Bring Your Own Device (BYOD), Mobile and Remote Working Policy

1. Purpose

The purpose of this policy is to address the use of mobile devices, personal devices, and remote working practices at DefectDojo.

Additionally, it informs all DefectDojo employees and external parties with access to DefectDojo equipment, systems, or networks (DefectDojo Staff) of their obligations with regards to BYOD and Remote Working for accessing all systems, networks, IT assets, and licensed software, owned, operated, or used by DefectDojo.

2. Scope

Device management and remote working as applied to information security, including the confidentiality, integrity, and availability of company-owned, processed, stored, and transmitted information.

3. Compliance

3.1 Compliance Measurement

The Information Security Management team will verify compliance to this document through various methods, including but not limited to business tool reports, internal and external audits, and feedback to the document owner.

3.2 Exceptions

Any exception to this document must be reviewed and approved in advance by the Management Review Team.

3.3 Non-Compliance

Any DefectDojo Staff found to have violated this document may be subject to disciplinary action, up to and including termination of employment.

3.4 Continual Improvement

This document is updated and reviewed as part of the continual improvement process.

4. Requirements

4.1 Principle

  • DefectDojo operates a zero-trust security model where every device is considered compromised.
  • Multiple security controls are in place to reduce the risk of exposure of, or damage to, confidential data and internal systems.
  • DefectDojo does not manage mobile devices or corporate devices and relies on the zero-trust model and assistance of DefectDojo Staff to ensure proper security controls are implemented.
  • DefectDojo allows remote working for most staff to promote a diverse and productive workforce and provide business resiliency where staff are not dependent on a given location or equipment to perform their duties.

4.2 Roles and Responsibilities

4.2.1 DefectDojo Staff

All DefectDojo Staff are responsible for complying with the requirements described in the following subsections for BYOD and Mobile devices used to access DefectDojo systems and resources, and when working outside of a DefectDojo office.

4.2.1.1 BYOD and Mobile Device Responsibilities

  • BYOD and Mobile devices are kept up to date with the latest vendor-provided OS and application versions.
  • Devices are configured with automatic lockout after a period of inactivity of at most 10 minutes.
  • Devices are protected with a password, biometric, or another authentication method.
  • Devices are fully encrypted with hardware or software encryption provided by the vendor.
  • Confidential and internal data is never copied or stored on BYOD and Mobile devices.
  • Any loss or compromise of such devices is immediately reported in accordance with the Incident Management Policy.

4.2.1.2 Remote Working Responsibilities

  • Protect all BYOD and Mobile devices from theft and compromise when working remotely.
  • Never leave BYOD and Mobile devices unattended in readily accessible or unprotected areas, such as public places.
  • Protect the privacy of what is displayed on the screen of BYOD and Mobile devices via privacy screens or sitting in locations where others cannot see the screen.
  • Use DefectDojo VPN technology when connecting to the Internet from public open networks.
  • Install DefectDojo Zero Trust Network Access software, when available.
  • Use Multi-Factor Authentication (MFA) whenever possible.
  • Deploy industry-standard anti-virus/anti-malware (e.g., Windows Defender, BitDefender) and run regular scans and updates.

4.2.2 Security and Technology Services Team

The Security Operations team is responsible for ensuring a proper zero-trust security model is implemented to allow all DefectDojo Staff to use their BYOD and Mobile devices and to work remotely when needed.

5. Relevant Documents

  • Acceptable Use Policy
  • Access Control Policy
  • Data Classification Policy
  • Data Classification Standard
  • Incident Management Policy