From YouTube: Compliance
Description
Saumya with Product Marketing presents on trust & security, our SOC 2 Type 1 report, CAIQ reports, PCI compliance, and more. Saumya also discusses how GitLab supports customers to achieve compliance. Learn more at https://about.gitlab.com/solutions/compliance/.
Additional Resources:
Trust & Security at GitLab presentation: https://bit.ly/3589jXJ (GitLab internal only)
Managing Compliance with GitLab presentation: https://bit.ly/3gUbWik (GitLab internal only)
A
Okay, so I'm gonna cover two topics today. When it comes to compliance, typically there are two types of questions that customers have: one is, you know, how secure is GitLab as a product, and then how can GitLab help to achieve compliance, right. So I'm going to cover both of them today in brief, and then we can have some questions towards the end. So the first topic is around trust and security at GitLab. You might have recently seen that we just achieved the SOC 2 Type 1 certification, or we have the report.

So essentially, what is the SOC 2 certification? It's a third-party agency which kind of validates on five basic trust principles. We got the report on the security trust principle. So Type 1 normally looks at the design of the products and Type 2 looks at the operating efficiencies, right, so we've received the Type 1 report and we are continuing to pursue the Type 2 as we move into that. That said, what does it mean to your customer?

So normally such reports from third-party agencies are quite sought after by customers when they have their security teams requesting them to validate if a vendor actually meets a bunch of their requirements from a company point of view, so this report can then be provided to the customer rather than us, you know, answering each of the security questions that they may have. Typically, the report might cover most of the questions, and then, you know, it kind of reduces the load on our security department to answer just the differential questions that might be required, right.

So this is an industry baseline. It can only be given to customers under NDA. So once we know that a current customer or a prospect is under NDA, then we can request it from the security team, and the process is actually all in this handbook page. So I'm going through the presentation, but for each of these topics there are related handbook pages in the notes. I am going through the presentation finally because it's easier to kind of sort through this, but all of this information is already in the handbook page.

The second type of questionnaire that we have access to, and which we can give customers, is the CAIQ questionnaire. Again, it is an industry-standard security questionnaire that answers most of the questions that a customer might have, things like, you know, how often do we test our product, how do we audit our product, whether we do it for quality, whether we do security.

You know, there are tons of questions that come under this questionnaire, so the GitLab CAIQ is available at this link, so you can actually go and... I might have that open over here, which I may not be sharing, but we can actually go and view GitLab's questionnaire right over here and, as you can see, we address most of the questions. The next compliance is the PCI compliance.

Normally, there are four levels of compliance based on the number of transactions that a vendor is running. Level one is upwards of six million transactions and level four is below twenty thousand transactions, so GitLab is currently at level four. We actually received that compliance for level four, where we have to actually do a self-assessment as well as a quarterly scan by our third-party vendor. Now again, this report is available.
A
If your customer asks for it, you can request it from the security team through this mail ID. And the fourth one is the GitLab control framework. So there are a lot of, you know, industry regulations available: SOC 2, ISO, PCI, FedRAMP, HIPAA. So a lot of times, you know, some of the specifications in various of these frameworks actually are common, so Adobe actually came up with a common control framework, which kind of consolidates a lot of the requirements from each of these frameworks and gives a common framework. So the GitLab control framework is based on this common control framework and covers, you know, about 15 to 20 controls that I've listed down here below. So, if you actually go to the handbook page, you can really see, for each of these controls, you know, there are various different criteria that are defined and how GitLab kind of classifies each of these, and for which particular framework does it matter. For example, this particular control, which is the data classification criteria, tries to explain how we classify the data, and it kind of maps to the SOC 2 and sesame, and also lists out the specific requirements. So this is something that, if your customer is interested, you can share it with them.

You can see how we handle some of these requirements as well, and then the last one that I'll talk about from a trust and security point of view is external testing, and penetration testing is one of them. So we do an annual penetration testing for both .com as well as the self-hosted product, and it's done by a third-party vendor called cream, and the report again is available from our security team. So that was about that.

So our main goal: in general, audit and compliance actually is a lot of headache. You know, auditors actually tend to get a lot of pain by doing audits, primarily because data is split across multiple different tools. It's not consolidated; they don't even know if they actually have that particular data, right. So the goal of GitLab's compliance management is to really make this whole process simple, friendly and as frictionless as possible, and the way we try to do it is any kind of compliance.

The second, you need to be able to enforce the policies that you've already defined, and that's what we talk about in automating compliance workflows, and then the third is, once you have defined and enforced it, when an auditor is requesting proof of compliance, you actually need to be able to report on it, and that's what we will cover under audit management. Under that pillar, speaking about policy management, which is actually where we define the rules and policies in general, the typical rules and policies that may be required are, you know: how do we manage our passwords? Are we performing segregation of duties? Are we making sure that only users with the right credentials are able to access the product or not? Other than the right users being able to do, we have approval rules, and be able to allow the right users to push into the product or not, right. So these are some of the rules that a customer might want to define, and we have various different features that kind of cover some of those. So we have.
A
We do offer granular user roles and permissions. We have five different user roles. We also have an additional auditor role that is required, and these are based on the role that a person plays rather than what access the person requires, right. So we're able to define most of these rules in both the self-hosted and the .com product. Then there is the compliance setting, which actually helps to create some of these rules, create the approval rules: how many approvers do we need for merge requests and so on.

Credential inventory is primarily for the self-managed product, where you can keep track of the credentials that can access GitLab instances, and then we have the protected branches, which kind of maintain who can create a branch, delete a branch, modify a branch or push into a branch. Those are the permissions, and approvers for such branches are actually defined for protected branches.

The second key pillar that we spoke about is the ability to enforce rules and policies. So on this front, there are a bunch of frameworks that are available, of course. Currently we don't support all of them, but the first steps on this front have been started from the last release, where the first one is we'll be able to define framework-specific project templates. So, for example, the HIPAA framework-specific template has been defined in 12.10, wherein the 180-odd requirements that are actually required to be compliant to HIPAA are actually created as, say, 180 different issues, and there is a project template that is created. So a customer who wants to track compliance to HIPAA can use that, rather than using spreadsheets, tracking each compliance requirement on a spreadsheet. This makes it a lot more collaborative. They can actually also then add various different proof elements into the issues itself as they are going on with their day-to-day operations, right.

The goal, which I'll talk about in the next slide, is to have such project templates specific to compliance frameworks and then automate the workflows for those frameworks. As well as that, the next one is framework-specific project labels, so to be able to apply a label to projects and then eventually be able to apply common compliance settings to each of these project labels is the goal, so that you don't have to, for every single project that is compliant to a specific framework.

Excuse me, from a roadmap point of view. So far, like I said, we've introduced the HIPAA framework; SOX and SOC 2 are the next frameworks that we intend to go forward with, and then the other aspect from a workflow point of view is to be able to detect compliance breaches within the pipeline itself, and the pipeline results or the model will show the success or failure from a compliance point of view as well. So that's what's coming up next from an enforcement point of view.

The third one is to report on whatever rules and policies have been enforced. So basically things like: who took an action, whether the action was logged, whether it was compliant, were they approved to take that particular action? Are there gaps from what was defined to what was actually done? So a bunch of these questions tend to be asked when a compliance auditor is auditing the organization. So in that regard, there are a couple of features that are applicable.
A
So the first one is the audit events, which actually capture various different project, group and user level actions in the audit events itself, which we can extract through the UI or API, and then there is the audit log system as well, as well as the system logs, which actually capture everything that is actually done within the GitLab instance, and then the compliance dashboard, where the goal is to actually show a consolidated view of all the compliance actions, and which should be able to filter based on what requirement we have.

Currently, it shows the most recently merged activity, who were the approvers and so on, but talking about the roadmap from an audit management point of view, the first phase was to consolidate everything in one place, so I think that's something that's done. Going forward, the ability to export audit events and logs is the immediate next step. To export user permissions, and project and group audit reports, are something that's in the roadmap which has not even started.

So, from a compliance dashboard point of view, like I said, today it actually shows the latest merge request activity and what was the approval for that merge request, but the vision of the compliance dashboard itself is to actually show pretty much, you know, everything from a compliance point of view: so how many projects we have configured for each of the frameworks and what is the compliance status on each of those frameworks, right? What is the license compliance status? What is, you know... We can add specific data points with regards to pipeline results, security results and so on. So today there could be some compliance data spread across, let's say, a security dashboard or compliance dashboard; it could be expected under an analytics dashboard. The goal of the compliance dashboard is to give a way to pull all of this information together, by issue, by merge request, by project and also by specific framework, so that an auditor will get a consolidated look and feel of the report and also be able to filter, you know, based on either user or approver or something, and then also export that particular... That's where the goal is.

We don't have one at the moment. One customer who has actually claimed that GitLab actually helped them from a compliance point of view: that's where, in fact, they were using our API stack to pull out all the information that they required, but there is a reference customer which talks about compliance itself.

This is my last slide, so, compliance as a capability. There are multiple different things that we are acting on, and where each of those lies. So under the policy management, where we define the rules and policies, you know, most of it is available in Core, except for the credential inventory, which is available in Ultimate. In the protected branches, some capabilities are available in Premium, which is, excuse me, specifically saying that "approval can only be by the code owner" can be configured, and that feature is available in Premium, but pretty much everything else is in Core itself. For the enforcement part of it, where we have both the templates and labels, which is where they'll be doing some significant amount of work, both of which are Ultimate. Amongst the reporting part of it, which is the audit events, logs and compliance dashboard, they're spread across Starter, Premium and Ultimate again here.
C
First off, I come from a customer site that had a lot of different compliance regulations, and I'm super excited about what this is offering our customers, so great work so far. My question: do we have any plans for proper segregation of duties? A common auditing requirement in segregation of duties is that approvers or deployers should never be able to contribute to the codebase. We currently have two approval/deployer constructs: the first one is merge request approvals; the second one is pipeline jobs that deploy to protected environments, both of those roles.

A
So I know that there is some work being done on the segregation of duties. I had spoken back, I don't know if mangas Alice, who is the product manager for compliance itself... I know there is an issue that tracks that as well, but I don't have a concrete timeline on that. So let me check on that and get back to you on when that's happening.
D
Folks, we had a call earlier today and this exact issue came up, so the timing couldn't be better. It was around HIPAA, and they were essentially asking for some direction on how they could, not necessarily build applications that were HIPAA compliant, but they do have some HIPAA tools already in place that, you know, they would like to possibly integrate into our CI pipeline. So the question is essentially: do we have an integration into an external compliance tool from the CI pipeline that we could reference, that we've already done?

A
So, as far as I know, there is no out-of-the-box integration available. I think the recommended approach was to export, when we have the export capability, to export the data into another GRC tool. At the moment, that's not available. I'll have to check if that's even in the roadmap. I don't think it's on the roadmap, but let me check and get back to you.
E
And this is Hayden. I was just looking at the compliance page on the website. That's a subset of our solutions page; there's a demo in there from 2018 which talks about the security dashboard. There's really good stuff in those presentations, thank you. Wondering if we could get an updated demo on this page, yeah.

A
So, yeah, I updated the page yesterday. I didn't have a demo in place to update the video, so I'm gonna, yeah, no.
B
All right, so we are about out of time. I do have a question for the group, though, for those of you who are still here: the field enablement team is looking for a couple of volunteers, particularly Account Executives and/or SAs, who would like to have a brief 15-minute coffee chat and review some upcoming learning paths that we're gonna be releasing. So I have a place in this notes document; if you'd like to sign up to take a look at this and give us your feedback, we would love to hear your thoughts on that.