Jump to content

Wikimedia Technology/Annual Plans/FY2019/CDP1: Privacy, Security, and Data Management

From mediawiki.org

Program outline

[edit]

Teams contributing to the program

[edit]

Analytics, Legal, Security, TruSa, Communications, Advancement, Community Engagement, Audiences, Talent & Culture, Technology

Annual Plan priorities

[edit]

#3) Knowledge as a Service - evolve our systems and structures

How does your program affect annual plan priority?

[edit]

We will contribute to the evolution of our systems and structures by supporting and strengthening privacy and security-related systems, structures and services within the Wikimedia Foundation and projects.

Program Goal

[edit]

Develop, maintain and mature our privacy, security, and data management practices in order to protect Wikimedia community member and donor information, comply with applicable privacy and data protection regulations, and  ensure safe and secure connection to Wikimedia projects and sites in accordance with the values of the movement.

Outcome 1

[edit]
Ensure the high-quality protection and security of our infrastructure and data.

Outcome 2

[edit]
We will work to analyze existing and emerging privacy regulations, understand their impact on our communities and build tools and processes to continue improving their health and privacy.

Outcome 3

[edit]
Be compliant with best practices for data management  while upholding the values of our movement represented in the privacy policy

Outcome 4

[edit]
Continue efforts in litigation on NSA case in collaboration with outside counsel.

CDP Budget Segment 1

[edit]
Team:Legal

Outcome 1

[edit]
Ensure the high-quality protection and security of our infrastructure and data.

Output 1

Support improvements to current practices based on FY17-18 security audit or other assessments (Q1-Q2)

Output 2

Support completion of security audit or other assessments in order to assess current practices and plan improvements (Q3-Q4)

Outcome 2

[edit]
We will work to analyze existing and emerging privacy regulations, understand their impact on our communities and build tools and processes to continue improving their health and privacy.

Output 3

As appropriate, ensure full compliance with applicable privacy, security, and data protection laws, including data breach notification laws.  Identify, vet, and recommend privacy data management best practices.

Output 4

Conduct bi-annual compliance assessment relating to Foundation policies, with a view towards recommended privacy best practices

Output 5

Draft and update public-facing and internal privacy-related policies and procedures, and provide training as necessary

Output 6

Work with relevant teams to address privacy-related questions and requests from users, donors, and regulators

Output 7

Conduct privacy by design check-ins or provide other privacy counseling to teams as needed

Output 8

Work with Legal to recruit and hire a director of privacy (at least a director-level req).

Outcome 3

[edit]
Be compliant with best practices for data management  while upholding the values of our movement represented in the privacy policy

Output 8

Complete the data mapping project (if not yet complete by the end of FY17-18), and support Tech in the creation of the data access guidelines

Outcome 4

[edit]
Continue efforts in litigation on NSA case in collaboration with outside counsel.

Output 9

Needs for lawsuit that involve WMF legal team are promptly resolved.

CDP Budget Segment 2

[edit]

Team: Security

Outcome 1

[edit]
Ensure the high-quality protection and security of our infrastructure and data.

Output 1

  1. Review and update current security policies, standards and procedures
  2. Review and mature security awareness functions
  3. Create Risk Taxonomy for evaluating IT Risk.

Output 2

Reduce risk, improve application security practices, improve code quality, reduce vulnerabilities and attack surface and encourage a secure by design approach.

Output 3

Increase maturity and capabilities in the event of a security incident.

CDP Budget Segment 3

[edit]
Team: Analytics

Outcome 2

[edit]
We will work to analyze existing and emerging privacy regulations, understand their impact on our communities and build tools and processes to continue improving their health and privacy.

Output 1

Make systems compliant with privacy and data management best practices, as vetted and recommended by Legal.

Outcome 3

[edit]
Ensure that our data management practices uphold our movement’s values, as represented in the privacy policy.

Output 2

Implement data retention guidelines in new data storage and newer datasets.

Outcome 4

[edit]
Continue efforts in litigation on NSA case in collaboration with outside counsel.

Output 3

Data needs for lawsuit that involve technology teams are promptly resolved.

CDP Budget Segment 4

[edit]
Team: TruSa

Outcome 2

[edit]
We will work to analyze existing and emerging privacy regulations, understand their impact on our communities and build tools and processes to continue improving their health and privacy.

Output 1

Make systems compliant with privacy and data management best practices, as vetted and recommended by Legal.
  • Review and provide feedback on applicable policy material from a
  • community-supporting perspective in support of segment 1 outcome 2.
  • Prepare community-facing draft material in support of segment 1 outcome 2 as applicable.

Targets

[edit]

Outcome 1

[edit]
Ensure the high-quality protection and security of our infrastructure and data.
Target
Assess our current security practices and make adjustments and improvements as necessary
Measurement method

Assess the current security maturity level of the organization against the NIST CyberSecurity Framework and the SANS CIS controls and perform routine penetration testing.  

Outcome 2

[edit]

We will work to analyze existing and emerging privacy regulations, understand their impact on our communities and build tools and processes to continue improving their health and privacy.

Target 2
WMF is in compliance with applicable privacy and data protection laws
WMF responds appropriately to privacy-related questions or requests, and provides information about our privacy practices to to users, donors, regulators, and the public

Measurement method

  • Constantly monitor relevant legal developments around the world
  • Conduct bi-annual assessment relating to privacy and data management best practices, as vetted and recommended by Legal.
  • Ensure compliance with applicable laws and best practices through training and changes to policies and procedures
  • Timely and accurate responses to user, donor, and regulator questions or requests regarding privacy-related issues, with a targeted initial response time of 7 business days for simple inquiries
  • Draft, edit, or update public-facing privacy policies and processes, as appropriate

Outcome 3

[edit]
Ensure that our data management practices uphold our movement’s values, as represented in the privacy policy.
Target
New and older data has compliance policy executed. No data out of compliance.
Measurement method

Data management infrastructure retention keeps up with newer data sources.

Outcome 4

[edit]
Continue efforts in litigation on NSA case in collaboration with outside counsel.
Target
No pending data needs by outside counsel.
Measurement method

Needs from outside counsel in relation of data to support the lawsuit are promptly attended to.

CDP Budget Segment 5

[edit]
Team: Communications

Outcome 2

[edit]
We will work to analyze existing and emerging privacy regulations, understand their impact on our communities and build tools and processes to continue improving their health and privacy.

Output 1

Support privacy-related communications efforts

CDP Budget Segment 6

[edit]
Team: Advancement

Outcome 2

[edit]
We will work to analyze existing and emerging privacy regulations, understand their impact on our communities and build tools and processes to continue improving their health and privacy.

Output 1

Make systems compliant with privacy and data management best practices, as vetted and recommended by Legal.

Output 2

Work with Advancement and other departments to create functionality to better respond to privacy and personal data-related inquiries from donors.

CDP Budget Segment 7

[edit]
Team: Community Engagement

Outcome 2

[edit]
We will work to analyze existing and emerging privacy regulations, understand their impact on our communities and build tools and processes to continue improving their health and privacy.

Output 1

Work with Community Engagement and other departments to build processes to better respond to privacy and personal data-related inquiries from users.

CDP Budget Segment 8

[edit]
Team: Audiences

Outcome 2

[edit]
We will work to analyze existing and emerging privacy regulations, understand their impact on our communities and build tools and processes to continue improving their health and privacy.

Output 1

Work with Audiences, Technology, and other departments to create functionality to better respond to privacy and personal data-related inquiries from users.

Output 2

Work with Audiences, Technology, and other departments to determine how to best manage the personal data of non-registered contributors to Wikimedia projects.

CDP Budget Segment 9

[edit]
Team: Talent & Culture

Outcome 2

[edit]
We will work to analyze existing and emerging privacy regulations, understand their impact on our communities and build tools and processes to continue improving their health and privacy.

Output 1

Support Talent & Culture in adopting best practices relating to the management of staff & contractors’ personal data.

CDP Budget Segment 10

[edit]
Team: Technology

Outcome 2

[edit]
We will work to analyze existing and emerging privacy regulations, understand their impact on our communities and build tools and processes to continue improving their health and privacy.

Output 1

Work with Audiences, Technology, and other departments to create functionality to better respond to privacy and personal data-related inquiries from users.

Output 2

Work with Audiences, Technology, and other departments to determine how to best manage the personal data of non-registered contributors to Wikimedia projects.

Resources

[edit]
FY17-18 FY18-19
Security
  • Director, Engineering
  • Engineer
  • Engineer
  • Engineer
  • Security Architect
  • Security Contractor (Sam Reed)
  • Part-time Security Contractor (Brian Wolff)
  • Director, Engineering
  • Engineer
  • Engineer
  • Engineer
  • Engineer (contractor)
  • 0.5 ✕ Engineer (contractor)
  • Privacy Engineer (new hire)
  • Security Architect
Legal
  • Director, Privacy
Contract 1 ✕ Phishing Campaign (Wombat or PhishMe)
  • 2 ✕ Phishing Campaigns
  • 2 ✕ Infrastructure and Application Penetration test
  • 8 ✕ general Penetration testing
Travel & Other
  • 3 ✕ Hackathon
  • 3 ✕ Developer Summit
  • 3 ✕ Staff offsites
  • 3 ✕ Hackathon
  • 3 ✕ Developer Summit
  • 8 ✕ Staff offsites
  • 8 ✕ General conferences