It is the goal of the Bramble Security Compliance team to:

  1. Enable Bramble sales by providing customers with information and assurance about our information security program, removing security as a barrier to adoption by our customers.
  2. Enable security to scale by defining security controls and determining the boundaries and applicability of the information security management system to establish its scope.
  3. Work across industries and verticals to support Bramble customers in their own compliance journey.
  4. Identify and mitigate Bramble information security risk through continuous control monitoring and automation.

Security Compliance Core Competencies

The Security Compliance team is part of the Security Assurance team. These are the primary functions of the Security Compliance team:

  1. Governance
    • BCF Control Maintenance
    • Security Compliance Handbook Pages
    • Security Policies and Standards
    • Security Compliance Training
    • Regulatory and Compliance Landscape Monitoring
    • Security Compliance Metrics
    • GRC Application Administration
  2. Internal Compliance Audit
  3. Security Certifications
    • External Audits (e.g. SOC, FedRAMP, ISO, etc.)
    • Readiness Planning
    • Gap Assessments
  4. Observation and Remediation
    • Control test findings
    • External audit findings
    • Gap analysis findings
    • Customer assessment findings
    • BitSight scanner findings

Security Compliance Work Inputs

  1. BCF Continuous Control Testing
    • Controls are tested based on Security Certification requirements, Bramble Internal Audit team needs, and security risk.
  2. External Audit requirements
    • When an external security audit is kicked off, work is performed as required within that audit.
  3. Governance requirements
    • Work supporting the Security Compliance governance core competency is based on industry best practices, security certification requirements, and Bramble business need.
  4. Customer Support
    • The Security Compliance team is engaged as subject matter experts to support specific security compliance customer requests.
    • The Security Compliance team triages findings produced by external scanning services when the Bramble Risk and Field Security team determines that a response is required.
  5. Ad-hoc work streams
    • If you have a request for the Bramble Security Compliance team please open an ad-hoc issue and we will review and prioritize that work weekly.

Security Compliance Work Outputs

  1. Governance documentation
    • The Security Compliance team manages security policies and standards.
    • The Security Compliance team evaluates Bramble handbook documentation through the course of continuous control testing and proposes updates as required.
  2. Security Certifications (e.g. SOC, FedRAMP, ISO, etc.)
  3. Remediation documentation
  4. Metrics/Reporting
    • The Security Compliance team provides the data relating to the health of the above core competencies.

Bramble’s Control Framework (BCF)

Bramble uses a common control framework that maps to a variety of industry compliance requirements and best practices. For information about how we developed this framework and a list of all of our security controls, please see the security controls handbook page.

Ownership/DRI’s

Security Compliance Program DRI’s

  1. Internal Compliance Audit (BCF) - Lee Gardiner
  2. SOC/ISO - Lee Gardiner
  3. FedRAMP/Phishing - Glenn Roberts
  4. Governance - Dan Wain
  5. Observations/Remediation - Lee Gardiner

Bramble system DRI’s

The Security Compliance team uses an application-based ownership model for control testing. The information below represents the current ownership for systems that have already been tested or are scheduled to be tested. This list will expand as our continuous control testing expands to include new systems.

  1. brmbl.io source code/implement/deploy - Glenn Roberts
  2. brmbl.io database - Glenn Roberts
  3. AWS Cloud Platform - Glenn Roberts
  4. Bastion Host - Glenn Roberts
  5. GitLab.com - Glenn Roberts
  6. PagerDuty - Glenn Roberts
  7. Snyk - Glenn Roberts
  8. GSuite - Lee Gardiner
  9. Expensify - Dan Wain
  10. Xero - Dan Wain
  11. Hubspot - Dan Wain

Contact the Compliance Team

  • Email
    • security+compliance@brmbl.io
  • Tag us in GitLab
    • @brmbl.io/security/security-assurance/sec-compliance
  • Slack
    • Feel free to tag us with @team-sec-compliance
    • The #sec-assurance Slack channel is the best place for questions relating to our team (please add the above tag)
  • Bramble compliance project
  • Access Requests