Security/SOP/Application Security Reviews

= IT Standard Operating Procedure - Security Readiness Reviews =

REVIEW PROCEDURE

List how often the SOP should be reviewed and updated and who is responsible.

PURPOSE

What is the purpose of the SOP? Note any policy or regulations that govern the document.

SCOPE

What facets of operations and equipment or departments do these procedures apply to?

ROLES AND RESPONSIBILITY

Define who these SOPs apply to and the responsibilities of each role.

KEYWORDS AND DEFINITIONS

Define any acronyms, jargon, or terms that might have multiple meanings.

PROCEDURES

1) At least 30 days prior to the deployment date, the User opens a Phabricator Task using the Request a Review form.

2) Weekly, the Security Coordinator reviews the Requests.

3) Requests for Security Team Readiness Reviews MUST include the following:

Name of tool/project

Description of the tool/project

Description of how the tool will be used at WMF

Name of individual/group requesting review and primary contact

Name of individual/group responsible for tool/project after deployment and primary contact

Target date for deployment (or approximate date deployed if already in production or labs)

Information from any review of the tool that has already been conducted

Working test environment

Programming language(s) used

Source code repository location

Upstream project home page (if applicable)

WMF project home page (if applicable)

Related Phabricator tickets

Related patchset(s)

4) The Security Coordinator checks that the Task was opened at least 30 days prior to the deployment date; otherwise the Task is declined.

5) The Security Coordinator checks that the Task has ALL of the required information; otherwise the Task is held for 3 days awaiting the missing information.

6) If the Task meets the requirements of 4) and 5), the Security Coordinator approves the Task, assigns it to an Engineer and places the Task in the “In Progress” queue.

7) See the #Security-Teams Readiness Reviews workboard for currently planned reviews.

8) The “In Progress” queue reflects all active Tasks. These Tasks have target completion times of two to four weeks.

9) The Engineer reviews the Task and, if it is approved, comments on the Task and closes it as Resolved.

10) If your project is not on the schedule and you believe it should be, or if you have any questions about the Security Teams Readiness Review process, please contact the Security Team (security-team@wikimedia.org) as soon as possible.

11) If, after reviewing your Task, the Engineer requires an action on your part, the Task is placed in the Waiting on Response/Mitigation queue. The Task may reside there no more than one (1) month.

12) If the Engineer has not received a response within 30 days, the Task will be closed and moved to the Frozen column.

13) Tasks that have been on the Frozen column more than 180 days will be removed from the Security-Team-Reviews tab.

TROUBLESHOOTING PROCEDURES

How will incidents be investigated, escalated, and resolved?

CHECKLISTS

Add all checklists used for processes and describe filing systems for completed checklists.

ESCALATIONS

How are service issues escalated?

SIGNATURES

Obtain signatures from employees to confirm that they have read and understood procedures.