Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

<consolidate roles between those imported and those in the original template>

Information Security Roles and Responsibilities Policy

Policy Owner: Principal Engineer

...

The audience for this policy includes all CloudCard employees and contractors who are involved with the Information Security Program. Awareness of this policy applies for all other agents of CloudCard with access to CloudCard information and infrastructure. This includes, but is not limited to partners, affiliates, contractors, temporary employees, trainees, guests, and volunteers. The titles will be referred collectively hereafter as “CloudCard community”.

Future Expansion

Currently, CloudCard is a very small company and the executive team is very small. Therefore many roles and responsibilities are currently aligned to a single job title. In the table below, multiple rows refer to a single job title, but define a specific sub-role in which that job title is acting. The table is structured in this way so that in future we can more easily realign roles that apply to a given function to a new executive job title when such title is established.

Roles and Responsibilities

Responsible for implementation of the Information Security Policy

Annual review of the Information Security Policy

Annual review of the Business Continuity Plan

Annual review of the Disaster Recovery Plan

Annual review of the Data Breach Response Plan

Employee correction and review when the policy is not followed.

Roles

Responsibilities

Board of DirectorsInvestors

Oversightof Cyber-Risk and internal control for information security, privacy and compliance

Consults with Executive Leadership to understand CloudCard IT mission and risks and provides guidance to align business, IT, and security objectivesExecutive Leadership

Managing Director

Approves Capital Expenditures for Information Security and Privacy programs and initiatives

Oversight over the execution of the information security and Privacy risk management program and risk treatments

Communication Path to CloudCard Board of DirectorsInvestors

Aligns Information Security and Privacy Policy and Posture based on CloudCard’s mission, strategic objectives and risk appetite

Managing Director (Financial Oversight Role)

Responsible for oversight over third-party risk management process

Responsible for review of vendor service contracts

Managing Director (Human Resources Role)

Ensuring employees and contractors are qualified and competent for their roles

Ensuring appropriate testing and background checks are completed

Ensuring that employees and relevant contractors are presented with company policies and the Code of Conduct (CoC)

Ensuring that employee performance and adherence the CoC is periodically evaluated

Ensuring that employees receive appropriate security training

Employee correction and review when the policy is not followed.

Managing Director

(Compliance Management Role)

Responsible for compliance with the company’s contractual commitments

Responsible for maintaining compliance with relevant data privacy and information security laws and regulations (e.g. GDPR, CCPA)

Responsible for adherence to company adopted information security and data privacy standards and frameworks including SOC 2.

Responsible for implementation of the Information Security Policy

Responsible for annual review of all policies

Principal Engineer

Provide guidance and advice on Information Security Policy design and implementation.

Oversight of information security in the software development process

Responsible for the design, development, implementation, operation, maintenance and monitoring of development and commercial cloud hosting security controls

Responsible for oversight over policy development related to systems and software under their control

Responsible for implementing risk management in the development process aligned with company goals

Principal Engineer

(IT ManagerManagement Role)

Maintain the confidentiality, integrity and availability of the information systems for which they are responsible in compliance with CloudCard policies on information security and privacy

Oversight over the implementation of information security controls for infrastructure and IT processes

Responsible for the design, development, implementation, operation, maintenance and monitoring of IT security controls

Ensures IT puts into practice the Information Security Framework

Responsible for conducting IT risk assessments, documenting identified threats and maintaining risk register

Communicates information security risks to executive leadership

Reports information security risks annually to CloudCard’s leadership and gains approvals to bring risks to acceptable levels

Coordinates the development and maintenance of information security policies and standards

Works with applicable executive leadership to establish an information security framework and awareness program

Serve as liaison to the Board of DirectorsInvestors, Law Enforcement, Internal Audit and General Counsel

Oversight over Identity Management and Access Control processes

VP of Engineering

Oversight over information security in the software development processResponsible for the design, development, implementation, operation , maintenance and monitoring of development and commercial cloud hosting security controls

Responsible for oversight over policy development related to systems and software under their control

Responsible for implementing risk management in the development process aligned with company goals

Compliance Manager3

Responsible for compliance with the company’s contractual commitments

Responsible for maintaining compliance with relevant data privacy and information security laws and regulations (e.g. GDPR, CCPA)

Responsible for adherence to company adopted information security and data privacy standards and frameworks including SOC 2, ISO 27001 and Microsoft Supplier Data Protection Requirements (DPR)

VP of Global Customer Support

Oversight and implementation, operation and monitoring of information security tools and processes in customer production environments

Execution of customer data retention and deletion processes in accordance accordance with company policy and customer requirements

Systems Owners

Maintain the confidentiality, integrity and availability of the information systems for which they are responsible in compliance with CloudCard policies on information security and privacyPrincipal Engineer

(System Ownership Role)

Approval of technical access and change requests for non-standard access to systems under their controlall systems used and managed by CloudCard

CloudCard Employees, Contractors, temporary workers, etc.

Acting at all times in a manner which does not place at risk the health and safety of themselves, other person persons in the workplace, and the information and resources they have use of

Helping to identify areas where risk management practices should be adopted

Taking all practical steps to minimize CloudCard’s exposure to contractual and regulatory liability

Adhering to company policies and standards of conduct

Reporting incidents and observed anomalies or weaknesses

Chief Human Resources Officer

Ensuring employees and contractors are qualified and competent for their roles

Ensuring appropriate testing and background checks are completed

Ensuring that employees and relevant contractors are presented with company policies and the Code of Conduct (CoC)

Ensuring that employee performance and adherence the CoC is periodically evaluated

Ensuring that employees receive appropriate security training

CFO

Responsible for oversight over third-party risk management process

Responsible for review of vendor service contracts

(legacy) Employees

Participation in the Annual review of the Information Security Policy

Participation in the Annual review of the Business Continuity Plan

Participation in the Annual review of the Disaster Recovery Plan

Participation in the Annual review of the Data Breach Response Plan

Reporting all information vulnerabilities or threats to Managing Director

(legacy) Managing Director

(legacy) Product Owner

Oversee maintenance of the Information Security Policy - direct reposnibility for providing guidance and advice on its implementation.

Systems are adequately protected from unauthorised access.

Systems are secured against theft and damage to a level that is cost-effective.

Adequate steps are taken to ensure the availability of the information system, commensurate with its importance (Business Continuity).

Electronic data can be recovered in the event of loss of the primary source. I.e. failure or loss of a computer system. It is incumbent on all system owners to backup data and to be able to restore data to a level commensurate with its importance (see Disaster Recovery Plan).

Data is maintained with a high degree of accuracy.

Systems are used for their intended purpose and that procedures are in place to rectify discovered or notified misuse.

Any electronic access logs are only retained for a justifiable period to ensure compliance with the data protection, investigatory powers and freedom of information acts.

Any third parties entrusted with CloudCard data understand their responsibilities with respect to maintaining its security.

Perform and document risk assessments on an annual basis.

Web server access and error logs are reviewed for anomalies that could indicate a compromise.Participate in Annual review of relevant policies

Policy Compliance

The Principal Engineer will measure the compliance to this policy through various methods, including, but not limited to—reports, internal/external audits, and feedback to the policy owner. Exceptions to the policy must be approved by the Principal Engineer in advance. Non-compliance will be addressed with management and Human Resources and can result in disciplinary action in accordance with company procedures up to and including termination of employment.

...