Security/SOP/Application Security Reviews

= IT Standard Operating Procedure - Security Readiness Reviews =

REVIEW PROCEDURE PURPOSE SCOPE ROLES AND RESPONSIBILITY KEYWORDS AND DEFINITIONS

PROCEDURES

1) At least 30 days prior to deployment date, User opens a Phabricator Task using a Request a Review

2) Weekly, the Security Coordinator reviews Requests. 3) Security Teams Readiness Reviews MUST include the following:

Name of tool/project

Description of the tool/project

Description of how the tool will be used at WMF

Name of individual/group requesting review and primary contact

Name of individual/group responsible for tool/project after deployment and primary contact

Target date for deployment (or approximate date deployed if already in production or labs)

Information from any review of the tool that has already been conducted

Working test environment

Programming language(s) used

Source code repository location

Upstream project home page (if applicable)

WMF project home page (if applicable)

Related Phabricator tickets

Related patchset(s)

4) Security Coordinator checks that Task is at least 30 days prior to deployment date or declines the Task.

5) Security Coordinate checks that Task has ALL required information or holds the Task for 3 days awaiting information.

6) If Task meets the requirements for 4) and 5), then the Security Coordinator approves the Task, assigns it to an Engineer and places the Task in the “In Progress” queue.

7) See the #Security-Teams Readiness Reviews workboard for currently planned reviews.

8) The “In Progress” queue reflects all active tasks. These tasks have target dates of two to four weeks.

9) Engineer will review Task and if approved, will comment in the task closed as Resolved.

10) If your project is not on the schedule and you believe it should be, or if you have any questions about the Security Teams Readiness Review process, please contact the Security Team (security-team@wikimedia.org) as soon as possible.

11) If your Task is reviewed by the Engineer and then they require an action on your part, the Task is placed in the Waiting on Response/Mitigation queue. The Task may reside there no more than one (1) month.

12) If the Engineer has not received a response within 30 days, the Task will be closed and moved to the Frozen column.

13) Tasks that have been on the Frozen column more than 180 days will be removed from the Security-Team-Reviews tab.



TROUBLESHOOTING PROCEDURES CHECKLISTS ESCALATIONS SIGNATURES Security