GV.RM-04.023

Has your organization documented the conditions under which shared responsibility models with third parties are acceptable for cybersecurity functions, financial transactions, and cloud services?

Explanation

A shared responsibility model specifies which security controls your organization operates and which a vendor or partner operates. Documenting these boundaries, and the conditions under which you will accept them, prevents gaps where each party assumes the other owns a particular control. This matters most for outsourced cybersecurity functions, third-party financial transaction processing, and cloud service usage, where responsibilities commonly overlap (for example, a cloud provider secures the underlying infrastructure while the customer remains responsible for identity, access, configuration, and data). Evidence could include a formal document stating the acceptance criteria for shared responsibility arrangements, vendor management policies that set security requirements for each type of third-party relationship, or cloud service provider agreements with a clearly marked security responsibility matrix.

Implementation Example

Document conditions under which shared responsibility models are acceptable (e.g., outsourcing certain cybersecurity functions, having a third party perform financial transactions on behalf of the organization, using public cloud-based services)

ID: GV.RM-04.023

Context

Function
GV: GOVERN
Category
GV.RM: Risk Management Strategy
Sub-Category
GV.RM-04: Strategic direction that describes appropriate risk response options is established and communicated

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain points. They were confusing, hard to delegate and arrived like London buses - 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Neil Cameron
Founder, ResponseHub