Wikimedia Technology/Annual Plans/FY2019/CDP1: Privacy, Security, and Data Management/CDP Budget Segment 2/Goals

=Program Goals and Status for FY18/19=

Segment 2 - Security
 * Goal Owner: John Bennett
 * Program Goals for FY18/19: Develop, maintain and mature our privacy, security, and data management practices in order to protect Wikimedia community member and donor information, comply with applicable privacy and data protection regulations, and ensure safe and secure connection to Wikimedia projects and sites in accordance with the values of the movement.
 * Annual Plan: Segment 2 - Security
 * Primary Goal is Knowledge Equity: grow new contributors and content



= Q1 Goals =

Outcome 1 / Output 1
Ensure the high-quality protection and security of our infrastructure and data.
 * Review and update current security policies, standards and procedures

Goal(s)

 * Review and mature our security policies and awareness functions:
 * Create or update 3 security policies
 * Provide Security Awareness training
 * Perform Phishing campaign

Status
July 2018


 * ✅ 1 of the 3 policies has been created
 * ✅ Define Awareness content

August 2018


 * Define additional policies to update/create
 * Draft version of "Protecting your Digital Identity" created for Awareness Campaign
 * Onboard vendor to support Phishing platform

September 12, 2018


 * Update/create identified password use policies and incident response policies
 * Provide awareness training (will be presented in October)
 * Perform phishing campaign; this will be completed in Q2

Outcome 1 / Output 2
Ensure the high-quality protection and security of our infrastructure and data.
 * Reduce risk, improve application security practices, improve code quality, reduce vulnerabilities and attack surface and encourage a secure by design approach.

Goal(s)

 * Testing campaigns:
 * Implement CSP in alert only mode
 * Penetration testing for English Wikipedia site
 * Security Release
 * Analytics Risk Assessment and Threat Model

Status
July 2018


 * ✅ Initial test rollout of CSP on test wiki
 * ✅ Define scope and onboard vendor for pen testing
 * Identify elements for security release
 * ✅ Identify and scope Analytics assessment

August 2018


 * Expand CSP rollout
 * Select pen testing dates
 * Prepare security release
 * Identify and scope Analytics assessment

September 12, 2018


 * Expand CSP rollout
 * Complete pen testing (will start at end of September)
 * Prepare security release (currently stalled based on hiring)
 * Complete Analytics assessment

Outcome 1 / Output 3
Ensure the high-quality protection and security of our infrastructure and data.
 * Increase maturity and capabilities in the event of a security incident.

Goal(s)

 * Perform 2 Incident Response table top exercises

Status
July 2018
 * ✅ Perform 1st Incident Response exercise

August 2018


 * ✅ Perform 2nd Incident response exercise

September 12, 2018

 * Update Incident Response Plan

= Q2 Goals =

Outcome 1 / Output 1
Ensure the high-quality protection and security of our infrastructure and data.


 * Review and update current security policies, standards and procedures

Goal(s)

 * Review and mature our security policies and awareness functions:
 * Create or update 3 security policies
 * Provide Security Awareness training
 * Perform Phishing campaign

Status
October 18, 2018
 * On track to publish policy changes by the end of Oct
 * Awareness content created and ready to deliver
 * Phishing campaign will be delayed until Nov.

November 2018
 * Discussed...

December 2018
 * Discussed...

Outcome 1 / Output 2
Ensure the high-quality protection and security of our infrastructure and data.


 * Reduce risk, improve application security practices, improve code quality, reduce vulnerabilities and attack surface and encourage a secure by design approach.

Goal(s)

 * Testing campaigns:
 * Implement CSP in alert only mode
 * Penetration testing for mobile apps
 * Security Release
 * OIT Risk Assessment and Threat Model
 * NIST CSF style assessment
 * Consider incorporation of Phan-taint-check into MW Core
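The "Implement CSP in alert only mode" item in both the Q1 and Q2 goal lists refers to Content-Security-Policy report-only mode: the policy is sent under the Content-Security-Policy-Report-Only header, the browser blocks nothing, and violations are POSTed as JSON reports to the report-uri endpoint so that legitimate sources can be whitelisted before the policy is switched to enforcement. The following Python is an added illustration, not Wikimedia or MediaWiki code; the policy, the report endpoint path, and the sample violation reports are constructed for the example and do not reproduce MediaWiki's actual CSP.

```python
"""
Added example (not Wikimedia/MediaWiki code): CSP in report-only ("alert only") mode.

The same policy string is sent under Content-Security-Policy-Report-Only instead of
Content-Security-Policy. Browsers then block nothing; they POST a JSON violation report
(wrapped in a top-level "csp-report" object) to the report-uri endpoint. Operators read
those reports to whitelist legitimate sources before switching to enforcement.
The policy, endpoint path and sample reports below are constructed assumptions.
"""
import json
from collections import Counter
from urllib.parse import urlsplit

# Hypothetical policy (assumption, not MediaWiki's actual CSP). Host sources are
# written scheme-qualified because the matcher below relies on that form.
POLICY = {
    "default-src": ["'self'"],
    "script-src": ["'self'", "https://upload.wikimedia.org"],
    "img-src": ["'self'", "data:", "https://*.wikimedia.org"],
    "report-uri": ["/w/api.php?action=cspreport"],  # assumed report endpoint path
}


def build_header(policy, enforce=False):
    """Serialize a policy dict to (header name, header value).

    enforce=False gives the report-only header used during an alert-only rollout.
    """
    name = "Content-Security-Policy" if enforce else "Content-Security-Policy-Report-Only"
    value = "; ".join(f"{directive} {' '.join(sources)}" for directive, sources in policy.items())
    return name, value


def governing_sources(policy, directive):
    """Fetch directives without their own entry fall back to default-src."""
    return policy.get(directive, policy.get("default-src", []))


def source_matches(source, url, page_origin):
    """Minimal CSP source-expression matcher: 'none', 'self', scheme:, host (with *. wildcard)."""
    if source == "'none'":
        return False
    res = urlsplit(url)
    if source == "'self'":
        page = urlsplit(page_origin)
        return (res.scheme, res.netloc) == (page.scheme, page.netloc)
    if source.endswith(":"):  # scheme source such as data: or https:
        return res.scheme + ":" == source
    src = urlsplit(source)
    if src.netloc.startswith("*."):
        return res.scheme == src.scheme and res.netloc.endswith(src.netloc[1:])
    return (res.scheme, res.netloc) == (src.scheme, src.netloc)


def would_enforce_block(policy, directive, blocked_uri, page_origin):
    """True if this policy, switched to enforcing mode, would block the reported resource."""
    sources = governing_sources(policy, directive)
    if blocked_uri == "inline":
        return "'unsafe-inline'" not in sources
    if blocked_uri == "eval":
        return "'unsafe-eval'" not in sources
    return not any(source_matches(s, blocked_uri, page_origin) for s in sources)


def triage_report(policy, report_body):
    """Parse one browser violation report and say what enforcement would have done."""
    report = json.loads(report_body)["csp-report"]
    directive = report.get("effective-directive") or report["violated-directive"].split()[0]
    blocked = report.get("blocked-uri", "")
    page = urlsplit(report["document-uri"])
    page_origin = f"{page.scheme}://{page.netloc}"
    return {
        "directive": directive,
        "blocked_uri": blocked,
        "would_block": would_enforce_block(policy, directive, blocked, page_origin),
    }


def summarize(policy, report_bodies):
    """Count (directive, blocked host) pairs: the worklist to review before flipping to enforce."""
    counts = Counter()
    for body in report_bodies:
        t = triage_report(policy, body)
        host = urlsplit(t["blocked_uri"]).netloc or t["blocked_uri"]
        counts[(t["directive"], host)] += 1
    return counts


# Constructed sample reports in the shape browsers POST (Content-Type: application/csp-report).
SAMPLE_REPORTS = [
    json.dumps({"csp-report": {
        "document-uri": "https://en.wikipedia.org/wiki/Main_Page",
        "violated-directive": "script-src 'self' https://upload.wikimedia.org",
        "effective-directive": "script-src",
        "blocked-uri": "https://evil.example/inject.js",
        "status-code": 200,
    }}),
    json.dumps({"csp-report": {
        "document-uri": "https://en.wikipedia.org/wiki/Main_Page",
        "violated-directive": "script-src 'self' https://upload.wikimedia.org",
        "effective-directive": "script-src",
        "blocked-uri": "inline",
        "status-code": 200,
    }}),
    json.dumps({"csp-report": {
        "document-uri": "https://en.wikipedia.org/wiki/Main_Page",
        "violated-directive": "img-src 'self' data: https://*.wikimedia.org",
        "effective-directive": "img-src",
        "blocked-uri": "https://evil.example/track.gif",
        "status-code": 200,
    }}),
]

if __name__ == "__main__":
    print(build_header(POLICY))
    for body in SAMPLE_REPORTS:
        print(triage_report(POLICY, body))
    print(summarize(POLICY, SAMPLE_REPORTS).most_common())
```

The point of the report-only phase is the summary at the end: a recurring (directive, host) pair that belongs to a legitimate resource is a whitelist gap to fix in the policy, while one that does not (an unknown host, or inline script where none is expected) is exactly what the enforcing policy will block once it is switched on.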

Status
October 18, 2018


 * CSP changes in progress
 * 1st round of pen testing (on en.wikipedia) will conclude by the end of Oct.
 * OIT assessment will be pushed to at least Nov.
 * NIST CSF assessment on track to begin in Oct, but will likely conclude in Nov.
 * Initial discussions have begun on including Phan-taint-check in MW core, but this will not be completed in Oct.

November 2018


 * Due to a Major Security Incident, all Security resources were dedicated to working on this Incident during October and November.
 * November 30, 2018 update:
 * CSP changes 95% complete
 * 1st round of pen testing (on en.wikipedia) completed
 * OIT assessment (previously pushed to at least Nov): cancelled
 * NIST CSF assessment (was on track to begin in Oct): on hold
 * Initial discussions have begun on including Phan-taint-check in MW core, but this will not be completed in November

December 2018


 * Discussed...

Outcome 1 / Output 3
Ensure the high-quality protection and security of our infrastructure and data.


 * Increase maturity and capabilities in the event of a security incident.

Goal(s)

 * Finalize and test our Incident Response documentation

Status
October 18, 2018


 * Final tabletop with Legal will be held on Oct 30.

November 2018


 * Discussed...

December 2018


 * Discussed...