Cloud and Infrastructure Security Policy

1. Purpose

The purpose of this document is to ensure the security of DefectDojo cloud and infrastructure resources. In addition, it informs all DefectDojo employees and external parties with access to DefectDojo equipment, systems, or networks (collectively, DefectDojo Staff) of their obligations with regard to the cloud and infrastructure security of all systems, networks, IT assets, and licensed software owned, operated, or used by DefectDojo.

2. Scope

This document covers risk management of cloud and on-premise infrastructure as it applies to information security, including the confidentiality, integrity, and availability of information that DefectDojo owns, processes, stores, or transmits.

3. Compliance

3.1 Compliance Measurement

The Information Security Management team will verify compliance with this document through various methods, including but not limited to business tool reports, internal and external audits, and feedback to the document owner.

3.2 Exceptions

Any exception to this document must be reviewed and approved in advance by the Management Review Team.

3.3 Non-Compliance

Any DefectDojo Staff found to have violated this document may be subject to disciplinary action, up to and including termination of employment.

3.4 Continual Improvement

This document is updated and reviewed as part of the continual improvement process.

4. Requirements

4.1 Roles and Responsibilities

All DefectDojo technical teams responsible for managing Cloud or on-premise infrastructure, including the Security Operations Team, must follow the requirements outlined below.

4.2 Change Detection

Audit logs must be protected, retained, and managed throughout their lifecycle with a level of assurance that meets applicable legal, statutory, and regulatory compliance obligations. Logs must preserve unique user accountability so that potentially suspicious network behavior and file integrity anomalies can be detected, and must support forensic investigation in the event of a security breach. All relevant cloud and infrastructure security logs will be retained in accordance with the Logging and Monitoring Policy.

4.3 Clock Synchronization

A reliable and mutually agreed upon external time source must be used to synchronize the system clocks of all relevant information processing systems, so that activity timelines can be traced and reconstructed across systems.

4.4 System Documentation and Resource Scaling

The availability, quality, and adequate capacity of resources must be planned, prepared, and measured to deliver required system performance in line with legal, statutory, and regulatory obligations. Projections of future capacity requirements must be made to mitigate the risk of system overload. When using cloud resources, elasticity must be built in to allow auto-scaling where needed.

4.5 Vulnerability Management

Security vulnerability assessment tools and services must accommodate the virtualization technologies used, in accordance with the Vulnerability Management Policy.

4.6 Network Security

Network environments and virtual instances must be designed and configured to restrict and monitor traffic between trusted and untrusted connections. Configurations must be reviewed at least annually and supported by documented justification for use of all allowed services, protocols, ports, and/or compensating controls.

4.7 Security OS Hardening and Base Controls

Each operating system must be hardened so that only the ports, protocols, and services necessary to meet business needs are enabled. The hardening and supporting technical security controls must be captured in the baseline operating build standard or template.

4.8 Production / Non-Production Environments

Production and non-production environments must be separated to prevent unauthorized access or changes to information assets. Separation may include firewalls, domain/realm authentication sources, and clear segregation of duties for personnel accessing these environments.

4.9 Segmentation

Multi-tenant applications, infrastructure systems, and network components (physical and virtual) that are organizationally owned or managed must be designed, developed, deployed, and configured so that provider and customer (tenant) user access is appropriately segmented. Considerations include:

  • Established policies and procedures.
  • Isolation of business-critical assets and sensitive user data.
  • Compliance with legal, statutory, and regulatory obligations.

4.10 VM Security Data Protection

When migrating physical servers, applications, or data to virtualized servers, secure and encrypted communication channels must be used. Where possible, such migrations should use a network segregated from production networks.

4.11 Hypervisor Hardening

Access to all hypervisor management functions or administrative consoles for systems hosting virtualized systems must be restricted based on the principle of least privilege and supported through technical controls in accordance with the Access Control Policy and Cryptographic Controls Policy.

4.12 Wireless Security

Policies and procedures must be established to protect wireless network environments, including:

  • Perimeter firewalls to restrict unauthorized traffic.
  • Security settings enabled with strong encryption for authentication and transmission, replacing vendor defaults in accordance with the Cryptographic Controls Policy.
  • User access restricted to authorized personnel.
  • Capability to detect unauthorized (rogue) wireless network devices and disconnect them promptly.

4.13 Network Architecture

Network architecture diagrams must clearly identify high-risk environments and data flows with legal compliance impacts. Technical measures must apply defense-in-depth techniques for detection and timely response to network-based attacks, including anomalous traffic patterns or distributed denial-of-service (DDoS) attacks.

4.14 Anti-Virus / Malicious Software

Policies, procedures, and technical measures must be implemented to prevent execution of malware on organizationally owned IT infrastructure, networks, and system components.

5. Relevant Documents

  • Access Control Policy
  • Cryptographic Controls Policy
  • Logging and Monitoring Policy
  • Vulnerability Management Policy