Navattic - Tech Stack - Add New System & System Onboarding

Tech Stack - Add New System & System Onboarding

Please do not merge before the Business Systems Analysts have reviewed and approved!

Questions? Ask in #tech-owners_tech-stack Slack channel.

Business/Technical System Owner or Delegate to Complete

General Tech Stack Entry Tasks

1. Rename this MR's title to [System Name] - Tech Stack - Add New System & System Onboarding
2. Requisition Link (if an externally-developed System):
3. Populate all data fields using the Web IDE. More instructions are here.
4. Is this New System replacing an existing System in the Tech Stack?
   • Yes - Delete the existing System's entry from the Tech Stack in this MR using the Web IDE. Next, create a Tech Stack Offboarding Issue. Offboarding Issue Link:
   • No

Access Tasks

1. Create an Issue to add the Provisioner(s) of the New System to the appropriate Google/Slack/GitLab groups. Note: If the Provisioner(s) of this System is already part of the Provisioner groups, skip this step. Please replace the link placeholder below with N/A - Already in Provisioner groups.
   • Issue Link:
2. Add the New System to one of two Offboarding templates below. More instructions are here.
   • Option 1 - Main Team Member Offboarding template
     • MR Link:
   • Option 2 - Department-level Offboarding template folder
     • MR Link:

System Onboarding Checklist

Each checklist item below should be addressed before this MR can be merged. Reach out to Security Risk in the #tech-owners_tech-stack Slack channel for help.

1. The New System is configured for Okta Single Sign On.
   • Yes - Okta SSO Issue link:
   • N/A
     • Rationale (Populate):
2. Encryption of data in-transit and data at-rest are enabled for the New System.
3. GitLab's implementation of the New System has audit logging enabled and documented.
4. All SOC 2 CUECs have been reviewed and implemented (as applicable). Note: Security Risk will address this item.
   • Yes - Link to Comment in TPRM Assessment Report Issue indicating confirmation from Business Team:
   • N/A
     • Rationale (Populate):
5. Please review the following items:
   • Security Compliance 'General Controls Checklist'. Read this Issue to gain an understanding of the types of controls that are required if this New System was to be "in-scope" for one of GitLab's external certifications (e.g. SOC, SOX, ISO).
   • Current list of systems "in-scope", for reference.
     • I confirm review of both items.

Privacy Team to Complete

If the New System contains Personal Data, has a Privacy Review been completed?:

• If System contains Orange (internal only) / RED Personal Data:
  • Yes - Link a completed Privacy Review Issue, Coupa approval, or Zip approval.
  • No - Complete Privacy Review Issue
• If System contains Yellow Personal Data (GitLab Team Member Names/Emails):
  • Yes - a Data Processing Agreement (DPA) was executed between GitLab and the Vendor.
  • No - a DPA is not in place. Privacy Team will be in contact about completing a DPA, which is required for this Tech Stack Addition.
• If System contains only Green Data or contains no Personal Data, a Privacy Review is not required.

Security Risk Team to Complete

1. Check this box to indicate approval of the New System's Critical System Tier.
2. Answer Question 4. in 'System Onboarding Checklist' section above.
3. Was a Technical Security Validation launched in response to the TPRM Assessment?
   • Yes - Link the TSV here and confirm all steps within the Observation Management section of the TSV have been completed, including acknowledgment of TSV findings by the Business Owner if findings were noted.
   • No - No further action needed.

Business Technology Team to Complete

• To-do before merging -- (@marc_disabatino) is to ensure all sections/action items are completed.

/cc @gitlab-com/internal-audit @disla