Exceptions Policy

Purpose

The purpose of this document is to inform all DefectDojo employees and external parties with access to DefectDojo equipment, systems, or networks (DefectDojo Staff) of their obligations regarding requesting exceptions to DefectDojo corporate policies, standards, and procedures.

Scope

This policy applies to exceptions to DefectDojo corporate policies, standards, and procedures as related to information security and the confidentiality, integrity, and availability of company-owned, processed, stored, and transmitted information.

Compliance

Compliance Measurement

The Information Security Management team will verify compliance with this document through various methods, including business tool reports, internal and external audits, and feedback to the document owner.

Exceptions

This is the formal Exceptions Policy for requesting and receiving approval for any exceptions to existing DefectDojo policies, standards, and procedures. All DefectDojo Staff must follow this policy when there is a legitimate reason to request an exception to a corporate standard.

Non-Compliance

Any DefectDojo Staff found to have violated this document may be subject to disciplinary action, up to and including termination of employment.

Continual Improvement

This document is updated and reviewed as part of the continual improvement process.

Requirements

DefectDojo Staff Responsibilities

Any DefectDojo Staff requiring an exception to an existing policy, standard, or procedure must officially request this exception from the Security Operations team via a JIRA ticket in the Security Operations Ticket Portal by selecting Risk & Compliance → Request an Exception. The submitted ticket must include:

  • A valid business requirement for the exception
  • The requested duration of the exception (limited to 6 months or less)

Exception Review Process

  • The Security Operations team will review the request and provide approval or rejection within 14 days of submission.
  • Each approved exception will be documented in the JIRA Security Operations ticket portal.
  • Any risk arising from the approved exception will be documented and periodically reviewed according to the DefectDojo Risk Management Procedure.
  • The Security Operations team will review the DefectDojo Exceptions List at least annually.

Relevant Documents

  • Exception Request and Review Procedure
  • Risk Management Procedure