
Update Tech Stack to include Abnormal Security

Eric Geving requested to merge EricGeving-master-patch-41831 into master

Tech Stack - New system

Requestor to complete

Please don't merge this update before the Business Systems Analysts have reviewed and approved. Please make sure to complete the privacy review issue as soon as possible as we won't be able to merge until that is completed.

Please answer the questions below:

  1. Is this system replacing an existing system in our tech stack?

  2. Please link in the comments, or to this MR, a completed and approved Vendor Contract Issue or Procurement Requisition.

  3. Has a Privacy Review been completed?

  4. We deprovision access to all systems in our tech stack when a person leaves GitLab. Can you please indicate whether:

    • All GitLab team members need to be offboarded from this system
      • If this is the case, please create an MR to update the offboarding template and add the system under the correct department and person. Find instructions in the Tech Stack handbook page. Add the MR to the comments.
    • Only certain team members need to be offboarded from this system (if the team members are scattered across too many departments or the system you are responsible for contains red data, please go with option 1)

  5. Please create an issue to add the provisioners of the tool to the provisioners group. Link the issue to the comments of this MR.

  6. Does data from this system need to be integrated into the Enterprise Data Warehouse for reporting and analytics? Please answer with Yes or No. Add your answer here

    • If the answer is yes: Create a 'New Data Source' issue in the Data Project. Keep in mind that new data sources are not free and the cost should be included in the total cost of the project. The cost of an automated data pipeline connector is usually around 5-10k depending on complexity. If there is no budget OR no existing connector, the data will require custom development. For custom development, please create an issue and discuss possible options with the data team.

Examples for why you would need data integrated into the EDW:

  • the data will be used as part of a new Key Performance Indicator or Performance Indicator
  • the data needs to be part of lead-to-cash analysis
  • the data needs to be joined with Marketo, Salesforce, or NetSuite data for cross-system analysis

Personal Data Requests

If the 'Add to Personal Data Request template?' box is marked as Yes on the Privacy Review issue, your tool will need to be added to our issue templates for Personal Data Requests.

  1. Data access requests: Add system to the list of applications in the Personal Data Access Request issue template by opening an MR. Once completed, please paste the link in the comments of this MR.
  2. Data Deletion: Add system to the list of applications in the Account Deletion Request issue template by opening an MR. Once completed, please paste the link in the comments of this MR.

Security Risk to complete

  • If this MR was triggered by a Security Risk Engineer as part of the TPRM process, assign yourself (the Security Risk Engineer who created this MR) and unassign @kylesmith2
  • Create New BIA & Tech Stack Add Issue and Link Here
  • Determine if a BIA has been completed for this system
    • No: Coordinate BIA completion with assigned technical system owner. After launching BIA update tag to BIASent
      • Validate data_classification and update critical_systems_tier attributes based on BIA response data

Business Technology to complete

To dos before merging (@marc_disabatino)

  • Ensure privacy review has been linked
  • Ensure all questions above have been answered and all action items have been completed

/cc @gitlab-com/internal-audit @disla @gitlab-com/gl-security/security-assurance/security-risk-team

Edited by Nirmal Devarajan
