The Security Team provides services in the areas of Cyber Risk, Architecture, and Fusion Center. Our services are always evolving and you will find a brief overview of each and its associated activities below.

Capabilities Management

  • Control Audits
  • Penetration Testing
  • Compliance
  • Red Team
Provide project management and engagement for internal and external initiatives, team documentation, processes and procedures, and team health initiatives.
Provide education and security best practice guidance to the Foundation and to the community.
  • Delivery of security relevant educational material
Operationalize changes to existing security services and drive their maturity; execute planning from leadership to coordinate and manage the creation of new security services and capabilities. Create consumable metrics and measurements.

Cyber Risk

Provide compliance with GDPR and PCI
Provide a data protection framework in the pursuit of data management and governance.
  • Data classification
  • Data inventory
  • Data release review
  • Data protection
Provide a comprehensive set of security policies and procedures to create governance and repeatability for security-relevant processes.
  • Policy creation
  • Policy management
  • Policy exception
Provide a security risk management framework to identify and treat risk. Provide security risk assessment and treatment services to the Foundation.
  • Risk identification
  • Risk assessment
  • Risk reporting
  • Risk treatment

Fusion Center

Ensure that threats against the confidentiality, availability and integrity of the Wikimedia Community and Foundation are identified, contained, investigated and remediated.
  • Security incident plan
  • Security incident coordination
  • Security incident playbooks
Provide an overview of threats and bad actors as they relate to the threat landscape.
Provide oversight, guidance and assessments for 3rd party suppliers or partners.
  • Security review for 3rd party suppliers
  • Security specific contract language
  • Auditing of 3rd parties
coming soon

Security Architecture

Security-focused code reviews and audits, ranging from basic guidance on a Gerrit patch set to full-featured reviews of MediaWiki core, extensions and stand-alone services.
  • Manual review of patches and code
  • Dynamic analysis of libraries and applications
  • Report creation and review
Provide procedures and tools for the review of data processing activities to identify and mitigate associated risks to the organization and its users, including compliance with existing policies.
  • Privacy data reviews
  • Privacy functionality reviews
  • Privacy mitigation support
  • Privacy awareness and privacy-by-design training
  • GRC and other tooling creation and management
Creation, update, review, exception management, and enforcement.