Commit f1dda426 authored by Robert Mitchell

Update Field Security Questionnaire process and qualification.

parent 9431a399
Pipeline #118090431 passed with stages in 60 minutes and 25 seconds
......@@ -1298,6 +1298,17 @@ Some customers, to keep up with regulations that impact their business, need to
### Process
GitLab believes in Transparency so we publish the majority of our processes and policies online within our Handbook. One of the reasons that we do this so that customers can serve themselves to get access to the information they need to properly assess how we manage risk and align with security postures of our customers.
We recommend that customers and prospects review our [GitLab Security Compliance Controls](https://about.gitlab.com/handbook/engineering/security/sec-controls.html) handbook page and our [Security Trust Center](https://about.gitlab.com/security/) before submitting a questionnaire to Field Security, and that our Sales and Solutions Architects refer customers and prospects to these as an initial step.
Even with this, we frequently receive requests to fill out security questionnaires from customers and prospects. In order to be efficient and provide the highest level of service possible for our customers and prospects, we require that questionnaires that need a tailored response meet certain thresholds:
- ACV for opportunity is greater than $5000.00
- Has been prioritized through Sales leadership with clear justification
For customers where they do not meet the criteria above, we can provide them with a completed SIG and CAIQ Questionnaire, and refer them to the [GitLab Security Compliance Controls](https://about.gitlab.com/handbook/engineering/security/sec-controls.html) handbook page so that they can self-serve.
An overview of the process for responding to customer requests is:
```mermaid
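Review bot: the two bullets under "we require that questionnaires that need a tailored response meet certain thresholds" do not say whether both conditions must hold or either one is enough; the next sentence ("For customers where they do not meet the criteria above") reads as if both are required, so suggest "meet both of the following thresholds" and, for the second bullet, stating where the Sales leadership justification is recorded (the confidential SA Triage issue in the detailed steps is the obvious place) so the prioritisation decision is auditable. Two smaller points in the same hunk: "One of the reasons that we do this so that customers can serve themselves" is missing "is" ("do this is so that"), and "$5000.00" reads more cleanly as "$5,000".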
......@@ -1308,13 +1319,13 @@ graph TD;
The detailed process for responding to customer requests is:
1. Refer a customer to our public statements on security [here](/security/)
1. Refer a customer to our public statements on security [here](/security/) and [here](https://about.gitlab.com/handbook/engineering/security/sec-controls.html)
1. If a customer still has questions that need to be discussed, you can [engage a Solutions Architect](/handbook/customer-success/solutions-architects/#engaging-a-solutions-architect) in that discussion.
1. If the customer still needs a specific questionnaire filled out or requests a copy of GitLab's penetration test report without a questionnaire, create a confidential issue on the appropriate [SA Triage board](https://gitlab.com/gitlab-com/customer-success/sa-triage-boards/) **using the Vendor Security Assessment template** with the label `Security Audit` and for the completion of that document
1. The SA team will take the first pass at the questionnaire using /security/ and [this folder](https://drive.google.com/drive/folders/0B6GNv2pwhtCxWVJWdEZCTUEwbXc) as a reference.
1. Once the SA team has completed what they can, the questionnaire will go to the security team for additional answers.
1. We always want to respond immediately to customer questions, but when everything is urgent then nothing is. In order to maintain the ability to respond to truly urgent requests the security team requests ten (10) business days to complete their review. In many cases we can turn these around more quickly so every effort will be made to meet requested deadline.
1. Once the questionnaire is complete, it will need to be approved by the [Director of Security](/job-families/engineering/security-management/) for release to the customer.
1. We always want to respond immediately to customer questions, but when everything is urgent then nothing is. In order to maintain the ability to respond to truly urgent requests the security team requests ten (10) business days to complete the review, from the time it is labelled for Field Security review. In many cases we can turn these around more quickly so every effort will be made to meet requested deadline.
1. Once the questionnaire is complete, it will be peer reviewed and approved for release to the customer.
1. File the completed questionnaire in the example folder for future reference.
## Vulnerability Management
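Review bot: the new ten-business-day clock starts "from the time it is labelled for Field Security review", but the only label the procedure names is `Security Audit`, which is applied when the confidential issue is first created, before the SA team's first pass; state which label starts the clock, or whether the SA team applies a separate label when handing the questionnaire to the security team, otherwise the SLA start is ambiguous. Second, replacing the Director of Security approval with "it will be peer reviewed and approved for release to the customer" removes the named approver; name the role that performs the peer review and the role accountable for release approval, since this document is a customer-facing statement of GitLab's security controls and should have an identifiable sign-off. Minor: the first step now reads "[here](/security/) and [here](...)", and descriptive link text such as "Security Trust Center" and "Security Compliance Controls" (the names the new Process section uses) would be clearer; "meet requested deadline" wants "the"; and the unchanged step that creates the issue still ends in "and for the completion of that document", which is a dangling fragment.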