Security/SOP/Access to Phabricator Security Issues

SOP Name: WIKISEC-PHABSECACCESS-SOP

SOP Description: Process to gain access to sensitive and nonpublic issues in Phabricator

Authority: Director of Security

Review Required by: 2/28/2020

Author(s): Wikimedia Security Team

Data Classification: Public

Purpose
Access to view and edit private Security issues in Phabricator is limited by default and is granted on an as-needed basis at the discretion of the Wikimedia Security Team. Access to individual tasks related to a particular issue or incident does not, by itself, constitute the need for access to all Security issues.

Procedure

 * 1) Create a Phabricator account
 * 2) Sign a volunteer non-disclosure agreement or a WMF employee non-disclosure agreement. If you're already a working WMF employee, you have likely already signed an NDA as part of your Terms of Employment and can skip this. Real names are required at this step for NDA/Legal purposes, but are only visible to required personnel.
 * 3) Set up Two-Factor Authentication for your Phabricator account under Settings → Authentication → Multi-Factor Auth.
 * 4) If you are a WMF employee, link your Staff SUL account that ends in (WMF) to your Phabricator account. This should be created for you during the onboarding process by OIT.
 * 5) Submit an access request, supplying your Phabricator username and the reason(s) you need access to private Security issues in Wikimedia Phabricator. Do not include private information in the access request.

Requests are reviewed on a weekly basis in the Security Team meeting, which is usually on Tuesday of each week.

Definitions
Phabricator: Bug/Task tracking software used by the Wikimedia Foundation and community