MozillaWiki

Websites/Kick-Off Form/Requirements

< Websites‎ | Kick-Off Form
Revision as of 18:55, 14 February 2013 by Mcoates (talk | contribs) (→‎Finance)
Draft-template-image.png THIS PAGE IS A WORKING DRAFT Pencil-emoji U270F-gray.png
The page may be difficult to navigate, and some information on its subject might be incomplete and/or evolving rapidly.
If you have any questions or ideas, please add them as a new topic on the discussion page.

General Requirements

The user will visit this form when they have a project that has the potential to require Data Safety, Privacy, Legal or Finance reviews. The form will prompt the user for basic information about their project (Step 1) and then determine which additional bugs need to be filed. It will then ask additional questions in order to populate the additional bugs required (Step 2).

  • Form needs to be able to interact with Bugzilla sufficiently to create tickets.
  • A bonus is the ability to pull product/component names.
  • Form needs to be available publicly.
  • Form does not need to retain entered data; generation of the bugzilla bugs is sufficient.
  • Form should be able to link tickets via depends on and blocks fields.

User Story

  1. A user who wishes to initiate the required series of data safety, security, privacy and legal bugs visits the bugzilla form.
  2. They first answer a series of questions that gather the details of their project: name, short description, schedule, priority, link to documentation, etc.
  3. Based on those answers, the user is then prompted for additional information that will be used to create the required child bugs.

Code Repo

Jen Fong got started on re-writing intranet.mozilla.com/webtools, which may or may not be helpful: https://github.com/ednapiranha/webtools-workermgmt/tree/python

We're now looking at using a custom BMO form to accomplish this.

Form Step 1: Basic Info

The first part of the intake form will ask for common data as well ask questions to determine which additional bugs should be filed.

# Question Type Required? Default Data Notes
1 Short name for project Text
 Yes
 n/a
 Should have a character limit since it'll be used in the Bugzilla bug summaries.
2 Master tracking bug number (if it exists)? Text
 No
 n/a
 Should be numbers only

If entered, all child bugs should block this one. If not entered, create tracking bug with relevent info (see below).

3 Who are the points of contact for this review? Text Yes n/a
4 Please provide a short description of the feature / application / project / business relationship (e.g. problem solved, use cases, etc.): Textarea Yes n/a
5 Please provide links to additional information (e.g. feature page, wiki) if available and not yet included in feature description. Textarea
 Yes

6 (not present in current versions) Please attach relevant documents (contract, RFP, creative brief, SOW/work order, proposal, mocks, flows, etc) TBD
 No
 n/a
 Need to figure out the best way to do this. Can we accept file uploads in a temporary location and then post to created bug?
7 (removed in v1.1) What is the urgency of this project? Text
 No
 n/a
8 Does it support a current goal (if so, which one)? Text
 No
 n/a
9 What are your key release / launch dates? Text
 No
 n/a
10 What is the current state of your project? Select n/a
  • Future project under discussion
  • Active planning
  • Development
  • Ready to launch/commit
  • Already launched/committed
11 Does this product/service/project access, interact with, or store Mozilla (customer, contributor, user, employee) data? Example of such data includes email addresses, first and last name, addresses, phone numbers, credit card data.

  • Yes
  • No
 If YES: trigger Data Safety, Legal, Privacy Policy, Privacy Technical, Security
12 (removed in v1.1) Is this a NEW product, service, project, feature, or functionality, a change to an EXISTING one, or neither? Select
 Yes
  • New
  • Existing
  • Neither

If NEW:

  • File legal bug in Legal::Other Product

If EXISTING:

  • Prompt with question 12a
12a (removed v1.1) What product/service/project does this pertain to? Select
 None
  • FirefoxOS
  • Marketplace
  • Persona
  • Marketing Initiative

Open legal bugs accordingly:

  • FirefoxOS - Legal::FirefoxOS
  • Marketplace - Legal::Marketplace
  • Persona - Legal::Persona
  • Marketing Initiative - Legal::Marketing
13 What Mozilla products/services/projects does this product/service/project integrate with or relate to? Text
 No
 n/a
14 Does this project involve a relationship with another party (such as a third party vendor, hosted service provider, consultant or strategic partner (business deals))? This includes NDAs, click to accept, API agreements, open source licenses, renewals, additional services or goods, and any other agreements. Radio
 Yes
  • Yes
  • No

If YES:

  • prompt with additional questions (14a-d)
14a What type of relationship? Select Yes
  • Vendor/Services
  • Distribution/Bundling
  • Search
  • NDA
  • Other

Open legal bugs accordingly:

  • Vendor/Services - Legal::Vendor/Services
  • Distribution/Bundling - Legal::Distribution/Bundling
  • Search - Legal::Search
  • NDA - Legal::NDA
  • Other - Legal::General
14b Will the other party have access to Mozilla (customer, contributor, user, employee) data? (If this is for an NDA, choose no) [yes / no] Radio Yes n/a If YES: Trigger Privacy/Vendor, Security.
14c What is the url for their privacy policy?
 Text
 No
 n/a
14d What is the anticipated cost of the vendor relationship? [Would it be better to have 3 options here, N/A, $25,000 or less and Over $25,000, and if Over $25,000 selected, a Finance bug is triggered?] Radio
 Yes
  • n/a
  • <= $25,000
  • > $25,000
 If > $25,000: Trigger Finance bug.

If *<= $25,000: Show 14d1.

14d1 PO Needed?
 Radio - [yes/no]
 Yes
 n/a
 If Yes: Trigger Finance bug.


Legal Note: For negotiated deals (NDAs, vendors, consultants, and partners for example), we typically start with a Mozilla form when available - talk to legal to see if we have a form agreement.

Other requirements to consider:

If a legal bug is required should we ensure that all filed bugs are restricted access bugs? Or, should we ensure that the vendor information is not copied into any of the non-secured bugs (e.g. only the legal bug has that data)?

Questions

  • How should we handle file attachements?

Form Step 2: Generating Bugs

Additional bugs will need to be generated based on the following criteria. Addtional information will need to be collected for each additional bug that is required.


Data Safety Legal Privacy Policy Privacy Tech Security Finance
Interacts with Mozilla data X X X X X
Hosted not by Mozilla or in the cloud X

X

New Mozilla product and/or feature (see #12)
X X


Relationship with 3rd Party? (see #13)
X



3rd party has access to data? (see #13a)

X
X
3rd party costs > $25k? (see #13c)




X

Security Review

Owner: Michael Coates

  • File Bug as: whoever filed out the intake form
  • Summary: Security Review for {project name}
  • Product: mozilla.org
  • Component: Security Assurance: Review Request
  • Security Flags: Confidential Mozilla Corporation Bug
  • Whiteboard Tags (if any)
  • Keywords (if any): sec-review-needed
  • Data to add within comment 0:
    • All intake questions and answers
  • Data to add within comment 1: (please add all of the following)
    • Additional questions to be completed by the requester:
    • Does this feature or code change affect Firefox, Thunderbird or any product or service the Mozilla ships to end users?
    • Desired Date of review (if known from https://mail.mozilla.com/home/ckoenig@mozilla.com/Security%20Review.html) and whom to invite.
    • If you feel something is missing here or you would like to provide other kind of feedback, feel free to do so here (no limits on size):

Privacy (Technical)

Owner: MIchael Coates

  • Summary: Complete Privacy-Technical Review for {project name}
  • Product: mozilla.org
  • Component: Security Assurance: Review Request
  • Security Flags: Confidential Mozilla Corporation Bug
  • Whiteboard Tags (if any):
  • Keywords (if any): privacy-review-needed
  • Data to add within comment 0:
    • All intake questions and answers

Privacy (Policy/Project)

Owner: Alina Hua

[** Need to check with my team about whether the Privacy Policy review bugs should be default "Public"]

  • Summary: Complete Privacy-Policy Review for {project name}
  • Product: Privacy
  • Component: Privacy Review
  • Security Flags: Privacy Bug
  • Whiteboard Tags (if any):
  • Keywords (if any):
  • Data to add within comment 0:
    • All intake questions and answers
  • Data to add within comment 0 or 1: (please add all of the following)
  • Additional questions to be completed by the requester:
    • Do you currently have a privacy policy for your project / site / product?
      • If YES --> Provide link to policy
      • If NO --> (Privacy Policy review / discusssion needed)
    • Does / Will your product/service/project collect, use or maintain any user data?
      • If YES --> Provide link to Data Safety bug:
      • If NO --> (Data Safety review not needed)
  • For reference, please provide link to related Legal bug:

Privacy (Policy/Vendor)

Owner: Stacy Martin

[I added the new Privacy Component below - this will need Stacy's input]

  • Summary: Complete Privacy / Vendor Review for {project name}
  • Product: Privacy
  • Component: Vendor Review
  • Security Flags: Privacy Bug
  • Whiteboard Tags (if any):
  • Keywords (if any):
  • Data to add within comment 0:
    • All intake questions and answers
  • Data to add within comment 0 or 1: (please add all of the following)
    • Will the vendor have access to Mozilla (customer, contributor, user, employee) data?
      • If Yes, please provide link to vendor's privacy policy.
      • If Yes, has vendor completed Mozilla Vendor Privacy Questionnaire?

Legal

Owner: Liz Compton

  • Summary: Complete Legal Review for {project name}
  • Product: Legal
  • Component: Boot to Gecko or Marketplace or Persona or Other Product or NDA or Distribution/Bundling or Search or Vendor/Services
  • Security Flags: none - whatever is normally assigned to legal bugs
  • Whiteboard Tags (if any): none
  • Keywords (if any): none
  • Data to add within comment 0:
    • All intake questions and answers
  • Data to add within comment 0 or 1:
    • Goal (company goal request maps to) - free form [This won't be needed if it will be requested during the initial intake]
    • Priority to your team - drop down with the choices Low, Medium, High
    • Timeframe for completion - drop down with the choices 2 days, a week, 2-4 weeks, this will take a while but please get started soon, no rush
    • CCs - free form
    • Name of other party - free form [This won't be needed if it will be requested during the initial intake]
    • Business objective - free form
    • URL - free form [This won't be needed if it will be requested during the initial intake]
    • Description (Describe your project in more detail and/or provide any relevant deal terms. Also provide context and background.)
    • SOW details [Only if the component is Vendor/Services]

Finance

Owner: Winnie Aoieong

  • Summary: Complete Finance Review for {project name}
  • Product: Finance
  • Component: Purchase Request Form
  • Security Flags: Finance Group
  • Whiteboard Tags (if any):
  • Keywords (if any):
  • Data to add within comment 0:
    • All intake questions and answers
  • Data to add within comment 1: (please add all of the following)
  • Additional questions to be completed by the requester:
    • What is this purchase for?:
    • Why is this purchase needed?:
    • What is the risk if this is not purchased?:
    • What is the alternative?:
    • When do th items need to be ordered by?:
    • Where will this item be shipped to (if applicable)?:
    • Total Cost:

Data Safety

Owner: Alina Hua

  • Summary: Complete Data Safety Review for {project name}
  • Product: Data Safety
  • Component: General
  • Security Flags:
  • Whiteboard Tags (if any):
  • Keywords (if any):
  • Data to add within comment 0:
  • All intake questions and answers
  • Data to add within comment 0 or 1: (please add all of the following)
  • Additional questions to be completed by the requester:
    • Does your project collect data from users? [Yes / No]
      • If YES --> How many users are currently involved? How many users do you anticipate to be involved?
      • If NO --> Stop. No Data Safety bug should be filed.
    • Please provide examples of the types of user data you collect:
    • Why do you need to collect user data?:
    • What community benefits are derived from the collection of user data for your project?:
    • How is the data being collected? (e.g., forms on web site, provided directly by user, observed data collection, etc.) (Consider that you may be collecting data unintentionally such as automatic logging by web servers)
    • Will your project / team members need to retain user data? [Yes / No]
      • If YES --> For how long?:
    • Will any user data be shared or accessed by third party partners, customers or providers? [Yes / No]
      • If YES --> Please provide answers to the following:
    • What is the data being shared or accessed?
    • How would the data be communicated / transferred to the third parties?
    • Who are the third party vendors and in what countries are they based?
    • Community Visibility and Input
    • Has your proposal been shared publicly, including requirements for Mozilla to collect and host user data? [Yes / No]
      • If YES --> What communication channels are you using and what kind of input have you received thus far?:
      • If NO --> Data Safety discussion needed. Provide your plan for publicly sharing your proposal.
Retrieved from "https://wiki.allizom.org/index.php?title=Websites/Kick-Off_Form/Requirements&oldid=519911"