GV.RR-02.039

Are cybersecurity responsibilities and performance requirements explicitly included in job descriptions and personnel documentation?

Explanation

This question assesses whether your organization has formally documented cybersecurity duties within employee role descriptions, ensuring accountability and clear expectations for security-related tasks. By embedding security responsibilities in job descriptions, organizations establish that cybersecurity is part of regular job functions rather than an optional activity, and create measurable performance criteria related to security practices. Evidence could include sample job descriptions with highlighted cybersecurity components, HR documentation templates showing security responsibility sections, or performance evaluation forms that include security metrics for different roles. For technical roles, these might specify secure coding practices or system hardening responsibilities, while non-technical roles might include data handling protocols or incident reporting requirements.

Implementation Example

Include cybersecurity responsibilities and performance requirements in personnel descriptions

ID: GV.RR-02.039

Context

Function
GV: GOVERN
Category
GV.RR: Roles, Responsibilities, and Authorities
Sub-Category
Roles, responsibilities, and authorities related to cybersecurity risk management are established, communicated, understood, and enforced

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC-backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain points. They were confusing, hard to delegate and arrived like London buses: three at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Neil Cameron
Founder, ResponseHub