Modify ISCP Policy To Be Gitlab.com Specific in Scope
Why is this change being made?
Making a slight word modification to the ISCP scope so that per our policy, the ISCP performed covers gitlab.com. As it was worded previously, the ISCP statement referenced that there would be an ISCP for "every system" which is currently not happening.
Also, as an alternative, we could modify the scope to be all Tier 1 systems (the GCF V3 ISCP control is scoped to only tier 1 systems) which would primarily include gitlab.com and its infrastructure. Any tier 1 system that is vendor managed and is tier 1 would likely have continuity plans covered in the SOC reports and could be referenced to, but then we could also open observations for those systems that force us to have some sort of documented plan in terms of what we would do on the GitLab side if we completely lost access/service to those systems.
Author Checklist
-
Provided a concise title for this Merge Request (MR) -
Added a description to this MR explaining the reasons for the proposed change, per say why, not just what - Copy/paste the Slack conversation to document it for later, or upload screenshots. Verify that no confidential data is added, and the content is SAFE
-
Assign reviewers for this MR to the correct Directly Responsible Individual/s (DRI) - If the DRI for the page/s being updated isn’t immediately clear, then assign it to one of the people listed in the
Maintained bysection on the page being edited - If your manager does not have merge rights, please ask someone to merge it AFTER it has been approved by your manager in #mr-buddies
- The when to get approval handbook section explains the workflow in more detail
- If the DRI for the page/s being updated isn’t immediately clear, then assign it to one of the people listed in the
-
If the changes affect team members, or warrant an announcement in another way, please consider posting an update in #whats-happening-at-gitlab linking to this MR - If this is a change that directly impacts the majority of global team members, it should be a candidate for #company-fyi. Please work with internal communications and check the handbook for examples.