1 Policy Statement

To meet the objectives of our users and ensure continuity of operations, Dendri operates under the following policy. All IT systems contain inherent weaknesses that are termed as vulnerabilities. Threats exploit vulnerabilities to cause harm to IT systems. Hence, it is imperative to regularly identify and plug those vulnerabilities and prevent occurrence of security incidents.

2 Purpose

The purpose of this Policy is to establish rules and principles for identifying and managing vulnerabilities in IT systems.

3 Scope

3.1 IT Assets

This policy applies to all hardware, software, and network assets controlled by Dendri. Any Third Party hosting providers or services utilized by Dendri will be informed of any vulnerabilities that are beyond the capabilities of Dendri to cure.

3.2 Documentation

This policy and all other referenced documents may be updated from time-to-time to reflect the current best practices as identified by Dendri. Any new version will control and any prior version will be considered void upon issuance of the new version.

3.3 Distribution and Maintenance

This Policy shall be made available to all users of Dendri and to all employees and agents of Dendri covered in the scope. All the changes and new releases of this document shall be made available to the persons concerned. The maintenance responsibility of the document shall be with the CISO and website administrator.

4 Privacy

This Policy document shall be considered as public knowledge and is available to any website visitor interested in learning how Dendri handles vulnerabilities.

5 Responsibility

The CISO / designated personnel and system administrator are responsible for proper implementation of this Policy.

6 Policy

It is the stated goal of Dendri to provide secure IT systems and services in order to protect organizational information assets, as well as the privacy of users, employees, contractors, and third party employees. The timely and consistent application of vendor-supplied security patches or mitigation of a reported vulnerability are critical components in protecting the network, systems, and data from damage or loss due to threats such as worms, viruses, data loss, or other types of external or internal attacks. Dendri  shall conduct routine scans of its website, servers under its control, and devices connected to its networks to identify operating system and application vulnerabilities on those devices. Dendri requires its system administrators to routinely review the results of vulnerability scans and evaluate, test and mitigate operating system and application vulnerabilities appropriately. Our policy is to respond to high risk vulnerabilities ASAP. Medium risk vulnerabilities will be reviewed with potential mitigation with two weeks, and low risk vulnerabilities will be addressed during regular maintenance and updates as reasonably practicable. No identified vulnerability will be addressed any later than 60 days after report absent impossibility or unavailability to cure.

7 Notice

In the event of any malicious exploit impacting user data, the notified users will be notified ASAP following Dendri’s notification of the exploit as well as a timeline for mitigation. Dendri will prioritize the protection of user data over immediate access. In other words, in the event of an ongoing and dangerous attack, Dendri may, at its discretion disable access to its databases to prevent malicious access to user data, even if that temporarily disrupts service to our users.