Updates to Framework Mapping for controls I own

9f51ad30 · Steve Truong · ebd601b0 · 9f51ad30 · 9f51ad30 · 9f51ad30
Commit 9f51ad30 authored May 18, 2020 by Steve Truong 💬
9 changed files
--- a/source/handbook/engineering/security/security-assurance/security-compliance/guidance/RM.1.01_risk_assessment.html.md
+++ b/source/handbook/engineering/security/security-assurance/security-compliance/guidance/RM.1.01_risk_assessment.html.md
@@ -53,11 +53,8 @@ Examples of evidence an auditor might request to satisfy this control:
 ## Framework Mapping

 * SOC2 CC
+  * CC2.1
  * CC3.1
-  * CC3.2
  * CC3.3
  * CC3.4
  * CC5.1
-  * CC5.2
-* PCI
-  * 12.2
--- a/source/handbook/engineering/security/security-assurance/security-compliance/guidance/RM.1.02_continuous_monitoring.html.md
+++ b/source/handbook/engineering/security/security-assurance/security-compliance/guidance/RM.1.02_continuous_monitoring.html.md
@@ -50,15 +50,5 @@ Examples of evidence an auditor might request to satisfy this control:

 ## Framework Mapping

-* ISO
-  * A.12.7.1
-  * A.18.2.2
-  * A.18.2.3
 * SOC2 CC
-  * CC1.2
-  * CC3.2
-  * CC3.4
-  * CC4.1
-  * CC4.2
  * CC5.1
-  * CC5.2
--- a/source/handbook/engineering/security/security-assurance/security-compliance/guidance/RM.1.04_service_risk_rating_assignment.html.md
+++ b/source/handbook/engineering/security/security-assurance/security-compliance/guidance/RM.1.04_service_risk_rating_assignment.html.md
@@ -47,12 +47,4 @@ Examples of evidence an auditor might request to satisfy this control:
 ## Framework Mapping

 * SOC2 CC
-  * CC1.2
-  * CC3.2
-  * CC3.4
-  * CC4.1
-  * CC4.2
-  * CC5.1
-  * CC5.2
-* PCI
-  * 12.2
+  * CC2.1
--- a/source/handbook/engineering/security/security-assurance/security-compliance/guidance/RM.3.01_remediation_tracking.html.md
+++ b/source/handbook/engineering/security/security-assurance/security-compliance/guidance/RM.3.01_remediation_tracking.html.md
@@ -48,6 +48,4 @@ Examples of evidence an auditor might request to satisfy this control:
 ## Framework Mapping

 * SOC2 CC
-  * CC4.2
-  * CC5.1
-  * CC5.2
+  * CC2.1
--- a/source/handbook/engineering/security/security-assurance/security-compliance/guidance/SDM.1.01_system_documentation.html.md
+++ b/source/handbook/engineering/security/security-assurance/security-compliance/guidance/SDM.1.01_system_documentation.html.md
@@ -37,38 +37,12 @@ The most common form of system documentation is network and data flow diagrams.
 Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [System Documentation control issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/873).

 ### Policy Reference
-1.Design & architecture
+1.Design & architecture of GitLab
 * https://docs.gitlab.com/ee/development/architecture.html
-* https://docs.gitlab.com/ee/user/gitlab_com/architecture.html
-
-2.Monitoring/Performance
-*  https://docs.gitlab.com/ee/administration/monitoring/performance/index.html
-
-3.Engineering
-*  https://about.gitlab.com/handbook/#engineering
-*  https://about.gitlab.com/handbook/engineering/performance/
-
-4.Infrastructure
-* https://about.gitlab.com/handbook/engineering/infrastructure/
-* https://about.gitlab.com/handbook/engineering/infrastructure/production-architecture/
-
-5.Production/Test/Development
-* https://about.gitlab.com/handbook/engineering/development/
-* https://about.gitlab.com/handbook/engineering/quality/
-
-6.Back-up/recovery
-* https://about.gitlab.com/handbook/engineering/infrastructure/production/#backups
-* https://about.gitlab.com/handbook/engineering/infrastructure/database/#backup-and-recovery
-
-7.Security
-* https://about.gitlab.com/handbook/security/
-* https://about.gitlab.com/handbook/engineering/security/#information-security-policies
-
-8.Compliance
-* https://about.gitlab.com/handbook/legal/global-compliance/
-* https://about.gitlab.com/handbook/engineering/security/#compliance
+* https://about.gitlab.com/handbook/engineering/infrastructure/production/architecture/ 

 ## Framework Mapping

 * SOC2 CC
-  * CC2.3
+  * CC2.2
+  * CC7.1
--- a/source/handbook/engineering/security/security-assurance/security-compliance/guidance/SG.1.01_policy_and_standard_review.html.md
+++ b/source/handbook/engineering/security/security-assurance/security-compliance/guidance/SG.1.01_policy_and_standard_review.html.md
@@ -39,7 +39,7 @@ Process Owner:

 ## Guidance

-Create process to have policies and standards reviewed and updated on a recurring, annual basis.
+On an annual cadence, GitLab's Information Security Policies are reviewed and approved by the appropriate level of management. 

 ## Additional control information and project tracking

@@ -78,56 +78,8 @@ Non-public information relating to this security control as well as links to the

 ## Framework Mapping

-* ISO
-  * A.5.1.1
-  * A.5.1.2
-  * A.12.1.1
-  * A.12.5.1
-  * A.12.6.2
 * SOC2 CC
-  * CCC1.4
-  * CC2.1
-  * CC2.3
-  * CC3.1
-  * CC3.2
-  * CC5.1
  * CC5.2
  * CC5.3
 * PCI
-  * 1.5
-  * 2.5
-  * 3.5
-  * 3.5.1
-  * 3.5.2
-  * 3.5.3
-  * 3.5.4
-  * 3.6
-  * 3.6.1
-  * 3.6.2
-  * 3.6.3
-  * 3.6.4
-  * 3.6.5
-  * 3.6.6
-  * 3.6.7
-  * 3.6.8
-  * 4.3
-  * 5.4
-  * 6.7
-  * 7.3
-  * 8.1
-  * 8.1.1
-  * 8.1.2
-  * 8.1.3
-  * 8.1.4
-  * 8.1.5
-  * 8.1.6
-  * 8.1.7
-  * 8.1.8
-  * 8.4
-  * 8.8
-  * 9.10
-  * 9.10
-  * 10.9
-  * 11.6
-  * 12.1.1
-  * 12.4
+   * SAQ-A
--- a/source/handbook/engineering/security/security-assurance/security-compliance/guidance/SG.2.01_information_security_program_content.html.md
+++ b/source/handbook/engineering/security/security-assurance/security-compliance/guidance/SG.2.01_information_security_program_content.html.md
@@ -35,59 +35,7 @@ Non-public information relating to this security control as well as links to the

 ## Framework Mapping

-* ISO
-  * A.5.1.1
-  * A.6.1.1
-  * A.6.1.5
-  * A.6.2.1
-  * A.6.2.2
-  * A.9.1.1
-  * A.10.1.1
-  * A.11.2.9
-  * A.13.2.1
 * SOC2 CC
-  * CC1.1
-  * CC1.2
-  * CC1.3
-  * CC2.2
-  * CC2.3
-  * CC3.1
  * CC3.2
-  * CC5.1
-  * CC5.2
 * PCI
-  * 1.5
-  * 2.5
-  * 3.7
-  * 4.3
-  * 5.4
-  * 6.7
-  * 7.3
-  * 8.1
-  * 8.1.1
-  * 8.1.2
-  * 8.1.3
-  * 8.1.4
-  * 8.1.5
-  * 8.1.6
-  * 8.1.7
-  * 8.1.8
-  * 8.4
-  * 8.8
-  * 9.10
-  * 10.8
-  * 10.9
-  * 11.6
-  * 12.1
-  * 12.3
-  * 12.3.1
-  * 12.3.10
-  * 12.3.2
-  * 12.3.3
-  * 12.3.4
-  * 12.3.5
-  * 12.3.6
-  * 12.3.7
-  * 12.3.8
-  * 12.3.9
-  * 12.4
+  * SAQ-A
--- a/source/handbook/engineering/security/security-assurance/security-compliance/guidance/SG.5.03_security_roles_and_responsibilities.html.md
+++ b/source/handbook/engineering/security/security-assurance/security-compliance/guidance/SG.5.03_security_roles_and_responsibilities.html.md
@@ -54,21 +54,8 @@ Non-public information relating to this security control as well as links to the

 ## Framework Mapping

-* ISO
-  * A.6.1.1
 * SOC2 CC
-  * CC1.1
-  * CC1.4
+  * CC1.3
  * CC1.5
-  * CC2.2
-  * CC2.3
 * PCI
-  * 1.1.5
-  * 12.10.1
-  * 12.4
-  * 12.5
-  * 12.5.1
-  * 12.5.2
-  * 12.5.3
-  * 12.5.4
-  * 12.5.5
+  * SAQ-A
--- a/source/handbook/engineering/security/security-assurance/security-compliance/guidance/SLC.1.01_service_lifecycle_workflow.html.md
+++ b/source/handbook/engineering/security/security-assurance/security-compliance/guidance/SLC.1.01_service_lifecycle_workflow.html.md
@@ -105,10 +105,5 @@ Examples of evidence an auditor might request to satisfy this control:

 ## Framework Mapping

-* ISO
-  * A.14.1.1
-  * A.14.2.5
 * SOC2 CC
  * CC8.1
-* PCI
-  * 6.3