The Security Risk Management service seeks to provide the following:.
- Security Risk Identification, Assessment and Analysis
- Security Risk Management and tracking
- Security Risk Communication
- Security Risk Metrics and Measurements
Security Risk Assessment and Analysis:
The Wikimedia Security team will provide the following services in support of maturing our security risk management processes.
- Generalized security risk assessment and analysis
- Risk assessment based on industry standard best practice (FAIR/ISO 31000)
- Assessments will be either interview or review based
- Output of assessment will include documented risk assessment and will provide recommended risk treatment options.
- To request a security risk assessment follow the RFS process
- The security team will review and complete your risk assessment within 30 day of receiving all the requested information
- Risk response and owner responsibilities are expected to follow guidance per the risk taxonomy
Security Risk Management and Tracking
- All risks will be reviewed on no less than an annual basis
- Ongoing risk tracking for accepted, reduced or transferred risk will be tracked by the Security team in the Enterprise Risk Register
Security Risk Communication
- Risk owners will be provided a status of ongoing risk no less than bi-annually
- The security team will report to the audit committee at least annually and provide a register of risks relating the the Cyber impact category.
- The security and enterprise risk teams will provide at least annually an overview of all risks the Foundation faces in a consumable format
- The Security team will work with the Risk and Audit committee to provide abstracts of relevant risks to the community
Metrics and Measurements
- The security team will create the following metrics or measurements in support of the security risk management program
- Number of open risks without risk owner with a severity of High or greater
- Number of accepted open risks with a severity of High or greater
- Number of risk mitigated or reduced to Low severity in the last 6 months
- Department or team with the greatest risk profile