Wikimedia Technology/Annual Plans/FY2019/CDP1: Privacy, Security, and Data Management/CDP Budget Segment 2/Goals

From mediawiki.org

Program Goals and Status for FY18/19

  • Goal Owner: John Bennett
  • Program Goals for FY18/19: Develop, maintain and mature our privacy, security, and data management practices in order to protect Wikimedia community member and donor information, comply with applicable privacy and data protection regulations, and ensure safe and secure connection to Wikimedia projects and sites in accordance with the values of the movement.
  • Annual Plan: Segment 2 - Security

Q1: July to September 2018

Outcome 1 / Output 1

Ensure the high-quality protection and security of our infrastructure and data.

Review and update current security policies, standards and procedures

Goal(s)

  • Review and mature our security policies and awareness functions:
    • Create or update 3 security policies
    • Provide Security Awareness training
    • Perform Phishing campaign

Status

Note: July 2018

  • Done: 1 of the 3 policies has been created
  • Done: Define Awareness content

Note: August 2018

  • To do: Define additional policies to update/create
  • In progress: Draft version of "Protecting your Digital Identity" created for Awareness Campaign
  • To do: Onboard vendor to support Phishing platform

Note: September 12, 2018

  • In progress: Update/create identified password use policies and incident response policies
  • Partially done: Provide awareness training (will be presented in October)
  • To do: Perform phishing campaign; this will be completed in Q2

Outcome 1 / Output 2

Ensure the high-quality protection and security of our infrastructure and data.

Reduce risk, improve application security practices, improve code quality, reduce vulnerabilities and attack surface and encourage a secure by design approach.

Goal(s)

  • Testing campaigns:
    • Implement CSP in alert only mode
    • Penetration testing for English Wikipedia site
    • Security Release
    • Analytics Risk Assessment and Threat Model

Status

Note: July 2018

  • Done: Initial test rollout of CSP on test wiki
  • Done: Define scope and onboard vendor for pen testing
  • In progress: Identify elements for security release
  • Done: Identify and scope Analytics assessment

Note: August 2018

  • In progress: Expand CSP rollout
  • In progress: Select pen testing dates
  • In progress: Prepare security release
  • In progress: Identify and scope Analytics assessment

Note: September 12, 2018

  • In progress: Expand CSP rollout
  • To do: Complete pen testing (will start at end of September)
  • To do: Prepare security release (currently stalled based on hiring)
  • In progress: Complete Analytics assessment

Outcome 1 / Output 3

Ensure the high-quality protection and security of our infrastructure and data.

Increase maturity and capabilities in the event of a security incident.

Goal(s)

  • Perform 2 Incident Response table top exercises

Status

Note: July 2018

  • Done: Perform Incident response exercise

Note: August 2018

  • Done: Perform 2nd Incident response exercise

Note: September 12, 2018

  • In progress: Update Incident Response Plan


Q2: October to December 2018

Note: Due to major security incidents in October and November, all Security resources were dedicated to working on these incidents, which negatively affected the team's ongoing scheduled work.

Outcome 1 / Output 1

Ensure the high-quality protection and security of our infrastructure and data.

Review and update current security policies, standards and procedures

Goal(s)

  • Review and mature our security policies and awareness functions:
    • Create or update 3 security policies
    • Provide Security Awareness training
    • Perform Phishing campaign

Status

Note: October 18, 2018

  • On track to publish policy changes by the end of Oct
  • Awareness content created and ready to deliver
  • Phishing campaign will be delayed until Nov.

Note: December 12, 2018

  • Awareness training is now Done — one training session for FR-Tech happened in November, and the new policy was used during that training. Blog post will go out by end of December.
  • Phishing campaign is Stalled; we hope to be done in early 2019


Outcome 1 / Output 2

Ensure the high-quality protection and security of our infrastructure and data.

Reduce risk, improve application security practices, improve code quality, reduce vulnerabilities and attack surface and encourage a secure by design approach.

Goal(s)

  • Testing campaigns:
    • Implement CSP in alert only mode
    • Penetration testing for mobile apps
    • Security Release
    • OIT Risk Assessment and Threat Model
    • NIST CSF style assessment
    • Consider incorporation of Phan-taint-check into MW Core

Status

Note: October 18, 2018

  • CSP changes in progress
  • 1st round of pen testing (on en wikipedia) will conclude by the end of Oct.
  • OIT assessment will be pushed into at least Nov
  • NIST CSF assessment on track to begin in Oct but will likely conclude in Nov.
  • Initial discussions have begun to include Phan in MW core but will not be completed in Oct.

Note: December 12, 2018

  • CSP changes are now Done
  • 1st round of pen testing (on en wikipedia) is Done
  • OIT assessment is Cancelled; might be picked up in 2019.
  • NIST CSF assessment is Stalled; should be picked up again in early 2019.
  • Initial discussion to include Phan in MW core is In progress and should be completed by end of December.


Outcome 1 / Output 3

Ensure the high-quality protection and security of our infrastructure and data.

Increase maturity and capabilities in the event of a security incident.

Goal(s)

  • Finalize and test our Incident Response documentation

Status

Note: October 18, 2018

  • Final tabletop with Legal will be held on Oct 30.

Note: December 12, 2018

  • This is In progress: the documentation is being written and should be published on MediaWiki sometime in late December. This goal will probably finish up in Q3 (early January). It has been thoroughly tested and will be published in January 2019.

Q3: January to March 2019

Outcome 1 / Output 1

Ensure the high-quality protection and security of our infrastructure and data. Review and update current security policies, standards and procedures

Goal(s)

Review and mature our security policies and awareness functions:

  • Create or update 3 security policies
  • Provide Security Awareness training
  • Perform Phishing campaign
  • Security Code Review process improvements completed and published
  • Update/Consolidate security documentation

Status

Note: January 9, 2019

  • Security policy updates are In progress ('acceptable use' is first up)
  • Training is In progress; working on revising content to be published later in January
  • Phishing campaign will start after the awareness training is done (most likely in Feb 2019)
  • Security code review improvements are In progress (in review now); we hope to publish them by end of quarter
  • Updating and consolidating security documentation is also In progress

Note: February 13, 2019

  • Security policy updates are still In progress, now on the incident response policies; we're hoping for 3 to be published this quarter.
  • Training is still In progress; we recently published https://www.mediawiki.org/wiki/Protecting_your_digital_identity
  • Phishing campaign will start in the next couple of weeks, going dept by dept to train folks.
  • Security code review improvements are In progress, and the documentation is expected to be released this week.
  • Updating and consolidating security documentation is still In progress; we are inventorying all the docs we have now and consolidating them (policy, SOP, standards, etc.).

Note: March 14, 2019

  • Security code review improvements are Done
  • Updating and consolidating security documentation is Partially done but will finish up in Q4
  • Security policy updates are Partially done right now, and will complete by EOQ
  • Phishing campaign has been Postponed to Q4
  • Security code review improvements are In progress but hope to be done by EOQ


Outcome 1 / Output 2

Ensure the high-quality protection and security of our infrastructure and data. Reduce risk, improve application security practices, improve code quality, reduce vulnerabilities and attack surface and encourage a secure by design approach.

Goal(s)

  • Expansion of CSP
  • Security Release
  • Analytics Risk Assessment and Threat Model
  • Incorporation of Phan-taint-check into MW Core
  • Evaluate dynamic scanners
  • Routine penetration testing

Status

Note: January 9, 2019

  • Expansion of CSP (a long running goal) is In progress, as is the security release.
  • Risk assessment is also In progress and should be done by end of Feb 2019
  • Incorporation of Phan-taint-check into MW Core is a bit slow to get going — adoption into Core is slow and might be delayed into Q4.
  • Dynamic scanner work will be completed in March or April 2019
  • Next round of penetration testing is In progress, using info from latest incidents

Note: February 13, 2019

  • Expansion of CSP (a long running goal) is a bit Stalled but still expected to be done this quarter.
  • Security release is also Stalled and will most likely be pushed to Q4.
  • Risk assessment is also In progress and should be done by end of Feb 2019
  • Incorporation of Phan-taint-check into MW Core is also Stalled
  • Dynamic scanner work will most likely be completed in Q4, or pushed into next FY. We'd like to do some manual scanning first, rather than building an automatic version.
  • Next round of penetration testing is still In progress, but we're not totally happy with the results from enwiki, so the vendor did the work again and produced a JavaScript threat model. We think we can call this Done for this quarter.

Note: March 14, 2019

  • Expansion of CSP (a long running goal) is still Stalled for now; it will be revised for Q4 work, and might take about a year to complete
  • Security release is also Stalled, but looking to do a release in Q4
  • Risk assessment is Partially done and will be completed by EOQ
  • Incorporation of Phan-taint-check into MW Core (another long running goal) will transition the work within the team this quarter; it might take another 6 months to be fully incorporated into MediaWiki core.
  • Dynamic scanner work has been Postponed to Q4
  • Penetration testing is Done for this FY


Outcome 1 / Output 3

Ensure the high-quality protection and security of our infrastructure and data.

Increase maturity and capabilities in the event of a security incident.

Goal(s)

  • Perform tooling and process retro
  • Finalize and test our Incident Response documentation
  • Create incident play by play dashboard
  • Perform 1 large scale tabletop exercise

Status

Note: January 9, 2019

  • Tooling and process retro will take place in Feb 2019
  • Response documentation finalization will most likely be completed in March 2019
  • Play by play dashboard is In progress
  • Large scale tabletop exercise will happen in March

Note: February 13, 2019

  • Tooling and process retro is Partially done (held during our All Hands offsite), but we'll need to do a bit more. This will become a longer running goal in the future.
  • Response documentation finalization has started and is In progress; we will have a working version by EOQ.
  • Play by play dashboard is Stalled for now; we hope to get back to it.
  • Large scale tabletop exercise will happen sometime in March, but the work might be moved into Q4.

Note: March 14, 2019

  • Tooling and process retro was Done earlier in the quarter, and we are still building out the incident response documentation from the last incident; this process will run into Q4 (mostly for alerting)
  • Incident Response documentation playbooks are still In progress and will go into next FY
  • Incident play by play dashboard is now a stretch goal to be tackled in Q4
  • Large scale tabletop exercise has been Postponed to Q4


Q4: April to June 2019

Outcome 1 / Output 1

Ensure the high-quality protection and security of our infrastructure and data. Review and update current security policies, standards and procedures

Goal(s)

Review and mature our security policies and awareness functions:

  • Create or update 3 security policies (ongoing goal)
  • Provide Security Awareness training (ongoing goal)
  • Perform Phishing campaign
  • Form Security Council
  • Form strategy and begin initial steps toward building a data governance platform
  • Form strategy and begin initial steps toward building a vulnerability management program
  • Assess current security logging capabilities (stretch goal)

Status

Note: April 2019

  • Policy - In progress: updates and review of new Security Readiness Review SOP
  • Policy - In progress: SOP for creating new security policy has been drafted, and is in review
  • Policy - In progress: Acceptable Use Policy has been drafted, is in review, and is scheduled to go into effect on 10 June 2019
  • Policy - In progress: Security Incident Response policy is being drafted, due by end of 4Q 2019
  • In progress: Security Awareness/Phishing - Once the Acceptable Use Policy is approved, awareness sessions will be held
  • In progress: Data governance platform review and construction in progress
  • In progress: Vuln mgmt
  • In progress: Logging - needs update

Note: May 30, 2019

  • In progress: Policy - reconcile and polish the Data Classification and Data Protection policies
  • Done: Membership for Security Council selected, planning on 1st meeting in June
  • Policy - In progress: updates and review of new Security Readiness Review SOP
  • Policy - In progress: SOP for creating new security policy has been drafted, and is in review
  • Policy - In progress: Acceptable Use Policy has been drafted, is in review, and is scheduled to go into effect in June 2019
  • Policy - Done: Security Incident Response policy is being drafted, due by end of 4Q 2019
  • In progress: Vuln mgmt -- Initial scans performed, evaluating scanning solutions and results.
  • In progress: Logging - Updates to alerting capabilities.
  • Stalled: Perform Phishing campaign. Maybe catch up on some pieces next month.
  • Policy - In progress: update Data Classification policy.

To do: June 2019

  • Done: Create or update 3 security policies (ongoing goal)
  • In progress: Provide Security Awareness training (ongoing goal)
  • Stalled: Perform Phishing campaign
  • Done: Form Security Council
  • In progress: Form strategy and begin initial steps toward building a data governance platform
  • In progress: Form strategy and begin initial steps toward building a vulnerability management program
  • In progress: Assess current security logging capabilities (stretch goal)

Outcome 1 / Output 2

Ensure the high-quality protection and security of our infrastructure and data. Reduce risk, improve application security practices, improve code quality, reduce vulnerabilities and attack surface and encourage a secure by design approach.

Goal(s)

  • Expansion of CSP (ongoing goal)
  • Security Release (ongoing goal)
  • Analytics Risk Assessment and Threat Model
  • Incorporation of Phan-taint-check into MW Core (stretch goal)
  • Phan 2.x development and release (stretch goal)
  • Evaluate dynamic scanners
  • Routine penetration testing
  • Polish and demo appsec docker “toolboxes” (PHP, Python)
  • Improve security tooling for Phab/Gerrit monitoring
  • Formalized process and SOP for concept/design reviews.
  • Generate initial security metrics/measurements

Status

Note: April 2019

  • In progress: Routine penetration testing - Scoping
  • In progress: Phan 2.x development and release - 2.x branch created, updates cherry-picked, older patches reviewed and cherry-picked
  • In progress: Evaluate dynamic scanners - new task created T219567, tool review, meeting w/ ZAP lead dev (Simon @ Mozilla)
  • In progress: See T221477, hopefully some WIP patches soon
  • In progress: Formalized process and SOP for concept/design reviews - still reviewing, see also related Output 1 goal
  • Done: Improve security tooling for Phab/Gerrit monitoring - calling this done for this quarter

Note: May 30, 2019

  • In progress: Routine penetration testing - Scoping completed, awaiting scheduling
  • In progress: Phan 2.x development and release - 2.x branch created, updates cherry-picked, older patches reviewed and cherry-picked
  • In progress: Evaluate dynamic scanners - new task created T219567, tool review, meeting w/ ZAP lead dev (Simon @ Mozilla)
  • In progress: See T221477, hopefully some WIP patches soon
  • In progress: Formalized process and SOP for concept/design reviews - still reviewing, see also related Output 1 goal
  • Stalled: Metrics generation; maybe catch up next month.
  • Done: Improve security tooling for Phab/Gerrit monitoring - calling this done for this quarter
  • Done: Analytics Risk Assessment and Threat Model
  • In progress: Security release on track and scheduled for next month.

To do: June 2019

  • In progress: Expansion of CSP (ongoing goal)
  • Done: Security Release (ongoing goal)
  • Done: Analytics Risk Assessment and Threat Model
  • In progress: Incorporation of Phan-taint-check into MW Core (stretch goal)
  • In progress: Phan 2.x development and release (stretch goal)
  • In progress: Evaluate dynamic scanners
  • In progress: Routine penetration testing
  • In progress: Polish and demo appsec docker “toolboxes” (PHP, Python)
  • In progress: Improve security tooling for Phab/Gerrit monitoring
  • Done: Formalized process and SOP for concept/design reviews.
  • Stalled: Generate initial security metrics/measurements


Outcome 1 / Output 3

Ensure the high-quality protection and security of our infrastructure and data.

Increase maturity and capabilities in the event of a security incident.

Goal(s)

  • Perform tooling and process retro
  • Finalize and test our Security Incident Response documentation
  • Create incident play by play dashboard
  • Perform 1 large scale tabletop exercise

Status

Note: April 2019

  • Done: Security incident scale proposals drafted, now in review
  • In progress: Security Incident Response policy and supporting incident response playbooks are being drafted

Note: May 30, 2019

  • In progress: Security incident scale proposals drafted, now in review
  • In progress: Security Incident Response policy and supporting incident response playbooks are being drafted
  • Stalled: Create incident play by play dashboard; likely delayed until next quarter.

To do: June 2019

  • Done: Perform tooling and process retro
  • In progress: Finalize and test our Security Incident Response documentation
  • Stalled: Create incident play by play dashboard
  • Done: Perform 1 large scale tabletop exercise