ID.AM-06

Has your organization formally documented and communicated cybersecurity roles and responsibilities for all employees and third-party stakeholders?

Explanation

This question assesses whether your organization has clearly defined who is responsible for various cybersecurity functions across your workforce and external partners. Without clearly defined roles and responsibilities, critical security tasks may be overlooked, creating vulnerabilities in your security posture. This includes defining who is responsible for activities like incident response, access management, security monitoring, and compliance across internal teams and external parties like vendors and service providers. Evidence could include a RACI matrix or similar document that outlines cybersecurity responsibilities, job descriptions that include security duties, security clauses in third-party contracts, or a formal security organization chart with defined roles.

Context

Function: ID: IDENTIFY
Category: ID.AM: Asset Management
Subcategory: Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (e.g., suppliers, customers, partners) are established

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC-backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain points. They were confusing, hard to delegate and arrived like London buses - 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Neil Cameron
Founder, ResponseHub