WIP: update to include additional not public information regarding tech stack information
relates to https://gitlab.com/gitlab-com/business-ops/Business-Operations/-/issues/564
Why is this change being made?
In previous conversations with both Legal and Security Compliance, concerns have been brought forward with how transparent the current tech stack google sheet is. Legal has also brought forward concerns around possible confidentiality agreements we may have with some vendors.
I think what is making this a little complex to manage is that we are trying to get to an SSOT with the tech stack. Different users are using the tech stack for different purposes.
- GitLab team members are referring to the tech stack for provisioning and deprovisioning purposes.
- Security Compliance and Legal are using the Data Classification, Subprocessor identification, "what data is collected", and "is application customer or employee facing".
- Team members are also using the tech stack to reference Business Owners and Technical Owners
While this list is not exhaustive, I wanted to highlight that we are currently displaying data classification and what data we are collecting in addition to Business Owners, Technical Owners, and provisioner information. Security Compliance has mentioned that while internal team members will need this information, publishing provisioner information (gitlab handle) alongside collected data fields may enhance the potential for targeted phishing attacks.
This is still a work in progress as I'm not confident that we have a full list of all information that needs to be Not Public.
/cc @Julia.Lake @jburrows001 @lasayers @SChia @bryanwise @ccnelson @gitlab-com/business-ops/bizops-bsa @emilie
Author Checklist
- Correct MR template applied (e.g. blog post)
- Provided a concise title for the MR
- Added a description to this MR explaining the reasons for the proposed change, per say-why-not-just-what
- Assign this change to the correct DRI
  - If the DRI for the page/s being updated isn't immediately clear, then assign it to your manager.
  - If your manager does not have merge rights, please ask someone to merge it AFTER it has been approved by your manager in #mr-buddies.
  - If the changes relate to any part of the project other than updates to content and/or data files, please make sure to ping @gl-static-site-editor in a comment for a review and merge. For example, changes to .gitlab-ci.yml, JavaScript/CSS/Ruby code or the layout files.
For help with failing pipelines reach out in #mr-buddies in Slack