Policy Owner: Principal Engineer
Effective Date: 2023-05-01
Statement of Policy
CloudCard is committed to conducting business in compliance with all applicable laws, regulations, and company policies. CloudCard has adopted this policy to outline the security measures required to protect electronic information systems and related equipment from unauthorized use.
Objective
This policy and associated guidance establish the roles and responsibilities within CloudCard, which is critical for effective communication of information security policies and standards. Roles are required within the organization to provide clearly defined responsibilities and an understanding of how the protection of information is to be accomplished. Their purpose is to clarify, coordinate activity, and actions necessary to disseminate security policy, standards, and implementation.
Applicability
This policy is applicable to all CloudCard infrastructure, network segments, systems, and employees and contractors who provide security and IT functions.
Audience
The audience for this policy includes all CloudCard employees and contractors who are involved with the Information Security Program. Awareness of this policy applies for all other agents of CloudCard with access to CloudCard information and infrastructure. This includes, but is not limited to partners, affiliates, contractors, temporary employees, trainees, guests, and volunteers. The titles will be referred collectively hereafter as “CloudCard community”.
Future Expansion
Currently, CloudCard is a very small company and the executive team is very small. Therefore many roles and responsibilities are currently aligned to a single job title. In the table below, multiple rows refer to a single job title, but define a specific sub-role in which that job title is acting. The table is structured in this way so that in future we can more easily realign roles that apply to a given function to a new executive job title when such title is established.
Roles and Responsibilities
Roles | Responsibilities |
Investors | Oversight of Cyber-Risk and internal control for information security, privacy and compliance Consults with Executive Leadership to understand CloudCard IT mission and risks and provides guidance to align business, IT, and security objectives |
Managing Director | Approves Capital Expenditures for Information Security and Privacy programs and initiatives Oversight over the execution of the information security and Privacy risk management program and risk treatments Communication Path to CloudCard Investors Aligns Information Security and Privacy Policy and Posture based on CloudCard’s mission, strategic objectives and risk appetite |
Managing Director (Financial Oversight Role) | Responsible for oversight over third-party risk management process Responsible for review of vendor service contracts |
Managing Director (Human Resources Role) | Ensuring employees and contractors are qualified and competent for their roles Ensuring appropriate testing and background checks are completed Ensuring that employees and relevant contractors are presented with company policies and the Code of Conduct (CoC) Ensuring that employee performance and adherence the CoC is periodically evaluated Ensuring that employees receive appropriate security training Employee correction and review when the policy is not followed. |
Managing Director (Compliance Management Role) | Responsible for compliance with the company’s contractual commitments Responsible for maintaining compliance with relevant data privacy and information security laws and regulations (e.g. GDPR, CCPA) Responsible for adherence to company adopted information security and data privacy standards and frameworks including SOC 2. Responsible for implementation of the Information Security Policy Responsible for annual review of all policies |
Principal Engineer | Provide guidance and advice on Information Security Policy design and implementation. Oversight of information security in the software development process Responsible for the design, development, implementation, operation, maintenance and monitoring of development and commercial cloud hosting security controls Responsible for oversight over policy development related to systems and software under their control Responsible for implementing risk management in the development process aligned with company goals |
Principal Engineer (IT Management Role) | Maintain the confidentiality, integrity and availability of the information systems for which they are responsible in compliance with CloudCard policies on information security and privacy Oversight over the implementation of information security controls for infrastructure and IT processes Responsible for the design, development, implementation, operation, maintenance and monitoring of IT security controls Ensures IT puts into practice the Information Security Framework Responsible for conducting IT risk assessments, documenting identified threats and maintaining risk register Communicates information security risks to executive leadership Reports information security risks annually to CloudCard’s leadership and gains approvals to bring risks to acceptable levels Coordinates the development and maintenance of information security policies and standards Works with applicable executive leadership to establish an information security framework and awareness program Serve as liaison to the Investors, Law Enforcement, Internal Audit and General Counsel Oversight over Identity Management and Access Control processes Oversight, implementation, operation and monitoring of information security tools and processes in production environments Execution of customer data retention and deletion processes in accordance with company policy and customer requirements |
Principal Engineer (System Ownership Role) | Approval of technical access and change requests for non-standard access to all systems used and managed by CloudCard |
CloudCard Employees, Contractors, temporary workers, etc. | Acting at all times in a manner which does not place at risk the health and safety of themselves, other persons in the workplace, and the information and resources they have use of Helping to identify areas where risk management practices should be adopted Taking all practical steps to minimize CloudCard’s exposure to contractual and regulatory liability Adhering to company policies and standards of conduct Reporting incidents and observed anomalies or weaknesses Participate in Annual review of relevant policies |
Policy Compliance
The Principal Engineer will measure the compliance to this policy through various methods, including, but not limited to—reports, internal/external audits, and feedback to the policy owner. Exceptions to the policy must be approved by the Principal Engineer in advance. Non-compliance will be addressed with management and Human Resources and can result in disciplinary action in accordance with company procedures up to and including termination of employment.
Version | Date | Description | Author | Approved by |
1.0 | 2023-03-16 | First Version (incorporating roles and responsibilities from legacy Information Security Policy into SOC 2 Template) | Ryan Heathcote | Luke Rettstatt |