Access Control Policy

1. Purpose

The purpose of this policy is to ensure that appropriate access to information and resources is granted only to authorized users, and to inform all DefectDojo employees and external parties with access to DefectDojo equipment, systems, or networks (collectively, DefectDojo Staff) of their obligations regarding user access to all systems, networks, IT assets, and licensed software owned, operated, or used by DefectDojo.

2. Scope

This policy covers access management for resources and information as it applies to information security and to the confidentiality, integrity, and availability of information that is company-owned, processed, stored, or transmitted.

3. Compliance

3.1 Compliance Measurement

The Information Security Management team will verify compliance with this document through various methods, including but not limited to business tool reports, internal and external audits, and feedback to the document owner.

3.2 Exceptions

Any exception to this document must be reviewed and approved in advance by the Management Review Team.

3.3 Non-Compliance

Any DefectDojo Staff found to have violated this document may be subject to disciplinary action, up to and including termination of employment. In addition, systems and accounts that are found to violate this policy may be removed from the DefectDojo network, disabled, or suspended as appropriate, until such systems and accounts can comply with this policy.

3.4 Continual Improvement

This document is reviewed and updated as part of the continual improvement process.

4. Requirements

4.1 Principle

Access control is granted on the principle of least privilege. Users are only provided access to the information they require to perform their tasks and role.

4.2 Confidentiality Agreements

All DefectDojo Staff who are given access to confidential information should sign a confidentiality or non-disclosure agreement prior to being given access to information processing facilities.

4.3 Role-Based Access

Access to systems is based on specific roles. Where a defined System for Cross-domain Identity Management (SCIM) integration is available and implemented, access is granted automatically based on the DefectDojo Staff member's position in a particular department. Otherwise, access is granted manually by the System Owner or Data Custodian and formally approved.

4.4 Unique Identifier

All users are assigned a unique username or identifier (one user, one ID) to ensure individual accountability. Usernames and identifiers are not shared between users. If there is a valid, DefectDojo-approved need for a shared account, it must remain possible to attribute each use of the shared account to a specific individual.

4.5 Authentication Before Access

Users are identified and authenticated before gaining access to systems, services, or information.

4.6 Access Rights Review

  • User access to systems is reviewed at least annually to ensure it is still appropriate and relevant. Quarterly access reviews are recommended.
  • Inactive and dormant accounts are investigated, and appropriate action is taken, including updating required documentation.

4.7 Privileged and Administrative Accounts

  • Administrative accounts are provided strictly on the principle of ‘need to know’.
  • Privileged and administrative users are assigned specific privileged and/or administrator accounts to go along with their regular account. Only tasks requiring privileged roles are performed using these special accounts.
  • Privileged and administrative accounts are not shared accounts and do not share passwords.
  • Privileged and administrative accounts are clearly identifiable.
  • A register of privileged and administrative accounts is maintained in each system or tool where these accounts exist.
  • Privileged and administrative accounts are logged and monitored.
  • Where applicable, privileged and administrative accounts are provided for a set period of time.

4.8 Multi-Factor Authentication

  • Multi-factor Authentication (MFA) should be deployed wherever possible for access to every system.
  • MFA must be deployed for any system hosting confidential data.

4.9 User Account Provisioning

  • Account creation, modification, and deletion are documented and performed by authorized personnel.
  • Individual line managers approve account creation, modification, and deletion, unless the role is provisioned automatically with default permissions.
  • Data Owners and Data Custodians approve access to systems and information.
  • Users requesting password resets or changes to authentication credentials have their identity verified via the Identity Verification Standard.

4.10 Leavers

  • User termination and changes of role are automated whenever possible through HR processes integrated with the DefectDojo identity management system.
  • When a user leaves DefectDojo, all access is revoked, at a minimum to the main authentication technology and to relevant systems.
  • User identifiers, passwords, and authentication credentials of leavers are not reused.

4.11 Authentication

The logon process for each DefectDojo system meets the following requirements. The logon process:

  • Does not display system or application identifiers until the logon process has been successfully completed.
  • Displays a general notice warning that only authorized users should access the system.
  • Does not provide help messages during logon that would aid an unauthorized user.
  • Validates the logon information only on completion of all input data.
  • Protects against brute force logon attempts.
  • Logs unsuccessful and successful attempts.
  • Raises a security event if a potential attempted or successful breach of logon controls is detected.
  • Does not display a password being entered.
  • Does not transmit passwords in clear-text over a network.
  • Terminates inactive sessions after a defined period of inactivity.

4.12 Remote Access

  • Remote access to DefectDojo networks and cloud-based services is subject to the same rules set out in this policy.
  • Remote connections are set to disconnect after a set period.

4.13 Third-Party Remote Access

  • Access is only granted to third parties under a current contract with a non-disclosure agreement.
  • Access is granted for a specific time, system, and individual, on receipt of a formal, valid, authorized access request.
  • Access is removed immediately on completion of the requirement.
  • A record of third parties and individuals with active access is maintained in the identity management system.

4.14 Account Suspension and Deletion after Termination

All accounts are suspended for 30 days after termination and then deleted, unless there is a legal hold requirement. This includes suspending and then deleting all regular, privileged, and third-party access accounts.

4.15 Monitoring and Reporting

Access to systems is monitored and reported, and actions that directly or indirectly affect or could affect the confidentiality, integrity, or availability of data are managed via the Incident Management process.

5. Relevant Documents

  • Data Classification Policy
  • Data Classification Standard
  • Identity Verification Standard
  • Password Policy