Wikimedia Foundation Annual Plan/2017-2018/Final/Privacy Security and Data Management

Privacy, Security, and Data Management

edit

Team: Technology (Security, Analytics, Technical Operations, & Services), Finance & Administration (OIT, Administration), Community Engagement (Support & Safety), Product (Reading & Reading Design), Advancement (Fundraising Technology)

Program Leads: Aeryn Palmer (Legal), Victoria Coleman and Nuria Ruiz (Technology)

Strategic priorities: Communities, Reach

Timeframe: 12 months. Specific segments of the program may have finite time frames, but some aspects (for example, providing Privacy by Design product counseling) are ongoing throughout Q1-Q4.

Description FY17-18 Plan
Privacy and Security Description of Privacy and Security Expenses
Staffing Expenses 1,081 8.08 FTE in Technology and Legal
Non Staffing Expenses -
Data Center Expenses -
Grants -
Endowment Contribution -
Donation Processing Fees -
Outside Contract Services 121 Contractor and contracting services cost to support the privacy and security program, audit, and trainings
Legal Fees 60 Legal fees related to safeguarding user and donor information through legal compliances and protective policies
Travel & Conferences 52 For security personnels to travel to community events and community conferences
Other expenses (Wikidata, Personal Property Taxes) 140 Cost for security audit (penetration testing), and additional payroll fees and personnel related expenses not captured in "Staffing Expenses"
Total Program Expenses 1,454

Summary

edit

As technological and legal circumstances evolve, we are continuing our work to maintain and improve the Wikimedia Foundation's privacy and security practices in order to protect Wikimedia community member and donor information and ensure safe and secure connection to Wikimedia projects and sites.

Goal

edit

Our privacy and security work is three-fold. The programmatic aspects (Privacy) involve safeguarding user and donor information through legal compliance and protective policies, best practices, and trainings; communicating our privacy practices to users and donors; and ensuring that privacy issues are considered throughout the product design process and lifecycle. The core/non-programmatic aspects (Security and Data Management) include implementing technical and physical measures to ensure secure connections to Wikimedia sites and protect data the Foundation holds; improving organizational security posture and architecture; ensuring the Wikimedia projects, sites, property, staff, and fundraising operations remain protected from external threats; and improving data management and practices.

edit

Outcome 1: Through improvements to our organizational security posture, the Foundation ensures the high-quality protection and security of our infrastructure and data

  • Objective 1: Evaluate current security practices and make changes and provide training as appropriate

Outcome 2: The Wikimedia Foundation provides clear communications with members of the communities and public regarding our privacy practices

  • Objective 1: Work with relevant teams to answer user and donor privacy questions
  • Objective 2: Draft and update public-facing privacy-related policies and procedures

Outcome 3: The Wikimedia Foundation continues compliance with best practices for privacy

  • Objective 1: Provide training in, draft internal policies relating to, and ensure privacy compliance
  • Objective 2: Ensure that privacy issues are considered throughout the product design process and lifecycle
  • Objective 3: Ensure compliance with applicable privacy, security, and data protection law

Outcome 4: The Wikimedia Foundation continues compliance with best practices for data management

  • Outcome 1: To protect user data and uphold movement values, the Wikimedia Foundation continues compliance with best practices for data management

Segment 2: Technology

edit

Lead Team: Technology

Outcome 1: Through improvements to our organizational security posture, the Foundation ensures the high-quality protection and security of our infrastructure and data

  • Objective 1: Increase capacity to participate in security-centric activities
  • Objective 2: Update tools and processes to keep pace with industry-wide security developments
  • Objective 3 Improve our security architecture with more systematic isolation of services and sensitive data

Outcome 2: To protect user data and uphold movement values, the Wikimedia Foundation continues compliance with best practices for data management

  • Objective 1: Guide process for creation/description of new datasets
  • Objective 2: Ensure retention guidelines are being followed
  • Objective 3: Better offboarding / onboarding for data access
  • Objective 4: Sanitization of granular pageview and editing data (geowiki) for public release

Outcome 3: Maintain and enhance connection privacy and security

  • Objective 1:  Evolve edge connection security/privacy software stack vs evolving threats and changes to underlying traffic stack
  • Objective 2: Keep up with evolving public-facing TLS Standards and enhancements (e.g. HPKP, TLSv1.3, ciphersuites)

Segment 3: Office IT

edit

Lead Team: Office IT

Outcome 1: Through improvements to our organizational security posture, the Foundation ensures the high-quality protection and security of our infrastructure and data

  • Objective 1: Evaluate current security practices and make changes and provide training as appropriate

Outcome 2: The Foundation's corporate network has clear, actionable security event monitoring, logging and alerting

  • Objective 1: Security Event Information Monitoring (SIEM) system

Outcome 3: To protect user data and uphold movement values, the Foundation has ongoing compliance with best practices for data management

  • Objective 1: Move from G-Suite non-profit to G-Suite for Business/Enterprise to better manage e-mail and document retention for domain