Security/SOP/Access to Phabricator Security Issues

SOP Name: WIKISEC-PHABSECACCESS-SOP

SOP Description: Process to gain access to sensitive and nonpublic issues in Phabricator

Authority: Director of Security

Review Required by: 28 February 2020

Author(s): Wikimedia Security Team

Data Classification: Public

Purpose
Access to view and edit private Security issues in Phabricator by default is limited, and granted on an as-needed basis at the discretion of the Wikimedia Security Team. Access to individual tasks related to a particular issue or incident does not, by itself, constitute the need for access to all Security issues.

Procedure

 * 1) Create a Phabricator account
 * 2) Sign a volunteer non-disclosure agreement or a WMF employee non-disclosure agreement. If you're already a working WMF employee, you have likely already signed an NDA as part of your Terms of Employment and can skip this.  Real names are required at this step for NDA/Legal purposes, but are only visible to required personnel.
 * 3) Set up Two-Factor Authentication for your Phabricator account under Settings → Authentication → Multi-Factor Auth.
 * 4) If you are a WMF employee then link your Staff SUL account that ends in (WMF) to your Phabricator account. This should be created for you during the onboarding process by OIT.
 * 5) Submit an access request, supplying your Phabricator username, and the reason(s) you need access to private Security issues in Wikimedia Phabricator.   Do not include private information in the access request.
 * 6) If you are a WMF employee then your manager and the Director of Security will sign off on your access.  If you are not a WMF employee then access is granted at the discretion of the Director of Security

Requests are reviewed on a weekly basis in the Security Team clinic meeting, which is usually on Wednesday of each week.

Access Review
On certain occasions, Phabricator security access may be reviewed by the Security Team and revoked if it is determined that an individual or entity has abused, been negligent with or no longer requires said security access. These audits are meant to be performed annually at a minimum.

Definitions
Phabricator: Bug/Task tracking software used by Wikimedia Foundation and community