Wikimedia Technology/Annual Plans/FY2019/CDP1: Privacy, Security, and Data Management/CDP Budget Segment 2/Goals

Program Goals and Status for FY18/19

  • Goal Owner: John Bennett
  • Program Goals for FY18/19: Develop, maintain and mature our privacy, security, and data management practices in order to protect Wikimedia community member and donor information, comply with applicable privacy and data protection regulations, and ensure safe and secure connection to Wikimedia projects and sites in accordance with the values of the movement.
  • Annual Plan: Segment 2 - Security

Outcome 1 / Output 1 (Q1: July to September 2018)


Ensure the high-quality protection and security of our infrastructure and data.

Review and update current security policies, standards and procedures


  • Review and mature our security policies and awareness functions:
    • Create or update 3 security policies
    • Provide Security Awareness training
    • Perform Phishing campaign



  Note: July 2018

  • Done: 1 of the 3 policies has been created
  • Done: Define awareness content

  Note: August 2018

  • To do: Define additional policies to update/create
  • In progress: Draft version of "Protecting your Digital Identity" created for the awareness campaign
  • To do: Onboard a vendor to support the phishing platform

  Note: September 12, 2018

  • In progress: Update/create the identified password-use policies and incident response policies
  • Partially done: Provide awareness training (will be presented in October)
  • To do: Perform phishing campaign; this will be completed in Q2

Outcome 1 / Output 2 (Q1: July to September 2018)


Ensure the high-quality protection and security of our infrastructure and data.

Reduce risk, improve application security practices, improve code quality, reduce vulnerabilities and attack surface and encourage a secure by design approach.


  • Testing campaigns:
    • Implement CSP in alert only mode
    • Penetration testing for English Wikipedia site
    • Security Release
    • Analytics Risk Assessment and Threat Model



  Note: July 2018

  • Done: Initial test rollout of CSP on test wiki
  • Done: Define scope and onboard vendor for pen testing
  • In progress: Identify elements for the security release
  • Done: Identify and scope the Analytics assessment

  Note: August 2018

  • In progress: Expand CSP rollout
  • In progress: Select pen testing dates
  • In progress: Prepare security release
  • In progress: Identify and scope the Analytics assessment

  Note: September 12, 2018

  • In progress: Expand CSP rollout
  • To do: Complete pen testing (will start at the end of September)
  • To do: Prepare security release (currently stalled due to hiring)
  • In progress: Complete the Analytics assessment
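As an added illustration of what "CSP in alert only mode" means operationally (this is example code, not MediaWiki's own CSP implementation or any Wikimedia code): the same policy string is sent as Content-Security-Policy-Report-Only, so browsers report violations to the report-uri without blocking anything, and the report endpoint then has to separate real violations from the browser-extension noise that dominates such a rollout. The policy directives, hostnames, endpoint path and sample violation reports below are constructed for the example.

```python
"""CSP "alert-only" (report-only) rollout helpers.

Added example, not MediaWiki or Wikimedia code.  Policy values, hostnames,
the report endpoint path and the sample reports are all constructed.
"""
import json
from urllib.parse import urlsplit

# Directive -> list of source expressions.  Constructed example policy.
POLICY = {
    "default-src": ["'self'"],
    "script-src": ["'self'", "https://upload.example.org"],
    "object-src": ["'none'"],
    "report-uri": ["/csp-report"],   # constructed endpoint path
}

# Browser-extension URL schemes: violations citing these are not the site's problem.
EXTENSION_SCHEMES = {"chrome-extension", "moz-extension", "safari-extension",
                     "ms-browser-extension"}


def build_csp_header(policy, report_only=True):
    """Return (header name, header value) for the policy.

    report_only=True is the alert-only mode: browsers POST violation reports to
    report-uri but block nothing.  report_only=False enforces the same policy.
    """
    name = ("Content-Security-Policy-Report-Only" if report_only
            else "Content-Security-Policy")
    value = "; ".join(f"{directive} {' '.join(sources)}"
                      for directive, sources in policy.items())
    return name, value


def classify_report(raw):
    """Parse one violation report (the {"csp-report": {...}} body a browser POSTs).

    Returns a dict whose "verdict" is "malformed", "noise" (injected by a browser
    extension) or "actionable" (something the policy or the site must address).
    """
    try:
        rep = json.loads(raw)["csp-report"]
        blocked = rep["blocked-uri"]
        # Newer browsers send effective-directive; older ones only the full
        # violated-directive string, e.g. "script-src 'self'".
        directive = rep.get("effective-directive") or rep.get("violated-directive", "")
        document = rep.get("document-uri", "")
    except (ValueError, KeyError, TypeError):
        return {"verdict": "malformed"}
    # blocked-uri is a URL, or a keyword such as "inline", "eval", "data", "self".
    scheme = urlsplit(blocked).scheme if "://" in blocked else blocked
    verdict = "noise" if scheme in EXTENSION_SCHEMES else "actionable"
    return {"verdict": verdict,
            "directive": directive.split()[0] if directive else "",
            "blocked": blocked,
            "document": document}


def triage(reports):
    """Count actionable reports per (directive, blocked-uri) so top offenders surface."""
    counts = {}
    for raw in reports:
        rep = classify_report(raw)
        if rep["verdict"] == "actionable":
            key = (rep["directive"], rep["blocked"])
            counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample reports: one extension injection (noise), two third-party
# script loads, one inline script and one junk POST.
SAMPLE_DOCUMENT = "https://wiki.example.org/wiki/Main_Page"
SAMPLE_REPORTS = [
    json.dumps({"csp-report": {"document-uri": SAMPLE_DOCUMENT, "effective-directive": "script-src",
                               "blocked-uri": "chrome-extension://abcdefgh/inject.js"}}),
    json.dumps({"csp-report": {"document-uri": SAMPLE_DOCUMENT, "violated-directive": "script-src 'self'",
                               "blocked-uri": "https://cdn.example.net/tracker.js"}}),
    json.dumps({"csp-report": {"document-uri": SAMPLE_DOCUMENT, "effective-directive": "script-src",
                               "blocked-uri": "inline"}}),
    json.dumps({"csp-report": {"document-uri": SAMPLE_DOCUMENT, "effective-directive": "script-src",
                               "blocked-uri": "https://cdn.example.net/tracker.js"}}),
    "not a json body",
]

if __name__ == "__main__":
    print(": ".join(build_csp_header(POLICY)))
    for key, n in sorted(triage(SAMPLE_REPORTS).items(), key=lambda kv: -kv[1]):
        print(f"{n:3d}  {key[0]:<12} {key[1]}")
```

Switching report_only to False turns the identical policy into an enforcing header; the point of the alert-only phase is to drive the actionable count from triage() to zero (by fixing the site or widening the policy) before that switch. Real traffic also produces reports with blocked-uri values such as "eval", "data" and "self", and browsers that use the Reporting API (report-to) wrap the report differently, so a production endpoint needs to handle both shapes.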

Outcome 1 / Output 3 (Q1: July to September 2018)


Ensure the high-quality protection and security of our infrastructure and data.

Increase maturity and capabilities in the event of a security incident.


  • Perform 2 Incident Response table top exercises



  Note: July 2018

  • Done: Perform incident response exercise

  Note: August 2018

  • Done: Perform 2nd incident response exercise

  Note: September 12, 2018

  • In progress: Update Incident Response Plan

  Note: Due to major security incidents in October and November, all Security resources were dedicated to working on those incidents, which negatively affected the team's ongoing scheduled work.

Outcome 1 / Output 1 (Q2: October to December 2018)


Ensure the high-quality protection and security of our infrastructure and data.

Review and update current security policies, standards and procedures


  • Review and mature our security policies and awareness functions:
    • Create or update 3 security policies
    • Provide Security Awareness training
    • Perform Phishing campaign



  Note: October 18, 2018

  • On track to publish policy changes by the end of October
  • Awareness content created and ready to deliver
  • Phishing campaign will be delayed until November

  Note: December 12, 2018

  • This is now Done: one training session for FR-Tech took place in November, and the new policy was used during that training. A blog post will go out by the end of December.
  • Phishing campaign is Stalled; we hope to complete it in early 2019

Outcome 1 / Output 2 (Q2: October to December 2018)


Ensure the high-quality protection and security of our infrastructure and data.

Reduce risk, improve application security practices, improve code quality, reduce vulnerabilities and attack surface and encourage a secure by design approach.


  • Testing campaigns:
    • Implement CSP in alert only mode
    • Penetration testing for mobile apps
    • Security Release
    • OIT Risk Assessment and Threat Model
    • NIST CSF style assessment
    • Consider incorporation of Phan-taint-check into MW Core



  Note: October 18, 2018

  • CSP changes in progress
  • 1st round of pen testing (on English Wikipedia) will conclude by the end of October
  • OIT assessment will be pushed into at least November
  • NIST CSF assessment on track to begin in October but will likely conclude in November
  • Initial discussions have begun on including Phan in MW core, but this will not be completed in October

  Note: December 12, 2018

  • CSP changes are now Done
  • 1st round of pen testing (on English Wikipedia) is Done
  • OIT assessment is Cancelled; it might be picked up in 2019
  • NIST CSF assessment is Stalled; it should be picked up again in early 2019
  • Initial discussion on including Phan in MW core is In progress and should be completed by the end of December

Outcome 1 / Output 3 (Q2: October to December 2018)


Ensure the high-quality protection and security of our infrastructure and data.

Increase maturity and capabilities in the event of a security incident.


  • Finalize and test our Incident Response documentation



  Note: October 18, 2018

  • Final tabletop with Legal will be held on October 30.

  Note: December 12, 2018

  • In progress: writing the documentation, which should be published on MediaWiki sometime in late December. This goal will probably finish up in Q3 (early January). It has been thoroughly tested and will be published in January 2019.

Outcome 1 / Output 1 (Q3: January to March 2019)


Ensure the high-quality protection and security of our infrastructure and data.

Review and update current security policies, standards and procedures



Review and mature our security policies and awareness functions:

  • Create or update 3 security policies
  • Provide Security Awareness training
  • Perform Phishing campaign
  • Security Code Review process improvements completed and published
  • Update/Consolidate security documentation



  Note: January 9, 2019

  • Security policy updates are In progress ('acceptable use' is first up)
  • Training is In progress; working on revising content to be published later in January
  • Phishing campaign will start after the awareness training is done (most likely in February 2019)
  • Security code review improvements are In progress; we hope to publish by the end of the quarter (in review now)
  • Updating and consolidating security documentation is also In progress

  Note: February 13, 2019

  • Security policy updates are still In progress, along with incident response; we are hoping to publish 3 this quarter.
  • Training is still In progress and was recently published
  • Phishing campaign will start in the next couple of weeks, going department by department to train folks.
  • Security code review improvements are In progress; the documentation will hopefully be released this week.
  • Updating and consolidating security documentation is still In progress; we are inventorying all the docs we have now and consolidating them (policy, SOP, standards, etc.).

  Note: March 14, 2019

  • Security code review improvements are Done
  • Updating and consolidating security documentation is Partially done but will finish up in Q4
  • Security policy updates are Partially done right now and will complete by EOQ
  • Phishing campaign has been Postponed to Q4
  • Security code review improvements are In progress, but we hope to be done by EOQ

Outcome 1 / Output 2 (Q3: January to March 2019)


Ensure the high-quality protection and security of our infrastructure and data.

Reduce risk, improve application security practices, improve code quality, reduce vulnerabilities and attack surface and encourage a secure by design approach.


  • Expansion of CSP
  • Security Release
  • Analytics Risk Assessment and Threat Model
  • Incorporation of Phan-taint-check into MW Core
  • Evaluate dynamic scanners
  • Routine penetration testing



  Note: January 9, 2019

  • Expansion of CSP (a long-running goal) is In progress, as is the security release.
  • Risk assessment is also In progress and should be done by the end of February 2019
  • Incorporation of Phan-taint-check into MW core is a bit slow to get going; adoption into core is slow and might be delayed into Q4.
  • Dynamic scanner work will be completed in March or April 2019
  • Next round of penetration testing is In progress, using information from the latest incidents

  Note: February 13, 2019

  • Expansion of CSP (a long-running goal) is a bit Stalled but still expected to be done this quarter.
  • Security release is also Stalled and will most likely be pushed to Q4.
  • Risk assessment is also In progress and should be done by the end of February 2019
  • Incorporation of Phan-taint-check into MW core is also Stalled
  • Dynamic scanner work will most likely be completed in Q4, or pushed into next FY. We'd like to do some manual scanning first, rather than building an automated version.
  • Next round of penetration testing is still In progress, but we're not totally happy with the results from enwiki, so the vendor did the work again and produced a JavaScript threat model. We think we can call this Done for this quarter.

  Note: March 14, 2019

  • Expansion of CSP (a long-running goal) is still Stalled for now; it will be revised for Q4 work and might take about a year to complete
  • Security release is also Stalled, but we are looking to do a release in Q4
  • Risk assessment is Partially done and will be completed by EOQ
  • Incorporation of Phan-taint-check into MW core (another long-running goal) will transition within the team this quarter; it might take another 6 months to be fully incorporated into MediaWiki core.
  • Dynamic scanner work has been Postponed to Q4
  • Penetration testing is Done for this FY

Outcome 1 / Output 3 (Q3: January to March 2019)


Ensure the high-quality protection and security of our infrastructure and data.

Increase maturity and capabilities in the event of a security incident.


  • Perform tooling and process retro
  • Finalize and test our Incident Response documentation
  • Create incident play by play dashboard
  • Perform 1 large scale tabletop exercise



  Note: January 9, 2019

  • Tooling and process retro will take place in February 2019
  • Response documentation finalization will most likely be completed in March 2019
  • Play by play dashboard is In progress
  • Large scale tabletop exercise will happen in March

  Note: February 13, 2019

  • Tooling and process retro is Partially done (done during our All Hands offsite), but we'll need to do a bit more. This will become a longer-running goal in the future.
  • Response documentation finalization has started, is In progress, and will have a working version by EOQ.
  • Play by play dashboard is Stalled for now; we hope to get back to it.
  • Large scale tabletop exercise will happen sometime in March, but the work might be moved into Q4.

  Note: March 14, 2019

  • Tooling and process retro was Done earlier in the quarter; we are still building out the incident response documentation from the last incident, and this process will run into Q4 (mostly for alerting)
  • Incident Response documentation playbooks are still In progress and will go into next FY
  • Incident play by play dashboard is now a stretch goal to be tackled in Q4
  • Large scale tabletop exercise has been Postponed to Q4

Outcome 1 / Output 1 (Q4: April to June 2019)


Ensure the high-quality protection and security of our infrastructure and data.

Review and update current security policies, standards and procedures



Review and mature our security policies and awareness functions:

  • Create or update 3 security policies (ongoing goal)
  • Provide Security Awareness training (ongoing goal)
  • Perform Phishing campaign
  • Form Security Council
  • Form strategy and begin initial steps toward building a data governance platform
  • Form strategy and begin initial steps toward building a vulnerability management program
  • Assess current security logging capabilities (stretch goal)



  Note: April 2019

  • Policy - In progress: updates and review of the new Security Readiness Review SOP
  • Policy - In progress: SOP for creating new security policy has been drafted and is in review
  • Policy - In progress: Acceptable Use Policy has been drafted, is in review, and is scheduled to take effect on 10 June 2019
  • Policy - In progress: Security Incident Response policy is being drafted, due by the end of Q4 2019
  • In progress: Security Awareness/Phishing - once the Acceptable Use Policy is approved, awareness sessions will be held
  • In progress: Data governance platform review and construction
  • In progress: Vuln mgmt
  • In progress: Logging - needs update

  Note: May 30, 2019

  • In progress: Policy - reconcile and polish the Data Classification and Data Protection policies
  • Done: Membership for Security Council selected; planning the 1st meeting in June
  • Policy - In progress: updates and review of the new Security Readiness Review SOP
  • Policy - In progress: SOP for creating new security policy has been drafted and is in review
  • Policy - In progress: Acceptable Use Policy has been drafted, is in review, and is scheduled to take effect in June 2019
  • Policy - Done: Security Incident Response policy is being drafted, due by the end of Q4 2019
  • In progress: Vuln mgmt - initial scans performed; evaluating scanning solutions and results
  • In progress: Logging - updates to alerting capabilities
  • Stalled: Perform phishing campaign. Maybe catch up on some pieces next month.
  • Policy - In progress: update Data Classification policy

  Note: June 2019

  • Done: Create or update 3 security policies (ongoing goal)
  • In progress: Provide Security Awareness training (ongoing goal)
  • Stalled: Perform phishing campaign
  • Done: Form Security Council
  • In progress: Form strategy and begin initial steps toward building a data governance platform
  • In progress: Form strategy and begin initial steps toward building a vulnerability management program
  • In progress: Assess current security logging capabilities (stretch goal)

Outcome 1 / Output 2 (Q4: April to June 2019)


Ensure the high-quality protection and security of our infrastructure and data.

Reduce risk, improve application security practices, improve code quality, reduce vulnerabilities and attack surface and encourage a secure by design approach.


  • Expansion of CSP (ongoing goal)
  • Security Release (ongoing goal)
  • Analytics Risk Assessment and Threat Model
  • Incorporation of Phan-taint-check into MW Core (stretch goal)
  • Phan 2.x development and release (stretch goal)
  • Evaluate dynamic scanners
  • Routine penetration testing
  • Polish and demo appsec docker “toolboxes” (PHP, Python)
  • Improve security tooling for Phab/Gerrit monitoring
  • Formalized process and SOP for concept/design reviews.
  • Generate initial security metrics/measurements



  Note: April 2019

  • In progress: Routine penetration testing - scoping
  • In progress: Phan 2.x development and release - 2.x branch created, updates cherry-picked, older patches reviewed and cherry-picked
  • In progress: Evaluate dynamic scanners - new task created (T219567), tool review, meeting with the ZAP lead dev (Simon @ Mozilla)
  • In progress: See T221477; hopefully some WIP patches soon
  • In progress: Formalized process and SOP for concept/design reviews - still reviewing; see also the related Output 1 goal
  • Done: Improve security tooling for Phab/Gerrit monitoring - calling this done for this quarter

  Note: May 30, 2019

  • In progress: Routine penetration testing - scoping completed, awaiting scheduling
  • In progress: Phan 2.x development and release - 2.x branch created, updates cherry-picked, older patches reviewed and cherry-picked
  • In progress: Evaluate dynamic scanners - new task created (T219567), tool review, meeting with the ZAP lead dev (Simon @ Mozilla)
  • In progress: See T221477; hopefully some WIP patches soon
  • In progress: Formalized process and SOP for concept/design reviews - still reviewing; see also the related Output 1 goal
  • Stalled: Metrics generation; maybe catch up next month.
  • Done: Improve security tooling for Phab/Gerrit monitoring - calling this done for this quarter
  • Done: Analytics Risk Assessment and Threat Model
  • In progress: Security release on track and scheduled for next month.

  Note: June 2019

  • In progress: Expansion of CSP (ongoing goal)
  • Done: Security Release (ongoing goal)
  • Done: Analytics Risk Assessment and Threat Model
  • In progress: Incorporation of Phan-taint-check into MW Core (stretch goal)
  • In progress: Phan 2.x development and release (stretch goal)
  • In progress: Evaluate dynamic scanners
  • In progress: Routine penetration testing
  • In progress: Polish and demo appsec docker “toolboxes” (PHP, Python)
  • In progress: Improve security tooling for Phab/Gerrit monitoring
  • Done: Formalized process and SOP for concept/design reviews
  • Stalled: Generate initial security metrics/measurements

Outcome 1 / Output 3 (Q4: April to June 2019)


Ensure the high-quality protection and security of our infrastructure and data.

Increase maturity and capabilities in the event of a security incident.


  • Perform tooling and process retro
  • Finalize and test our Security Incident Response documentation
  • Create incident play by play dashboard
  • Perform 1 large scale tabletop exercise



  Note: April 2019

  • Done: Security incident scale proposals drafted, now in review
  • In progress: Security Incident Response policy and supporting incident response playbooks are being drafted

  Note: May 30, 2019

  • In progress: Security incident scale proposals drafted, now in review
  • In progress: Security Incident Response policy and supporting incident response playbooks are being drafted
  • Stalled: Create incident play by play dashboard; likely delayed until next quarter.

  Note: June 2019

  • Done: Perform tooling and process retro
  • In progress: Finalize and test our Security Incident Response documentation
  • Stalled: Create incident play by play dashboard
  • Done: Perform 1 large scale tabletop exercise