Change Details

| [[https://phabricator.wikimedia.org/T218034 | <<< January - March 2019]] | **April - June 2019** | >>> | == Q4 Goals == === [[ https://www.mediawiki.org/wiki/Wikimedia_Technology/Annual_Plans/FY2019/CDP1:_Privacy,_Security,_and_Data_Management/CDP_Budget_Segment_2/Goals#Status_2 ]] === == Outcome 1 / Output 1 == Ensure the high-quality protection and security of our infrastructure and data. Review and update current security policies, standards and procedures === **Goal(s)** === -- Review and mature our security policies and awareness functions: -- {T221133} (ongoing goal) -- Provide Security Awareness training (ongoing goal) -- Perform Phishing campaign -- Form Security Council (T221639) -- Form strategy and begin initial steps toward building a data governance platform -- Form strategy and begin initial steps toward building a vulnerability management program -- Assess current security logging capabilities (stretch goal) == Outcome 1 / Output 2 == Ensure the high-quality protection and security of our infrastructure and data. Reduce risk, improve application security practices, improve code quality, reduce vulnerabilities and attack surface and encourage a secure by design approach. === **Goal(s)** === -- Expansion of CSP (ongoing goal) (T28508) -- Security Release (ongoing goal) (T205041) -- Analytics Risk Assessment and Threat Model -- Incorporation of Phan-taint-check into MW Core (stretch goal) (T203630, T183174, T216348) -- Evaluate dynamic scanners (T219567) -- Routine penetration testing -- Polish and demo appsec docker “toolboxes” (PHP, Python) (T221477) -- Improve security tooling for Phab/Gerrit monitoring (T217673, T218743, T212508) -- Formalized process and SOP for concept/design reviews ([[ https://www.mediawiki.org/wiki/Security/SOP/Security_Readiness_Reviews#Process | new form and SOP update ]], T220624, done) -- Generate initial security metrics/measurements == Outcome 1 / Output 3 == Ensure the high-quality protection and security of our infrastructure and data. --Increase maturity and capabilities in the event of a security incident. === **Goal(s)** === -- Perform tooling and process retro -- Finalize and test our Security Incident Response documentation -- Create incident play by play dashboard -- Perform 1 large scale tabletop exercise

| [[https://phabricator.wikimedia.org/T218034 | <<< January - March 2019]] | **April - June 2019** | >>> | == Q4 Goals == === [[ https://www.mediawiki.org/wiki/Wikimedia_Technology/Annual_Plans/FY2019/CDP1:_Privacy,_Security,_and_Data_Management/CDP_Budget_Segment_2/Goals#Status_2 ]] === == Outcome 1 / Output 1 == Ensure the high-quality protection and security of our infrastructure and data. Review and update current security policies, standards and procedures === **Goal(s)** === -- Review and mature our security policies and awareness functions: -- {T221133} (ongoing goal) (T221642) -- Provide Security Awareness training (ongoing goal) -- Perform Phishing campaign -- Form Security Council (T221639) -- Form strategy and begin initial steps toward building a data governance platform -- Form strategy and begin initial steps toward building a vulnerability management program -- Assess current security logging capabilities (stretch goal) == Outcome 1 / Output 2 == Ensure the high-quality protection and security of our infrastructure and data. Reduce risk, improve application security practices, improve code quality, reduce vulnerabilities and attack surface and encourage a secure by design approach. === **Goal(s)** === -- Expansion of CSP (ongoing goal) (T28508) -- Security Release (ongoing goal) (T205041) -- Analytics Risk Assessment and Threat Model -- Incorporation of Phan-taint-check into MW Core (stretch goal) (T203630, T183174, T216348) -- Evaluate dynamic scanners (T219567) -- Routine penetration testing -- Polish and demo appsec docker “toolboxes” (PHP, Python) (T221477) -- Improve security tooling for Phab/Gerrit monitoring (T217673, T218743, T212508) -- Formalized process and SOP for concept/design reviews ([[ https://www.mediawiki.org/wiki/Security/SOP/Security_Readiness_Reviews#Process | new form and SOP update ]], T220624, done) -- Generate initial security metrics/measurements == Outcome 1 / Output 3 == Ensure the high-quality protection and security of our infrastructure and data. --Increase maturity and capabilities in the event of a security incident. === **Goal(s)** === -- Perform tooling and process retro -- Finalize and test our Security Incident Response documentation -- Create incident play by play dashboard -- Perform 1 large scale tabletop exercise

| [[https://phabricator.wikimedia.org/T218034 | <<< January - March 2019]] | **April - June 2019** | >>> | == Q4 Goals == === [[ https://www.mediawiki.org/wiki/Wikimedia_Technology/Annual_Plans/FY2019/CDP1:_Privacy,_Security,_and_Data_Management/CDP_Budget_Segment_2/Goals#Status_2 ]] === == Outcome 1 / Output 1 == Ensure the high-quality protection and security of our infrastructure and data. Review and update current security policies, standards and procedures === **Goal(s)** === -- Review and mature our security policies and awareness functions: -- {T221133} (ongoing goal) (T221642) -- Provide Security Awareness training (ongoing goal) -- Perform Phishing campaign -- Form Security Council (T221639) -- Form strategy and begin initial steps toward building a data governance platform -- Form strategy and begin initial steps toward building a vulnerability management program -- Assess current security logging capabilities (stretch goal) == Outcome 1 / Output 2 == Ensure the high-quality protection and security of our infrastructure and data. Reduce risk, improve application security practices, improve code quality, reduce vulnerabilities and attack surface and encourage a secure by design approach. === **Goal(s)** === -- Expansion of CSP (ongoing goal) (T28508) -- Security Release (ongoing goal) (T205041) -- Analytics Risk Assessment and Threat Model -- Incorporation of Phan-taint-check into MW Core (stretch goal) (T203630, T183174, T216348) -- Evaluate dynamic scanners (T219567) -- Routine penetration testing -- Polish and demo appsec docker “toolboxes” (PHP, Python) (T221477) -- Improve security tooling for Phab/Gerrit monitoring (T217673, T218743, T212508) -- Formalized process and SOP for concept/design reviews ([[ https://www.mediawiki.org/wiki/Security/SOP/Security_Readiness_Reviews#Process | new form and SOP update ]], T220624, done) -- Generate initial security metrics/measurements == Outcome 1 / Output 3 == Ensure the high-quality protection and security of our infrastructure and data. --Increase maturity and capabilities in the event of a security incident. === **Goal(s)** === -- Perform tooling and process retro -- Finalize and test our Security Incident Response documentation -- Create incident play by play dashboard -- Perform 1 large scale tabletop exercise