Wikimedia Technology/Annual Plans/FY2019/CDP1: Privacy, Security, and Data Management/CDP Budget Segment 2/Goals

=Program Goals and Status for FY18/19=

Segment 2 - Security
 * Goal Owner: John Bennett
 * Program Goals for FY18/19: Develop, maintain and mature our privacy, security, and data management practices in order to protect Wikimedia community member and donor information, comply with applicable privacy and data protection regulations, and ensure safe and secure connection to Wikimedia projects and sites in accordance with the values of the movement.
 * Annual Plan: Segment 2 - Security
 * Primary Goal is Knowledge Equity: grow new contributors and content



 = Q1 Goals =

Outcome 1 / Output 1
Ensure the high-quality protection and security of our infrastructure and data.
 * Review and update current security policies, standards and procedures

Goal(s)

 * Review and mature our security policies and awareness functions:
 * Create or update 3 security policies
 * Provide Security Awareness training
 * Perform Phishing campaign

Status
July 2018


 * ✅ 1 of the 3 policies has been created
 * ✅ Define Awareness content

August 2018


 * Define additional policies to update/create
 * Draft version of "Protecting your Digital Identity" created for Awareness Campaign
 * On board vendor to support Phishing platform

September 2018


 * Update/create identified policies
 * Provide awareness training
 * Perform phishing campaign

Outcome 1 / Output 2
Ensure the high-quality protection and security of our infrastructure and data.
 * Reduce risk, improve application security practices, improve code quality, reduce vulnerabilities and attack surface and encourage a secure by design approach.

Goal(s)

 * Testing campaigns:
 * Implement CSP in alert only mode
 * Penetration testing for English Wikipedia site
 * Security Release
 * Analytics Risk Assessment and Threat Model

Status
July 2018


 * ✅ initial test rollout of CSP on test wiki
 * ✅ Define scope and onboard vendor for pen testing
 * identify elements for security release
 * ✅ identify and scope Analytics assessment

August 2018


 * Expand CSP rollout
 * Select pen testing dates
 * Prepare security release
 * identify and scope Analytics assessment

September 2018


 * Expand CSP rollout
 * Complete pen testing
 * Prepare security release
 * Complete Analytics assessment



Outcome 1 / Output 3
Ensure the high-quality protection and security of our infrastructure and data.
 * Increase maturity and capabilities in the event of a security incident.

Goal(s)

 * Perform 2 Incident Response table top exercises

Status
July 2018
 * ✅ Perform Incident response exercise

August 2018


 * ✅ Perform 2nd Incident response exercise

September 2018

Update Incident Response Plan



 =Q2 Goals =

Outcome X / Output X
Lorem ipsum dolor sit amet, consectetur adipiscing elit.
 * Nullam interdum, elit in malesuada aliquam, libero lorem auctor lacus, eu mattis lacus velit vitae mauris.

Dependencies on: ___________

Goal(s)

 * Ut eget sodales odio. Maecenas a varius leo.

Status
October 2018
 * Discussed...

November 2018
 * Discussed...

December 2018
 * Discussed...