Reference Links
For all reference links relevant to this control, refer to the [full guidance documentation](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/blob/master/controls/guidance/CFG.1.03_configuration_checks.md).
## Additional control information and project tracking
## Examples of evidence an auditor might request to satisfy this control
For examples of evidence an auditor might request, refer to the [full guidance documentation](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/blob/master/controls/guidance/CFG.1.03_configuration_checks.md).
Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [ control issue]().
## Framework Mapping
......
......@@ -29,17 +29,13 @@ This control applies to all production systems.
* Process owner(s):
* IT Ops: `100%`
## Implementation Guidance
## Guidance
For detailed implementation guidance relevant to GitLab team-members, refer to the [full guidance documentation](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/blob/master/controls/guidance/CFG.1.04_configuration_check_reconciliation.md).
## Reference Links
For all reference links relevant to this control, refer to the [full guidance documentation](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/blob/master/controls/guidance/CFG.1.04_configuration_check_reconciliation.md).
## Additional control information and project tracking
## Examples of evidence an auditor might request to satisfy this control
For examples of evidence an auditor might request, refer to the [full guidance documentation](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/blob/master/controls/guidance/CFG.1.04_configuration_check_reconciliation.md).
Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [ control issue]().
## Framework Mapping
......
......@@ -27,17 +27,13 @@ This control applies to all hosted systems (e.g. VM's and GCP compute services)
TBD
## Implementation Guidance
## Guidance
For detailed implementation guidance relevant to GitLab team-members, refer to the [full guidance documentation](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/blob/master/controls/guidance/CFG.1.07_default_device_passwords.md).
## Reference Links
For all reference links relevant to this control, refer to the [full guidance documentation](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/blob/master/controls/guidance/CFG.1.07_default_device_passwords.md).
## Additional control information and project tracking
## Examples of evidence an auditor might request to satisfy this control
For examples of evidence an auditor might request, refer to the [full guidance documentation](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/blob/master/controls/guidance/CFG.1.07_default_device_passwords.md).
Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [ control issue]().
## Framework Mapping
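Review bot: ownership for this control is still "TBD" while the page now links out to the full guidance for default device passwords, so a reader finds guidance but no accountable owner. The same "TBD" ownership appears in CM.1.01, DM.2.01, DM.4.01, DM.4.02, IAM.1.01, IAM.1.04 and IAM.1.06 below; consider tracking owner assignment in the control issue that the "[ control issue]()" placeholder is meant to reference.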
......
......@@ -27,17 +27,13 @@ This control applies to the GitLab.com production environment.
TBD
## Implementation Guidance
## Guidance
For detailed implementation guidance relevant to GitLab team-members, refer to the [full guidance documentation](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/blob/master/controls/guidance/CM.1.01_change_management_workflow.md).
## Reference Links
For all reference links relevant to this control, refer to the [full guidance documentation](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/blob/master/controls/guidance/CM.1.01_change_management_workflow.md).
## Additional control information and project tracking
## Examples of evidence an auditor might request to satisfy this control
For examples of evidence an auditor might request, refer to the [full guidance documentation](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/blob/master/controls/guidance/CM.1.01_change_management_workflow.md).
Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [ control issue]().
## Framework Mapping
......
......@@ -40,17 +40,13 @@ Process owner(s):
* All engineering teams: 50%
## Implementation Guidance
## Guidance
For detailed implementation guidance relevant to GitLab team-members, refer to the [full guidance documentation](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/blob/master/controls/guidance/CM.1.02_change_approval.md).
## Reference Links
For all reference links relevant to this control, refer to the [full guidance documentation](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/blob/master/controls/guidance/CM.1.02_change_approval.md).
## Additional control information and project tracking
## Examples of evidence an auditor might request to satisfy this control
For examples of evidence an auditor might request, refer to the [full guidance documentation](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/blob/master/controls/guidance/CM.1.02_change_approval.md).
Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [ control issue]().
## Framework Mapping
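Review bot: "* All engineering teams: 50%" records the ownership share without the backticks used elsewhere ("* IT Ops: `100%`"), and the same unformatted style appears in IAM.2.01 ("Business Ops Team: 25%", "Compliance Team: 25%"); since this commit is normalizing the control pages, use one format. The other 50% owner is not visible in this hunk, so confirm the shares sum to 100% on the page.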
......
......@@ -27,17 +27,13 @@ This control applies to GitLab's ToS.
TBD
## Implementation Guidance
## Guidance
For detailed implementation guidance relevant to GitLab team-members, refer to the [full guidance documentation](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/blob/master/controls/guidance/DM.2.01_terms_of_service.md).
## Reference Links
For all reference links relevant to this control, refer to the [full guidance documentation](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/blob/master/controls/guidance/DM.2.01_terms_of_service.md).
## Additional control information and project tracking
## Examples of evidence an auditor might request to satisfy this control
For examples of evidence an auditor might request, refer to the [full guidance documentation](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/blob/master/controls/guidance/DM.2.01_terms_of_service.md).
Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [ control issue]().
## Framework Mapping
......
......@@ -27,17 +27,13 @@ Encrypting data in transit over public networks applies to all red, orange, and
TBD
## Implementation Guidance
## Guidance
For detailed implementation guidance relevant to GitLab team-members, refer to the [full guidance documentation](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/blob/master/controls/guidance/DM.4.01_encryption_of_data_in_transit.md).
## Reference Links
For all reference links relevant to this control, refer to the [full guidance documentation](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/blob/master/controls/guidance/DM.4.01_encryption_of_data_in_transit.md).
## Additional control information and project tracking
## Examples of evidence an auditor might request to satisfy this control
For examples of evidence an auditor might request, refer to the [full guidance documentation](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/blob/master/controls/guidance/DM.4.01_encryption_of_data_in_transit.md).
Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [ control issue]().
## Framework Mapping
......
......@@ -27,17 +27,13 @@ This control applies to red, orange, and yellow data.
TBD
## Implementation Guidance
## Guidance
For detailed implementation guidance relevant to GitLab team-members, refer to the [full guidance documentation](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/blob/master/controls/guidance/DM.4.02_encryption_of_data_at_rest.md).
## Reference Links
For all reference links relevant to this control, refer to the [full guidance documentation](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/blob/master/controls/guidance/DM.4.02_encryption_of_data_at_rest.md).
## Additional control information and project tracking
## Examples of evidence an auditor might request to satisfy this control
For examples of evidence an auditor might request, refer to the [full guidance documentation](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/blob/master/controls/guidance/DM.4.02_encryption_of_data_at_rest.md).
Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [ control issue]().
## Framework Mapping
......
......@@ -29,19 +29,13 @@ This control applies to both electronic and physical (for example, paper printou
* Process owner(s):
* IT Ops: `100%`
## Implementation Guidance
## Guidance
For detailed implementation guidance relevant to GitLab team-members, refer to the [full guidance documentation](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/blob/master/controls/guidance/DM.7.01_secure_disposal_of_media.md).
## Reference Links
For all reference links relevant to this control, refer to the [full guidance documentation](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/blob/master/controls/guidance/DM.7.01_secure_disposal_of_media.md).
## Examples of evidence an auditor might request to satisfy this control
For examples of evidence an auditor might request, refer to the [full guidance documentation](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/blob/master/controls/guidance/DM.7.01_secure_disposal_of_media.md).
## Additional control information and project tracking
Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [ control issue]().
## Framework Mapping
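Review bot: the hunk header "-29,19 +29,13" removes six lines where the other controls remove four, and here the "Additional control information and project tracking" heading sits after the "Examples of evidence" text rather than before it as in every other hunk; check the rendered page to confirm the heading order matches the other controls and that nothing beyond the two replaced sections was dropped.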
......
......@@ -27,17 +27,13 @@ This control applies to any system or service where user accounts can be provisi
TBD
## Implementation Guidance
## Guidance
For detailed implementation guidance relevant to GitLab team-members, refer to the [full guidance documentation](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/blob/master/controls/guidance/IAM.1.01_logical_access_provisioning.md).
## Reference Links
For all reference links relevant to this control, refer to the [full guidance documentation](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/blob/master/controls/guidance/IAM.1.01_logical_access_provisioning.md).
## Additional control information and project tracking
## Examples of evidence an auditor might request to satisfy this control
For examples of evidence an auditor might request, refer to the [full guidance documentation](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/blob/master/controls/guidance/IAM.1.01_logical_access_provisioning.md).
Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [ control issue]().
## Framework Mapping
......
......@@ -33,17 +33,13 @@ This control applies to any system or service where user accounts can be provisi
* People Ops: `20%`
* Security: `20%`
## Implementation Guidance
## Guidance
For detailed implementation guidance relevant to GitLab team-members, refer to the [full guidance documentation](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/blob/master/controls/guidance/IAM.1.02_logical_access_deprovisioning.md).
## Reference Links
For all reference links relevant to this control, refer to the [full guidance documentation](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/blob/master/controls/guidance/IAM.1.02_logical_access_deprovisioning.md).
## Additional control information and project tracking
## Examples of evidence an auditor might request to satisfy this control
For examples of evidence an auditor might request, refer to the [full guidance documentation](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/blob/master/controls/guidance/IAM.1.02_logical_access_deprovisioning.md).
Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [ control issue]().
## Framework Mapping
......
......@@ -27,17 +27,13 @@ This control applies to all individuals and groups with access to the GitLab pro
TBD
## Implementation Guidance
## Guidance
For detailed implementation guidance relevant to GitLab team-members, refer to the [full guidance documentation](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/blob/master/controls/guidance/IAM.1.04_logical_access_review.md).
## Reference Links
For all reference links relevant to this control, refer to the [full guidance documentation](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/blob/master/controls/guidance/IAM.1.04_logical_access_review.md).
## Additional control information and project tracking
## Examples of evidence an auditor might request to satisfy this control
For examples of evidence an auditor might request, refer to the [full guidance documentation](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/blob/master/controls/guidance/IAM.1.04_logical_access_review.md).
Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [ control issue]().
## Framework Mapping
......
......@@ -27,17 +27,13 @@ TBD
TBD
## Implementation Guidance
## Guidance
For detailed implementation guidance relevant to GitLab team-members, refer to the [full guidance documentation](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/blob/master/controls/guidance/IAM.1.06_shared_logical_accounts.md).
## Reference Links
For all reference links relevant to this control, refer to the [full guidance documentation](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/blob/master/controls/guidance/IAM.1.06_shared_logical_accounts.md).
## Additional control information and project tracking
## Examples of evidence an auditor might request to satisfy this control
For examples of evidence an auditor might request, refer to the [full guidance documentation](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/blob/master/controls/guidance/IAM.1.06_shared_logical_accounts.md).
Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [ control issue]().
## Framework Mapping
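Review bot: both the scope line in the hunk header and the ownership line read "TBD", so after this change the shared logical accounts page consists of headings and links only; at minimum state the scope before the page links out to IAM.1.06_shared_logical_accounts.md, since the linked guidance cannot define what the control applies to.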
......
......@@ -31,17 +31,13 @@ TBD
* Business Ops: `25%`
* Security Compliance: `25%`
## Implementation Guidance
## Guidance
For detailed implementation guidance relevant to GitLab team-members, refer to the [full guidance documentation](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/blob/master/controls/guidance/IAM.1.07_shared_account_restrictions.md).
## Reference Links
For all reference links relevant to this control, refer to the [full guidance documentation](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/blob/master/controls/guidance/IAM.1.07_shared_account_restrictions.md).
## Additional control information and project tracking
## Examples of evidence an auditor might request to satisfy this control
For examples of evidence an auditor might request, refer to the [full guidance documentation](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/blob/master/controls/guidance/IAM.1.07_shared_account_restrictions.md).
Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [ control issue]().
## Framework Mapping
......
......@@ -32,17 +32,13 @@ Process owner(s):
* Business Ops Team: 25%
* Compliance Team: 25%
## Implementation Guidance
## Guidance
For detailed implementation guidance relevant to GitLab team-members, refer to the [full guidance documentation](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/blob/master/controls/guidance/IAM.2.01_unique_identifiers.md).
## Reference Links
For all reference links relevant to this control, refer to the [full guidance documentation](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/blob/master/controls/guidance/IAM.2.01_unique_identifiers.md).
## Additional control information and project tracking
## Examples of evidence an auditor might request to satisfy this control
For examples of evidence an auditor might request, refer to the [full guidance documentation](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/blob/master/controls/guidance/IAM.2.01_unique_identifiers.md).
Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [ control issue]().
## Framework Mapping
......
......@@ -28,17 +28,13 @@ This control applies to any system or service where password protection is appro
* Process owner(s):
* Security: `100%`
## Implementation Guidance
## Guidance
For detailed implementation guidance relevant to GitLab team-members, refer to the [full guidance documentation](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/blob/master/controls/guidance/IAM.2.02_password_authentication.md).
## Reference Links
For all reference links relevant to this control, refer to the [full guidance documentation](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/blob/master/controls/guidance/IAM.2.02_password_authentication.md).
## Additional control information and project tracking
## Examples of evidence an auditor might request to satisfy this control
For examples of evidence an auditor might request, refer to the [full guidance documentation](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/blob/master/controls/guidance/IAM.2.02_password_authentication.md).
Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [ control issue]().
## Framework Mapping
......
......@@ -27,17 +27,13 @@ This control applies to any system or process where source code can be modified.
TBD
## Implementation Guidance
## Guidance
For detailed implementation guidance relevant to GitLab team-members, refer to the [full guidance documentation](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/blob/master/controls/guidance/IAM.3.02_source_code_security.md).
## Reference Links
For all reference links relevant to this control, refer to the [full guidance documentation](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/blob/master/controls/guidance/IAM.3.02_source_code_security.md).
## Additional control information and project tracking
## Examples of evidence an auditor might request to satisfy this control
For examples of evidence an auditor might request, refer to the [full guidance documentation](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/blob/master/controls/guidance/IAM.3.02_source_code_security.md).
Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [ control issue]().
## Framework Mapping
......
......@@ -27,17 +27,13 @@ This control applies to all GitLab.com production environment systems and networ