
Consolidate Compliance Frameworks & Compliance Controls

Category Updates for Manage:Compliance

Manage:Compliance has been constantly evaluating the current strategy and direction for FY21 and beyond. Through many customer conversations (internal and external) and work to plot the course for existing categories, it has become clear that the Compliance Frameworks and Compliance Controls categories are too interwoven to provide meaningful value as separate categories.

Current Categories for Manage:Compliance

  • Audit Events
  • Audit Reports
  • Compliance Controls
  • Compliance Frameworks

Proposed Categories in this MR:

  • Audit Events
  • Audit Reports
  • Compliance Management

Why is this change being made?

Over the last several weeks, customer conversations and thinking on the problem space for Compliance highlighted the overlap between the Compliance Frameworks and Compliance Controls categories. This MR consolidates these categories for a clearer, unified vision for groupcompliance.

Compliance Frameworks was attempting to quantify how specific legal and regulatory frameworks (SOX, GDPR, SOC2, HIPAA, NIST, FedRAMP, GLBA, etc.) could manifest within GitLab and provide a framework-specific launch point for groups and projects. The idea was that a GitLab customer could specify that their environment should comply with SOX, for example, and that would result in settings being modified, reporting, and applying certain policies to be compliant with SOX.

The execution of this category was, in essence, the concept behind the Compliance Controls category, which made for redundancy between the two categories.

Additionally, pages exist for the following:

These pages meet the spirit of the Compliance Frameworks category, which sought to connect or map GitLab features to specific compliance requirements. Because these pages already exist, it may make more sense to focus our attention on improving those and implementing features that perform the actual GitLab application mapping, which we can then report on.

Compliance Controls and Compliance Frameworks are renamed to Compliance Management in this proposed MR. I think this makes sense for now. Our intent is to support customers in managing their GitLab compliance by introducing settings and features that help translate their internal organizational policies (based on legal or regulatory frameworks) to the GitLab application.

Future Iteration

I believe Compliance Management makes sense for now and future categories could evolve from here. For example:

  • Compliance Management (today)
    • HIPAA Compliance Management
    • SOX Compliance Management
    • SOC2 Compliance Management

As is true with compliance frameworks in general, there are industry-specific variations. That likely remains true for GitLab as well. Healthcare organizations will have some unique compliance challenges within GitLab that may not exist for financial organizations. This category breakdown would also allow for a much clearer narrative and product experience unique to each organization's industry. Reporting, policies, controls, and the overall experience can be the primary focus of each of these potential future categories.

To Do

  • Reach consensus on the category name. Currently: Compliance Management
  • Rename and/or remove: folders, index.html.md files
  • Update epics within GitLab and the reference links within this category page

Approval

The impact of changes to stages and groups is felt across the company. Merge requests with changes to stages and groups and significant changes to categories need to be created, approved, and/or merged by each of the below:

The following people need to be on the merge request so they stay informed:

  • VP of Engineering (@edjdev)
  • Senior Director of Development (@clefelhocz1)
  • Director of Quality (@meks)
  • The Product Marketing Manager relevant to the stage group(s) (@cfoster3)
Edited by Sid Sijbrandij
