Jump to content

Wikimedia Security Team/Charter

From mediawiki.org

Purpose 

[edit]

A charter is the grant of authority or rights, stating that the granter formally recognizes the prerogative of the recipient to exercise the rights specified. The mandate of the Wikimedia Security team's efforts is to provide services for consumption by the Wikimedia Foundation and broader community that strengthen our collective security posture.  The Security organization has the responsibility and authority to offer, develop and participate in governance and engineering efforts to ensure the confidentiality, integrity and availability of information assets.

Security Governance

[edit]

Risks to information assets will be assessed in a repeatable and collaborative manner.  Policies and procedures (Standard Operating Procedures/SOP) will be created and periodically reviewed to address and balance risk.  Security best practices based on organizational expertise and standards from external organisations (NIST, ISO and CIS) will be used as guiding principles.

  1. Security Risk Management
    1. Security Risk Assessment and Analysis
    2. Security Risk Exception
    3. Security Risk Communication
  2. Data protection
    1. Data categorization
    2. Data governance and management
  3. Creation of Security Policy and procedure
  4. Security Incident Response
  5. Threat Modeling
  6. Partner/Supplier Assessments
  7. Security Awareness

Security Engineering

[edit]

The security organization will work to provide a suite of security engineering capabilities such as:

  1. Application Security
  2. Privacy Engineering

Security Architecture

[edit]

The architecture service arena provides technical and governance guidance to the rest of the Security organization and serves as a security center of excellence to the rest of the Foundation.

  1. Concept reviews
  2. Vulnerability Management
  3. Audit
    1. Control Audits
    2. Penetration Testing
    3. Compliance
    4. Red Team
  4. Enterprise Risk