Business Continuity Policy
1. Purpose
The purpose of this policy is to establish business continuity management and information security continuity. It addresses threats, risks, and incidents that impact the continuity of operations.
Additionally, it informs all DefectDojo employees and external parties with access to DefectDojo equipment, systems, or networks (DefectDojo Staff) of their obligations with regard to the business continuity of all systems, networks, IT assets, and licensed software owned, operated, or used by DefectDojo.
2. Scope
This policy covers business continuity as applied to information security, including the confidentiality, integrity, and availability of company-owned, processed, stored, and transmitted information.
3. Compliance
3.1 Compliance Measurement
The Information Security Management team will verify compliance with this document through various methods, including but not limited to business tool reports, internal and external audits, and feedback to the document owner.
3.2 Exceptions
Any exception to this document must be reviewed and approved in advance by the Management Review Team.
3.3 Non-Compliance
Any DefectDojo Staff found to have violated this document may be subject to disciplinary action, up to and including termination of employment.
3.4 Continual Improvement
This document is updated and reviewed as part of the continual improvement process.
4. Requirements
4.1 Principle
The Business Continuity Policy requires people’s safety to be the number one priority. The framework is based on industry best practice and the ISO 22301 Business Continuity Management standard.
4.2 Commitment and Continual Improvement
DefectDojo is committed to developing and continually improving the business continuity process, plans, and system.
4.3 Business Impact Analysis
Business continuity is based on a documented business impact analysis and risk assessment.
4.4 Business Continuity Plans
DefectDojo has documented procedures for responding to a disruptive event and continuing or recovering its activities within a predetermined time frame. Such procedures address the requirements of those who will use them.
4.4.1 Business Continuity Plan Details
Each plan must define the following:
- Purpose and scope
- Objectives
- Activation criteria and procedures
  - A process for activating the BC Plan
- Implementation procedures
- Business priority of recovery
  - How the organization will continue or recover its prioritized activities within predetermined time frames
- Roles, responsibilities, and authorities
  - Defined roles and responsibilities for people and teams having authority during and following a disruptive event
- Communication requirements and procedures
  - Details on how and under what circumstances the organization will communicate with employees, their relatives, key interested parties, and emergency contacts
  - Details to manage the immediate consequences of a disruptive event, giving due regard to:
    - The welfare of individuals
    - Strategic, tactical, and operational options for responding to the disruption
    - Prevention of further loss or unavailability of prioritized activities
    - Internal and external interdependencies and interactions
  - Details of the organization’s media response following a disruptive event, including:
    - A communications strategy
    - Preferred interface with the media
    - Guideline or template for drafting a statement for the media
    - Appropriate spokespeople
- Resource requirements
- Information flow and documentation processes
- A process for standing down once the disruptive event is over
- Information and system backup processes
4.5 Recovery
DefectDojo has documented procedures to restore business activities from the temporary measures adopted during a disruptive event and to return them to normal business requirements afterwards.
4.6 Business Continuity Testing
Business continuity plans will be tested at least annually and whenever a significant change occurs.
4.7 Incident and Business Continuity Reporting and Escalation
- An incident management process is in place and is being followed.
- Business continuity incidents are additionally recorded and tracked in a register.
- Business continuity incidents are reported to the Management Review Team.
4.8 Disaster Recovery Plans
Technical recovery plans for disaster recovery are in place and tested.
5. Relevant Documents
- Business Impact Assessment Template
- Risk Management Procedure