Ensure the high-quality protection and security of our infrastructure and data.

Review and update current security policies, standards and procedures

• Review and mature our security policies and awareness functions:
  • Create or update 3 security policies
  • Provide Security Awareness training
  • Perform Phishing campaign

 Note: July 2018

• Done 1 of the 3 policies has been created
• Done Define Awareness content

 Note: August 2018

• To do Define additional policies to update/create
• In progress Draft version of "Protecting your Digital Identity" created for Awareness Campaign
• To do On board vendor to support Phishing platform

 Note: September 12, 2018

• In progress Update/create identified password use policies and incident response policies
• Partially done Provide awareness training (will be presented in October)
• To do Perform phishing campaign, this will completed in Q2

Ensure the high-quality protection and security of our infrastructure and data.

Reduce risk, improve application security practices, improve code quality, reduce vulnerabilities and attack surface and encourage a secure by design approach.

• Testing campaigns:
  • Implement CSP in alert only mode
  • Penetration testing for English Wikipedia site
  • Security Release
  • Analytics Risk Assessment and Threat Model

 Note: July 2018

• Done initial test rollout of CSP on test wiki
• Done Define scope and onboard vendor for pen testing
• In progress identify elements for security release
• Done identify and scope Analytics assessment

 Note: August 2018

• In progress Expand CSP rollout
• In progress Select pen testing dates
• In progress Prepare security release
• In progress identify and scope Analytics assessment

 Note: September 12, 2018

• In progress Expand CSP rollout
• To do Complete pen testing--will start at end of September
• To do Prepare security release (currently stalled based on hiring)
• In progress Complete Analytics assessment

Ensure the high-quality protection and security of our infrastructure and data.

Increase maturity and capabilities in the event of a security incident.

• Perform 2 Incident Response table top exercises

 Note: July 2018

Done Perform Incident response exercise

 Note: August 2018

Done Perform 2nd Incident response exercise

 Note: September 12, 2018

In progress Update Incident Response Plan

 Note: Due to major security incidents in October and November, all Security Resources were dedicated to working on them incidents and this negatively affected the ongoing scheduled work to be done by the team.

Ensure the high-quality protection and security of our infrastructure and data.

Review and update current security policies, standards and procedures

• Review and mature our security policies and awareness functions:
  • Create or update 3 security policies
  • Provide Security Awareness training
  • Perform Phishing campaign

 Note: October 18, 2018

• On track to publish policy changes by the end of Oct
• Awareness content created and ready to deliver
• Phishing campaign will be delayed until Nov.

 Note: December 12, 2018

• This is now Done — one training session for FR-Tech happened in November, and the new policy was used during that training. Blog will go out by end of December.
• Phishing campaign is N Stalled and hope to be done in early 2019

Ensure the high-quality protection and security of our infrastructure and data.

Reduce risk, improve application security practices, improve code quality, reduce vulnerabilities and attack surface and encourage a secure by design approach.

• Testing campaigns:
  • Implement CSP in alert only mode
  • Penetration testing for mobile apps
  • Security Release
  • OIT Risk Assessment and Threat Model
  • NIST CSF style assessment
  • Consider incorporation of Phan-taint-check into MW Core

 Note: October 18, 2018

• CSP changes in progress
• 1st round of pen testing (on en wikipedia)will conclude by the end of Oct.
• OIT assessment will be pushed into at least Nov
• NIST CSF assessment on track to begin in Oct but will conclude likely in Nov.
• Initial discussion have begun to include Phan into MW core but will not be completed in Oct.

 Note: December 12, 2018

• CSP changes are now Done
• 1st round of pen testing (on en wikipedia) is Done
• OIT assessment is N Cancelled, might be picked up in 2019.
• NIST CSF assessment is N Stalled, should be picked up again in early 2019.
• Initial discussion is In progress to include Phan into MW core and should be completed by end of December.

Ensure the high-quality protection and security of our infrastructure and data.

Increase maturity and capabilities in the event of a security incident.

• Finalize and test our Incident Response documentation

 Note: October 18, 2018

• Final tabletop with Legal will be held on Oct 30.

 Note: December 12, 2018

• This is In progress with writing the documentation and should get published on MediaWiki sometime in late December. This goal will probably finish up in Q3 (early January). It has been throughly tested and will be published in January 2019.

Ensure the high-quality protection and security of our infrastructure and data. Review and update current security policies, standards and procedures

Review and mature our security policies and awareness functions:

• Create or update 3 security policies
• Provide Security Awareness training
• Perform Phishing campaign
• Security Code Review process improvements completed and published
• Update/Consolidate security documentation

 Note: January 9, 2019

• Security policy updates are In progress ('acceptable use' is first up)
• Training is In progress, working on revising content to be published later in January
• Phishing campaign will start after the awareness training is done (most likely in Feb 2019)
• Security code review improvements are In progress and hope to be published by end of quarter (in review now)
• Updating and consolidating security documentation is also In progress

 Note: February 13, 2019

• Security policy updates still In progress with incident responses, we're hoping for 3 to be published this quarter.
• Training is still In progress and recently published https://www.mediawiki.org/wiki/Protecting_your_digital_identity
• Phishing campaign will start in the next couple of weeks, going dept by dept to train folks.
• Security code review improvements are In progress and documentation is hoping to be released this week.
• Updating and consolidating security documentation is still In progress, we are inventorying all the docs we have now and consolidating (policy, SOP, standards, etc).

 Note: March 14, 2019

• Security code review improvements is Done
• Updating and consolidating security documentation is Partially done but will finish up in Q4
• Security policy updates are Partially done right now, and will complete by EOQ
• Phishing campaign has been N Postponed for Q4
• Security code review improvements are In progress but hope to be done by EOQ

Ensure the high-quality protection and security of our infrastructure and data. Reduce risk, improve application security practices, improve code quality, reduce vulnerabilities and attack surface and encourage a secure by design approach.

• Expansion of CSP
• Security Release
• Analytics Risk Assessment and Threat Model
• Incorporation of Phan-taint-check into MW Core
• Evaluate dynamic scanners
• Routine penetration testing

 Note: January 9, 2019

• Expansion of CSP (a long running goal) is In progress as well as security release.
• Risk assessment is also In progress and should be done by end of Feb 2019
• Incorporation of Phan-taint-check into MW Core is a bit slow to get going — adoption of getting it into Core is slow and might be delayed into Q4.
• Dynamic scanner work will be completed in March or April 2019
• Next round of penetration testing is In progress using info from latest incidents

 Note: February 13, 2019

• Expansion of CSP (a long running goal) is a bit N Stalled but still expected to be done this quarter.
• Security release is also N Stalled and will most likely be pushed to Q4.
• Risk assessment is also In progress and should be done by end of Feb 2019
• Incorporation of Phan-taint-check into MW Core is also N Stalled
• Dynamic scanner work will be most likely be completed in Q4, or pushed into next FY. We'd like to do some manual scanning first, rather than building an automatic version.
• Next round of penetration testing is still In progress but we're not totally happy with the results from enwiki, so the vendor did the work again and got a Javascript threat model. We think we can call this Done for this quarter.

 Note: March 14, 2019

• Expansion of CSP (a long running goal) is still N Stalled for now - will be revised for Q4 work, and might take about a year to complete
• Security release is also N Stalled, but looking to do a release in Q4
• Risk assessment is Partially done and will be completed by EOQ
• Incorporation of Phan-taint-check into MW Core (another long running goal), will transition the work within the team this quarter; it might take another 6 months to be fully incorportated into MediaWiki core.
• Dynamic scanner work has been N Postponed to Q4
• Penetration testing is Done for this FY

Ensure the high-quality protection and security of our infrastructure and data.

Increase maturity and capabilities in the event of a security incident.

• Perform tooling and process retro
• Finalize and test our Incident Response documentation
• Create incident play by play dashboard
• Perform 1 large scale tabletop exercise

 Note: January 9, 2019

• Tooling and process retro will take place in Feb 2019
• Response documentation finalization will be most likely completed in March 2019
• play by play dashboard is In progress
• Large scale tabletop exercise will happen in March

 Note: February 13,, 2019

• Tooling and process retro is Partially done during our All Hands offsite, but we'll need to do a bit more. This will become a longer running goal in the future.
• Response documentation finalization has started, In progress and will have a working version by EOQ.
• Play by play dashboard is N Stalled for now, we hope to get back to it.
• Large scale tabletop exercise will happen in sometime in March, but the work might be moved into Q4.

 Note: March 14, 2019

• Tooling and process retro was Done earlier in the quarter and we are still building out the incident response documentation from the last incident; this process will run into Q4 (mostly for alerting)
• Incident Response documentation playbooks are still In progress and will go into next FY
• Incident play by play dashboard is now a stretch goal to be tackled in Q4
• Large scale tabletop exercise has been N Postponed to Q4

Ensure the high-quality protection and security of our infrastructure and data. Review and update current security policies, standards and procedures

Review and mature our security policies and awareness functions:

• Create or update 3 security policies (ongoing goal)
• Provide Security Awareness training (ongoing goal)
• Perform Phishing campaign
• Form Security Council
• Form strategy and begin initial steps toward building a data governance platform
• Form strategy and begin initial steps toward building a vulnerability management program
• Assess current security logging capabilities (stretch goal)

 Note: April 2019

• Policy - In progress updates and review of new Security Readiness Review SOP
• Policy - In progress SOP for creating new security policy has been drafted, and is in review
• Policy - In progress Acceptable Use Policy has been drafted, is in review, and scheduled to go effective in 10 June 2019
• Policy - In progress Security Incident Response policy is being drafted, due by end of 4Q 2019
• In progress Security Awareness/Phishing - Once the Acceptable Use Policy is approved, awareness sessions will be held
• In progress Data governance platform review and construction in progress
• In progress Vuln mgmt
• In progress Logging - needs update

 Note: May 30, 2019

• In progress Policy - reconcile and polish the Data Classification and Data Protection policies
• Done Membership for Security Council selected, planning on 1st meeting in June
• Policy - In progress updates and review of new Security Readiness Review SOP
• Policy - In progress SOP for creating new security policy has been drafted, and is in review
• Policy - In progress Acceptable Use Policy has been drafted, is in review, and scheduled to go effective in June 2019
• Policy - Done Security Incident Response policy is being drafted, due by end of 4Q 2019
• In progress Vuln mgmt -- Initial scans performed, evaluating scanning solutions and results.
• In progress Logging - Updates to alerting capabilities.
• N Stalled Perform Phishing campaign. Maybe catch up on some pieces next month.
• Policy - In progress update Data Classification policy.

To do June 2019

• Done Create or update 3 security policies (ongoing goal)
• In progress Provide Security Awareness training (ongoing goal)
• N Stalled Perform Phishing campaign
• Done Form Security Council
• In progress Form strategy and begin initial steps toward building a data governance platform
• In progressForm strategy and begin initial steps toward building a vulnerability management program
• In progress Assess current security logging capabilities (stretch goal)

Ensure the high-quality protection and security of our infrastructure and data. Reduce risk, improve application security practices, improve code quality, reduce vulnerabilities and attack surface and encourage a secure by design approach.

• Expansion of CSP (ongoing goal)
• Security Release (ongoing goal)
• Analytics Risk Assessment and Threat Model
• Incorporation of Phan-taint-check into MW Core (stretch goal)
• Phan 2.x development and release (stretch goal)
• Evaluate dynamic scanners
• Routine penetration testing
• Polish and demo appsec docker “toolboxes” (PHP, Python)
• Improve security tooling for Phab/Gerrit monitoring
• Formalized process and SOP for concept/design reviews.
• Generate initial security metrics/measurements

 Note: April 2019

• In progress Routine penetration testing - Scoping
• In progress Phan 2.x development and release - 2.x branch created, updates cherry-picked, older patches reviewed and cherry-picked
• In progress Evaluate dynamic scanners - new task created T219567, tool review, meeting w/ ZAP lead dev (Simon @ Mozilla)
• In progress See: T221477, hopefully some WIP patches soon
• In progress Formalized process and SOP for concept/design reviews - still reviewing, see also related Output 1 goal
• Done Improve security tooling for Phab/Gerrit monitoring - calling this done for this quarter

 Note: May 30, 2019

• In progress Routine penetration testing - Scoping completed, awaiting scheduling
• In progress Phan 2.x development and release - 2.x branch created, updates cherry-picked, older patches reviewed and cherry-picked
• In progress Evaluate dynamic scanners - new task created T219567, tool review, meeting w/ ZAP lead dev (Simon @ Mozilla)
• In progress See: T221477, hopefully some WIP patches soon
• In progress Formalized process and SOP for concept/design reviews - still reviewing, see also related Output 1 goal
• N Stalled Metrics generation, maybe catch-up next month.
• Done Improve security tooling for Phab/Gerrit monitoring - calling this done for this quarter
• Done Analytics Risk Assessment and Threat Model
• In progress Security release on track and scheduled for next month.

To do June 2019

• In progress Expansion of CSP (ongoing goal)
• Done Security Release (ongoing goal)
• Done Analytics Risk Assessment and Threat Model
• In progress Incorporation of Phan-taint-check into MW Core (stretch goal)
• In progress Phan 2.x development and release (stretch goal)
• In progress Evaluate dynamic scanners
• In progress Routine penetration testing
• In progress Polish and demo appsec docker “toolboxes” (PHP, Python)
• In progress Improve security tooling for Phab/Gerrit monitoring
• Done Formalized process and SOP for concept/design reviews.
• N Stalled Generate initial security metrics/measurements

Ensure the high-quality protection and security of our infrastructure and data.

Increase maturity and capabilities in the event of a security incident.

• Perform tooling and process retro
• Finalize and test our Security Incident Response documentation
• Create incident play by play dashboard
• Perform 1 large scale tabletop exercise

 Note: April 2019

• Done Security incident scale proposals drafted, now in review
• In progress Security Incident Response policy and supporting incident response playbooks are being drafted

 Note: May 30, 2019

• In progress Security incident scale proposals drafted, now in review
• In progress Security Incident Response policy and supporting incident response playbooks are being drafted
• N Stalled Create incident play by play dashboard and likely delayed until next quarter.

To do June 2019

• Done Perform tooling and process retro
• In progress Finalize and test our Security Incident Response documentation
• N Stalled Create incident play by play dashboard
• Done Perform 1 large scale tabletop exercise