Security/Risk management/Rapid Risk Assessment: Difference between revisions

Automated sync from https://github.com/mozilla/wikimo_opsec
Line 133: Line 133:


* Ensure no previous RRA exist, else re-use the previous RRA.
* Ensure no previous RRA exist, else re-use the previous RRA.
* Create a copy of the [https://drive.google.com/open?id=160V89R-VdIe1AEHcT_sX89UToV2gv8mLshhoia2-6mM template] and move it to the correct directory (or your personal Google drive if you're testing the RRA process).
* Create a copy of the [https://docs.google.com/spreadsheets/d/1jxUEQUSAC-q1rVdZ29fH5ijKfIRNBKfCCgWMsfHNqvQ template] and move it to the correct directory (or your personal Google drive if you're testing the RRA process).
* Invite 1 or 2 members (product owners, lead engineers, etc.) related to the service with enough technical knowledge, ensure they will bring a diagram of data
* Invite 1 or 2 members (product owners, lead engineers, etc.) related to the service with enough technical knowledge, ensure they will bring a diagram of data
flows and have an understanding of the data being stored or processed by the service. You do not want more than 4 or 5 people total as this will slow down the RRA. Most RRAs are run 1 on 1 (2 people total).
flows and have an understanding of the data being stored or processed by the service. You do not want more than 4 or 5 people total as this will slow down the RRA. Most RRAs are run 1 on 1 (2 people total).
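Review bot: the template link changes to a different document, from a Google Drive file (drive.google.com/open?id=160V89R-...) to a Google Sheets spreadsheet (docs.google.com/spreadsheets/d/1jxUEQUSAC-...), but the bullet text is unchanged and the edit summary only says "Automated sync from https://github.com/mozilla/wikimo_opsec", so a reader has no way to tell that the template moved or changed format; suggest the bullet say that the template is a spreadsheet and that the change note whether the old share link is retired or redirects, so nobody keeps copying the stale template. Minor wording on the unchanged first bullet: "Ensure no previous RRA exist, else re-use the previous RRA." should read "exists", and is clearer as "Check whether an RRA already exists for this service; if it does, update that one instead of starting a new one."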
Line 330: Line 330:
=== Recommendations (5 minutes) ===
=== Recommendations (5 minutes) ===


While the RRA is not meant as a true security-review, recommendations do come up and this is a great time to
While the RRA is not meant as a complete review, recommendations do come up and this is a great time to
have a quick 5 minute chat about these.
have a quick 5 minute chat about these.
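Review bot: the rewording from "not meant as a true security-review" to "not meant as a complete review" drops the word "security", so the sentence no longer says what kind of review the RRA is being contrasted with; suggest "While the RRA is not meant as a complete security review, recommendations do come up ...". Also hyphenate "a quick 5-minute chat" in the following line.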

