Wikimedia Security Team/Services

We seek to secure access to and the integrity of free knowledge.

Purpose

Services outlined here are currently provided by the Security Team and may be in different stages of maturity for process, documentation, standardization and exposition. Please be patient with us as we try to operate as transparently and in good faith as possible.

See our Charter for an outline of our mandate.

See our ongoing Strategy thinking to understanding our mindset and priorities

Services Arenas and Services

Security Governance

Service Name	High level description	Activities associated	RFS and additional documentation
Security Risk Management	Provide a security risk management framework to identify and treat risk. Provide security risk assessment and treatment services to the Foundation	Risk identification Risk assessment Risk reporting Risk treatment	Request for Service Service Description
Data Protection	Provide a data protection framework in the pursuit of data management and governance.	Data classification Data inventory Data release review Data governance	Request for Service
Security policy and procedure	Provide a comprehensive set of security policy and procedures to create governance and repeatability for security relevant processes.	Policy creation Policy management Policy exception	Request for Service
Security Incident Response	Ensure that threats against the confidentiality, availability and integrity of the Wikimedia Community and Foundation are identified, contained, investigated and remediated.	Security incident plan Security incident coordination Security incident playbooks	Request for Service Policy
Threat Modeling	Provide an overview of the threats the bad actors as they relate to the threat landscape.	Foundation threat model Individual project/service threat modeling	Request for Service
Supplier Assessments	Provide oversight, guidance and assessments for 3rd party suppliers or partners.	Security review for 3rd parties suppliers. Security specific contract language Auditing of 3rd parties	Request for Service
Security Awareness	Provide education and security best practice guidance to the Foundation and to the community	Delivery of security relevant educational material	Request for Service Policy
Fusion Center	Serve as the Security team's intake point for work from all sources. Provide a training ground (talent incubator) for new Security team staff.	Conduct the weekly Security team Clinic meeting Talent Incubator	Request for Service

Security Engineering

Service Name	High level description	Activities associated	RFS and additional documentation
Application Security	Security-focused code reviews and audits ranging from basic guidance on a gerrit patch set to full-featured reviews of MediaWiki core, extensions and stand-alone services.	Manual review of patches and code Dynamic analysis of libraries and applications Report creation and review	Security Readiness Reviews Request for Service
Vulnerability Management
Privacy Engineering	Provide procedures and tools for the review of data processing activities to identify and mitigate associated risks to the organization and its users, including compliance with existing policies.	Privacy data reviews Privacy functionality reviews Privacy mitigation support Privacy Awareness and Privacy by Design Training	Request for Service Privacy Review Template / Example

Security Architecture

Service Name	Activities associated	RFS and additional documentation
Security Tooling	GRC and other tooling creation and management
Audit	Control Audits Penetration Testing Compliance Red Team	Request for Service
[P]reviews (Products, Projects, and Programs)		Request for Service
Enterprise Risk		Request for Service