Commit 9e4afd07 authored by Luka Trbojevic

Update GCF guidance

parent c47e8811
Pipeline #82825387 passed with stages in 32 minutes and 9 seconds
......@@ -21,11 +21,14 @@ Changing the default password will strengthen the baseline configuration and red
## Scope
This control applies to all hosted systems (e.g. VM's and GCP compute services) as well as end user workstations (e.g. GitLab team-members' MacBooks) and all third-party applications utilized by GitLab.
This control applies to all systems within our production environment. The production environment includes all endpoints and cloud assets used in hosting GitLab.com and its subdomains. This may include third-party systems that support the business of GitLab.com.
## Ownership
TBD
* Control Owner: `Infrastructure`
* Process owner(s):
* IT Ops
* Infrastructure
## Guidance
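Review bot: The replacement Scope sentence drops end-user workstations and third-party applications that the previous sentence covered, yet IT Ops is added as a process owner, which only makes sense if workstations are still in scope; either keep workstations in the Scope or say where default passwords on team-member devices are now covered. "This may include third-party systems" also leaves the boundary open; state which third-party systems are in scope or who decides.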
......@@ -35,6 +38,11 @@ Tip - add task to runbook(s) to implement password change and/or validate defaul
Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Default Device Passwords control issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/790).
Examples of evidence an auditor might request to satisfy this control:
* Sample or documentation of the new user account creation process for critical accounts and systems showing no default password can be used and users must set a strong and unique password
* Non-confidential samples of Terraform and Chef configs showing default passwords aren't used for GitLab.com infrastructure
## Framework Mapping
* PCI
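Review bot: The second evidence bullet asks for Terraform and Chef configs "showing default passwords aren't used", which is evidence of absence and hard for an auditor to read from a config sample; pair it with the runbook task named in the hunk context (implement the password change and/or validate defaults are changed) so the evidence shows the change being performed rather than a config that merely lacks a literal default.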
......
......@@ -21,16 +21,24 @@ Having a structured workflow and guidance on change management helps reduce the
## Scope
This control applies to the GitLab.com production environment.
This control applies to all systems within our production environment. The production environment includes all endpoints and cloud assets used in hosting GitLab.com and its subdomains. This may include third-party systems that support the business of GitLab.com.
## Ownership
TBD
* Control Owner: `Infrastructure`
* Process owner(s):
* Infrastructure
* System Owners
## Additional control information and project tracking
Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Change Management Workflow control issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/781).
Examples of evidence an auditor might request to satisfy this control:
* Copy of the GitLab change management workflow
* Sample of issues or other documentation showing the change management workflow is followed
## Framework Mapping
* ISO
......
......@@ -26,24 +26,24 @@ This control aims to ensure important information about the change, its impacts,
## Scope
This control applies to any application or infrastructure changes introduced into the GitLab production environment.
This control applies to all systems within our production environment. The production environment includes all endpoints and cloud assets used in hosting GitLab.com and its subdomains. This may include third-party systems that support the business of GitLab.com.
## Ownership
Control Owner:
* Engineering Group
Process owner(s):
* Infrastructure Team: 50%
* All engineering teams: 50%
Control Owner: `Infrastructure`
* Process owner(s):
* Infrastructure
## Additional control information and project tracking
Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Change Approval control issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/782).
Examples of evidence an auditor might request to satisfy this control:
* A copy of the Change Approval process for software and infrastructure, along with specific templates and workflows
* Sample infrastructure Change Plans and related reviews/discussions
* Sample Merge Request reviews and approvals
## Framework Mapping
* ISO
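Review bot: Removing "All engineering teams" as a process owner leaves application changes without an owner even though the Scope line still covers "any application or infrastructure changes" and the evidence list keeps "Sample Merge Request reviews and approvals", which Infrastructure does not perform for application code; either restore an engineering process owner or narrow the Scope to infrastructure changes. Also, "Control Owner: `Infrastructure`" is missing the leading "* " that the Ownership lists in the other files use, so it will render as a paragraph followed by a list.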
......
......@@ -21,11 +21,13 @@ Encrypting data transmitted over public networks helps ensure the confidentialit
## Scope
Encrypting data in transit over public networks applies to all red, orange, and yellow data.
This control applies to red, orange, and yellow data in the production environment. The production environment includes all endpoints and cloud assets used in hosting GitLab.com and its subdomains. This may include third-party systems that support the business of GitLab.com
## Ownership
TBD
* Control Owner: `Infrastructure`
* Process owner(s):
* Infrastructure
## Guidance
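Review bot: The new Scope sentence ends without a period, unlike the same sentence in the other controls in this commit. More substantively, it narrows the control from all red, orange and yellow data to that data in the production environment, which drops transmissions that never touch production (for instance team members sending such data to third-party services); say whether that is intended and, if so, which control covers it.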
......@@ -35,6 +37,11 @@ TLS 1.2 or higher should be used to encrypt data in transit ([Deprecate support
Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Encryption of Data in Transit control issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/796).
Examples of evidence an auditor might request to satisfy this control:
* Architecture and design documentation showing the use and high-level implementation details of TLS for production
* Random sampling of connections to/from production
## Framework Mapping
* ISO
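Review bot: "Random sampling of connections to/from production" does not say what the sample must demonstrate; given the guidance line in the hunk header that TLS 1.2 or higher should be used, suggest "Random sampling of connections to/from production showing the negotiated TLS version and cipher suite".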
......
......@@ -21,16 +21,23 @@ Encrypting data at rest helps ensure the confidentiality and integrity of that d
## Scope
This control applies to red, orange, and yellow data.
This control applies to red, orange, and yellow data in the production environment. The production environment includes all endpoints and cloud assets used in hosting GitLab.com and its subdomains. This may include third-party systems that support the business of GitLab.com
## Ownership
TBD
* Control Owner: `Infrastructure`
* Process owner(s):
* Infrastructure
## Additional control information and project tracking
Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Encryption of Data at Rest control issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/797).
Examples of evidence an auditor might request to satisfy this control:
* Reference to production architecture in the handbook
* Resource export from Google Cloud showing implementation of production architecture practices and state of encryption for SSDs, HDDs, and Postgres.
## Framework Mapping
* ISO
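Review bot: Missing period at the end of the new Scope sentence. In the second evidence bullet, "state of encryption for SSDs, HDDs, and Postgres" names disk resources and a database together; say which export or document is meant to evidence the Postgres state, since a Google Cloud resource export will show the disks but not the database as such.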
......
......@@ -21,7 +21,7 @@ Securely disposing of both electronic and physical media adds a layer of protect
## Scope
This control applies to both electronic and physical (for example, paper printouts) media.
This control applies to GitLab team member laptops.
## Ownership
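Review bot: The new Scope narrows "both electronic and physical (for example, paper printouts) media" to "GitLab team member laptops", which removes paper media and production storage media from a control titled Secure Disposal of Media; if production disks are disposed of under another control, cross-reference it here, and otherwise keep the broader wording.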
......@@ -33,6 +33,13 @@ This control applies to both electronic and physical (for example, paper printou
Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Secure Disposal of Media control issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/802).
Examples of evidence an auditor might request to satisfy this control:
* Handbook entry of the disposal process
* A shareable copy of media disposal runbook(s)
* Certificate(s) or log(s) of disposal
* Records indicating media is disposed of when appropriate
## Framework Mapping
* ISO
......
......@@ -21,15 +21,12 @@ Use of shared or generic accounts limits the ability to ensure authenticity and
## Scope
TBD
This control applies to all systems within our production environment. The production environment includes all endpoints and cloud assets used in hosting GitLab.com and its subdomains. This may include third-party systems that support the business of GitLab.com.
## Ownership
* Control Owner: `Security`
* Control Owner: `IT Ops`
* Process owner(s):
* Security: `50%`
* Business Ops: `25%`
* Security Compliance: `25%`
* IT Ops
## Guidance
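Review bot: The Scope is now the production environment, but the Control Owner changes from Security to IT Ops, while every other control scoped to the production environment in this commit is owned by Infrastructure; state whether IT Ops owns shared-account restrictions on production systems, or change the Scope to name the IT-managed systems IT Ops actually administers. Dropping the percentage splits is fine, but Security Compliance disappears from the process owners without a replacement.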
......@@ -39,6 +36,12 @@ Review and document required accounts for a given system and disable all unneces
Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Shared Account Restrictions control issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/811).
Examples of evidence an auditor might request to satisfy this control:
* Link to the handbook entry on shared accounts and their restrictions
* List of systems and services where shared accounts are restricted
* User export of those systems and services
## Framework Mapping
* PCI
......
......@@ -20,18 +20,24 @@ By ensuring passwords are implemented when and where appropriate, sensitive and
## Scope
This control applies to any system or service where password protection is appropriate.
This control applies to all systems within our production environment. The production environment includes all endpoints and cloud assets used in hosting GitLab.com and its subdomains. This may include third-party systems that support the business of GitLab.com.
## Ownership
* Control Owner: `Security`
* Control Owner: `IT Ops`
* Process owner(s):
* Security: `100%`
* IT Ops
## Additional control information and project tracking
Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Password Authentication control issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/813).
Examples of evidence an auditor might request to satisfy this control:
* Copy of GitLab's password policy and the Okta/1Password handbook entries
* Samples of service minimum password requirements, especially for Okta, which manages identify for many SaaS services used by GitLab
* Samples of service password change requirements and/or logs demonstrating passwords are changed on a quarterly basis
## Framework Mapping
* ISO
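Review bot: Typo in the second evidence bullet: "identify" should be "identity" ("which manages identity for many SaaS services"). As with the shared-accounts control, the Scope now names the production environment while the Control Owner becomes IT Ops; the evidence (password policy, Okta/1Password handbook entries) describes IT-managed services, so the Scope should match that rather than the production environment.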
......
......@@ -21,16 +21,24 @@ One of the fundamental and most important security considerations of encryption
## Scope
This control applies to any and all cryptographic keystores.
This control applies to all cryptographic keystores for the production environment. The production environment includes all endpoints and cloud assets used in hosting GitLab.com and its subdomains. This may include third-party systems that support the business of GitLab.com.
## Ownership
TBD
Control Owner: `Infrastructure`
* Process owner(s):
* Infrastructure
## Additional control information and project tracking
Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Key Repository Access control issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/832).
Examples of evidence an auditor might request to satisfy this control:
* Sample of access requests for Google Cloud and specifically KMS; Chef Data Bags; any servers which store the Data Bags private key; and any servers which store the TLS private key
* Documentation or some form of record demonstrating access to a keystore or server containing the private key to a keystore is only provisioned to GitLabbers where there is a clear need for access
* A copy of Google Cloud users with access to production KMS, Data Bags, and servers storing private keys to either
## Framework Mapping
* ISO
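Review bot: "Control Owner: `Infrastructure`" lacks the "* " list marker that the following "Process owner(s):" line has, so it renders as a paragraph; add the marker to match the other Ownership sections. The second evidence bullet asks that keystore access is provisioned only where there is a clear need, but nothing asks how that is periodically re-confirmed; consider adding access review records to the list.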
......
......@@ -33,16 +33,24 @@ The purpose of this control is to ensure GitLab creates, implements, and maintai
## Scope
TBD
This control applies to all systems within our production environment. The production environment includes all endpoints and cloud assets used in hosting GitLab.com and its subdomains. This may include third-party systems that support the business of GitLab.com.
## Ownership
TBD
* Control Owner: `Infrastructure`
* Process owner(s):
* Security Operations`
* Infrastructure
## Additional control information and project tracking
Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Incident Response Plan control issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/839).
Examples of evidence an auditor might request to satisfy this control:
* Provide copies of the Incident Response pages, which are linked to and described below
* Provide sample reports and other outputs of the various functions listed below, such as Infrastructure and/or Security incident issues
## Framework Mapping
* ISO
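Review bot: Stray backtick at the end of "Security Operations`" in the process owner list. The Control Owner is `Infrastructure` while the first process owner is Security Operations; confirm that Infrastructure rather than Security is meant to own the incident response plan.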
......
......@@ -24,16 +24,25 @@ Having an easily accessible and public channel for external parties to contact G
## Scope
TBD
This control applies to GitLab.com
## Ownership
TBD
* Control Owner: `Corporate Compliance`
* Process owner(s):
* Security Operations
* Infrastructure
* Legal
## Additional control information and project tracking
Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Incident Reporting Contact Information control issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/843).
Examples of evidence an auditor might request to satisfy this control:
* Handbook pages that provide external parties a contact method
* Link to the `gitlab-foss` issue tracker and samples of relevant issues reporting incidents
## Framework Mapping
* ISO
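Review bot: "This control applies to GitLab.com" lacks a period. The control, per the hunk header, is about a public channel for external parties to contact GitLab; if reports that concern something other than GitLab.com are out of scope, say so explicitly, since the evidence bullet points at the `gitlab-foss` issue tracker, which is a product issue tracker rather than a GitLab.com-only channel.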
......
......@@ -21,11 +21,14 @@ The purpose of this control is to formalize the documentation and approval of so
## Scope
This control applies to all major software releases to GitLab's SaaS offering.
This control applies to all major software releases to GitLab.com.
## Ownership
TBD
* Control Owner: `Delivery`
* Process owner(s):
* Delivery
* Infrastructure
## Guidance
......@@ -35,6 +38,12 @@ Most of this process is already captured in current GitLab workflow; the difficu
Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Service Lifecycle Workflow control issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/888).
Examples of evidence an auditor might request to satisfy this control:
* Documentation outlining our development and release workflows
* Sample releases and their respective reviews
* Sample pipeline artifacts and merge request reviews
## Framework Mapping
* ISO
......
......@@ -21,11 +21,13 @@ In order for alerts to be configured for availability, we first have to establis
## Scope
This control applies to all production systems related to the GitLab SaaS product.
This control applies to all systems within our production environment. The production environment includes all endpoints and cloud assets used in hosting GitLab.com and its subdomains. This may include third-party systems that support the business of GitLab.com.
## Ownership
TBD
* Control Owner: `Infrastructure`
* Process owner(s):
* Infrastructure
## Guidance
......@@ -35,6 +37,12 @@ This control is not meant to dictate what criteria we use for our availability m
Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Availability Monitoring Alert Criteria control issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/920).
Examples of evidence an auditor might request to satisfy this control:
* Copies of the monitoring runbooks and other monitoring tool configuration documentation
* Examples of how alert criteria are applied against monitoring tools (e.g., monitoring tool configuration files)
* User export from PagerDuty and on-call Slack apps
## Framework Mapping
* ISO
......
......@@ -21,20 +21,28 @@ This control is related to GitLab control # SYS.3.01 (Availability Monitoring Al
## Scope
This control applies to all GitLab production systems.
This control applies to all systems within our production environment. The production environment includes all endpoints and cloud assets used in hosting GitLab.com and its subdomains. This may include third-party systems that support the business of GitLab.com.
## Ownership
TBD
* Control Owner: `Infrastructure`
* Process owner(s):
* Infrastructure
## Guidance
Tools like Splunk are perfect for automating these types of controls.
The particular tooling used isn't as important as the use of those tools being applied consistently across production and there being documented process of its use.
## Additional control information and project tracking
Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [System Availability Monitoring control issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/921).
Examples of evidence an auditor might request to satisfy this control:
* Documentation showing how GitLab.com is monitored, such as handbook entries and runbooks
* Documentation showing the alerting threshold for the GitLab.com monitoring
* Documentation describing how and to whom monitoring alerts are sent
## Framework Mapping
* ISO
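Review bot: Grammar in the new Guidance line: "there being documented process of its use" should read "there being a documented process for its use". Since the line says the tooling matters less than the documented process, it could point at the monitoring runbooks named in the first evidence bullet as where that process is documented.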
......
......@@ -25,22 +25,23 @@ This control applies to all GitLab source code.
## Ownership
Control Owner:
Application Security
Process Owner:
Application Security
* Control Owner: `Secure`
* Process owner(s):
* Engineering Department
## Guidance
Priority should be given to services with the highest risk rating.
SAST and Depdendency Scanning are initiated by pipelines for production code. Pipelines are managed by all teams, not a single team.
## Additional control information and project tracking
Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Code Security Check control issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/944).
Examples of evidence an auditor might request to satisfy this control:
* Pipeline configurations showing security tool usage
* SAST and Dependency Scanning pipeline artifacts
## Framework Mapping
* ISO
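Review bot: Typo in the Guidance line: "Depdendency Scanning" should be "Dependency Scanning". The Control Owner is `Secure` while the process owner is "Engineering Department" and the guidance says pipelines are managed by all teams, not a single team; say who is responsible when a team's pipeline lacks SAST or Dependency Scanning, since the evidence bullets ask for pipeline configurations showing security tool usage.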
......