Home
Contribute Contact Us Browse all meetings
Home Contribute Contact Us Browse all meetings
GitLab / Compliance Group - Meetings / 14 May 2020
GitLab / Compliance Group - Meetings / 14 May 2020
Previous Meeting Next Meeting
Add meeting Rate page Subscribe
youtube image
From YouTube: Compliance Vision

Description

A rough cut to work from.

A

Oh you hi everyone, I'm Matt, Gonzalez I'm, the senior p.m. here at give lab for the compliance group. I wanted to talk today about the vision I have for the compliance group, because many of our customers, especially our enterprise customers, rely on gitlab to make their lives easier beyond just DevOps the non developers who use or interact with gitlab, specifically, the auditor compliance professionals, need to know that galeb has all of the necessary features and functionality to support their compliance programs. The way we approach compliance is by recognizing what it means for our customers.

A

So where does it start organizations operate within regulated industries? Those regulations usually aim to protect someone or something like people or their personal information. These regulations define the rules. An organization must follow, so an organization will create policies and procedures to govern their operations in line with those regulations. These policies and procedures will dictate anything from office visitor sign-in protocol to how software changes are made to a production environment.

A

Our vision for the compliance group is to help customers achieve three things: translate their internal company policies to the gitlab application, and this workflows monitor the compliance status with our gitlab groups and projects easily and make audit reporting and evidence collection painless. In short, we want to take compliance as a historically complex and unfriendly thing and make it simple and friendly in the gitlab way. The compliance group consists of three categories right now to address these areas.

A

Compliance management focuses on building the features that enable it compliance professional to quickly find the information they need about any given group or project to measure against their internal compliance program. For example, does a regulated project have appropriate segregation of duties? Is that documented? Can that process be bypassed towards this end? We've released the compliance dashboard, which aims to save these professionals time and stress, rather than delving into every regulated group or project that needs to be monitored. We can surface important compliance insights to help them narrow their focus.

A

Does a specific project have a merger quest that was authored and approved by the same person? Did the project have a security scan recently? These and many more answers should be available, so the time required to manage compliances and gitlab is dramatically reduced, allowing our customers to focus on the most important value, adding activities on their plate.

A

We want this dashboard to be the single source of truth for compliance and get left, and it should empower customers to see their current compliance status, their progress towards specific compliance frameworks and provide the visuals and summaries that executive leadership needs to inform their decisions. Another category is audit events, which is critical because it should provide all of the traceability and auditability our customers need to meet their compliance requirements. Our customers should be able to answer questions about who took what action.

A

When on what resource, they should be able to pull samples of the same activity type or pull a holistic view from the last three weeks or 12 months. The audit events should enforce non-repudiation so that nobody can deny that they took some action. Are any events necessarily need to be granular, but also easy to search through easy to export as evidence, and they should help customers be proactive about anomalous activity?

A

We want to work towards an experience where unexpected behavior is known to group owners and administrators immediately and without them having to find out when it's too late and having to search for the events themselves. Our last category right now is audit reports, which is a big opportunity. In all audits, evidence is requested to prove your organization as following the policies and procedures. It says it's following finding and collecting evidence compiling it into appropriate format and delivering that evidence to an auditor can be a very time-consuming process.

A

Guilhem is well-positioned to do all of the heavy lifting here, so our customers can obtain the reports or evidence they need to provide to auditors or management. It shouldn't take countless hours and custom tooling to build these reports. That should be a single button within gitlab, and the output should be immediately deliverable to the appropriate stakeholders will be focused on bringing audit events to minimal maturity in q2 this year.

A

With the addition of an audit event, CSV export and an MVC for exporting user group and project membership information, we know that organizations have strict standards to meet and that many of them wish to maintain a level of flexibility for their developers. Also. This is a challenging balance to strike, but we should endeavor to provide customers with the necessary controls. They need to find comfort and knowing gitlab will make their compliance programs or audits easier and not add to the already complex and this an expensive scope of work.

A

I believe we can do this while still providing developers with a great experience thanks for listening.