Commit e879e09e authored by Luka Trbojevic

Add Policy Reference section

parent 1ef91df6
Pipeline #85577576 passed with stages in 32 minutes and 51 seconds
......@@ -36,6 +36,8 @@ The scope of this control is broad by design. Asset inventories are the source o
Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Inventory Management control issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/761).
### Policy Reference
## Framework Mapping
* ISO
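Review bot: the added `### Policy Reference` heading has no body and sits one heading level below its neighbours, so as written it is an empty level-3 heading that reads as a subsection of `## Additional control information and project tracking` rather than a section of its own before `## Framework Mapping`; either fill it with the policy link(s) it is meant to reference or promote it to `## Policy Reference` so it matches the surrounding structure. The same empty placeholder is inserted at the same position in every file touched by this commit, so the fix applies throughout.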
......@@ -54,6 +54,7 @@ Based on the above, GitLab business continuity plan will have team and departmen
## Additional control information and project tracking
Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Business Continuity Plan issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/774) .
### Policy Reference
## Framework Mapping
* ISO
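Review bot: this hunk's header reads `@@ -54,6 +54,7 @@`, one added line, while every other file in the commit gains two (`+N,8`), so this file is missing the blank line that separates `### Policy Reference` from `## Framework Mapping` elsewhere; add it for consistency. While here, the context line ending `issues/774) .` has a stray space before the period.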
......@@ -48,6 +48,8 @@ All parts of the business continuity plan should be tested. All teams and servic
Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Continuity Testing control issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/776).
### Policy Reference
## Framework Mapping
* ISO
......@@ -41,6 +41,8 @@ This control is a subset of the Business Continuity control. Business Impact Ana
## Additional control information and project tracking
Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Business Impact Analysis control issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/777).
### Policy Reference
## Framework Mapping
* ISO
* A.17.1.1
......@@ -55,6 +55,8 @@ Backup configuration Documentation should include:
Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Backup Configuration control issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/778).
### Policy Reference
## Framework Mapping
* ISO
......@@ -51,6 +51,8 @@ Examples of evidence an auditor might request to satisfy this control:
* A copy of GitLab's backup, disaster recovery, and incident response processes
* Documentation showing the testing of backup and disaster recovery procedure happens, at minimum, on a quarterly basis
### Policy Reference
## Framework Mapping
* ISO
......@@ -44,6 +44,8 @@ Examples of evidence an auditor might request to satisfy this control:
* Configuration standards, guides, Chef cookbooks, and Terraform configs.
* Documentations showing the configuration standards are consistently applied.
### Policy Reference
## Framework Mapping
* ISO
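Review bot: the context line `* Documentations showing the configuration standards are consistently applied.` should read `Documentation`; not part of this change, but trivial to fix while the file is being edited.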
......@@ -43,6 +43,8 @@ Examples of evidence an auditor might request to satisfy this control:
* Examples of issues where deviations from outside of Terraform are reported by team members as they're discovered
* Examples of issues where application deployments fail or are found to deviate from baseline configurations
### Policy Reference
## Framework Mapping
* ISO
......@@ -44,6 +44,8 @@ Examples of evidence an auditor might request to satisfy this control:
* Handbook entry for the log reconciliation process
* Sample of remediation issues or other documentation showing remediation of devices not forwarding security configurations
### Policy Reference
## Framework Mapping
* SOC2
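Review bot: the framework label in this file is `* SOC2`, while other files in this commit use `* SOC2 CC` under the same `## Framework Mapping` heading; pick one label so the mappings can be cross-referenced consistently.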
......@@ -43,6 +43,8 @@ Examples of evidence an auditor might request to satisfy this control:
* Sample or documentation of the new user account creation process for critical accounts and systems showing no default password can be used and users must set a strong and unique password
* Non-confidential samples of Terraform and Chef configs showing default passwords aren't used for GitLab.com infrastructure
### Policy Reference
## Framework Mapping
* PCI
......@@ -39,6 +39,8 @@ Examples of evidence an auditor might request to satisfy this control:
* Copy of the GitLab change management workflow
* Sample of issues or other documentation showing the change management workflow is followed
### Policy Reference
## Framework Mapping
* ISO
......@@ -44,6 +44,8 @@ Examples of evidence an auditor might request to satisfy this control:
* Sample infrastructure Change Plans and related reviews/discussions
* Sample Merge Request reviews and approvals
### Policy Reference
## Framework Mapping
* ISO
......@@ -41,6 +41,8 @@ Examples of evidence an auditor might request to satisfy this control:
* Evidence that PostgreSQL database access above data reader is limited to [Database Reliability Engineers](/job-families/engineering/database-reliability-engineer/)
### Policy Reference
## Framework Mapping
* ISO
......@@ -44,6 +44,8 @@ Examples of evidence an auditor might request to satisfy this control:
* Copy of the GitLab third-party change management workflow
* Sample of issues or other documentation showing the third-party change management workflow is followed
### Policy Reference
## Framework Mapping
* ISO
......@@ -31,6 +31,8 @@ TBD
Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Terms of Service control issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/793).
### Policy Reference
## Framework Mapping
* SOC2 CC
......@@ -38,6 +38,8 @@ Examples of evidence an auditor might request to satisfy this control:
* Reference to production architecture in the handbook
* Resource export from Google Cloud showing implementation of production architecture practices and state of encryption for SSDs, HDDs, and Postgres.
### Policy Reference
## Framework Mapping
* ISO
......@@ -44,6 +44,8 @@ Examples of evidence an auditor might request to satisfy this control:
* Certificate(s) or log(s) of disposal
* Records indicating media is disposed of when appropriate
### Policy Reference
## Framework Mapping
* ISO
......@@ -37,6 +37,8 @@ This control applies to any system or service where user accounts can be provisi
Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Logical Access De-Provisioning control issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/806).
### Policy Reference
## Framework Mapping
* ISO
......@@ -44,6 +44,8 @@ Non-public information relating to this security control as well as links to the
Examples of evidence an auditor might request to satisfy this control:
* Quarterly Access Reviews
### Policy Reference
## Framework Mapping
* ISO
......@@ -39,6 +39,8 @@ An exception to the policy to define the types of services approved for shared a
Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Shared Logical Accounts control issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/810).
### Policy Reference
## Framework Mapping
* SOC2 CC
......@@ -42,6 +42,8 @@ Examples of evidence an auditor might request to satisfy this control:
* List of systems and services where shared accounts are restricted
* User export of those systems and services
### Policy Reference
## Framework Mapping
* PCI
......@@ -38,6 +38,8 @@ An unique identifier (UID) is a numeric or alphanumeric string that is associate
## Additional control information and project tracking
Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Unique Identifiers control issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/812).
### Policy Reference
## Framework Mapping
* ISO
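Review bot: the hunk's context line `An unique identifier (UID) is a numeric or alphanumeric string` should read `A unique identifier`; unrelated to the added heading but worth correcting in the same file.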
......@@ -38,6 +38,8 @@ Examples of evidence an auditor might request to satisfy this control:
* Samples of service minimum password requirements, especially for Okta, which manages identify for many SaaS services used by GitLab
* Samples of service password change requirements and/or logs demonstrating passwords are changed on a quarterly basis
### Policy Reference
## Framework Mapping
* ISO
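Review bot: in the context line `especially for Okta, which manages identify for many SaaS services used by GitLab`, `identify` should be `identity`.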
......@@ -40,6 +40,8 @@ As the GitLab system supports the ability to restrict modification without the `
Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Source Code Security control issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/823).
### Policy Reference
## Framework Mapping
* ISO
......@@ -40,6 +40,8 @@ Identity access management systems should enforce SSH or MFA for connections to
Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Remote Connections control issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/823).
### Policy Reference
## Framework Mapping
* ISO
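Review bot: the `[Remote Connections control issue]` link in this hunk points at `compliance/issues/823`, the same issue number the Source Code Security page links to in the preceding hunk; one of the two looks like a copy-paste leftover and should be checked against the tracker before the policy reference is layered on top of it.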
......@@ -39,6 +39,8 @@ Examples of evidence an auditor might request to satisfy this control:
* Documentation or some form of record demonstrating access to a keystore or server containing the private key to a keystore is only provisioned to GitLabbers where there is a clear need for access
* A copy of Google Cloud users with access to production KMS, Data Bags, and servers storing private keys to either
### Policy Reference
## Framework Mapping
* ISO
......@@ -51,6 +51,8 @@ Examples of evidence an auditor might request to satisfy this control:
* Provide copies of the Incident Response pages, which are linked to and described below
* Provide sample reports and other outputs of the various functions listed below, such as Infrastructure and/or Security incident issues
### Policy Reference
## Framework Mapping
* ISO
......@@ -39,6 +39,8 @@ Security incidents should have a defined process and support the ability to be t
Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Incident response control issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/841).
### Policy Reference
## Framework Mapping
* ISO
......@@ -49,6 +49,8 @@ Examples of evidence an auditor might request to satisfy this control:
* Provide samples showing the plan is followed for Infrastructure incidents
* Provide samples showing the plan is followed for Security incidents
### Policy Reference
## Framework Mapping
* ISO
......@@ -43,6 +43,8 @@ Examples of evidence an auditor might request to satisfy this control:
* Handbook pages that provide external parties a contact method
* Link to the `gitlab-foss` issue tracker and samples of relevant issues reporting incidents
### Policy Reference
## Framework Mapping
* ISO
......@@ -44,6 +44,8 @@ Examples of evidence an auditor might request to satisfy this control:
* Provide samples showing the plan is followed for Infrastructure incidents
* Provide samples showing the plan is followed for Security incidents
### Policy Reference
## Framework Mapping
* PCI
......@@ -39,6 +39,8 @@ Control should be designed to ensure we don't default to "allow all" traffic and
Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Network Policy Enforcement Points control issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/847).
### Policy Reference
## Framework Mapping
* ISO
......@@ -39,6 +39,8 @@ Pre-production environments should be logically segregated from their production
Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Network Segmentation control issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/1013).
### Policy Reference
## Framework Mapping
* ISO
......@@ -43,6 +43,8 @@ The scope of the background check performed is at the discretion of the Company.
Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Background Checks control issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/860).
### Policy Reference
## Framework Mapping
* ISO
......@@ -39,6 +39,8 @@ A process to evaluate the performance of team-members.
Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Performance Management control issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/861).
### Policy Reference
## Framework Mapping
* SOC2 CC
......@@ -42,6 +42,8 @@ Examples of evidence an auditor might request to satisfy this control:
* A risk assessment log showing completed risk assessments, their dates, and planned risk assessments (e.g., the risk registry).
* Sample risk assessment issues.
### Policy Reference
## Framework Mapping
* SOC2 CC
......@@ -43,6 +43,8 @@ Examples of evidence an auditor might request to satisfy this control:
* An established cadence for such testing and the ability to show the cadence is followed
* A document, report, or other such documentation showing the testing of the design and operating effectiveness of internal controls
### Policy Reference
## Framework Mapping
* ISO
......@@ -40,6 +40,8 @@ Examples of evidence an auditor might request to satisfy this control:
* A copy of the Data Privacy Impact Assessment (DPIA) process, which prescribes the determination of a service risk rating
* Sample of completed service risk assessments
### Policy Reference
## Framework Mapping
* SOC2 CC
......@@ -44,6 +44,8 @@ Examples of evidence an auditor might request to satisfy this control:
* Remediation issues related to audits
* Meeting minutes from audit committee meetings
### Policy Reference
## Framework Mapping
* ISO
......@@ -41,6 +41,8 @@ Examples of evidence an auditor might request to satisfy this control:
* Copy of the risk registry.
* Sample risk remediation issues.
### Policy Reference
## Framework Mapping
* SOC2 CC
......@@ -35,6 +35,8 @@ The most common form of system documentation is network and data flow diagrams.
Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [System Documentation control issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/873).
### Policy Reference
## Framework Mapping
* SOC2 CC
......@@ -41,6 +41,8 @@ Create process to have policies and standards reviewed and updated on a recurrin
Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Policy and Standard Review control issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/875).
### Policy Reference
## Framework Mapping
* ISO
......@@ -31,6 +31,8 @@ GitLab's Director of Security
Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Information Security Program Content control issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/877).
### Policy Reference
## Framework Mapping
* ISO
......@@ -45,6 +45,8 @@ The scope is to ensure GitLab security team understand their roles & responsibil
Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Security Roles and Responsibilities control issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/885).
### Policy Reference
## Framework Mapping
* ISO
......@@ -44,6 +44,8 @@ Examples of evidence an auditor might request to satisfy this control:
* Sample releases and their respective reviews
* Sample pipeline artifacts and merge request reviews
### Policy Reference
## Framework Mapping
* ISO
......@@ -27,6 +27,8 @@ This control is not applicable to GitLab since there are no facilities and no co
Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Secured Facility control issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/890).
### Policy Reference
## Framework Mapping
* ISO
......@@ -35,6 +35,8 @@ This control is not applicable to GitLab's SaaS product since managed hosting is
Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Provisioning Physical Access control issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/892).
### Policy Reference
## Framework Mapping
* ISO
......@@ -27,6 +27,8 @@ This control is not applicable since GitLab has no datacenters or facilities.
Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [De-provisioning Physical Access control issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/893).
### Policy Reference
## Framework Mapping
* ISO
......@@ -27,6 +27,8 @@ This control is not applicable since GitLab has no facilities.
Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Periodic Review of Physical Access control issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/894).
### Policy Reference
## Framework Mapping
* ISO
......@@ -27,6 +27,8 @@ This control is not applicable since GitLab has no facilities.
Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Physical Access Role Permission Authorization control issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/895).
### Policy Reference
## Framework Mapping
* ISO
......@@ -53,6 +53,8 @@ Server configuration standards should have logging information enabled for each
Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Audit Logging control issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/904).
### Policy Reference
## Framework Mapping
* ISO
......@@ -51,6 +51,8 @@ Audit log repositories should be secure (hardening best practices) and include t
Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Audit Logging control issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/905).
### Policy Reference
## Framework Mapping
* PCI
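Review bot: this file links to an `[Audit Logging control issue]` at `compliance/issues/905`, while the preceding hunk links to an issue with the identical name at `compliance/issues/904`; if these are two distinct controls the link text should distinguish them, otherwise one of the numbers is wrong.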
......@@ -44,6 +44,8 @@ Examples of evidence an auditor might request to satisfy this control:
* Handbook entry for the log reconciliation process
* Sample of remediation issues or other documentation showing remediation of devices not forwarding logs
### Policy Reference
## Framework Mapping
* ISO
......@@ -43,6 +43,8 @@ Examples of evidence an auditor might request to satisfy this control:
* Documentation showing security alerts are made to authorized GitLabbers
* A list of authorized GitLabbers/teams to receive the alerts
### Policy Reference
## Framework Mapping
* ISO
......@@ -45,6 +45,8 @@ Examples of evidence an auditor might request to satisfy this control:
* Evidence that when alerts are trigged based on predefined security criteria, the alerts are sent to the Security team.
* Samples of issues tracking alerted security incidents through completion.
### Policy Reference
## Framework Mapping
* ISO
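Review bot: in the context line `Evidence that when alerts are trigged based on predefined security criteria`, `trigged` should be `triggered`.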