Websites/Data Safety Kick-Off Form

From MozillaWiki
Jump to navigation Jump to search
Draft-template-image.png THIS PAGE IS A WORKING DRAFT Pencil-emoji U270F-gray.png
The page may be difficult to navigate, and some information on its subject might be incomplete and/or evolving rapidly.
If you have any questions or ideas, please add them as a new topic on the discussion page.

Objective

The objective of the Data Safety Kick-Off Form is to have a single point of entry for generating all safety review bugs, including: legal, privacy and security.

Background

Goal: 1. Info Gathering - Determine basic questions that every team needs to know - owner, location for more info, deadlines etc 2. Build Triggers - Create minimal questions that determine if X review is needed. For example, "Does this system interact with user data?" May be the trigger for a data safety review bug. Keep in mind: We want to make this form as easy as possible We're brainstorming now, so include ideas and we'll refine as necessary Triggers Goal is to ask basic question that will trigger a review bug for your area. Error on the side of being overly inclusive - you can also close a bug as "review not needed". We'll keep the questions here limited to just triggers. You can ask additional questions within your individual review bug. Potential Reviews Include: Legal Privacy Policy Security Privacy Technical Data Safety Finance What about: l10n a11y Question: how do we direct people to this page in the first place? Is this a product checklist? Is this a relationship checklist?

Team

Technical Details

Requirements

Step 1: Basic Info

  1. Who are the points of contact for this review?
  2. Please provide a short description of the feature / application / project / business relationship (e.g. problem solved, use cases, etc.):
  3. Please provide links to additional information (e.g. feature page, wiki) if available and not yet included in feature description:
  4. Please attach relevant documents (contract, RFP, creative brief, SOW/work order, proposal, mocks, flows, etc)
  5. What is the urgency of this project?
  6. Does it support a current goal (if so, which one)?
  7. What are your key release / launch dates?
  8. What is the current state of your project?
  9. Does this product/service/project access or interact with Mozilla (customer, contributor, user, employee) data? [yes / no]
    • If yes - trigger Data Safety, Legal, Privacy Policy, Privacy Technical, Security
  10. Does / Will your product/service/project utilize Client-side, End-to-end Encryption, or Hosted / Cloud (by Mozilla and/or contracted hosting provider) architecture?
    • If hosted / cloud --> Trigger Data Safety, Privacy Technical
  11. Is this a new Mozilla product/service/project or an update or new feature of a Mozilla product/serviceproject? [yes / no]
    • If yes - trigger Legal Review, Privacy Policy
    • if yes - prompt with additional questions:
      • is this a new product/service/project?
        • If yes, open Legal bug in component Other Product
      • If this is a new feature or update, what is the affected product/service/project?
        • If yes, open Legal bug in the relevant component (Boot to Gecko, Marketplace, Persona or Other Product for anything else)
      • What Mozilla products/services/projects does this product/service/project integrate with or relate to?
  12. Does this project involve a relationship with another party (such as a third party vendor, hosted service provider, consultant or strategic partner (business deals)). This includes NDAs, click to accept, API agreements, open source licenses, renewals, additional services or goods, and any other agreements. ? [yes / no]
    • If yes - trigger Legal Review
    • If yes - prompt with additional questions:
      • Will the other party have access to Mozilla (customer, contributor, user, employee) data? (If this is for an NDA, choose no) [yes / no]
        • If yes - trigger Privacy Policy/Vendor, Security
      • What is the url for their privacy policy? [1 line Text box] user can leave blank
      • What is the anticipated cost of the vendor relationship? [Would it be better to have 3 options here, N/A, $25,000 or less and Over $25,000, and if Over $25,000 selected, a Finance bug is triggered?]
        • If greater than $25,000, trigger finance bug

Legal Note: For negotiated deals (NDAs, vendors, consultants, and partners for example), we typically start with a Mozilla form when available - talk to legal to see if we have a form agreement.

Other requirements to consider:

If a legal bug is required should we ensure that all filed bugs are restricted access bugs? Or, should we ensure that the vendor information is not copied into any of the non-secured bugs (e.g. only the legal bug has that data)?

For all bug types, need the following:

Product, Component, Security group flags, keywords, etc This will be added to the wiki page. A security bug will be filed in all cases (I'm trying to think of scenarios where we wouldn't want one and would need to qualify with a question) Sample Bug Info For each group we need the following bug info:

Security - Michael

  • File Bug as: whoever filed out the intake form
  • Title: Security Review for {project name}
  • Product: mozilla.org
  • Component: Security Assurance: Review Request
  • Security Flags: Confidential Mozilla Corporation Bug
  • Whiteboard Tags (if any)
  • Keywords (if any): sec-review-needed
  • Data to add within comment 0:
  • All intake questions and answers
  • Data to add within comment 1: (please add all of the following)
    • Additional questions to be completed by the requester:
    • Does this feature or code change affect Firefox, Thunderbird or any product or service the Mozilla ships to end users?
    • Desired Date of review (if known from https://mail.mozilla.com/home/ckoenig@mozilla.com/Security%20Review.html) and whom to invite.
    • If you feel something is missing here or you would like to provide other kind of feedback, feel free to do so here (no limits on size):

Privacy (Technical) - Michael

  • Title: Complete Privacy-Technical Review for {project name}
  • Product: mozilla.org
  • Component: Security Assurance: Review Request
  • Security Flags: Confidential Mozilla Corporation Bug
  • Whiteboard Tags (if any):
  • Keywords (if any): privacy-review-needed
  • Data to add within comment 0:
  • All intake questions and answers

Privacy (Policy) - Alina

[** Need to check with my team about whether the Privacy Policy review bugs should be default "Public"]

  • Title: Complete Privacy-Policy Review for {project name}
  • Product: Privacy
  • Component: Privacy Review
  • Security Flags: Privacy Bug
  • Whiteboard Tags (if any):
  • Keywords (if any):
  • Data to add within comment 0:
  • All intake questions and answers
  • Data to add within comment 0 or 1: (please add all of the following)
  • Additional questions to be completed by the requester:
    • Do you currently have a privacy policy for your project / site / product?
      • If YES --> Provide link to policy
      • If NO --> (Privacy Policy review / discusssion needed)
    • Does / Will your product/service/project collect, use or maintain any user data?
    • * If YES --> Provide link to Data Safety bug:
      • If NO --> (Data Safety review not needed)
  • For reference, please provide link to related Legal bug:

Privacy (Policy) - Stacy

[I added the new Privacy Component below - this will need Stacy's input]

  • Title: Complete Privacy / Vendor Review for {project name}
  • Product: Privacy
  • Component: Vendor Review
  • Security Flags: Privacy Bug
  • Whiteboard Tags (if any):
  • Keywords (if any):
  • Data to add within comment 0:
  • All intake questions and answers
  • Data to add within comment 0 or 1: (please add all of the following)
  • Additional questions to be completed by the requester:
  • Will the vendor have access to Mozilla (customer, contributor, user, employee) data?
    • If Yes, please provide link to vendor's privacy policy.
    • If Yes, has vendor completed Mozilla Vendor Privacy Questionnaire?

Legal - Liz

  • Title: Complete Legal Review for {project name}
  • Product: Legal
  • Component: Boot to Gecko or Marketplace or Persona or Other Product or NDA or Distribution/Bundling or Search or Vendor/Services
  • Security Flags: none - whatever is normally assigned to legal bugs
  • Whiteboard Tags (if any): none
  • Keywords (if any): none
  • Data to add within comment 0:
  • All intake questions and answers
  • Data to add within comment 0 or 1:
    • Goal (company goal request maps to) - free form [This won't be needed if it will be requested during the initial intake]
    • Priority to your team - drop down with the choices Low, Medium, High
    • Timeframe for completion - drop down with the choices 2 days, a week, 2-4 weeks, this will take a while but please get started soon, no rush
    • CCs - free form
    • Name of other party - free form [This won't be needed if it will be requested during the initial intake]
    • Business objective - free form
  • URL - free form [This won't be needed if it will be requested during the initial intake]
    • Description (Describe your project in more detail and/or provide any relevant deal terms. Also provide context and background.)
    • SOW details [Only if the component is Vendor/Services]

Finance - Winnie

  • Title: Complete Finance Review for {project name}
  • Product: Finance
  • Component: Purchase Request Form
  • Security Flags: Finance Group
  • Whiteboard Tags (if any):
  • Keywords (if any):
  • Data to add within comment 0:
  • All intake questions and answers
  • Data to add within comment 1: (please add all of the following)
  • Additional questions to be completed by the requester:
    • What is this purchase for?:
    • Why is this purchase needed?:
    • What is the risk if this is not purchased?:
    • What is the alternative?:
    • Total Cost:

Data Safety - Alina

  • Title: Complete Data Safety Review for {project name}
  • Product: Data Safety
  • Component: General
  • Security Flags:
  • Whiteboard Tags (if any):
  • Keywords (if any):
  • Data to add within comment 0:
  • All intake questions and answers
  • Data to add within comment 0 or 1: (please add all of the following)
  • Additional questions to be completed by the requester:

About your data

    • Does your project collect data from users? [Yes / No]
      • If YES --> How many users are currently involved? How many users do you anticipate to be involved?
      • If NO --> Stop. No Data Safety bug should be filed.
    • Please provide examples of the types of user data you collect:
    • Why do you need to collect user data?:
    • What community benefits are derived from the collection of user data for your project?:
    • How is the data being collected? (e.g., forms on web site, provided directly by user, observed data collection, etc.) (Consider that you may be collecting data unintentionally such as automatic logging by web servers)
    • Will your project / team members need to retain user data? [Yes / No]
      • If YES --> For how long?:
    • Will any user data be shared or accessed by third party partners, customers or providers? [Yes / No]
      • If YES --> Please provide answers to the following:
    • What is the data being shared or accessed?
    • How would the data be communicated / transferred to the third parties?
    • Who are the third party vendors and in what countries are they based?
    • Community Visibility and Input
    • Has your proposal been shared publicly, including requirements for Mozilla to collect and host user data? [Yes / No]
      • If YES --> What communication channels are you using and what kind of input have you received thus far?:
      • If NO --> Data Safety discussion needed. Provide your plan for publicly sharing your proposal.
Retrieved from "https://wiki.allizom.org/index.php?title=Websites/Data_Safety_Kick-Off_Form&oldid=461002"