Asset Management Policy

1. Purpose

The purpose of this document is to define how assets are identified and managed. In addition, it informs all DefectDojo employees and external parties with access to DefectDojo equipment, systems, or networks (DefectDojo Staff) of their obligations regarding the Asset Management of all systems, networks, IT assets, and licensed software owned, operated, or used by DefectDojo.

2. Scope

This document applies to the management of assets as it relates to information security and to the confidentiality, integrity, and availability of company-owned, processed, stored, and transmitted information.

3. Compliance

3.1 Compliance Measurement

The Information Security Management team will verify compliance with this document through various methods, including but not limited to business tool reports, internal and external audits, and feedback to the document owner.

3.2 Exceptions

Any exception to this document must be reviewed and approved in advance by the Management Review Team.

3.3 Non-Compliance

Any DefectDojo Staff found to have violated this document may be subject to disciplinary action, up to and including termination of employment.

3.4 Continual Improvement

This document is reviewed and updated as part of the continual improvement process.

4. Requirements

4.1 Principle

DefectDojo assets are known, identified, and managed with appropriate protection in place.

4.2 Inventory of Assets

Information assets storing Confidential or Internal data or used to provide critical services are identified, and an inventory of these assets is drawn up and maintained. For each asset, at least the following is recorded:

  • Asset name
  • Asset owner
  • Asset function or importance
  • Asset classification

For physical assets, additionally record:

  • Asset number
  • Serial number
  • Whether in use
  • Last checked by and date
  • Description of the information processed, stored, or transmitted

4.2.1 Cloud Asset Tagging

All cloud assets must be tagged in accordance with the Cloud Asset Tagging Standard.

4.3 Ownership of Assets

  • Individuals, roles, or teams are assigned ownership and responsibility of assets.
  • Asset Owners ensure assets are inventoried.
  • Asset Owners ensure assets are appropriately classified and protected.
  • Asset Owners ensure proper handling when the asset is deleted or destroyed, in line with the Data Classification Policy and Data Classification Standard.
  • Asset Owners may delegate tasks outlined above.

4.4 Acceptable Use of Assets

Acceptable use of assets is in line with the Acceptable Use Policy.

4.5 Return of Assets

All DefectDojo Staff return all DefectDojo assets in their possession upon termination of their employment, contract, or agreement.

4.6 Management of Media

4.6.1 Removable Media

  • Authorization is required for removing media from DefectDojo facilities or assets, when necessary and practical.
  • A record of the removal will be kept for an audit trail.
  • Contents of any reusable media being retired or replaced will be made unrecoverable.
  • All media will be stored and secured according to manufacturers’ specifications.
  • Cryptographic techniques should protect data on removable media to maintain integrity and confidentiality.
  • Media degradation will be mitigated by transferring stored data to fresh media before it becomes unreadable.
  • Coincidental data damage or loss will be mitigated by making multiple copies of valuable data on separate media.
  • Removable media drives will only be enabled if there is a business reason.
  • Transfer of information to removable media will be monitored.

4.6.2 Physical Media Transfer

  • Use reliable transport/couriers.
  • Maintain a management-approved list of authorized couriers.
  • Verify identification of couriers.
  • Package media to protect against physical damage and according to manufacturers’ specifications.
  • Log transfers with information including:
    • Content of the media
    • Type of protection applied
    • Time of transfer to transport custodian
    • Time of receipt at destination

4.6.3 Return of Assets Upon Termination

  • The termination process includes returning all issued physical and electronic assets, per BYOD, Mobile and Remote Working Policy, and Asset Management Policy.
  • If personal equipment was used, all relevant information must be transferred to DefectDojo and securely erased from the equipment.
  • Unauthorized copying of information by employees and contractors will be monitored and controlled during termination.

4.6.4 Disposal of Media

  • Secure disposal of media containing confidential information will be proportional to the sensitivity of that information, as outlined in the Data Classification Policy.
  • Guidelines include:
    • Identification of items requiring disposal
    • Use of third-party collection and disposal services per Vendor Management Policy
    • Secure disposal by incineration, shredding, or data erasure for reuse
    • Risk assessment of damaged media to determine disposal or repair
    • Whole-disk encryption to mitigate disclosure risks
    • Logging each disposal to maintain an audit trail

5. Relevant Documents

  • Acceptable Use Policy
  • Cloud Asset Tagging Standard
  • Data Classification Policy
  • Data Classification Standard