Vendor Security Policy

Purpose

The purpose of this policy is to inform all DefectDojo employees and external parties with access to DefectDojo equipment, systems, or networks (DefectDojo Staff) of their obligations regarding security and privacy due diligence when procuring services from Third-Party Suppliers (Vendors).

Scope

This policy covers risk management of Vendors as it applies to information security and to the confidentiality, integrity, and availability of information that the company owns, processes, stores, or transmits.

Compliance

Compliance Measurement

The Information Security Management team will verify compliance with this document through various methods, including but not limited to business tool reports, internal and external audits, and feedback to the document owner.

Exceptions

Any exception to this document must be reviewed and approved in advance by the Management Review Team.

Non-Compliance

Any DefectDojo Staff found to have violated this document may be subject to disciplinary action, up to and including termination of employment.

Continual Improvement

This document is updated and reviewed as part of the continual improvement process.

Requirements

DefectDojo Staff

All DefectDojo Staff who procure Vendor services must notify the Security Operations Team and receive its approval before signing a new contract or renewing an existing contract with any Vendor.

Security Operations Team

The Security Operations Team must ensure that the Vendor Security Principles outlined below are followed for all applicable Vendors.

Vendor Security Principles

Vendors must meet the company’s requirements, and all applicable legislation and regulation, for data protection and security.

Vendor Register

All Vendors with direct access to DefectDojo sensitive data and IT systems are registered and recorded in the Vendor Register. Vendors are classified based on the data they process, store, or transmit, and are assessed for their criticality to the business. The following information is captured as a minimum:

  • Vendor Name and contact details
  • What they do for DefectDojo
  • What data they process, store, or transmit
  • Whether a contract exists and a copy of the contract
  • What assurance exists over their data security

Vendor Security Procedure

Each Vendor is subject to audit and review of data security in line with the Vendor Security Procedure. The level of audit and review is based on risk.

Vendor Selection

Vendors are selected based on their ability to meet the needs of the business. Before engaging a Vendor, data security due diligence is carried out, including:

  • An acceptable level of data security, taking into account the services performed, the type of access granted, and the severity of potential impact, with risks identified, recorded, and managed
  • Appropriate certifications
  • Vendor agreements and contracts that include data security requirements
  • Legal and regulatory compliance

Vendor Contracts, Agreements, and Data Processing Agreements

An appropriate contract, agreement, and/or Data Processing Agreement must be in place and enforceable before engaging a Vendor to process, store, or transmit confidential or personal information.

  • Vendor contracts include the right to audit where feasible; independent security reports, certifications, or other evidence may substitute audits
  • All company policies apply to Vendors where feasible
  • Vendor sub-contractors are subject to the same terms and company policies as the Vendor
  • Vendors are assessed for relevant privacy regulations, and privacy impact assessments or data processing agreements are in place when appropriate

Vendor Security Incident Management

Vendors must have a Security Incident Management process in place.

  • Incidents impacting confidential or personal information must be reported within 72 hours
  • Vendor security incidents affecting DefectDojo will be managed according to DefectDojo’s standard Incident Management Procedure

Vendor End of Contract

At the end of a contract, Vendors must confirm in writing that they have met contractual and legal obligations for the return or destruction of DefectDojo’s confidential and personal information.

  • All access to systems and information is revoked
  • All assets are returned to DefectDojo