Matt Gonzales Handover (Exiting GitLab)

Summary

This issue is intended to communicate as much detail as possible about the Compliance group's roadmap, priorities, how we work, and any other topics to help @stkerr as the interim PM and the future PM who will be backfilling my role.

Categories

  • Compliance Management
    • Overview: This category focuses on the features and experiences that enable customers to define or enforce their compliance controls.
    • Example: "When I need to enforce merge request approval rules for my compliance program, I want to define them at the group-level, so that I don't have to configure them for each individual project to know those projects are compliant."
    • Strategy Epic: gitlab-org&720
  • Audit Events
    • Overview: An organization's compliance program relies heavily on the auditability and traceability of user actions (non-repudiation), and the Audit Events view should provide this visibility.
    • Example: "When I'm trying to determine who modified merge request approvals in a regulated project, I want to search through my namespace's audit events, so that I can easily collect evidence of an action."
    • Strategy Epic: gitlab-org&1985
  • Audit Reports
    • Overview: Cameron regularly collects and analyzes data about their GitLab namespace for auditing purposes. It should be easy to find this data and generate reports to hand over to a third-party auditor or internal compliance stakeholder.
    • Example: "When an auditor asks to see a report of my GitLab namespaces' compliance posture, I want to generate a report with all of the key compliance data, so that I can hand over everything the auditor needs to expedite the review process."
    • Strategy Epic: gitlab-org&2301 (closed)

Priorities as of February 2021

These priorities are set to convey what I would have strived for in terms of completing or making meaningful progress across the major initiatives within groupcompliance.

priority1

priority2

priority3

Engineer areas of expertise

  • backend
    • @asubramanian1
      • CI compliance pipeline config/variables
      • JIRA issue linking
      • PAT and SSH
    • @mwoolf
      • Approval Gateway
      • Audit Events
      • Compliance Framework Labels
    • @tancnle
      • Audit Events
      • CSV exports
      • MR approval rules
  • frontend
    • @jiaan
      • Audit Events
      • Compliance Dashboard
      • Credentials Inventory
    • @rob.hunt
      • Compliance Framework Labels
      • MR approval rules
      • PAT and SSH

Relevant Customers

These customers have engaged with the Compliance group and provided positive feedback on our roadmap. Many are active and willing to engage further (all links are internal only).

Research and Insights

https://dovetailapp.com/projects/22783c6d-352d-4659-b243-fe5b90040e0b/readme

Edited by Tan Le