...

This Vanta policy template represents a complete, compliance-ready policy with placeholders for company specific text. Each policy section represents a policy-specific topic that you should consider and/or modify to match your company’s practices.

For each policy section

Consider if this section and its corresponding risks applies to you. If it does not, remove it and/or replace it with your organization’s corresponding practices.
Replace any highlighted text in angled brackets < >¹ with your own language
Rewrite the policy language such that it reflects the practices of your organization

Policy completion checklist

Use Find to make sure that all text in angled brackets is replaced
Proofread your policy for spelling and grammar mistakes
Confirm that the policy’s content reflects your organizations practices
Add any company-specific letterhead, branding, and formatting
Remove this instructions page
Export this document as PDF — File > Save As > Change “File Format” to PDF
Upload the PDF to Vanta at https://app.vanta.com/policies

More questions?

A good rule-of-thumb is to keep your language high enough level such that it stays representative for at least a year. If you have more questions about how to use this template, please reach out to support@vanta.com or your auditor for additional guidance.<import the original text>

Information Security Roles and Responsibilities Policy

Policy Owner: <Policy owner>Principal Engineer

Effective Date: <Effective date>2023-05-01

Statement of Policy

<Company Name> CloudCard is committed to conducting business in compliance with all applicable laws, regulations, and company policies. <Company Name> CloudCard has adopted this policy to outline the security measures required to protect electronic information systems and related equipment from unauthorized use.

...

This policy and associated guidance establish the roles and responsibilities within <Company Name>CloudCard, which is critical for effective communication of information security policies and standards. Roles are required within the organization to provide clearly defined responsibilities and an understanding of how the protection of information is to be accomplished. Their purpose is to clarify, coordinate activity, and actions necessary to disseminate security policy, standards, and implementation.

...

This policy is applicable to all <Company Name> CloudCard infrastructure, network segments, systems, and employees and contractors who provide security and IT functions.

Audience

...

The audience for this policy includes all <Company Name> CloudCard employees and contractors who are involved with the Information Security Program. Awareness of this policy applies for all other agents of <Company Name> CloudCard with access to <Company Name> CloudCard information and infrastructure. This includes, but is not limited to partners, affiliates, contractors, temporary employees, trainees, guests, and volunteers. The titles will be referred collectively hereafter as “<Company Name> “CloudCard community”.
...

Roles and Responsibilities

...

Roles
Responsibilities
Board of Directors
Oversightof Cyber-Risk and internal control for information security, privacy and compliance
Consults with Executive Leadership to understand
<Company Name>
CloudCard IT mission and risks and provides guidance to align business, IT, and security objectives
Executive Leadership
Approves Capital Expenditures for Information Security and Privacy programs and initiatives
Oversight over the execution of the information security and Privacy risk management program and risk treatments
Communication Path to
<Company Name>
CloudCard Board of Directors
Aligns Information Security and Privacy Policy and Posture based on
<Company Name>’s
CloudCard’s mission, strategic objectives and risk appetite
IT
Manager
Oversight over the implementation of information security controls for infrastructure and IT processes
Responsible for the design, development, implementation, operation, maintenance and monitoring of IT security controls
Ensures IT puts into practice the Information Security Framework
Responsible for conducting IT risk assessments, documenting identified threats and maintaining risk register
Communicates information security risks to executive leadership
Reports information security risks annually to
<Company Name>’s
CloudCard’s leadership and gains approvals to bring risks to acceptable levels
Coordinates the development and maintenance of information security policies and standards
Works with applicable executive leadership to establish an information security framework and awareness program
Serve as liaison to the Board of Directors, Law Enforcement, Internal Audit and General Counsel
Oversight over Identity Management and Access Control processes
VP of Engineering
Oversight over information security in the software development process
Responsible for the design, development, implementation, operation, maintenance and monitoring of development and commercial cloud hosting security controls
Responsible for oversight over policy development related to systems and software under their control
Responsible for implementing risk management in the development process aligned with company goals
Compliance Manager³
Responsible for compliance with the company’s contractual commitments
Responsible for maintaining compliance with relevant data privacy and information security laws and regulations (e.g. GDPR, CCPA)
Responsible for adherence to company adopted information security and data privacy standards and frameworks including SOC 2, ISO 27001 and Microsoft Supplier Data Protection Requirements (DPR)
VP of Global Customer Support
Oversight and implementation, operation and monitoring of information security tools and processes in customer production environments
Execution of customer data retention and deletion processes in accordance with company policy and customer requirements
Systems Owners
Maintain the confidentiality, integrity and availability of the information systems for which they are responsible in compliance with
<Company Name>
CloudCard policies on information security and privacy
Approval of technical access and change requests for non-standard access to systems under their control
<Company Name>
CloudCard Employees, Contractors, temporary workers, etc.
Acting at all times in a manner which does not place at risk the health and safety of themselves, other person in the workplace, and the information and resources they have use of
Helping to identify areas where risk management practices should be adopted
Taking all practical steps to minimize
<Company Name>’s
CloudCard’s exposure to contractual and regulatory liability
Adhering to company policies and standards of conduct
Reporting incidents and observed anomalies or weaknesses
Chief Human Resources Officer
Ensuring employees and contractors are qualified and competent for their roles
Ensuring appropriate testing and background checks are completed
Ensuring that employees and relevant contractors are presented with company policies and the Code of Conduct (CoC)
Ensuring that employee performance and adherence the CoC is periodically evaluated
Ensuring that employees receive appropriate security training
CFO
Responsible for oversight over third-party risk management process
Responsible for review of vendor service contracts
(legacy) Employees
Participation in the Annual review of the Information Security Policy
Participation in the Annual review of the Business Continuity Plan
Participation in the Annual review of the Disaster Recovery Plan
Participation in the Annual review of the Data Breach Response Plan
Reporting all information vulnerabilities or threats to Managing Director
(legacy) Managing Director

Policy Compliance

...

Responsible for implementation of the Information Security Policy

Annual review of the Information Security Policy

Annual review of the Business Continuity Plan

Annual review of the Disaster Recovery Plan

Annual review of the Data Breach Response Plan

Employee correction and review when the policy is not followed.

(legacy) Product Owner

Oversee maintenance of the Information Security Policy - direct reposnibility for providing guidance and advice on its implementation.

Systems are adequately protected from unauthorised access.

Systems are secured against theft and damage to a level that is cost-effective.

Adequate steps are taken to ensure the availability of the information system, commensurate with its importance (Business Continuity).

Electronic data can be recovered in the event of loss of the primary source. I.e. failure or loss of a computer system. It is incumbent on all system owners to backup data and to be able to restore data to a level commensurate with its importance (see Disaster Recovery Plan).

Data is maintained with a high degree of accuracy.

Systems are used for their intended purpose and that procedures are in place to rectify discovered or notified misuse.

Any electronic access logs are only retained for a justifiable period to ensure compliance with the data protection, investigatory powers and freedom of information acts.

Any third parties entrusted with CloudCard data understand their responsibilities with respect to maintaining its security.

Perform and document risk assessments on an annual basis.

Web server access and error logs are reviewed for anomalies that could indicate a compromise.

Policy Compliance

The Principal Engineer will measure the compliance to this policy through various methods, including, but not limited to—reports, internal/external audits, and feedback to the policy owner. Exceptions to the policy must be approved by the <approver of exceptions to this policy, e.g., IT Manager> Principal Engineer in advance. Non-compliance will be addressed with management and Human Resources and can result in disciplinary action in accordance with company procedures up to and including termination of employment.

Version

Date

Description

Author

Approved by

<1

1.

0>

0

<29

2023-

Apr

03-

2020>

<OWNER>

¹ All fields in this document marked by angled brackets < > and highlighted must be filled in.

² Customize for your organization. Roles and responsibilities can be assigned however it makes sense for your company.

...

16

First Version (incorporating roles and responsibilities from legacy Information Security Policy into SOC 2 Template)

Ryan Heathcote

Luke Rettstatt

Versions Compared

Old Version 1

New Version 2

Key

Information Security Roles and Responsibilities Policy

Statement of Policy

Audience

Roles and Responsibilities

Policy Compliance

Policy Compliance

CloudCard’s leadership and gains approvals to bring risks to acceptable levels Coordinates the development and maintenance of information security policies and standards Works with applicable executive leadership to establish an information security framework and awareness program Serve as liaison to the Board of Directors, Law Enforcement, Internal Audit and General Counsel Oversight over Identity Management and Access Control processes
VP of Engineering	Oversight over information security in the software development process Responsible for the design, development, implementation, operation, maintenance and monitoring of development and commercial cloud hosting security controls Responsible for oversight over policy development related to systems and software under their control Responsible for implementing risk management in the development process aligned with company goals
Compliance Manager³	Responsible for compliance with the company’s contractual commitments Responsible for maintaining compliance with relevant data privacy and information security laws and regulations (e.g. GDPR, CCPA) Responsible for adherence to company adopted information security and data privacy standards and frameworks including SOC 2, ISO 27001 and Microsoft Supplier Data Protection Requirements (DPR)
VP of Global Customer Support	Oversight and implementation, operation and monitoring of information security tools and processes in customer production environments Execution of customer data retention and deletion processes in accordance with company policy and customer requirements
Systems Owners	Maintain the confidentiality, integrity and availability of the information systems for which they are responsible in compliance with

CloudCard’s exposure to contractual and regulatory liability Adhering to company policies and standards of conduct Reporting incidents and observed anomalies or weaknesses
Chief Human Resources Officer	Ensuring employees and contractors are qualified and competent for their roles Ensuring appropriate testing and background checks are completed Ensuring that employees and relevant contractors are presented with company policies and the Code of Conduct (CoC) Ensuring that employee performance and adherence the CoC is periodically evaluated Ensuring that employees receive appropriate security training
CFO	Responsible for oversight over third-party risk management process Responsible for review of vendor service contracts
(legacy) Employees	Participation in the Annual review of the Information Security Policy Participation in the Annual review of the Business Continuity Plan Participation in the Annual review of the Disaster Recovery Plan Participation in the Annual review of the Data Breach Response Plan Reporting all information vulnerabilities or threats to Managing Director
(legacy) Managing Director

Page Comparison

Versions Compared

Old Version 1

New Version 2

Key

Information Security Roles and Responsibilities Policy

Statement of Policy

Audience

Roles and Responsibilities

Policy Compliance

Policy Compliance