Team Handbook


The security organization exists to serve and guide the community and Foundation by providing security services to inform risk and to cultivate a culture of security.


We seek to secure access to and the integrity of free knowledge.

Team Ideals

As a team, we strive to hold ourselves and each other accountable for the following types of behavior:
  • Integrity: For us to be successful folks have to trust us and we need to trust each other.
  • Efficacy: in service and in self.
  • Constructive conflict: is healthy and promotes a growth mindset. Challenging each other is a good thing and makes us all better.
  • Move on: Let go of the past, forgive, forget and start new.
  • Sharing: Share the knowledge you have, share your successes and your failures.
  • Learning: be receptive to learning from others. Nobody knows everything.
  • Healthy body, mind and team: If you are stressed out, sick or just need a break, feel free to get away from all of this! That doesn’t mean you can ignore your work forever but get out of here for a while and go for a walk, read a book, take a nap, stare at the clouds. We need you but we need you healthy, none of this work is going anywhere and we will survive while you are gone. Part of building trust is being able to be vulnerable so it’s ok to talk about it and from time to time to step away from all this.
  • Reflection: What went well, what didn’t, what should I do next time? Everyday is an opportunity and you will both fail and succeed on a regular basis, adversity is your friend, failures are expected, cherished, a blessing and an opportunity. Now get out there and mess some stuff up!
  • Teamwork: We are all in this together and the concept of teamwork extends beyond the security team. We each have a job to do here and while you may feel your approach is the best we need to respect each other and allow everyone to do their job.
  • Problem Solving: Solving problems can be tricky and is usually iterative so don’t be afraid to take a 1st step. Behaviors such as being combative, strawdogging, bikeshedding, and fixed thinking do not help forward the solution. Perfect is the enemy of good.
  • Practice gratitude: Be thankful. We have a great team filled with super awesome folks. Don't let negativity chart your or our path forward.



#security-team is our team channel. It is expected that team members will be logged in and responding to Slack conversation during their personal work hours. Additional team channels include #privacy-engineering and #app-sec.

There are many WMF channels geared towards both work and personal interests which you are welcome to join.


Asana is used to create an agenda for the weekly Team Meeting, and to track any ongoing tasks that are created as a result of that call. Asynchronous communication via Asana tickets is highly encouraged. Assigned tickets are to be kept current with regards to status.

Asana is widely used both by the team and across the Foundation. Please feel free to track ideas, tasks, and self-defined projects in Asana. If you would like assistance in setting up a system that works for you, please talk to your Project Manager.


Meeting Protocol

  • Meetings are an important part of our team dynamic and should be accepted or declined asap, and at least 24 hours prior to meeting time.
  • Meetings are not optional unless you are specifically invited as an optional attendee.
  • Being late is sometimes unavoidable but do your best to be on time as a sign of respect to others.
  • We generally try to live by the 5 minute rule. If someone is 5 minutes late for a meeting we start without them.

Standing Meetings

  • Who: Individual team member and Director
  • What: Come with your own agenda and if you don't have one the Director will provide one
  • When / Where: Cadence TBD by team member but not to exceed 1 month w/out meeting
Team Meeting
  • Who: Security Team members and Director
  • What: This weekly meeting is intended to serve as an all-team touchpoint where news, shoutouts, and guest speakers provide relevant and timely information and general questions can be addressed.
  • Note: Asynchronous agenda building and communication via the Team Meeting Asana board is highly encouraged
  • When / Where: Tuesdays at 9:05am PT via Google Hangout (invite only)
Security Clinic
  • Who: Security Team members
  • What: The Security team’s Clinic serves as the intake point for work from all sources
  • When / Where: Usually on Mondays at 8:00am PT via Google Hangout (invite only)
Quarterly Retro
  • Who: Security Team members
  • What: A quarterly opportunity for the team to reflect on and discuss what does and does not work well. Action items are created to facilitate improvement
  • When / Where: This meeting is held once per quarter in Retrium (invite only)
AppSec Stand-Up
  • Who: Application Security engineers and PM
  • What: Review of ticket status, clearing of blockers, and triage if needed
  • When / Where: Tuesdays at 8:45am PT via Google Hangout (invite only)

Work Hours

  • If you are going on vacation or will be out for half a day or longer, update the team calendar to reflect that you are out of office. Create an event in the team calendar and then invite yourself to the event to have an easily updated entry on both calendars. Please do not provide additional details.
  • If you are sick drop a note to our team mailing list or Slack channel so folks are not trying to track you down.
  • If you take vacation time then you need to really take vacation time. This means disconnecting and spending your time away from work. If something bad happens we’ll figure it out. Enjoy your time off, you earned it!
  • As a corollary to the previous statement, if you feel like you cannot take off we need to discuss this as a team and make sure everyone has a backup. If you don’t have a backup now, let’s get that fixed ASAP.
  • If you are taking a remote training course, or working on remote continuing education this is is work time. Count it as work time. If you are in a week long remote SANS course, for example, you are not available for regular work and should concentrate on the material at hand. A rising tide lifts all boats! :)

Quarterly Goals, OKRs and development

This information evolves as new initiatives evolve and is subject to (potentially frequent) change.

  • Quarterly goal should be sized to be executed in roughly 6 weeks.
  • Goals will be developed with guidance from the Director taking into account current priorities and needs.
  • Goals should be entered in Betterworks and properly aligned with team goals as needed prior to the beginning of the quarter. Exact dates for relevant meetings, dates, etc. will be provided by PM.
  • Updates to percentages and comments are to be entered in Betterworks monthly, at a minimum.

In addition to quarterly goals and OKRs, each staff member will have a personal development plan. These are reviewed and updated quarterly. It is the responsibility of each team member to complete these and review with the director of security. The purpose of this development plan is to help inform areas where each team member would like to grow.

Workflow and Intake


Intake channels must flow into the #security-team Phabricator workboard as canonical if they are to be triaged as part of Wikimedia Security Team work. Exceptions such as Privacy Engineering in Asana (and Phab), or #secscrum must be clearly and explicitly defined.

We need to have anonymous (as in non-community and non-staff) and external user support in limited cases.

We need to have support for non-Tech users to submit general requests for service.


Incoming work that follows a recognized workflow will be (at a minimum) discussed by the Security Team during our team weekly (or the appropriately designated) meeting.

These meeting may sometimes be delayed or canceled due to travel or other circumstances. The Security Team will do our best to communicate when circumstances result in longer than expected delays.

The Security Team is a limited component within Wikimedia Foundation and tasks that cannot be resourced or are not part of the team charter will be left with the general #security project attached as appropriate.


Ticket status should always be easily discernible by all stakeholders. This includes accurate and current board placement, priority, and privacy settings.

Team members should update/comment on tickets to which they are assigned monthly (at a minimum) and regardless of progress made. Not meeting this minimum of communication will result in the ticket displaying as "moldy" in the weekly team "Peek" report.