Add Policy Reference section

source/handbook/engineering/security/guidance/AM.1.01_inventory_management.html.md

@@ -36,6 +36,8 @@ The scope of this control is broad by design. Asset inventories are the source o
 
 Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Inventory Management control issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/761).
 
+### Policy Reference
+
 ## Framework Mapping
 
 * ISO

source/handbook/engineering/security/guidance/BC.1.01_business_continuity_plan.html.md

@@ -54,6 +54,7 @@ Based on the above, GitLab business continuity plan will have team and departmen
 ## Additional control information and project tracking
 Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Business Continuity Plan issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/774) . 
  
+### Policy Reference
  
 ## Framework Mapping
 * ISO

source/handbook/engineering/security/guidance/BC.1.03_continuity_testing.html.md

@@ -48,6 +48,8 @@ All parts of the business continuity plan should be tested. All teams and servic
 
 Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Continuity Testing control issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/776).
 
+### Policy Reference
+
 ## Framework Mapping
 
 * ISO

source/handbook/engineering/security/guidance/BC.1.04_business_impact_analysis.html.md

@@ -41,6 +41,8 @@ This control is a subset of the Business Continuity control. Business Impact Ana
 ## Additional control information and project tracking
 Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Business Impact Analysis control issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/777).
 
+### Policy Reference
+
 ## Framework Mapping
 * ISO
   * A.17.1.1

source/handbook/engineering/security/guidance/BU.1.01_backup_configuration.html.md

@@ -55,6 +55,8 @@ Backup configuration Documentation should include:
 
 Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Backup Configuration control issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/778).
 
+### Policy Reference
+
 ## Framework Mapping
 
 * ISO

source/handbook/engineering/security/guidance/BU.1.02_resilience_testing.html.md

@@ -51,6 +51,8 @@ Examples of evidence an auditor might request to satisfy this control:
 * A copy of GitLab's backup, disaster recovery, and incident response processes
 * Documentation showing the testing of backup and disaster recovery procedure happens, at minimum, on a quarterly basis
 
+### Policy Reference
+
 ## Framework Mapping
 
 * ISO

source/handbook/engineering/security/guidance/CFG.1.01_baseline_configuration_standard.html.md

@@ -44,6 +44,8 @@ Examples of evidence an auditor might request to satisfy this control:
 * Configuration standards, guides, Chef cookbooks, and Terraform configs.
 * Documentations showing the configuration standards are consistently applied.
 
+### Policy Reference
+
 ## Framework Mapping
 
 * ISO

source/handbook/engineering/security/guidance/CFG.1.03_configuration_checks.html.md

@@ -43,6 +43,8 @@ Examples of evidence an auditor might request to satisfy this control:
 * Examples of issues where deviations from outside of Terraform are reported by team members as they're discovered
 * Examples of issues where application deployments fail or are found to deviate from baseline configurations
 
+### Policy Reference
+
 ## Framework Mapping
 
 * ISO

source/handbook/engineering/security/guidance/CFG.1.04_configuration_check_reconciliation.html.md

@@ -44,6 +44,8 @@ Examples of evidence an auditor might request to satisfy this control:
 * Handbook entry for the log reconciliation process
 * Sample of remediation issues or other documentation showing remediation of devices not forwarding security configurations
 
+### Policy Reference
+
 ## Framework Mapping
 
 * SOC2

source/handbook/engineering/security/guidance/CFG.1.07_default_device_passwords.html.md

@@ -43,6 +43,8 @@ Examples of evidence an auditor might request to satisfy this control:
 * Sample or documentation of the new user account creation process for critical accounts and systems showing no default password can be used and users must set a strong and unique password
 * Non-confidential samples of Terraform and Chef configs showing default passwords aren't used for GitLab.com infrastructure
 
+### Policy Reference
+
 ## Framework Mapping
 
 * PCI

source/handbook/engineering/security/guidance/CM.1.01_change_management_workflow.html.md

@@ -39,6 +39,8 @@ Examples of evidence an auditor might request to satisfy this control:
 * Copy of the GitLab change management workflow
 * Sample of issues or other documentation showing the change management workflow is followed
 
+### Policy Reference
+
 ## Framework Mapping
 
 * ISO

source/handbook/engineering/security/guidance/CM.1.02_change_approval.html.md

@@ -44,6 +44,8 @@ Examples of evidence an auditor might request to satisfy this control:
 * Sample infrastructure Change Plans and related reviews/discussions
 * Sample Merge Request reviews and approvals
 
+### Policy Reference
+
 ## Framework Mapping
 
 * ISO

source/handbook/engineering/security/guidance/CM.2.01_segregation_of_duties.html.md

@@ -41,6 +41,8 @@ Examples of evidence an auditor might request to satisfy this control:
 
 * Evidence that PostgreSQL database access above data reader is limited to [Database Reliability Engineers](/job-families/engineering/database-reliability-engineer/)
 
+### Policy Reference
+
 ## Framework Mapping
 
 * ISO

source/handbook/engineering/security/guidance/CM.3.01_third_party_change_management_workflow.html.md

@@ -44,6 +44,8 @@ Examples of evidence an auditor might request to satisfy this control:
 * Copy of the GitLab third-party change management workflow
 * Sample of issues or other documentation showing the third-party change management workflow is followed
 
+### Policy Reference
+
 ## Framework Mapping
 
 * ISO

source/handbook/engineering/security/guidance/DM.2.01_terms_of_service.html.md

@@ -31,6 +31,8 @@ TBD
 
 Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Terms of Service control issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/793).
 
+### Policy Reference
+
 ## Framework Mapping
 
 * SOC2 CC

source/handbook/engineering/security/guidance/DM.4.02_encryption_of_data_at_rest.html.md

@@ -38,6 +38,8 @@ Examples of evidence an auditor might request to satisfy this control:
 * Reference to production architecture in the handbook
 * Resource export from Google Cloud showing implementation of production architecture practices and state of encryption for SSDs, HDDs, and Postgres.
 
+### Policy Reference
+
 ## Framework Mapping
 
 * ISO

source/handbook/engineering/security/guidance/DM.7.01_secure_disposal_of_media.html.md

@@ -44,6 +44,8 @@ Examples of evidence an auditor might request to satisfy this control:
 * Certificate(s) or log(s) of disposal
 * Records indicating media is disposed of when appropriate
 
+### Policy Reference
+
 ## Framework Mapping
 
 * ISO

source/handbook/engineering/security/guidance/IAM.1.02_logical_access_deprovisioning.html.md

@@ -37,6 +37,8 @@ This control applies to any system or service where user accounts can be provisi
 
 Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Logical Access De-Provisioning control issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/806).
 
+### Policy Reference
+
 ## Framework Mapping
 
 * ISO

source/handbook/engineering/security/guidance/IAM.1.04_logical_access_review.html.md

@@ -44,6 +44,8 @@ Non-public information relating to this security control as well as links to the
 Examples of evidence an auditor might request to satisfy this control:
 * Quarterly Access Reviews
 
+### Policy Reference
+
 ## Framework Mapping
 
 * ISO

source/handbook/engineering/security/guidance/IAM.1.06_shared_logical_accounts.html.md

@@ -39,6 +39,8 @@ An exception to the policy to define the types of services approved for shared a
 
 Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Shared Logical Accounts control issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/810).
 
+### Policy Reference
+
 ## Framework Mapping
 
 * SOC2 CC

source/handbook/engineering/security/guidance/IAM.1.07_shared_account_restrictions.html.md

@@ -42,6 +42,8 @@ Examples of evidence an auditor might request to satisfy this control:
 * List of systems and services where shared accounts are restricted
 * User export of those systems and services
 
+### Policy Reference
+
 ## Framework Mapping
 
 * PCI

source/handbook/engineering/security/guidance/IAM.2.01_unique_identifiers.html.md

@@ -38,6 +38,8 @@ An unique identifier (UID) is a numeric or alphanumeric string that is associate
 ## Additional control information and project tracking
 Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Unique Identifiers control issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/812).
 
+### Policy Reference
+
 ## Framework Mapping
 
 * ISO

source/handbook/engineering/security/guidance/IAM.2.02_password_authentication.html.md

@@ -38,6 +38,8 @@ Examples of evidence an auditor might request to satisfy this control:
 * Samples of service minimum password requirements, especially for Okta, which manages identify for many SaaS services used by GitLab
 * Samples of service password change requirements and/or logs demonstrating passwords are changed on a quarterly basis
 
+### Policy Reference
+
 ## Framework Mapping
 
 * ISO

source/handbook/engineering/security/guidance/IAM.3.02_source_code_security.html.md

@@ -40,6 +40,8 @@ As the GitLab system supports the ability to restrict modification without the `
 
 Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Source Code Security control issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/823).
 
+### Policy Reference
+
 ## Framework Mapping
 
 * ISO

source/handbook/engineering/security/guidance/IAM.4.01_remote_connections.html.md

@@ -40,6 +40,8 @@ Identity access management systems should enforce SSH or MFA for connections to
 
 Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Remote Connections control issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/823).
 
+### Policy Reference
+
 ## Framework Mapping
 
 * ISO

source/handbook/engineering/security/guidance/IAM.6.01_key_repository_access.html.md

@@ -39,6 +39,8 @@ Examples of evidence an auditor might request to satisfy this control:
 * Documentation or some form of record demonstrating access to a keystore or server containing the private key to a keystore is only provisioned to GitLabbers where there is a clear need for access
 * A copy of Google Cloud users with access to production KMS, Data Bags, and servers storing private keys to either
 
+### Policy Reference
+
 ## Framework Mapping
 
 * ISO

source/handbook/engineering/security/guidance/IR.1.01_incident_response_plan.html.md

@@ -51,6 +51,8 @@ Examples of evidence an auditor might request to satisfy this control:
 * Provide copies of the Incident Response pages, which are linked to and described below
 * Provide sample reports and other outputs of the various functions listed below, such as Infrastructure and/or Security incident issues
 
+### Policy Reference
+
 ## Framework Mapping
 
 * ISO

source/handbook/engineering/security/guidance/IR.1.03_incident_response.html.md

@@ -39,6 +39,8 @@ Security incidents should have a defined process and support the ability to be t
 
 Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Incident response control issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/841).
 
+### Policy Reference
+
 ## Framework Mapping
 
 * ISO

source/handbook/engineering/security/guidance/IR.2.01_external_communication_of_incidents.html.md

@@ -49,6 +49,8 @@ Examples of evidence an auditor might request to satisfy this control:
 * Provide samples showing the plan is followed for Infrastructure incidents
 * Provide samples showing the plan is followed for Security incidents
 
+### Policy Reference
+
 ## Framework Mapping
 
 * ISO

source/handbook/engineering/security/guidance/IR.2.02_incident_reporting_contact_information.html.md

@@ -43,6 +43,8 @@ Examples of evidence an auditor might request to satisfy this control:
 * Handbook pages that provide external parties a contact method
 * Link to the `gitlab-foss` issue tracker and samples of relevant issues reporting incidents
 
+### Policy Reference
+
 ## Framework Mapping
 
 * ISO

source/handbook/engineering/security/guidance/IR.2.03_incident_external_communication.html.md

@@ -44,6 +44,8 @@ Examples of evidence an auditor might request to satisfy this control:
 * Provide samples showing the plan is followed for Infrastructure incidents
 * Provide samples showing the plan is followed for Security incidents
 
+### Policy Reference
+
 ## Framework Mapping
 
 * PCI

source/handbook/engineering/security/guidance/NO.1.01_network_policy_enforcement_points.html.md

@@ -39,6 +39,8 @@ Control should be designed to ensure we don't default to "allow all" traffic and
 
 Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Network Policy Enforcement Points control issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/847).
 
+### Policy Reference
+
 ## Framework Mapping
 
 * ISO

source/handbook/engineering/security/guidance/NO.3.03_network_segmentation.html.md

@@ -39,6 +39,8 @@ Pre-production environments should be logically segregated from their production
 
 Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Network Segmentation control issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/1013).
 
+### Policy Reference
+
 ## Framework Mapping
 
 * ISO

source/handbook/engineering/security/guidance/PR.1.01_background_checks.html.md

@@ -43,6 +43,8 @@ The scope of the background check performed is at the discretion of the Company.
 
 Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Background Checks control issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/860).
 
+### Policy Reference
+
 ## Framework Mapping
 
 * ISO

source/handbook/engineering/security/guidance/PR.1.02_performance_management.html.md

@@ -39,6 +39,8 @@ A process to evaluate the performance of team-members.
 
 Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Performance Management control issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/861).
 
+### Policy Reference
+
 ## Framework Mapping
 
 * SOC2 CC

source/handbook/engineering/security/guidance/RM.1.01_risk_assessment.html.md

@@ -42,6 +42,8 @@ Examples of evidence an auditor might request to satisfy this control:
 * A risk assessment log showing completed risk assessments, their dates, and planned risk assessments (e.g., the risk registry).
 * Sample risk assessment issues.
 
+### Policy Reference
+
 ## Framework Mapping
 
 * SOC2 CC

source/handbook/engineering/security/guidance/RM.1.02_continuous_monitoring.html.md

@@ -43,6 +43,8 @@ Examples of evidence an auditor might request to satisfy this control:
 * An established cadence for such testing and the ability to show the cadence is followed
 * A document, report, or other such documentation showing the testing of the design and operating effectiveness of internal controls
 
+### Policy Reference
+
 ## Framework Mapping
 
 * ISO

source/handbook/engineering/security/guidance/RM.1.04_service_risk_rating_assignment.html.md

@@ -40,6 +40,8 @@ Examples of evidence an auditor might request to satisfy this control:
 * A copy of the Data Privacy Impact Assessment (DPIA) process, which prescribes the determination of a service risk rating
 * Sample of completed service risk assessments
 
+### Policy Reference
+
 ## Framework Mapping
 
 * SOC2 CC

source/handbook/engineering/security/guidance/RM.2.01_internal_audits.html.md

@@ -44,6 +44,8 @@ Examples of evidence an auditor might request to satisfy this control:
 * Remediation issues related to audits
 * Meeting minutes from audit committee meetings
 
+### Policy Reference
+
 ## Framework Mapping
 
 * ISO

source/handbook/engineering/security/guidance/RM.3.01_remediation_tracking.html.md

@@ -41,6 +41,8 @@ Examples of evidence an auditor might request to satisfy this control:
 * Copy of the risk registry.
 * Sample risk remediation issues.
 
+### Policy Reference
+
 ## Framework Mapping
 
 * SOC2 CC

source/handbook/engineering/security/guidance/SDM.1.01_system_documentation.html.md

@@ -35,6 +35,8 @@ The most common form of system documentation is network and data flow diagrams.
 
 Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [System Documentation control issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/873).
 
+### Policy Reference
+
 ## Framework Mapping
 
 * SOC2 CC

source/handbook/engineering/security/guidance/SG.1.01_policy_and_standard_review.html.md

@@ -41,6 +41,8 @@ Create process to have policies and standards reviewed and updated on a recurrin
 
 Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Policy and Standard Review control issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/875).
 
+### Policy Reference
+
 ## Framework Mapping
 
 * ISO

source/handbook/engineering/security/guidance/SG.2.01_information_security_program_content.html.md

@@ -31,6 +31,8 @@ GitLab's Director of Security
 
 Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Information Security Program Content control issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/877).
 
+### Policy Reference
+
 ## Framework Mapping
 
 * ISO

source/handbook/engineering/security/guidance/SG.5.03_security_roles_and_responsibilities.html.md

@@ -45,6 +45,8 @@ The scope is to ensure GitLab security team understand their roles & responsibil
 
 Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Security Roles and Responsibilities control issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/885).
 
+### Policy Reference
+
 ## Framework Mapping
 
 * ISO

source/handbook/engineering/security/guidance/SLC.1.01_service_lifecycle_workflow.html.md

@@ -44,6 +44,8 @@ Examples of evidence an auditor might request to satisfy this control:
 * Sample releases and their respective reviews
 * Sample pipeline artifacts and merge request reviews
 
+### Policy Reference
+
 ## Framework Mapping
 
 * ISO

source/handbook/engineering/security/guidance/SO.1.01_secured_facility.html.md

@@ -27,6 +27,8 @@ This control is not applicable to GitLab since there are no facilities and no co
 
 Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Secured Facility control issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/890).
 
+### Policy Reference
+
 ## Framework Mapping
 
 * ISO

source/handbook/engineering/security/guidance/SO.2.01_provisioning_physical_access.html.md

@@ -35,6 +35,8 @@ This control is not applicable to GitLab's SaaS product since managed hosting is
 
 Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Provisioning Physical Access control issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/892).
 
+### Policy Reference
+
 ## Framework Mapping
 
 * ISO

source/handbook/engineering/security/guidance/SO.2.02_de-provisioning_physical_access.html.md

@@ -27,6 +27,8 @@ This control is not applicable since GitLab has no datacenters or facilities.
 
 Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [De-provisioning Physical Access control issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/893).
 
+### Policy Reference
+
 ## Framework Mapping
 
 * ISO

source/handbook/engineering/security/guidance/SO.2.03_periodic_review_of_physical_access.html.md

@@ -27,6 +27,8 @@ This control is not applicable since GitLab has no facilities.
 
 Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Periodic Review of Physical Access control issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/894).
 
+### Policy Reference
+
 ## Framework Mapping
 
 * ISO

source/handbook/engineering/security/guidance/SO.2.04_physical_access_role_permission_authorization.html.md

@@ -27,6 +27,8 @@ This control is not applicable since GitLab has no facilities.
 
 Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Physical Access Role Permission Authorization control issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/895).
 
+### Policy Reference
+
 ## Framework Mapping
 
 * ISO

source/handbook/engineering/security/guidance/SYS.1.01_audit_logging.html.md

@@ -53,6 +53,8 @@ Server configuration standards should have logging information enabled for each
 
 Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Audit Logging control issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/904).
 
+### Policy Reference
+
 ## Framework Mapping
 
 * ISO

source/handbook/engineering/security/guidance/SYS.1.02_Secure_Audit_Logging.html.md

@@ -51,6 +51,8 @@ Audit log repositories should be secure (hardening best practices) and include t
 
 Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Audit Logging control issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/905).
 
+### Policy Reference
+
 ## Framework Mapping
 
 * PCI

source/handbook/engineering/security/guidance/SYS.1.06_log_reconciliation_cmdb.html.md

@@ -44,6 +44,8 @@ Examples of evidence an auditor might request to satisfy this control:
 * Handbook entry for the log reconciliation process
 * Sample of remediation issues or other documentation showing remediation of devices not forwarding logs
 
+### Policy Reference
+
 ## Framework Mapping
 
 * ISO

source/handbook/engineering/security/guidance/SYS.2.01_security_monitoring_alert_criteria.html.md

@@ -43,6 +43,8 @@ Examples of evidence an auditor might request to satisfy this control:
 * Documentation showing security alerts are made to authorized GitLabbers
 * A list of authorized GitLabbers/teams to receive the alerts
 
+### Policy Reference
+
 ## Framework Mapping
 
 * ISO

source/handbook/engineering/security/guidance/SYS.2.07_system_security_monitoring.html.md

@@ -45,6 +45,8 @@ Examples of evidence an auditor might request to satisfy this control:
 *  Evidence that when alerts are trigged based on predefined security criteria, the alerts are sent to the Security team.
 *  Samples of issues tracking alerted security incidents through completion.
 
+### Policy Reference
+
 ## Framework Mapping
 
 * ISO