GV.SC-02.072

Has your organization established a responsibility matrix that clearly defines roles for cybersecurity supply chain risk management activities?

Explanation

A responsibility matrix (such as RACI - Responsible, Accountable, Consulted, Informed) documents which teams or individuals are responsible for specific supply chain security activities, ensuring clear ownership and communication channels. This prevents critical security tasks from falling through the cracks and establishes accountability for supply chain risk management across the organization. Evidence could include a formal RACI chart or responsibility matrix document that maps supply chain security activities to specific roles, teams or individuals, with clear designation of who is responsible, accountable, consulted, and informed for each activity.

Implementation Example

Create responsibility matrixes to document who will be responsible and accountable for cybersecurity supply chain risk management activities and how those teams and individuals will be consulted and informed.

ID: GV.SC-02.072

Context

Function
GV: GOVERN
Category
GV.SC: Cybersecurity Supply Chain Risk Management
Sub-Category
Cybersecurity roles and responsibilities for suppliers, customers, and partners are established, communicated, and coordinated internally and externally

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain points. They were confusing, hard to delegate and arrived like London buses - 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Neil Cameron
Founder, ResponseHub