The Tech stack is a list of all the technology that MUI currently uses to support the business. The Tech stack lists systems/applications/tools/data used by all departments and details the business purpose/description, the owners, the provisioners, the teams that access the tool, and other details.

Why?

• Centralize user data we collect
• Facilitate off-boarding to know where to remove user access
• Identify opportunities to improve security
• Avoid duplication of tools used internally (e.g. HelloSign + DocuSign)

List

Tech stack applications

Legend

2FA mandatory

This is true if 2FA can be enforced. Set it to false if we are able to configure 2FA but we can’t enforce it at the organization level.

Provisioner

People in charge of granting and removing team members’ access to a tool.

A minimum of two provisioners/deprovisioners should be named for every tool because of the bus factor.

Also, see ‣

Data classification

• Red. Restricted and must remain confidential. This is MUI’s most sensitive data and access to it should be considered privileged and must be explicitly approved. Exposure of this data to unauthorized parties could cause extreme loss to MUI and/or its customers. In the gravest scenario, exposure to this data could trigger or cause a business extinction event.

  Examples include:

  • Customer data

• Orange. Data is subject to laws and regulations that should not be made generally available. Unauthorized access or disclosure could cause significant or financial material loss, risk of harm to MUI if exposed to unauthorized parties, break contractual obligations, and/or adversely impact MUI, its partners, employees, contractors, and customers.

  Examples:

  • Personal data
    • Any vendor who is in possession of any form of Personal data must have appropriate contractual terms that address GitLab data protection requirements (e.g. a Data Processing Agreement).
    • If Personal data comprises a part of the data set to be processed, then the data classification for that data set should be Orange and the classification cannot be Yellow or Green, even if the majority of the data set is Yellow or Green data.
    • The source of the Personal data should not change its classification to a level below Orange since Personal data gathered from public sources is not exempt from protection under certain data protection laws.
  • MUI Intellectual property
  • Customer metadata
  • Audit logs
  • Open security incidents, vulnerabilities, and risks

• Yellow. Data and information that should not be made publicly available that is created and used in the normal course of business. Unauthorized access or disclosure could cause minimal risk or harm and/or adversely impact MUI, its partners, employees, contractors, and customers.

  Examples:

  • General internal company communications
  • MUI work instructions/manuals/policies/procedures containing data NOT appearing in the public handbook.

• Green. Data that is publicly shareable and does not expose MUI or its customers to any harm or material impact. Examples:

  • Public handbook