
Revamp GCF controls table to match ZenGRC controls in-scope and control descriptions language

Byron Boots requested to merge bb-update-GCF-control-set into master

Why is this change being made?

PART 1

During Q1 a significant number of control changes were made to both control tiering as well as ultimately descoping some controls and bringing others into scope. With all of the changes, the hb needs to be updated so that non-ZenGRC users can have visibility into our current control set.

The set of controls in-scope are captured by filtering for Critical System Tiering (0, 1, 2) and a filtered list can be found by following this link.

Given the numerous changes that have been made across many CRs, a full review/comparison to ZenGRC should be performed to ensure hb/ZenGRC matching. This recent CR to add in the tiering field for all controls was a similar full review that took place.

Other significant CRs for reference (though a full review should still be conducted):

  1. https://gitlab.com/gitlab-com/gl-security/security-assurance/grc-application/-/issues/246#note_1347182789

PART 2 - Can move this to a second MR if easier but maybe easiest to update all at one time

The Description field/column in our GCF controls table does not match with information provided in ZenGRC, nor does it provide enough detail to allow non-compliance team members strong visibility into the requirements for each control. We should update that field to match the Description field in ZenGRC with official control language OR provide guidance for team members as to how to access the detailed control information in ZenGRC so that they can review the full details if they desire.

A recent ask came up to provide a set of controls applicable to a system and looking at the Description field in the hb alone greatly varies from the control expectations which we would evaluate/consider in ZenGRC.

Author Checklist

  • Provided a concise title for this Merge Request (MR)
  • Added a description to this MR explaining the reasons for the proposed change, i.e. say why, not just what
    • Copy/paste the Slack conversation to document it for later, or upload screenshots. Verify that no confidential data is added, and the content is SAFE
  • Assign reviewers for this MR to the correct Directly Responsible Individual/s (DRI)
    • If the DRI for the page/s being updated isn’t immediately clear, then assign it to one of the people listed in the Maintained by section on the page being edited
    • If your manager does not have merge rights, please ask someone to merge it AFTER it has been approved by your manager in #mr-buddies
    • The when to get approval handbook section explains the workflow in more detail
  • If the changes affect team members, or warrant an announcement in another way, please consider posting an update in #whats-happening-at-gitlab linking to this MR
    • If this is a change that directly impacts the majority of global team members, it should be a candidate for #company-fyi. Please work with internal communications and check the handbook for examples.
