Wikimedia Security Team/Services
We seek to secure access to and the integrity of free knowledge.
Purpose
[edit]Services outlined here are currently provided by the Security Team and may be in different stages of maturity for process, documentation, standardization and exposition. Please be patient with us as we try to operate as transparently and in good faith as possible.
See our Charter for an outline of our mandate.
See our ongoing Strategy thinking to understanding our mindset and priorities
Services Arenas and Services
[edit]Security Governance
[edit]Service Name | High level description | Activities associated | RFS and additional documentation |
---|---|---|---|
Security Risk Management | Provide a security risk management framework to identify and treat risk. Provide security risk assessment and treatment services to the Foundation | Risk identification
Risk assessment Risk reporting Risk treatment |
Request for Service Service Description |
Data Protection | Provide a data protection framework in the pursuit of data management and governance. | Data classification
Data inventory Data release review Data governance |
Request for Service |
Security policy and procedure | Provide a comprehensive set of security policy and procedures to create governance and repeatability for security relevant processes. | Policy creation
Policy management Policy exception |
Request for Service |
Security Incident Response | Ensure that threats against the confidentiality, availability and integrity of the Wikimedia Community and Foundation are identified, contained, investigated and remediated. | Security incident plan
Security incident coordination Security incident playbooks
|
Request for Service Policy |
Threat Modeling | Provide an overview of the threats the bad actors as they relate to the threat landscape. | Foundation threat model
Individual project/service threat modeling |
Request for Service |
Supplier Assessments | Provide oversight, guidance and assessments for 3rd party suppliers or partners. | Security review for 3rd parties suppliers.
Security specific contract language Auditing of 3rd parties |
Request for Service |
Security Awareness | Provide education and security best practice guidance to the Foundation and to the community | Delivery of security relevant educational material | Request for Service Policy |
Fusion Center | Serve as the Security team's intake point for work from all sources. Provide a training ground (talent incubator) for new Security team staff. | Conduct the weekly Security team Clinic meeting
Talent Incubator |
Request for Service |
Security Engineering
[edit]Service Name | High level description | Activities associated | RFS and additional documentation |
---|---|---|---|
Application Security | Security-focused code reviews and audits ranging from basic guidance on a gerrit patch set to full-featured reviews of MediaWiki core, extensions and stand-alone services. |
|
Security Readiness Reviews |
Vulnerability Management | |||
Privacy Engineering | Provide procedures and tools for the review of data processing activities to identify and mitigate associated risks to the organization and its users, including compliance with existing policies. |
|
Request for Service |
Security Architecture
[edit]Service Name | High level description | Activities associated | RFS and additional documentation |
---|---|---|---|
Security Tooling | GRC and other tooling creation and management | ||
Audit |
|
Request for Service | |
[P]reviews (Products, Projects, and Programs) | Request for Service | ||
Enterprise Risk | Request for Service |