Physical and Environmental Security Policy

Purpose#

This policy aims to prevent unauthorized physical access, damage, and interference to DefectDojo’s information and information processing facilities. It also informs all DefectDojo employees and external parties with access to DefectDojo equipment, systems, or networks (DefectDojo Staff) of their obligations regarding physical and environmental security.

Scope#

Covers physical and environmental security as applied to information security and the confidentiality, integrity, and availability of company-owned, processed, stored, and transmitted information.

Compliance#

Compliance Measurement#

The Information Security Management team verifies compliance through business tool reports, internal and external audits, and feedback to the document owner.

Exceptions#

Exceptions must be reviewed and approved in advance by the Management Review Team.

Non-Compliance#

Violation of this policy may result in disciplinary action, up to and including termination.

Continual Improvement#

The document is updated and reviewed as part of continual improvement.

Requirements#

Principle#

Physical and environmental security aims to exceed Health and Safety regulations while protecting sensitive physical assets based on risk.

Roles and Responsibilities#

DefectDojo Staff#

General Physical Security Requirements#

• Use DefectDojo badges for office access; do not share them.
• Prevent tailgating; ensure one person enters at a time.
• Carry and visibly display badges on-site.
• Lock doors and windows when leaving the building, where applicable.
• Sign all visitors in/out and escort them during their visit.

Clear Desk/Clear Screen Requirements#

• Lock screens when leaving computers/laptops.
• Secure Internal and Confidential documents when away from desk.
• Shred unnecessary internal documents using office secure shredders.

Security and Technology Services#

General Physical Security#

• Buildings and information processing facilities must have physically sound perimeters and protection against unauthorized access.
• Fire doors must be alarmed and compliant with local codes.
• Intruder detection systems installed per standards.
• DefectDojo facilities are physically separated from external party facilities.

Employee Access#

• Access restricted to authorized personnel.
• Staffed reception maintains access records.
• Access granted on least privilege principle.
• Access tokens/badges must be worn, not shared, and revoked upon termination.

Secure Areas#

• Access rights regularly reviewed and revoked when necessary.
• Default to deny access.
• Secure areas must implement controlled access (badge, PIN).
• Cameras for entry/exit, retention ≥30 days.
• Access logs maintained ≥90 days.
• Third-party personnel access restricted and monitored.
• Recording equipment prohibited unless authorized.

Visitor Access#

• Public area access allowed with instructions and emergency procedures.
• Visitors logged and given passes expiring end of day.
• Access to secure areas requires Security Operations approval and escort.

Delivery and Loading Areas#

• Access restricted to authorized personnel.
• Materials loaded/unloaded without access to other areas.
• Inspect and register incoming material; segregate shipments.
• Report tampering immediately.

Network Access Control#

• Restrict physical access to networking equipment.
• Public network jacks prevent internal network access.
• Network jacks granting internal access require physical access control.
• Visitors prohibited from connecting devices unless authorized and escorted.

Cabling Security#

• Protect power/telecommunication cables from interception, interference, or damage.
• Underground cabling preferred; segregate power and communication lines.
• Cable room access restricted.

Equipment Security#

• Minimize unnecessary access to equipment.
• Use UPS where applicable.
• Utilities conform to specifications and local regulations; regularly tested.
• Implement controls against theft, fire, water, dust, vibration, chemical effects, electrical or communication interference, vandalism.
• Off-site use of office equipment requires Security Operations approval.
• Equipment handling confidential data must be secured to prevent information leakage.
• Ensure secure disposal or reuse of equipment containing storage media.

Relevant Documents#

• Acceptable Use Policy
• Access Control Policy
• Data Classification Policy
• Data Classification Standard
• Data Retention Policy