Security/SOP/Access to Phabricator Security Issues

SOP Name: WIKISEC-PHABSECACCESS-SOP

SOP Description: Process to gain access to sensitive and nonpublic issues in Phabricator

Authority: Director of Security

Review Required by: 2/28/2020

Author(s): Wikimedia Security Team

Data Classification: Public

Purpose
By default, access to view and edit private Security issues in Phabricator is limited and is granted on an as-needed basis at the discretion of the Wikimedia Security Team. Access to individual tasks related to a particular issue or incident does not, by itself, constitute the need for access to all Security issues.

Procedure

 * 1) Create a Phabricator account
 * 2) Sign a volunteer non-disclosure agreement or a WMF employee non-disclosure agreement. If you're already a working WMF employee, you have likely already signed an NDA as part of your Terms of Employment and can skip this step. Real names are required at this step for NDA/Legal purposes, but are only visible to required personnel.
 * 3) Set up Two-Factor Authentication for your Phabricator account under Settings → Authentication → Multi-Factor Auth.
 * 4) If you are a WMF employee, link your Staff SUL account (the one that ends in "(WMF)") to your Phabricator account. The Staff SUL account should be created for you by OIT during the onboarding process.
 * 5) Submit an access request, supplying your Phabricator username and the reason(s) you need access to private Security issues in Wikimedia Phabricator. Do not include private information in the access request.
 * 6) If you are a WMF employee, your manager and the Director of Security will sign off on your access. If you are not a WMF employee, access is granted at the discretion of the Director of Security.

Requests are reviewed on a weekly basis in the Security Team clinic meeting, which is usually on Wednesday of each week.

Definitions
Phabricator: Bug/Task tracking software used by the Wikimedia Foundation and community.