Information Security Policy
Purpose
The purpose of this policy is to set out the information security policies that apply to DefectDojo in order to protect the confidentiality, integrity, and availability of data. It also informs all DefectDojo employees and external parties with access to DefectDojo equipment, systems, or networks (collectively, DefectDojo Staff) of their obligations under this Information Security Policy with respect to all systems, networks, IT assets, and licensed software owned, operated, or used by DefectDojo.
Scope
This policy covers risk and risk management as applied to information security and to the confidentiality, integrity, and availability of information that the company owns, processes, stores, or transmits.
Compliance
Compliance Measurement
The Information Security Management team will verify compliance with this document through various methods, including but not limited to business tool reports, internal and external audits, and feedback to the document owner.
Exceptions
Any exception to this document must be reviewed and approved in advance by the Management Review Team.
Non-Compliance
Any DefectDojo Staff found to have violated this document may be subject to disciplinary action, up to and including termination of employment.
Continual Improvement
This document is updated and reviewed as part of the continual improvement process.
Requirements
Principle
Information security is managed based on risk, legal and regulatory requirements, and business needs.
Chief Executive’s Statement of Commitment
DefectDojo’s information processing is fundamental to the company’s success, and the protection and security of that information are a board-level priority. We take our obligations under regulatory requirements (e.g., GDPR, Data Protection Act 2018) and industry best practice bodies (e.g., NIST, CSA, OWASP) seriously, whether the information concerns employees or customers. Resources are provided to develop, implement, and continually improve the information security management system appropriate to our business.
Introduction
Information security protects the information entrusted to us. Errors in information security can have significant adverse impacts on employees, customers, reputation, and finances.
By maintaining an effective information security management system, DefectDojo can:
- Provide assurances for legal, regulatory, and contractual obligations.
- Ensure the right people have proper access to the correct data at the right time.
- Protect personal data as defined by GDPR and other privacy regulations.
- Be responsible data citizens and custodians.
Information Security Defined
- Confidentiality: Access to information is limited to those with appropriate authority.
- Integrity: Information is complete and accurate.
- Availability: Information is available when it is needed.
Information Security Objectives
- Ensure the confidentiality, integrity, and availability of DefectDojo information, including all personal data defined by GDPR, based on risk management, legal, regulatory, and contractual obligations, and business needs.
- Provide resources to develop, implement, and continually improve the information security management system.
- Effectively manage third-party suppliers who process, store, or transmit information to reduce and manage information security risks.
- Implement a culture of information security and data protection through effective training and awareness.
Information Security Policy Framework
The information security management system is built upon a policy framework that includes the following policies:
- Acceptable Use Policy
- Access Control Policy
- Asset Management Policy
- Audit Policy
- Bring Your Own Device (BYOD), Mobile, and Remote Working Policy
- Business Continuity Policy
- Change Management Policy
- Cloud and Infrastructure Security Policy
- Cryptographic Controls Policy
- Data Classification Policy
- Data Retention Policy
- Exceptions Policy
- Incident Management Policy
- Information Security Policy (this policy)
- Key Management Policy
- Logging and Monitoring Policy
- Password Policy
- Physical and Environmental Security Policy
- Risk Management Policy
- Secure Development Policy
- Vendor Security Policy
- Vulnerability Management Policy
Information Security Roles and Responsibilities
Information security is the responsibility of everyone. All staff must understand and adhere to policies, follow processes, and report suspected or actual breaches. Specific roles and responsibilities for managing the information security system are documented in the Security Operations wiki on Confluence.
Monitoring
Compliance with information security policies and procedures is monitored by the Management Review Team and through periodic independent internal and external audits.
Legal and Regulatory Obligations
DefectDojo maintains legal and regulatory obligations through:
- The CRM system for customer contracts.
- OneTrust DataGuidance Regulatory Research Platform.
Training and Awareness
- A training and communication plan covers information security policies, processes, and concepts.
- Training needs are identified and assigned via Learning Management Systems, simulated attack scenarios, and exercises.
- Policies are made readily available to all employees and third-party users.
- All employees and contractors must complete a Security Awareness module annually.
Relevant Documents
- All policies listed in the Information Security Policy Framework (section 4.6)