Security/SOP/Requests For Service

SOP Name: WIKISEC-RFS-SOP

SOP Description: Processes through which to request resourcing, feedback and commitment from the Security Team

Authority: Director of Security

Review Required by: 1/10/21

Author(s): Wikimedia Security Team

Data Classification: Public

Purpose
In order to effectively resource the highest-priority work and to enable predictability (as far as possible) in customer interactions, we have defined standards for work intake and processing.

Requests that follow a recognized intake flow will (at a minimum) be discussed by the Security Team during our weekly clinic meeting. The Security Team is a limited component within the Wikimedia Foundation; tasks that cannot be resourced or are not part of the team charter will be left with only the general #security project attached if they are in the security arena.

Please visit our page of services to understand the scope of the team charter.

Requests for Service Flows

 * 1) Users who wish to discuss new projects, new work, or require assistance determining which services are relevant should fill out our request for service form.
 * 2) Privacy review requests should use our Privacy intake form in Asana.
 * 3) Security Readiness Review requests should follow our SOP for that service.
 * 4) Users reporting general issues with security should use Reporting Security Bugs.

Advanced Requests for Service Flows

 * Gerrit
   * 1) Add the security team group to reviewers. Changesets must have an associated task, and that task needs the #security-team project.
 * Phabricator
   * 1) Newly created tasks in #security-team 'Needs Triage' will be triaged during the weekly clinic to the intake column of #security-team. Tasks not in #security-team are triaged to #security only, with a comment.
   * 2) Adding the Security project to an existing task should be done with the 'Protect as security issue' feature.
 * IRC
   * 1) Any significant work needs to follow an approved work intake flow.
 * Email
   * 1) Email to security-help@ is a valid initial step when there is uncertainty regarding process, scope, services needed, etc.
   * 2) Email to individual team members is not a valid work intake flow.
   * 3) Email to security-team@ is not by itself a valid work intake flow, and is considered an internal team list.

Phabricator and Security
Phabricator permissions and security may not be intuitive. It is strongly recommended that users take advantage of the 'Protect as Security Issue' and 'Report Security Issue' mechanisms where appropriate.

Definitions
Phabricator: Bug/Task tracking software used by Wikimedia Foundation and community