Security/ServiceDescriptions/SRMsd

Service Description:
The Security Risk Management service seeks to provide the following:

 * 1) Security Risk Identification, Assessment and Analysis
 * 2) Security Risk Management and tracking
 * 3) Security Risk Communication
 * 4) Security Risk Metrics and Measurements

Security Risk Assessment and Analysis:
The Wikimedia Security team will provide the following services in support of maturing our security risk management processes.
 * 1) Generalized security risk assessment and analysis
 * 2) Risk assessment based on industry standard best practice (FAIR/ISO 31000)
 * 3) Assessments will be either interview or review based
 * 4) Output of assessment will include documented risk assessment and will provide recommended risk treatment options.
 * 5) To request a security risk assessment follow the RFS process
 * 6) The security team will review and complete your risk assessment within 30 days of receiving all the requested information
 * 7) Risk response and owner responsibilities are expected to follow guidance per the risk taxonomy

Security Risk Management and Tracking

 * 1) All risks will be reviewed on no less than an annual basis
 * 2) Ongoing risk tracking for accepted, reduced or transferred risk will be tracked by the Security team in the Enterprise Risk Register

Security Risk Communication

 * 1) Risk owners will be provided a status of ongoing risk no less than bi-annually
 * 2) The security team will report to the audit committee at least annually and provide a register of risks relating to the Cyber impact category.
 * 3) The security and enterprise risk teams will provide at least annually an overview of all risks the Foundation faces in a consumable format
 * 4) The Security team will work with the Risk and Audit committee to provide abstracts of relevant risks to the community

Metrics and Measurements

 * 1) The security team will create the following metrics or measurements in support of the security risk management program
 * 2) Number of open risks without a risk owner with a severity of High or greater
 * 3) Number of accepted open risks with a severity of High or greater
 * 4) Number of risks mitigated or reduced to Low severity in the last 6 months
 * 5) Department or team with the greatest risk profile