Security/ServiceDescriptions/SRMsd

Service Description

The Security Risk Management service seeks to provide the following:

  1. Security Risk Identification, Assessment and Analysis
  2. Security Risk Management and tracking
  3. Security Risk Communication
  4. Security Risk Metrics and Measurements

Security Risk Assessment and Analysis

The Wikimedia Security team will provide the following services in support of maturing our security risk management processes.

  1. Generalized security risk assessment and analysis
    1. Risk assessment based on industry standard best practice (FAIR/ISO 31000)
    2. Assessments will be either interview or review based
    3. Output of assessment will include documented risk assessment and will provide recommended risk treatment options.
  2. To request a security risk assessment follow the RFS process
  3. The security team will review and complete your risk assessment within 30 days of receiving all the requested information
  4. Risk response and owner responsibilities are expected to follow guidance per the risk taxonomy

Security Risk Management and Tracking

  1. All risks will be reviewed on no less than an annual basis
  2. Ongoing risk tracking for accepted, reduced or transferred risk will be tracked by the Security team in the Enterprise Risk Register

Security Risk Communication

  1. Risk owners will be provided a status of ongoing risk no less than bi-annually
  2. The security team will report to the audit committee at least annually and provide a register of risks relating to the Cyber impact category.
  3. The security and enterprise risk teams will provide at least annually an overview of all risks the Foundation faces in a consumable format
  4. The Security team will work with the Risk and Audit committee to provide abstracts of relevant risks to the community

Metrics and Measurements

  1. The security team will create the following metrics or measurements in support of the security risk management program
    1. Number of open risks without risk owner with a severity of High or greater
    2. Number of accepted open risks with a severity of High or greater
    3. Number of risks mitigated or reduced to Low severity in the last 6 months
    4. Department or team with the greatest risk profile