GV.SC-08.104

Has your organization formally documented the incident response roles and responsibilities for both internal teams and external suppliers?

Explanation

This question assesses whether your organization has clearly defined who is responsible for what actions during security incidents, both within your organization and among your suppliers or vendors. Clear role definition prevents confusion during incidents, ensures proper coordination, and establishes accountability for incident response activities across organizational boundaries. Evidence could include an Incident Response Plan document that contains a RACI matrix (Responsible, Accountable, Consulted, Informed) or similar responsibility chart that maps specific incident response activities to roles within your organization and to relevant supplier organizations. The document should clearly indicate which party is responsible for incident detection, analysis, containment, eradication, and recovery activities.

Implementation Example

Identify and document the roles and responsibilities of the organization and its suppliers for incident response

ID: GV.SC-08.104

Context

Function: GV: GOVERN
Category: GV.SC: Cybersecurity Supply Chain Risk Management
Sub-Category: Relevant suppliers and other third parties are included in incident planning, response, and recovery activities

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain-points. They were confusing, hard to delegate and arrived like London busses - 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Neil Cameron

Founder, ResponseHub