This is a Controlled Document
In line with GitLab's regulatory obligations, changes to controlled documents must be approved or merged by a code owner. All contributions are welcome and encouraged.

Purpose

GitLab's user access review is an important control activity required for internal and external IT audits. It helps minimize threats and provides assurance that the right people have the right access to critical systems and infrastructure. This procedure details the process steps and provides control owner guidance for access reviews. Benefits to the organization:
Scope

In-Scope Systems

Security Compliance performs Access Reviews for Tier 1 and Tier 2 systems in scope for our compliance and regulatory programs. See the tech stack for the current listing of Tier 1 and Tier 2 systems.

Out-of-scope Systems

Tier 3 applications as defined in the tech stack are not in scope. However, all system owners are highly encouraged to perform at least an annual terminated-access review for the systems they own, using this process as a guide.

Roles & Responsibilities
What is Authomize and why do I have an Okta tile for it?

Authomize is GitLab's User Access Review tool. It is used to facilitate all user access reviews. By default, all team members receive access to Authomize upon onboarding. To access Authomize, team members can select the Authomize tile in Okta. If you are assigned an access review, please follow the runbook linked below to complete it.

Access Review Procedure

Terminated Users
Entitlement
Access Review runbook

The Authomize review runbook here provides the outline for completing these access reviews, including how to confirm least privilege. If access is identified as no longer required, open an Access Removal issue for each account that no longer requires access and relate it to the system access review issue. If you have any questions or require assistance with completing an access review, please contact the GitLab Security Compliance team.

Access Review Cadence FY23:
All components of a user access review must be completed within the time period under audit. For example, if a user access review is scheduled for Q2, all components of the review, including any required actions for modification/removal and lookbacks, must be completed by the end of the quarter. It is not sufficient to have outstanding requests for modification/removal at quarter end, even if the users were identified for modification/removal before quarter end. The determination and tracking of systems ranked by tiers 1-4 are managed in the GitLab Critical Systems Inventory, which is the SSOT for which systems require UARs and should always be referenced when in doubt.

Access Removals

If the appropriateness of access cannot be verified as part of the review, or a system owner/reviewer flags a user for removal, a validation will take place with the team member's manager prior to access removal, as per the Observation Management Procedure. This validation must take place within 7 calendar days; if access is determined not to be required, OR no agreement can be reached within that SLA between the manager and the system owner/reviewer, access will be removed. If the risk associated with unvalidated access is too high, access will be revoked immediately and impacted users will be directed to the new access request process for re-provisioning. While we want to avoid disruption in access whenever possible, we need to balance the impact of that disruption against the risk of continued and unvalidated access to GitLab systems.

Additional Guidance

Timing of Quarterly Access Reviews
Lookback Reviews

For any accounts that require removal of access (full removal or individual roles/privileges), a lookback review may be required. A lookback review is a review of activity for the period of time during which the access was inappropriate. Example scenarios where a lookback may be required:
In cases where there is a disagreement between the system owner and manager as to whether a lookback is required, it should be completed. Engage the appropriate personnel (i.e. the system owner) to perform a lookback assessment to validate that the account(s) did not use the access inappropriately. It may not be necessary to perform a lookback in all cases, for example:
The simplest method to perform a lookback for users is to review their last login date/time and validate that it was not after the date access was no longer appropriate. If the last login shows the account did authenticate after the access became inappropriate, a full review should be performed to determine any activity from the account during that time and validate that it posed no risk. If a last login is not available, other validations should be performed to confirm the account was not used inappropriately after termination (e.g. review of key transactions). Evidence of the completed lookback review should be retained and documented within the access review workbook or other associated documentation.

Validation of Modifications completed

For any accounts that are requested for modification or removal, validation that they were modified as requested should be completed and evidence of the successful modification captured (e.g. a screenshot, or an updated user listing that reflects the changes made).

Access Review Notification Reminders

Security Compliance managed access reviews required for audit evidence have a deadline of 10 business days from the launch of the review in Authomize. Automated reminders will be used based on the number of days out from the due date:
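The last-login lookback check described under Lookback Reviews, as an added Python example that is not part of this handbook page or of Authomize: it triages an access-list export into accounts whose last login is on or before the date access became inappropriate, accounts that authenticated afterwards and need a full activity review, and accounts with no last-login data that need other validation. The CSV columns (access_invalid_since, last_login) and the sample rows are constructed for illustration.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed sample access-list export (not real GitLab data). Assumed columns:
# access_invalid_since = date the access stopped being appropriate (e.g. termination),
# last_login = last authentication, empty when the system does not record it.
SAMPLE_EXPORT = """\
user,role,access_invalid_since,last_login
alice,admin,2023-05-01T00:00:00Z,2023-04-28T09:12:00Z
bob,viewer,2023-05-01T00:00:00Z,2023-05-03T17:45:00Z
carol,editor,2023-05-01T00:00:00Z,
"""


def _parse_ts(value):
    """Parse an ISO 8601 UTC timestamp; an empty cell means the value is unavailable."""
    if not value.strip():
        return None
    return datetime.strptime(value.strip(), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def lookback_disposition(last_login, access_invalid_since):
    """Apply the page's lookback rule to one account and return the action it needs."""
    if last_login is None:
        return "manual_validation"   # no last login: validate via key transactions etc.
    if last_login > access_invalid_since:
        return "full_review"         # authenticated after access was inappropriate
    return "no_activity"             # last-login check alone satisfies the lookback


def triage_export(csv_text):
    """Group every account in the export by lookback disposition for the reviewer."""
    result = {"no_activity": [], "full_review": [], "manual_validation": []}
    for row in csv.DictReader(io.StringIO(csv_text)):
        invalid_since = _parse_ts(row["access_invalid_since"])
        disposition = lookback_disposition(_parse_ts(row["last_login"]), invalid_since)
        result[disposition].append(row["user"])
    return result


if __name__ == "__main__":
    for bucket, users in triage_export(SAMPLE_EXPORT).items():
        print(f"{bucket}: {users}")
```

The per-bucket user lists are what the reviewer records as lookback evidence in the access review workbook, alongside the Access Removal issues for the flagged accounts.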
{-If an access review is not completed within 10 days, identified access will be removed.-}

Access List For Review

Access List Generation

How the system's access is maintained determines the method for exporting accounts and related permissions for the access review. This will most likely fall to the business or technical owner identified in the Tech Stack Applications.
Access List Data Fields

The following fields are the most comprehensive to assist in performing a thorough access review (all are helpful, but not all might be available):
Access Listing Generation Validation
How to provide a desktop timestamp screenshot:
Exceptions

Exceptions to this procedure will be tracked as per the Information Security Policy Exception Management Process.

References
What is an access review?

Access reviews are just as they sound: periodic reviews of who has access privileges to the digital assets in your organization. Also known as "User Access Reviews", they should happen periodically, removing unnecessary, outdated, or inappropriate privileges.
How is access review done?

An access review requires business administrators to review what each user in their system has access to. The process allows a company to keep track of what information users have the privilege to access, so that access can be changed or revoked when necessary. This process is vital to information security.
What is access review policy?

A user access review is a periodic inventory of access rights to certain networks and systems and the users who have access permissions into those networks and systems. It looks at who's accessing what, what level of access they have, and whether they have valid reasons for those access rights.
What kind of control is user access review?

User access review is a control to periodically verify that only legitimate users have access to applications or infrastructure.