Wikimedia Foundation Annual Plan/2017-2018/Draft/Privacy Security and Data Management/en

Privacy, Security, and Data Management

Team: Technology (Security, Analytics, Technical Operations, & Services), Finance & Administration (OIT, Administration), Community Engagement (Support & Safety), Product (Reading & Reading Design), Advancement (Fundraising Technology)

Program Leads: Aeryn Palmer (Legal), Victoria Coleman and Nuria Ruiz (Technology)

Strategic priorities: Communities, Reach

Timeframe: 12 months. Specific segments of the program may have finite time frames, but some aspects (for example, providing Privacy by Design product counseling) are ongoing throughout Q1-Q4.

Summary

As technological and legal circumstances evolve, we are continuing our work to maintain and improve the Wikimedia Foundation's privacy and security practices in order to protect Wikimedia community member and donor information and ensure safe and secure connection to Wikimedia projects and sites.

Goal

Our privacy and security work is three-fold. The programmatic aspects (Privacy) involve safeguarding user and donor information through legal compliance and protective policies, best practices, and trainings; communicating our privacy practices to users and donors; and ensuring that privacy issues are considered throughout the product design process and lifecycle. The core/non-programmatic aspects (Security and Data Management) include implementing technical and physical measures to ensure secure connections to Wikimedia sites and protect data the Foundation holds; improving organizational security posture and architecture; ensuring the Wikimedia projects, sites, property, staff, and fundraising operations remain protected from external threats; and improving data management and practices.

Outcome 1: Through improvements to our organizational security posture, the Foundation ensures the high-quality protection and security of our infrastructure and data

  • Objective 1: Evaluate current security practices and make changes and provide training as appropriate

Outcome 2: The Wikimedia Foundation provides clear communications with members of the communities and public regarding our privacy practices

  • Objective 1: Work with relevant teams to answer user and donor privacy questions
  • Objective 2: Draft and update public-facing privacy-related policies and procedures

Outcome 3: The Wikimedia Foundation continues compliance with best practices for privacy

  • Objective 1: Provide training in, draft internal policies relating to, and ensure privacy compliance
  • Objective 2: Ensure that privacy issues are considered throughout the product design process and lifecycle
  • Objective 3: Ensure compliance with applicable privacy, security, and data protection law

Outcome 4: The Wikimedia Foundation continues compliance with best practices for data management

  • Outcome 1: To protect user data and uphold movement values, the Wikimedia Foundation continues compliance with best practices for data management

Segment 2: Technology

Lead Team: Technology

Outcome 1: Through improvements to our organizational security posture, the Foundation ensures the high-quality protection and security of our infrastructure and data

  • Objective 1: Increase capacity to participate in security-centric activities
  • Objective 2: Update tools and processes to keep pace with industry-wide security developments
  • Objective 3 Improve our security architecture with more systematic isolation of services and sensitive data

Outcome 2: To protect user data and uphold movement values, the Wikimedia Foundation continues compliance with best practices for data management

  • Objective 1: Guide process for creation/description of new datasets
  • Objective 2: Ensure retention guidelines are being followed
  • Objective 3: Better offboarding / onboarding for data access
  • Objective 4: Sanitization of granular pageview and editing data (geowiki) for public release

Outcome 3: Maintain and enhance connection privacy and security

  • Objective 1:  Evolve edge connection security/privacy software stack vs evolving threats and changes to underlying traffic stack
  • Objective 2: Keep up with evolving public-facing TLS Standards and enhancements (e.g. HPKP, TLSv1.3, ciphersuites)

Segment 3: Office IT

Lead Team: Office IT

Outcome 1: Through improvements to our organizational security posture, the Foundation ensures the high-quality protection and security of our infrastructure and data

  • Objective 1: Evaluate current security practices and make changes and provide training as appropriate

Outcome 2: The Foundation's corporate network has clear, actionable security event monitoring, logging and alerting

  • Objective 1: Security Event Information Monitoring (SIEM) system

Outcome 3: To protect user data and uphold movement values, the Foundation has ongoing compliance with best practices for data management

  • Objective 1: Move from G-Suite non-profit to G-Suite for Business/Enterprise to better manage e-mail and document retention for domain