Risk Management Policy

Purpose of Policy

This policy informs all DefectDojo employees and external parties with access to DefectDojo equipment, systems, or networks (collectively, DefectDojo Staff) of their obligations regarding the risk management of all systems, networks, IT assets, and licensed software owned, operated, or used by DefectDojo.

Scope

Applies to risk and risk management as it relates to information security and to the confidentiality, integrity, and availability of information that DefectDojo owns, processes, stores, or transmits.

Policy Compliance

Compliance Measurement

The Information Security Management team will verify compliance through business tool reports, internal and external audits, and feedback to the document owner.

Exceptions

Any exceptions must be reviewed and approved in advance by the Management Review Team.

Non-Compliance

DefectDojo Staff found in violation of this policy may be subject to disciplinary action, up to and including termination of employment.

Continual Improvement

The policy is reviewed and updated as part of the continual improvement process.

Requirements

Principle

DefectDojo’s information security management is based on appropriate and adequate risk management practices.

What is Risk Management

  • Risk: The possibility that an action or event will adversely affect DefectDojo’s ability to achieve its objectives.
  • Risk Management: Systematic application of principles and processes to identify, assess, and respond to risks associated with DefectDojo’s activities.

Risk Appetite

DefectDojo maintains a Moderate Risk Appetite, mitigating risks cost-effectively while allowing some acceptance based on business needs.

Low Risk Appetite

Risks that shall not be accepted include:

  • Unauthorized access, use, or release of personally identifiable or sensitive data.
  • Noncompliance with contractual obligations, laws, regulations, policies, or procedures.
  • Lack of resiliency against cybersecurity threats.

Moderate Risk Appetite

Areas in which risks may be mitigated proportionately and cost-effectively, or accepted based on business needs, include:

  • Alignment of enterprise information systems, data, and business practices.
  • Ability to meet user demands and support a mobile workforce.
  • Technology infrastructure performance (stability, reliability, capacity, redundancy).
  • Business resiliency planning and execution.

Risk Identification and Assessment

  • Risk assessments are conducted at least every 12 months and following significant changes.
  • Assessments cover:
    • Systems and processes that process, store, or transmit confidential, personal, or cardholder information.
    • Third-party suppliers that handle sensitive data.
    • New systems and significant changes to existing ones.

Risk Register

All identified risks are recorded in the DefectDojo risk register.

Risk Reporting

  • Reviewed at Management Review Team meetings.
  • Significant risks (risk score greater than 8, or rated severe) are reported to Senior Management.
  • Forms part of enterprise risk management reporting.

Risk Review

Regular review ensures:

  • Progress on risk actions.
  • Effectiveness of risk mitigation.
  • Management of residual risk.

Risk Treatment

Risk Acceptance

  • Decision by departmental manager and/or Senior Management.
  • Criteria for acceptance:
    • Low-risk and not cost-effective to treat.
    • Business opportunities outweigh threat/impact.
    • No feasible risk treatment exists.
    • Impact is acceptable to DefectDojo.

Risk Mitigation

  • Requires approval by the relevant manager, Management Review Team, or Senior Management.
  • Assign responsibility for implementation and management.
  • Document actions in the Risk Register and review at Management Review Team meetings.

Risk Evaluation

Evaluated on potential impact to:

  • Compliance and legal obligations.
  • Reputation.
  • Customers.
  • Business goals and objectives.
  • Financial performance.

Relevant Documents

  • Risk Management Procedure