Wikimedia Security Team/Strategy

= Purpose =

As a top 10 website, the Wikimedia projects rank just below the sites of Google, Facebook, YouTube, and Baidu. And like those sites, Wikimedia’s sites are a potential target of software hackers, server attacks, security breaches, malware infections, phishing campaigns, harassment efforts, and other bad behavior that’s designed to take down the sites, impede their operation, or undermine user engagement.

While threats to our operations occur nearly every day, we work proactively to prevent cyber attacks by following best practice and by leveraging available open source software and trusted third-party partners to aid our security efforts. As our capabilities mature, we update tools and processes to keep pace with industry-wide security best practice and to address emergent threats.

As we pursue a more comprehensive security strategy over the next five years, three areas of interest will be Security Governance, Security Engineering and Security Architecture. We selected these three areas to align with best practice and to address gaps identified through recent security incidents. This list of focus areas should be considered only a starting point: a set of functional security areas and services for use now, and for future practitioners to build upon.

= Moving Targets and Future Planning =

This document outlines the evolving strategy the Wikimedia Security team pursues to ensure the confidentiality, integrity and availability of the Foundation’s infrastructure, applications and data.

This document helps guide decisions and resources toward the goals of the Security organization over the next one to five years. It is iterative in nature and will continue to evolve as we face new threats, identify and balance new risks, and as the Security organization matures.

= High Level Goals =

== Secure Culture ==
 * Provide routine security awareness to the community and foundation
 * Identify and share risk and threat information across the community and foundation
 * Expand capabilities and share security responsibility and process where appropriate with the community

== Improving Security Systems and Processes ==
 * Embed security and privacy into existing and future processes
 * Leverage automation to improve efficiency and address resource gaps

== Implementing Best Practices ==
 * Align with best practice and create repeatable, auditable controls to address current and emergent risks and threats

== The Security organization seeks to build a culture of security ==
For the Security organization to be successful in this regard, we must first establish what our current capabilities are, where our weaknesses exist, and what we should focus on in the short and medium term to address those weaknesses. These beginning efforts have been under way over the last several months and have included, but are not limited to, the hiring of additional security staff to expand our capabilities, high-level threat modeling and capability assessments, moderate penetration testing activities, expansion and rigorous examination of our Security Incident Response process, building the foundation for supporting the individual members of the security team, and creating the foundations of our security program. Upon examination, the Security organization has identified two specific audiences we are trying to reach.

== The Community and the Wikimedia Foundation ==
The Security organization recognizes the need to create a more comprehensive approach to addressing and maturing security culture and capabilities across the Community and the Wikimedia Foundation. Our early efforts will primarily revolve around a few initiatives to build a good base and to foster change across the Foundation. Security Governance and Security Engineering are the two primary areas the Security organization will focus on in the next five years. These areas have multiple sub-functions that support the primary initiative.

We will not be creating rules for the sake of creating them. Policies and procedures will be created to address and balance risk. While we will use security best practice guidance from organizations like NIST, ISO and CIS, that guidance will be used only as guiding principles and not applied indiscriminately.