Data Classification Policy

1. Purpose

The purpose of this policy is to inform all DefectDojo employees and external parties with access to DefectDojo equipment, systems, or networks (collectively, DefectDojo Staff) of their obligations with regard to the data classification of all systems, networks, IT assets, and licensed software owned, operated, or used by DefectDojo.

2. Scope

This policy applies to data classification as it relates to information security and the confidentiality, integrity, and availability of company-owned, processed, stored, and transmitted information.

3. Compliance

3.1 Compliance Measurement

The Information Security Management team will verify compliance with this document through various methods, including but not limited to business tool reports, internal and external audits, and feedback to the document owner.

3.2 Exceptions

Any exception to this policy must be reviewed and approved in advance by the Management Review Team.

3.3 Non-Compliance

Any DefectDojo Staff found to have violated this document may be subject to disciplinary action, up to and including termination of employment. In addition, systems and documents that violate this policy may be removed from the DefectDojo network, disabled, or reclassified as appropriate until compliance is achieved.

3.4 Continual Improvement

This document is updated and reviewed as part of the continual improvement process.

4. Requirements

4.1 Roles and Responsibilities

4.1.1 Data Owners

DefectDojo Staff assigned ownership of company data must follow the data classification principles outlined below.

4.1.2 Custodians

The Security Operations team is responsible for:

  • Setting the Data Classification Policy and Data Classification Standard.
  • Defining audit processes for compliance with both the Data Classification Policy and Standard.

All Data Custodians, including the Security Operations team, are responsible for providing necessary security controls to protect the confidentiality, integrity, and availability of company-owned, processed, stored, and transmitted information.

4.2 Data Classification Principles

  • By default, data ownership is assigned to the creator unless decided otherwise by DefectDojo Management.
  • All DefectDojo-owned or processed data must be classified, stored, transmitted, and disposed of in accordance with the Data Classification Standard.
  • All DefectDojo-owned or processed data must be retained according to the Data Retention Policy and Data Retention Schedule.

4.2.1 Data Classification Summary

  • All data stored in internal DefectDojo tools and systems such as Atlassian JIRA, Confluence Wiki, Google Drive, and others are automatically considered Internal, unless documented otherwise.
  • Access control, storage, disposal, transmission, retention, backup, and recovery practices must be followed for each classification level—Confidential, Internal, and Public—as outlined in the Data Classification Standard.

4.2.2 Data Classification Overview Table

Classification: Confidential
  Description: Data which is legally regulated, including special categories of personal data, customer data, or DefectDojo internal data of critical value or sensitivity. Exposure or compromise may lead to contract breach, regulatory fines, business loss, or reputational damage.
  Examples: Customer Data, Financial Data, Research Information for Product and R&D; see the Data Classification Standard for more examples.

Classification: Internal
  Description: All internal data that does not meet the Confidential definition but whose exposure or compromise may lead to reputational damage, minor disruption, or possible business loss.
  Examples: HR Data, Research Information, Management Data; see the Data Classification Standard for more examples.

Classification: Public
  Description: Data for which there is no expectation of privacy or confidentiality. Data of no commercial value or sensitivity whose exposure or compromise will not lead to negative outcomes.
  Examples: Press Releases, Job Postings; see the Data Classification Standard for more examples.

5. Relevant Documents

  • Access Control Policy
  • Data Classification Standard
  • Data Retention Policy
  • Data Retention Schedule