Wikimedia Security Team/Services

From mediawiki.org

We seek to secure access to and the integrity of free knowledge.

Purpose

Services outlined here are currently provided by the Security Team and may be in different stages of maturity for process, documentation, standardization and exposition. Please be patient with us as we try to operate as transparently and in good faith as possible.

See our Charter for an outline of our mandate.

See our ongoing Strategy thinking to understand our mindset and priorities.

Service Arenas and Services

Security Governance

Each service is listed with its high level description, the activities associated with it, and the Request for Service (RFS) and additional documentation that apply.

Security Risk Management
  Description: Provide a security risk management framework to identify and treat risk. Provide security risk assessment and treatment services to the Foundation.
  Activities: Risk identification; Risk assessment; Risk reporting; Risk treatment
  RFS and additional documentation: Request for Service; Service Description

Data Protection
  Description: Provide a data protection framework in the pursuit of data management and governance.
  Activities: Data classification; Data inventory; Data release review; Data governance
  RFS and additional documentation: Request for Service

Security Policy and Procedure
  Description: Provide a comprehensive set of security policies and procedures to create governance and repeatability for security-relevant processes.
  Activities: Policy creation; Policy management; Policy exception
  RFS and additional documentation: Request for Service

Security Incident Response
  Description: Ensure that threats against the confidentiality, availability and integrity of the Wikimedia Community and Foundation are identified, contained, investigated and remediated.
  Activities: Security incident plan; Security incident coordination; Security incident playbooks
  RFS and additional documentation: Request for Service; Policy

Threat Modeling
  Description: Provide an overview of threats and the bad actors behind them as they relate to the threat landscape.
  Activities: Foundation threat model; Individual project/service threat modeling
  RFS and additional documentation: Request for Service

Supplier Assessments
  Description: Provide oversight, guidance and assessments for 3rd-party suppliers or partners.
  Activities: Security review for 3rd-party suppliers; Security-specific contract language; Auditing of 3rd parties
  RFS and additional documentation: Request for Service

Security Awareness
  Description: Provide education and security best-practice guidance to the Foundation and to the community.
  Activities: Delivery of security-relevant educational material
  RFS and additional documentation: Request for Service; Policy

Fusion Center
  Description: Serve as the Security team's intake point for work from all sources. Provide a training ground (talent incubator) for new Security team staff.
  Activities: Conduct the weekly Security team Clinic meeting; Talent Incubator
  RFS and additional documentation: Request for Service

Security Engineering

Application Security
  Description: Security-focused code reviews and audits ranging from basic guidance on a Gerrit patch set to full-featured reviews of MediaWiki core, extensions and stand-alone services.
  Activities:
    1. Manual review of patches and code
    2. Dynamic analysis of libraries and applications
    3. Report creation and review
  RFS and additional documentation: Security Readiness Reviews; Request for Service; Vulnerability Management

Privacy Engineering
  Description: Provide procedures and tools for the review of data processing activities to identify and mitigate associated risks to the organization and its users, including compliance with existing policies.
  Activities:
    • Privacy data reviews
    • Privacy functionality reviews
    • Privacy mitigation support
    • Privacy Awareness and Privacy by Design Training
  RFS and additional documentation: Request for Service; Privacy Review Template / Example

Security Architecture

Security Tooling
  Description: GRC and other tooling creation and management

Audit
  Activities:
    1. Control Audits
    2. Penetration Testing
    3. Compliance
    4. Red Team
  RFS and additional documentation: Request for Service

[P]reviews (Products, Projects, and Programs)
  RFS and additional documentation: Request for Service

Enterprise Risk
  RFS and additional documentation: Request for Service

Reference Materials