Security/SOP/Requests For Service

SOP Name: WIKISEC-RFS-SOP

SOP Description: Processes through which to request resourcing, feedback and commitment from the Security Team

Authority: Director of Security

Review Required by: X/X/XX

Author(s): Wikimedia Security Team

Data Classification: Public

Purpose
To effectively resource the highest-priority work, and to enable as much predictability as possible in our interactions with customers, we have defined standards for work intake and processing.

Requests that follow a recognized intake flow will (at a minimum) be discussed by the Security Team during our weekly clinic meeting. The Security Team is a limited component within the Wikimedia Foundation; tasks that cannot be resourced, or that are not part of the team charter, will be left with only the general #security project attached if they are in the security arena.

Please visit our page of to understand the scope of the team charter.

Requests for Service Flows

 * 1) Users reporting general issues with security should use Reporting a Security Bug.
 * 2) Users who want to discuss new projects or new work, or who need a consultation on what is relevant, should fill out our [request for service...is this asana, phab, ? Most friendly thing (TM)]
 * 3) Privacy review requests should use our intake form for Asana
 * 4) Security Readiness Review requests should follow our SOP for that service

Advanced Requests for Service Flows

 * Gerrit
   * 1) Add the security team group to reviewers. Changesets must have an associated task, and that task needs the #security-team tag.
 * Phabricator
   * 1) Newly created tasks in 'Needs Triage' with #security or #security-team will be triaged during clinic to the intake column of #security-team. Tasks not in #security-team are triaged to #security only, with a comment.
   * 2) Adding the Security project to an existing task should use the 'Protect as security issue' feature.
 * IRC
   * 1) Any significant work needs to follow an approved work intake flow.
 * Email
   * 1) Email to individual team members is not a valid work intake flow.
   * 2) Email to security-team@ is not by itself a valid work intake flow, and is considered an internal team list.

Phabricator and Security
Phabricator permissions and security may not be intuitive. It is strongly recommended that users take advantage of the 'Protect as Security Issue' and 'Report Security Issue' mechanisms where appropriate.

Definitions
Phabricator: Bug/task tracking software used by the Wikimedia Foundation and the community