Incident Management Policy

Purpose#

The purpose of this document is to inform all DefectDojo employees and external parties with access to DefectDojo equipment, systems, or networks (DefectDojo Staff) of their obligations with regards to the Incident Management and Response practices.

Scope#

Incident response as applied to information security and the confidentiality, integrity, and availability of company-owned, processed, stored, and transmitted information.

Compliance#

Compliance Measurement#

The Information Security Management team will verify compliance to this document through various methods, including but not limited to business tool reports, internal and external audits, and feedback to the document owner.

Exceptions#

Any exception to the policy must be reviewed and approved in advance by the Management Review Team.

Non-Compliance#

Any DefectDojo Staff found to have violated this document may be subject to disciplinary action, up to and including termination of employment.

Continual Improvement#

This document is updated and reviewed as part of the continual improvement and process.

Requirements#

DefectDojo Staff Responsibilities#

Every DefectDojo Staff member must immediately notify the Security Operations team if they suspect that a security incident is taking place by sending an email to CSIRT@DefectDojo.com, including their contact information so a member of the Security Operations team can quickly reach out with any follow-up questions.

Emailing CSIRT@DefectDojo.com must be done at least for the following events:

1. Unauthorized or unexplained access to Confidential and Internal data, including Production environment(s).
2. Unauthorized or unexplained changes to system or security files.
3. Unexplained Production system failure(s).
4. Denial of Service (DoS) attacks against Production environment(s).
5. Accidental or intentional sharing of Confidential or Internal data with parties outside of DefectDojo without prior authorized approval.
6. Known or suspected compromise of or shared knowledge of user’s credentials.
7. Suspected presence of any malware or ransomware on any system.
8. Suspected presence of an emergency-rated vulnerability (for instance, Log4J) on any system.
9. Clicking on a suspected phishing link.

Security Operations Team Responsibilities#

Incident Management#

• Implement procedures for the management of security-related incidents, including escalation paths, management structure, and stakeholder reporting.
• Investigate identified security incidents and provide an appropriate and proportionate response in a timely manner.
• Implement escalation paths for incidents involving data breaches.
• Handle forensic evidence to maintain adequate chain of custody throughout the investigation process.

Outside Assistance where Required#

• Bring in external subject matter experts such as forensic investigators as needed to support the review of a security incident.
• Experts assist in determining breach details, affected data and individuals, and root cause analysis.

Incident Response Service Level Agreements (SLAs)#

Incident Documentation#

• Document all security-related incidents for future reference within 7 days of incident closure.
• Share relevant information with affected business units and teams, including:
  • Identified attack vector(s)
  • Implemented remediations and mitigations
  • Lessons learned and preventative measures

Breach Communication Plan#

• For incidents resulting in Customer or personal data breaches, coordinate internally with Legal, Privacy, HR, and Marketing to implement a communication plan.
• Communication will cover:
  • Internal employees
  • The public
  • Those directly affected

Training for DefectDojo Staff#

• Instruct all DefectDojo Staff on incident reporting as part of the annual Security Awareness Training.

Incident Response Procedure Testing Schedule#

• Test the Incident Response Procedure at least once a year using table-top exercises that simulate real events impacting normal operations.

Relevant Documents#

• Incident Response Procedure