| [[https://phabricator.wikimedia.org/T218034 | <<< January - March 2019]] | **April - June 2019** | >>> |
== Q4 Goals ==
=== [[ https://www.mediawiki.org/wiki/Wikimedia_Technology/Annual_Plans/FY2019/CDP1:_Privacy,_Security,_and_Data_Management/CDP_Budget_Segment_2/Goals#Status_2 ]] ===
== Outcome 1 / Output 1 ==
Ensure the high-quality protection and security of our infrastructure and data. Review and update current security policies, standards and procedures.
=== **Goal(s)** ===
-- Review and mature our security policies and awareness functions:
-- {T221133} (ongoing goal)
-- Provide Security Awareness training (ongoing goal)
-- Perform Phishing campaign
-- Form Security Council (T221639)
-- Form strategy and begin initial steps toward building a data governance platform
-- Form strategy and begin initial steps toward building a vulnerability management program
-- Assess current security logging capabilities (stretch goal)
== Outcome 1 / Output 2 ==
Ensure the high-quality protection and security of our infrastructure and data. Reduce risk, improve application security practices, improve code quality, reduce vulnerabilities and attack surface and encourage a secure by design approach.
=== **Goal(s)** ===
-- Expansion of CSP (ongoing goal) (T28508)
-- Security Release (ongoing goal) (T205041)
-- Analytics Risk Assessment and Threat Model
-- Incorporation of Phan-taint-check into MW Core (stretch goal) (T203630, T183174, T216348)
-- Evaluate dynamic scanners (T219567)
-- Routine penetration testing
-- Polish and demo appsec docker “toolboxes” (PHP, Python) (T221477)
-- Improve security tooling for Phab/Gerrit monitoring (T217673, T218743, T212508)
-- Formalized process and SOP for concept/design reviews ([[ https://www.mediawiki.org/wiki/Security/SOP/Security_Readiness_Reviews#Process | new form and SOP update ]], T220624, done)
-- Generate initial security metrics/measurements
== Outcome 1 / Output 3 ==
Ensure the high-quality protection and security of our infrastructure and data. Increase maturity and capabilities in the event of a security incident.
=== **Goal(s)** ===
-- Perform tooling and process retro
-- Finalize and test our Security Incident Response documentation
-- Create incident play by play dashboard
-- Perform 1 large scale tabletop exercise