Security/ServiceDescriptions/SRMsd

Service Description:

The Security Risk Management service seeks to provide the following:.

The Wikimedia Security team will provide the following services in support of maturing our security risk management processes.

Generalized security risk assessment and analysis
1. Risk assessment based on industry standard best practice (FAIR/ISO 31000)
2. Assessments will be either interview or review based
3. Output of assessment will include documented risk assessment and will provide recommended risk treatment options.
To request a security risk assessment follow the RFS process
The security team will review and complete your risk assessment within 30 day of receiving all the requested information
Risk response and owner responsibilities are expected to follow guidance per the risk taxonomy

All risks will be reviewed on no less than an annual basis
Ongoing risk tracking for accepted, reduced or transferred risk will be tracked by the Security team in the Enterprise Risk Register

Risk owners will be provided a status of ongoing risk no less than bi-annually
The security team will report to the audit committee at least annually and provide a register of risks relating the the Cyber impact category.
The security and enterprise risk teams will provide at least annually an overview of all risks the Foundation faces in a consumable format
The Security team will work with the Risk and Audit committee to provide abstracts of relevant risks to the community

The security team will create the following metrics or measurements in support of the security risk management program
1. Number of open risks without risk owner with a severity of High or greater
2. Number of accepted open risks with a severity of High or greater
3. Number of risk mitigated or reduced to Low severity in the last 6 months
4. Department or team with the greatest risk profile