Enable "Compliance Framework" selection at group level
Problem to solve
Compliance-minded organizations have internal policies that mandate all systems and resources follow certain rules. These company policies govern how the organization operates and are tied directly to compliance frameworks (internal and/or external). These organizations do not currently have the necessary controls within GitLab to meet or manage their compliance program requirements.
Intended users
- Delaney (Development Team Lead)
- Sam (Security Analyst)
- Dana (Data Analyst)
- All management stakeholders who adhere to any auditing process. For example, in a financial institution: the Security, Quality and Development department heads.
Further details
Organizations can be, and normally are, subject to multiple compliance frameworks. One of the biggest challenges for this type of feature is providing an experience where selecting one or multiple frameworks translates into feasible, unified default settings or environment policies.
GitLab's internal security compliance team has already built out the GitLab Control Framework (GCF), which seeks to unify multiple compliance frameworks into a single source of truth.
The GCF may provide a solid foundation for building and setting compliance-aligned defaults, though organizations may still wish to apply specific frameworks to specific groups or projects.
Proposal
Allow customers to specify what compliance framework(s) they need to apply to their GitLab environment (e.g. SOC 2, PCI-DSS, GDPR, COBIT, FISMA, etc.). The selection(s) should create default policies within the environment that govern project-level activity. These policies should provide flexibility through customization to meet each customer's nuanced needs.
Customers should be able to view a dashboard and generate reports about the compliance status of their environment based on these generated policies.
TODO: define what the first iteration/MVC looks like
Permissions and Security
This should be limited to administrators or group owners.