Wikimedia Foundation Annual Plan/2017-2018/Final/Privacy Security and Data Management
Privacy, Security, and Data Management
editTeam: Technology (Security, Analytics, Technical Operations, & Services), Finance & Administration (OIT, Administration), Community Engagement (Support & Safety), Product (Reading & Reading Design), Advancement (Fundraising Technology)
Program Leads: Aeryn Palmer (Legal), Victoria Coleman and Nuria Ruiz (Technology)
Strategic priorities: Communities, Reach
Timeframe: 12 months. Specific segments of the program may have finite time frames, but some aspects (for example, providing Privacy by Design product counseling) are ongoing throughout Q1-Q4.
Description | FY17-18 Plan | |||
---|---|---|---|---|
Privacy and Security | Description of Privacy and Security Expenses | |||
Staffing Expenses | 1,081 | 8.08 FTE in Technology and Legal | ||
Non Staffing Expenses | - | |||
Data Center Expenses | - | |||
Grants | - | |||
Endowment Contribution | - | |||
Donation Processing Fees | - | |||
Outside Contract Services | 121 | Contractor and contracting services cost to support the privacy and security program, audit, and trainings | ||
Legal Fees | 60 | Legal fees related to safeguarding user and donor information through legal compliances and protective policies | ||
Travel & Conferences | 52 | For security personnels to travel to community events and community conferences | ||
Other expenses (Wikidata, Personal Property Taxes) | 140 | Cost for security audit (penetration testing), and additional payroll fees and personnel related expenses not captured in "Staffing Expenses" | ||
Total Program Expenses | 1,454 |
Summary
editAs technological and legal circumstances evolve, we are continuing our work to maintain and improve the Wikimedia Foundation's privacy and security practices in order to protect Wikimedia community member and donor information and ensure safe and secure connection to Wikimedia projects and sites.
Goal
editOur privacy and security work is three-fold. The programmatic aspects (Privacy) involve safeguarding user and donor information through legal compliance and protective policies, best practices, and trainings; communicating our privacy practices to users and donors; and ensuring that privacy issues are considered throughout the product design process and lifecycle. The core/non-programmatic aspects (Security and Data Management) include implementing technical and physical measures to ensure secure connections to Wikimedia sites and protect data the Foundation holds; improving organizational security posture and architecture; ensuring the Wikimedia projects, sites, property, staff, and fundraising operations remain protected from external threats; and improving data management and practices.
Segment 1: Legal
editOutcome 1: Through improvements to our organizational security posture, the Foundation ensures the high-quality protection and security of our infrastructure and data
- Objective 1: Evaluate current security practices and make changes and provide training as appropriate
Outcome 2: The Wikimedia Foundation provides clear communications with members of the communities and public regarding our privacy practices
- Objective 1: Work with relevant teams to answer user and donor privacy questions
- Objective 2: Draft and update public-facing privacy-related policies and procedures
Outcome 3: The Wikimedia Foundation continues compliance with best practices for privacy
- Objective 1: Provide training in, draft internal policies relating to, and ensure privacy compliance
- Objective 2: Ensure that privacy issues are considered throughout the product design process and lifecycle
- Objective 3: Ensure compliance with applicable privacy, security, and data protection law
Outcome 4: The Wikimedia Foundation continues compliance with best practices for data management
- Outcome 1: To protect user data and uphold movement values, the Wikimedia Foundation continues compliance with best practices for data management
Segment 2: Technology
editLead Team: Technology
Outcome 1: Through improvements to our organizational security posture, the Foundation ensures the high-quality protection and security of our infrastructure and data
- Objective 1: Increase capacity to participate in security-centric activities
- Objective 2: Update tools and processes to keep pace with industry-wide security developments
- Objective 3 Improve our security architecture with more systematic isolation of services and sensitive data
Outcome 2: To protect user data and uphold movement values, the Wikimedia Foundation continues compliance with best practices for data management
- Objective 1: Guide process for creation/description of new datasets
- Objective 2: Ensure retention guidelines are being followed
- Objective 3: Better offboarding / onboarding for data access
- Objective 4: Sanitization of granular pageview and editing data (geowiki) for public release
Outcome 3: Maintain and enhance connection privacy and security
- Objective 1: Evolve edge connection security/privacy software stack vs evolving threats and changes to underlying traffic stack
- Objective 2: Keep up with evolving public-facing TLS Standards and enhancements (e.g. HPKP, TLSv1.3, ciphersuites)
Segment 3: Office IT
editLead Team: Office IT
Outcome 1: Through improvements to our organizational security posture, the Foundation ensures the high-quality protection and security of our infrastructure and data
- Objective 1: Evaluate current security practices and make changes and provide training as appropriate
Outcome 2: The Foundation's corporate network has clear, actionable security event monitoring, logging and alerting
- Objective 1: Security Event Information Monitoring (SIEM) system
Outcome 3: To protect user data and uphold movement values, the Foundation has ongoing compliance with best practices for data management
- Objective 1: Move from G-Suite non-profit to G-Suite for Business/Enterprise to better manage e-mail and document retention for domain