DDactic
Find What Defenses Miss
Policy Statement
DDactic is committed to:
- Conducting security assessments that minimize risk to client systems and operations
- Following industry best practices and ethical guidelines
- Maintaining the highest standards of professionalism and safety
- Protecting client data and infrastructure throughout engagements
- Complying with all applicable laws and regulations
Scope
This policy applies to:
- All DDactic employees and contractors
- All security assessment engagements
- All testing methodologies and tools
- All client interactions and communications
Safety Principles
1. Authorization First
- No Testing Without Authorization: All testing requires explicit written authorization
- Scope Adherence: Testing is limited to authorized systems and methods only
- Change Management: Any scope changes require new authorization
2. Minimize Impact
- Non-Destructive Testing: Prefer passive and non-intrusive methods
- Business Continuity: Avoid testing during business-critical periods when possible
- Resource Conservation: Use efficient scanning to minimize resource consumption
- Service Availability: Monitor for service disruptions and pause if detected
3. Responsible Disclosure
- Immediate Notification: Critical vulnerabilities are reported immediately
- Coordinated Disclosure: Work with clients on disclosure timelines
- No Public Disclosure: Never disclose findings without client consent
- Responsible Handling: Protect vulnerability information from unauthorized access
4. Data Protection
- Data Minimization: Collect only necessary data for assessment
- Secure Storage: Encrypt and secure all client data
- Access Control: Limit access to authorized personnel only
- Data Retention: Retain data only as long as necessary
- Secure Disposal: Properly dispose of data after retention period
Testing Safety Guidelines
Pre-Testing Safety Checks
Before beginning any testing:
- Verify Authorization: Confirm written authorization is in place
- Review Scope: Ensure understanding of authorized targets and methods
- Check Contacts: Verify emergency contact information
- Review Schedule: Confirm testing window and blackout periods
- System Status: Verify target systems are operational and ready
During Testing Safety Measures
During active testing:
- Monitor Impact: Continuously monitor for service disruptions
- Rate Limiting: Implement appropriate rate limiting to avoid overload
- Error Handling: Stop testing if unexpected errors or disruptions occur
- Communication: Maintain open communication with client contacts
- Documentation: Document all testing activities and any issues
Post-Testing Safety Procedures
After testing completion:
- Verification: Verify all testing activities have ceased
- Cleanup: Remove any temporary files or test artifacts
- Reporting: Report any incidents or unexpected impacts immediately
- Documentation: Document all findings and activities
Prohibited Activities
The following activities are strictly prohibited without explicit written consent:
- Denial of Service (DoS) Attacks: Any activity that could cause service disruption
- Data Modification: Altering, deleting, or modifying client data
- Data Exfiltration: Copying or removing client data beyond assessment needs
- Privilege Escalation: Attempting to gain unauthorized access levels
- Destructive Testing: Any testing that could cause permanent damage
- Out-of-Scope Testing: Testing systems or methods not explicitly authorized
Incident Response
Incident Classification
Critical Incident: Service disruption, data breach, or system compromise
Major Incident: Significant impact on operations or security
Minor Incident: Limited impact, easily remediated
Incident Response Procedures
- Immediate Action: Stop all testing activities immediately
- Notification: Notify client emergency contact within 15 minutes
- Assessment: Assess the nature and impact of the incident
- Containment: Take steps to contain and mitigate impact
- Documentation: Document incident details and response actions
- Resolution: Work with client to resolve incident
- Post-Incident Review: Conduct review to prevent recurrence
Incident Reporting
All incidents must be:
- Reported immediately to client and DDactic management
- Documented in an incident report
- Included in final assessment report
- Reviewed for lessons learned
Emergency Contacts
DDactic Emergency Contact
Email: [email protected]
Response Time: Within 30 minutes
Escalation Path
- Project Manager
- Technical Lead
- Management
- Legal/Compliance (if required)
Compliance and Legal
Legal Compliance
- All activities comply with applicable laws and regulations
- No testing activities violate computer fraud or abuse laws
- Client authorization provides legal protection for authorized activities
- Unauthorized activities are strictly prohibited
Regulatory Requirements
- Comply with industry-specific regulations (HIPAA, PCI-DSS, etc.)
- Respect data protection regulations (GDPR, CCPA, etc.)
- Follow export control regulations for tools and technologies
- Maintain necessary licenses and certifications
Training and Awareness
Required Training
All DDactic personnel must complete:
- Security assessment safety training
- Ethical hacking and responsible disclosure training
- Client data protection training
- Incident response procedures training
Ongoing Education
- Regular updates on new threats and methodologies
- Industry best practices and standards
- Legal and regulatory updates
- Tool and technology training
Policy Enforcement
Violations
Violations of this policy may result in:
- Immediate suspension from project
- Disciplinary action up to and including termination
- Legal action if violations result in damages
- Loss of certifications or credentials
Reporting Violations
Personnel are required to report policy violations to:
- Project Manager
- Management
- Compliance Officer
Policy Review and Updates
Review Schedule
This policy is reviewed:
- Annually, or
- When regulations change, or
- When incidents reveal gaps, or
- When methodologies evolve
Update Process
- Identify need for update
- Draft proposed changes
- Review with management and legal
- Approve and publish updates
- Communicate changes to all personnel
- Update training materials
Acknowledgment
All DDactic personnel must:
- Read and understand this policy
- Acknowledge receipt and understanding
- Comply with all policy requirements
- Report violations or concerns