Security/SOP/Requests For Service

SOP Name: WIKISEC-RFS-SOP

SOP Description: Processes through which to request resourcing, feedback and commitment from the Security Team

Authority: Director of Security

Review Required by: 1/10/21

Author(s): Wikimedia Security Team

Data Classification: Public

Purpose
In order to effectively resource the highest priority work and to enable predictability (as much as it is possible) in customer interactions we have defined standards for work intake and processing.

Requests that follow a recognized intake flow will be (at a minimum) discussed by the Security Team during our weekly clinic meeting. The Security Team is a limited component within Wikimedia Foundation and tasks that cannot be resourced or are not part of our current Services offerings will be left with the general #security project attached if they are in the security arena.

Please see our services to understand the implemented portion of our charter.

Making a Request for Service

 * 1) Users who wish to discuss new initiatives or require assistance determining which services are relevant should fill out our request for service form.
 * 2) Privacy review requests should use our Privacy intake form in Asana
 * 3) Security Readiness Review requests should follow our SOP for that service
 * 4) Users reporting general issues with security should see Reporting Security Bugs.

If all else fails, an email to [mailto:security-help@wikimedia.org security-help@] is a valid initial step when there is uncertainty regarding process, scope, services needed, etc. We want to assist you in navigating our workflows :)

Advanced Requests for Service

 * 1) Gerrit: add the security team group to reviewers. Changsets must have an associated task, and that task needs the #security-team project associated.
 * 2) Phabricator
 * 3) Newly created Tasks in #security-team ‘Needs Triage’ will be triaged during weekly clinic to the intake column of #security-team. Tasks not #security-team resourced are triaged to #security only with a comment.
 * 4) Security protections added to existing tasks should use the ’Protect as security issue’ feature. This is selectable on the right side panel of existing tasks.
 * IRC
 * 1) Any significant work needs to follow an approved work intake flow.
 * 2) Email
 * 3) Email to security-help@ is a valid initial step when there is uncertainty regarding process, scope, services needed, etc.
 * 4) Email to individual team members is not a valid work intake flow
 * 5) Email to security-team@ is not by itself a valid work intake flow, and is considered an internal team list.

Phabricator and Security
Phabricator permissions and security may not be intuitive. It is strongly recommended users take advantage of the Protect as Security Issue and Report Security Issue mechanisms where appropriate.

Definitions
Phabricator: Bug/Task tracking software used by Wikimedia Foundation and community