Skip to content

DRAFT: Remove critical system tier requirement to scope GCF control requirements

Liz Coleman requested to merge lcoleman_remove_critical_system_tier into master

Why is this change being made?

The scope for system audits on the Security Compliance audit schedule has historically been based on the critical system tier of the system. The critical system tier had a baseline set of identified controls that are then tested for each system. However, not all systems require the same subset of controls to be tested each quarter. Systems that have existed on the audit schedule through at a minimum of two quarters often have controls that are not applicable to that system yet are required to be "tested" as part of the tiering structure.

This change would remove the system tiering requirement and subsequent required set of GCF controls.

The following adjustments would be made:

  1. If the system is net new (ie. new to GitLab, has never been tested on the Security Compliance audit schedule) and high risk: The critical system tier would be reviewed and a baseline set of controls for that tier would be evaluated
  2. If the system has had previous testing performed within that fiscal year and high risk: The set of GCF controls tested would be limited to high risk controls and/or controls that had findings (observations) identified
    • controls that were determined to be not applicable, or low risk would move to an annual cadence
  3. If the system is net new (ie. new to GitLab, has never been tested on the Security Compliance audit schedule) and low risk: The critical system tier would be reviewed and a baseline set of controls for that tier would be evaluated by the system/business owner through a self assessment (process to be determined)
  4. If the system has had previous testing performed within that fiscal year and low risk: The GCF controls tested would be based on critical system tier and reviewed on a 2 year cadence

Author Checklist

  • Provided a concise title for this Merge Request (MR)
  • Added a description to this MR explaining the reasons for the proposed change, per say why, not just what
    • Copy/paste the Slack conversation to document it for later, or upload screenshots. Verify that no confidential data is added, and the content is SAFE
  • Assign reviewers for this MR to the correct Directly Responsible Individual/s (DRI)
    • If the DRI for the page/s being updated isn’t immediately clear, then assign it to one of the people listed in the Maintained by section on the page being edited
    • If your manager does not have merge rights, please ask someone to merge it AFTER it has been approved by your manager in #mr-buddies
    • The when to get approval handbook section explains the workflow in more detail
  • If the changes affect team members, or warrant an announcement in another way, please consider posting an update in #whats-happening-at-gitlab linking to this MR
    • If this is a change that directly impacts the majority of global team members, it should be a candidate for #company-fyi. Please work with internal communications and check the handbook for examples.

Merge request reports