Are cybersecurity responsibilities and performance requirements explicitly included in job descriptions and personnel documentation?
Explanation
This question assesses accountability through documentation: whether cybersecurity duties and performance expectations are written explicitly into job descriptions and personnel records. By embedding security responsibilities in job descriptions, organizations establish that cybersecurity is part of regular job functions rather than an optional activity, and create measurable performance criteria related to security practices.
Evidence could include sample job descriptions with highlighted cybersecurity components, HR documentation templates showing security responsibility sections, or performance evaluation forms that include security metrics for different roles. For technical roles, these might specify secure coding practices or system hardening responsibilities, while non-technical roles might include data handling protocols or incident reporting requirements.
Implementation Example
Include cybersecurity responsibilities and performance requirements in personnel descriptions
ID: GV.RR-02.039
Context
- Function: GV: GOVERN
- Category: GV.RR: Roles, Responsibilities, and Authorities
- Sub-Category: Roles, responsibilities, and authorities related to cybersecurity risk management are established, communicated, understood, and enforced
Related questions
- Have organizational leaders formally documented and agreed upon their specific roles and responsibilities for cybersecurity strategy development, implementation, and assessment?
- Does leadership actively communicate expectations for a secure and ethical culture, particularly leveraging current events as teaching opportunities?
- Does your organization have a comprehensive cybersecurity risk strategy that is reviewed and updated at least annually and after significant security events?
- Does your organization conduct regular reviews to verify that individuals responsible for managing cybersecurity risk have appropriate authority and coordination mechanisms?
- Has your organization documented risk management roles and responsibilities in a formal policy?
- Has your organization formally documented the roles and responsibilities for cybersecurity risk management, including RACI (Responsible, Accountable, Consulted, Informed) designations?