Roles and Responsibilities Guidance
Here are the questions to ask when determining the roles and responsibilities for each policy template within Drata. You do not have to have a role for each one of these questions; you can determine which ones are most appropriate for the said policy. The same person can fulfill many roles. You should only document job titles and should not document specific names of personnel.
Asset Management
Who is responsible for updating, reviewing, and maintaining this policy?
Who is responsible for conducting and maintaining different inventories?
Who is responsible for labeling data and assets?
Who is responsible for System Hardening, Capacity Management, Media Management, etc.?
Who is responsible for retiring/destroying information or media?
Business Continuity Policy
The template includes specific details on the roles and responsibilities. You can update this section of the policy as needed.
Business Associate Policy (HIPAA Only)
Who is responsible for reviewing, negotiating, and executing BAAs in customer contracts?
Who is responsible for ensuring security and/or privacy commitments in BAAs are met?
Who is responsible for ensuring data is properly managed when a BAA is terminated?
Who is responsible for creating, updating, maintaining, and reviewing this policy?
Breach Notification Policy (HIPAA Only)
Who is responsible for investigating any potential breach?
Who is responsible for communicating any confirmed breaches?
Who is responsible for creating, updating, maintaining, and reviewing this policy?
Who is responsible for reporting potential breaches? (Note: This is likely applicable to everyone in the company)
Change Management Policy
Who is responsible for updating, reviewing, and maintaining this policy?
Who is responsible for overseeing the change management process and approving change requests?
Who is responsible for communicating changes to stakeholders?
Data Classification Policy
Who is responsible for updating, reviewing, and maintaining this policy?
Who is responsible for classifying data?
Who is responsible for labeling data and assets?
Data Protection Policy
Who is responsible for updating, reviewing, and maintaining this policy?
Who is responsible for the implementation of data safeguards?
Who is responsible for log management?
Who is responsible for enforcing the requirements of this policy?
Data Retention/Data Deletion
Who is responsible for updating, reviewing, and maintaining this policy?
Who is responsible for determining the appropriate retention period for different types of data?
Who is responsible for maintaining records of data retention and deletion activities?
Who is responsible for enforcing data deletion methods?
Encryption Policy
Who is responsible for updating, reviewing, and maintaining this policy?
Who is responsible for implementing cryptographic controls?
Who is responsible for key management?
Global Network Firewall Policy (Cyber Essentials)
Who is responsible for creating, updating, maintaining, and reviewing this policy?
Who is responsible for overseeing implementation and enforcement of the Global Network Firewall Policy?
Who is responsible for administering firewall and system configurations?
Who is responsible for receiving, logging, and addressing Policy Violations?
Who is responsible for reporting suspected Policy Violations?
Incident Response Plan
Who is responsible for updating, reviewing, and maintaining this policy?
Who is responsible for reporting incidents?
Who is responsible for receiving, managing and triaging incident reports?
Who is responsible for resolving incidents?
Who is responsible for determining if incidents need to be reported to outside entities and outside personnel (including customers)?
Who is responsible for performing a post-mortem after an incident is resolved?
Who is responsible for testing the incident response plan?
Information Security Policy
The template includes specific details on the roles and responsibilities. You can update this section of the policy as needed.
Logging and Monitoring Policy
Who is responsible for updating, reviewing, and maintaining this policy?
Who is responsible for implementing logging and monitoring systems?
Who is responsible for managing and reviewing logs?
Who is responsible for responding to and investigating suspicious activities? identified through logging and monitoring?
Who is responsible for ensuring compliance with the policy?
Who is responsible for reporting potential security incidents or policy violations?
Maintenance Management Policy (NIST Only)
Who is responsible for creating, updating, maintaining, and reviewing this policy?
Who is responsible for overseeing the scheduling and prioritization of maintenance tasks?
Who is responsible for approving and monitoring remote/on-site maintenance and diagnostic activities?
Who is responsible for maintaining maintenance records?
Network Security Policy
Who is responsible for updating, reviewing, and maintaining this policy?
Who is responsible for implementing network security controls?
Who is responsible for managing and reviewing network security logs?
Who is responsible for responding to and investigating suspicious network activities?
Who is responsible for ensuring compliance with the network security policy?
Who is responsible for reporting potential network security incidents or policy violations?
Password Policy
Who is responsible for updating, reviewing, and maintaining this policy?
Who is responsible for ensuring password protection requirements are in place?
Who is responsible for enforcing these requirements?
Personal Data Management Policy
Who is responsible for updating, reviewing, and maintaining this policy?
Who is responsible for overseeing implementation and enforcement of the Personal Data Management Policy when collecting personal data?
Who is responsible for receiving, responding, and ensuring proper communication of personal data requests?
Physical Security Policy
Who is responsible for updating, reviewing, and maintaining this policy?
Who is responsible for facility protection at each location?
Who is responsible for monitoring and managing physical access to each location or entry?
Privacy, Use, and Disclosure (HIPAA Only)
Who is responsible for reviewing BAAs?
Who is responsible for managing the relationship you have with Covered Entities or Business Associates?
Who is responsible for ensuring that any required technical safeguards have been implemented for protecting PHI?
Who is responsible for developing, updating, maintaining, and reviewing this policy
Responsible Disclosure Policy
Who is responsible for updating, reviewing, and maintaining this policy?
Who is responsible for receiving and managing responsible disclosures?
Who is responsible for receiving and managing whistleblower reports?
Software Development Life Cycle Policy
Who is responsible for updating, reviewing, and maintaining this policy?
Who is responsible for development, testing and implementing changes in production?
Who is responsible for ensuring vulnerabilities do not exist in code?
Who is responsible for change management?
System and Information Integrity Policy (NIST Only)
Who is responsible for creating, updating, maintaining, and reviewing this policy?
Who is responsible for implementing and configuring system integrity monitoring tools?
Who is responsible for monitoring and responding to integrity alerts?
System and Services Acquisition Policy (NIST Only)
Who is responsible for creating, updating, maintaining, and reviewing this policy?
Who is responsible for overseeing the procurement process for acquiring new systems and services?
Who is responsible for developing contingency plans for information systems?
Who is responsible for ensuring acquisition agreements are in place?
Who is responsible for maintaining proper documentation of information system specifications and configurations?
System Security Planning Policy (NIST Only)
Who is responsible for creating, updating, maintaining, and reviewing this policy?
Who is responsible for developing and maintaining information system security plan?
Vendor Management Policy
Who is responsible for updating, reviewing, and maintaining this policy?
Who is responsible for managing contracts?
Who is responsible for maintaining vendor inventory?
Who is responsible for conducting a vendor risk assessment?
Who is responsible for monitoring vendors compliance with security controls on an ongoing basis?
Vulnerability Management Policy
Who is responsible for updating, reviewing, and maintaining this policy?
Who is responsible for conducting testing?
Who is responsible for remediating vulnerabilities?