<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Security &amp; IT Controls on DefectDojo Trust Center</title><link>/policies/security_it_controls/</link><description>Recent content in Security &amp; IT Controls on DefectDojo Trust Center</description><generator>Hugo</generator><language>en-US</language><copyright>Copyright (c) 2020-2024 Thulite</copyright><lastBuildDate>Thu, 08 Jan 2026 00:00:00 +0000</lastBuildDate><atom:link href="/policies/security_it_controls/index.xml" rel="self" type="application/rss+xml"/><item><title>Anti Virus Policy</title><link>/policies/security_it_controls/defectdojo-anti-virus-policy/</link><pubDate>Thu, 08 Jan 2026 00:00:00 +0000</pubDate><guid>/policies/security_it_controls/defectdojo-anti-virus-policy/</guid><description>&lt;h2 id="definitions"&gt;Definitions&lt;/h2&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Virus:&lt;/strong&gt; A program that attaches itself to an executable file or vulnerable application and delivers a payload ranging from annoying to extremely destructive. A file virus executes when an infected file is accessed. A macro virus infects executable code embedded in Microsoft Office programs that allow users to generate macros.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Trojan Horse:&lt;/strong&gt; Destructive programs, usually viruses or worms, hidden in an attractive or innocent-looking piece of software, such as a game or graphics program. Victims may receive a Trojan horse via email, removable media, or downloads from websites.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Worm:&lt;/strong&gt; A program that copies itself elsewhere in a computing system, either on the same computer or across networks. Worms may disrupt networks by overloading them. Unlike viruses, worms do not need to attach to files.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Spyware:&lt;/strong&gt; Programs that install and gather information from a computer without permission, reporting it to the creator or third parties.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Malware:&lt;/strong&gt; Short for malicious software; programs designed to damage or disrupt a system, including viruses, worms, and Trojan horses.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Adware:&lt;/strong&gt; Programs installed without user consent or bundled with software to display ads, often causing system slowness or errors.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Keyloggers:&lt;/strong&gt; Programs that capture keystrokes and may also record screen images, often sending data to a third party.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Ransomware:&lt;/strong&gt; Malware that restricts user access to systems or files until a ransom is paid.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Server:&lt;/strong&gt; A computer program that provides services to other programs or devices. A computer running a server program is referred to as a server.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Security Incident:&lt;/strong&gt; An assessed event of unauthorized entry or attack on an automated information system, including disruption, destruction, or alteration of system functions.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;E-mail:&lt;/strong&gt; Electronic mail, consisting of messages sent over electronic media by a communications application.&lt;/li&gt;
&lt;/ul&gt;
&lt;h2 id="overview"&gt;Overview&lt;/h2&gt;
&lt;p&gt;Malware threats must be managed to minimize downtime on DefectDojo, Inc. systems and protect critical systems and member data. This policy is established to:&lt;/p&gt;</description></item><item><title>Cloud and Infrastructure Security Policy</title><link>/policies/security_it_controls/defectdojo-cloud-and-infrastructure-security-policy/</link><pubDate>Thu, 08 Jan 2026 00:00:00 +0000</pubDate><guid>/policies/security_it_controls/defectdojo-cloud-and-infrastructure-security-policy/</guid><description>&lt;h2 id="1-purpose"&gt;1. Purpose&lt;/h2&gt;
&lt;p&gt;The purpose of this document is to ensure the security of DefectDojo cloud and infrastructure resources. In addition, it informs all DefectDojo employees and external parties with access to DefectDojo equipment, systems, or networks (DefectDojo Staff) of their obligations with regard to the cloud and infrastructure security of all systems, networks, IT assets, and licensed software owned, operated, or used by DefectDojo.&lt;/p&gt;</description></item><item><title>Information Security Policy</title><link>/policies/security_it_controls/defectdojo-information-security-policy/</link><pubDate>Thu, 08 Jan 2026 00:00:00 +0000</pubDate><guid>/policies/security_it_controls/defectdojo-information-security-policy/</guid><description>&lt;h2 id="purpose"&gt;Purpose&lt;/h2&gt;
&lt;p&gt;The purpose of this policy is to set out the information security policies that apply to DefectDojo to protect the confidentiality, integrity, and availability of data. Additionally, it informs all DefectDojo employees and external parties with access to DefectDojo equipment, systems, or networks (DefectDojo Staff) of their obligations regarding the Information Security Policy of all systems, networks, IT assets, and licensed software owned, operated, or used by DefectDojo.&lt;/p&gt;</description></item><item><title>Key Management Policy</title><link>/policies/security_it_controls/defectdojo-key-management-policy/</link><pubDate>Thu, 08 Jan 2026 00:00:00 +0000</pubDate><guid>/policies/security_it_controls/defectdojo-key-management-policy/</guid><description>&lt;h2 id="purpose"&gt;Purpose&lt;/h2&gt;
&lt;p&gt;The purpose of this policy is to ensure the proper lifecycle management of encryption keys to protect the confidentiality and integrity of confidential information. Additionally, it informs all DefectDojo employees and external parties with access to DefectDojo equipment, systems, or networks (DefectDojo Staff) of their obligations regarding the management of encryption keys across all systems, networks, IT assets, and licensed software owned, operated, or used by DefectDojo.&lt;/p&gt;</description></item><item><title>Physical and Environmental Security Policy</title><link>/policies/security_it_controls/defectdojo-physical-and-environmental-security-policy/</link><pubDate>Thu, 08 Jan 2026 00:00:00 +0000</pubDate><guid>/policies/security_it_controls/defectdojo-physical-and-environmental-security-policy/</guid><description>&lt;h2 id="purpose"&gt;Purpose&lt;/h2&gt;
&lt;p&gt;This policy aims to prevent unauthorized physical access, damage, and interference to DefectDojo’s information and information processing facilities. It also informs all DefectDojo employees and external parties with access to DefectDojo equipment, systems, or networks (DefectDojo Staff) of their obligations regarding physical and environmental security.&lt;/p&gt;</description></item><item><title>Vulnerability Management Policy</title><link>/policies/security_it_controls/defectdojo-vulnerability-management-policy/</link><pubDate>Thu, 08 Jan 2026 00:00:00 +0000</pubDate><guid>/policies/security_it_controls/defectdojo-vulnerability-management-policy/</guid><description>&lt;h2 id="purpose"&gt;Purpose&lt;/h2&gt;
&lt;p&gt;The purpose of this policy is to inform all DefectDojo employees and external parties with access to DefectDojo equipment, systems, or networks (DefectDojo Staff) of their obligations with regard to the Vulnerability Management of all systems, networks, and IT assets for which they are assigned ownership and maintenance.&lt;/p&gt;</description></item></channel></rss>