Security/SOP/Access to Phabricator Security Issues

SOP Name: WIKISEC-PHABSECACCESS-SOP

SOP Description: Process to gain access to sensitive and nonpublic issues in Phabricator

Authority: Director of Security

Last reviewed on: 28 February 2019

Author(s): Wikimedia Security Team

Data Classification: Public

Purpose
Access to view and edit private Security issues in Phabricator by default is limited, and granted on an as-needed basis at the discretion of the Wikimedia Security Team. Access to individual tasks related to a particular issue or incident does not, by itself, constitute the need for access to all Security issues.

Procedure

 * 1) Create a Phabricator account
 * 2) Sign a volunteer non-disclosure agreement or a WMF employee non-disclosure agreement. If you're already a working WMF employee, you have likely already signed an NDA as part of your Terms of Employment and can skip this. Real names are required at this step for NDA/Legal purposes, but are only visible to required personnel.
 * 3) Set up Two-Factor Authentication for your Phabricator account under Settings → Authentication → Multi-Factor Auth.
 * 4) If you are a WMF employee then link your Staff SUL account that ends in (WMF) or -WMF to your Phabricator account. This should be created for you during the onboarding process by OIT.
 * 5) Submit an access request, supplying your Phabricator username, and the reason(s) you need access to private Security issues in Wikimedia Phabricator. Do not include private information in the access request.
 * 6) If you are a WMF employee then your manager and the Security Team will sign off on your access. If you are not a WMF employee then access is granted at the discretion of the Security Team. Please note that in the latter case, there may be both a lengthier time period for approval and more onerous requirements for approval.

Requests are reviewed on a weekly basis in the Security Team clinic meeting, which is usually on Monday of each week.

Access Review
On certain occasions, Phabricator security access may be reviewed by the Security Team and revoked if it is determined that an individual or entity has abused, been negligent with, or no longer requires said security access. These audits are meant to be performed annually at a minimum.