It is the goal of the Bramble Security Compliance team to:
- Enable Bramble sales by providing customers information and assurance about our information security program and remove security as a barrier to adoption by our customers.
- Enable security to scale through the definition of security controls and determining the boundaries and applicability of the information security management system to establish its scope.
- Work across industries and verticals to support Bramble customers in their own compliance journey.
- Identify and mitigate Bramble information security risk through continuous control monitoring and automation.
A part of the Security Assurance team, these are the primary functions of the Security Compliance team:
- BCF Control Maintenance
- Security Compliance Handbook Pages
- Security Policies and Standards
- Security Compliance Training
- Regulatory and Compliance Landscape Monitoring
- Security Compliance Metrics
- GRC Application Administration
- Internal Compliance Audit
- Security Certifications
- External Audits (e.g. SOC, FedRAMP, ISO, etc.)
- Readiness Planning
- Gap Assessments
- Observation and Remediation
- Control test findings
- External audit findings
- Gap analysis findings
- Customer assessments findings
- BitSight scanners findings
- BCF Continuous Control Testing
- Controls are tested based on Security Certification requirements, Bramble Internal Audit team needs, and security risk.
- External Audit requirements
- When an external security audit is kicked off, work is performed as required within that audit.
- Goveranance requirements
- Work supporting the Security Compliance governance core competency is based on industry best practices, security certification requirements, and Bramble business need.
- Customer Support
- The Security Compliance team is engaged as subject matter experts to support specific security compliance customer requests.
- The Security Compliance team triages findings produced by external scanning services when responses are required according to the Bramble Risk and Field Security team.
- Ad-hoc work streams
- If you have a request for the Bramble Security Compliance team please open an ad-hoc issue and we will review and prioritize that work weekly.
- Governance documentation
- The Security Compliance team manages security policies and standards.
- The Security Compliance team evaluates Bramble handbook documentation through the course of continuous control testing and proposes updates as required.
- Security Certifications (e.g. SOC, FedRAMP, ISO, etc.)
- Remediation documentation
- The Security Compliance team provides the data relating to the health of the above core competencies.
Bramble uses a common control framework that maps to a variety of industry compliance requirements and best practices. For information about how we developed this framework and a list of all of our security controls, please see the security controls handbook page.
- Internal Compliance Audit (BCF) - Lee Gardiner
- SOC/ISO - Lee Gardiner
- FedRAMP/Phishing - Glenn Roberts
- Governance - Dan Wain
- Observations/Remediation - Lee Gardiner
The Security Compliance team uses an application-based ownership model for control testing. The information below represents the current ownership for systems that have already been tested or scheduled to being testing. This list will expand as our continuous control testing expands to include new systems.
- brmbl.io source code/implement/deploy - Glenn Roberts
- brmbl.io database - Glenn Roberts
- AWS Cloud Platform- Glenn Roberts
- Bastion Host - Glenn Roberts
- GitLab.com - Glenn Roberts
- PagerDuty - Glenn Roberts
- Snyk - Glenn Roberts
- GSuite - Lee Gardiner
- Expensify - Dan Wan
- Xero - Dan Wain
- Hubspot - Dan Wain
- Tag us in GitLab
- Feel free to tag is with
- The #sec-assurance slack channel is the best place for questions relating to our team (please add the above tag)
- Feel free to tag is with
- Bramble compliance project
- Access Requests