The Tech stack is a list of all the technology that MUI currently uses to support the business. The Tech stack lists systems/applications/tools/data used by all departments and details the business purpose/description, the owners, the provisioners, the teams that access the tool, and other details.

Why?

• Facilitate on-boarding to know how to gain access user access
• Avoid duplication of tools used internally (e.g. HelloSign + DocuSign)
• Centralize the user data we collect
• Facilitate off-boarding to know where to remove user access
• Identify opportunities to improve security

List

Tech stack applications

Legend

2FA mandatory

Set it to No if we can configure 2FA but we can’t enforce it (for all accounts).

Set it to Yes if 2FA can be enforced for all accounts.

Provisioner

People in charge of granting and removing team members’ access to a tool.

A minimum of two provisioners/deprovisioners should be named for every tool because of the bus factor.

Also, see ‣

Data classification

• Red. Restricted and must remain confidential. This is MUI’s most sensitive data and access to it should be considered privileged and must be explicitly approved. Exposure of this data to unauthorized parties could cause extreme loss to MUI and/or its customers. In the gravest scenario, exposure to this data could trigger or cause a business extinction event.

  Examples include:

  • Customer data

• Orange. Data is subject to laws and regulations that should not be made generally available. Unauthorized access or disclosure could cause significant or financial material loss, risk of harm to MUI if exposed to unauthorized parties, break contractual obligations, and/or adversely impact MUI, its partners, employees, contractors, and customers.

  Examples:

  • Personal data
    • Any vendor who has any form of Personal data must have appropriate contractual terms that address GitLab data protection requirements (e.g. a Data Processing Agreement).
    • If Personal data comprises a part of the data set to be processed, then the data classification for that data set should be Orange and the classification cannot be Yellow or Green, even if the majority of the data set is Yellow or Green data.
    • The source of the Personal data should not change its classification to a level below Orange since Personal data gathered from public sources is not exempt from protection under certain data protection laws.
  • MUI Intellectual property
  • Customer metadata
  • Audit logs
  • Open security incidents, vulnerabilities, and risks