cc1-3 Medium priority Security / Control Environment

Organizational structure and authority for security is defined

Employees need to know who is responsible for security decisions, who they report issues to, and who has authority to act. Without clear structure, security tasks fall through gaps between teams. This control requires a defined org structure showing security responsibilities, clear lines of authority, and documented roles so that accountability is unambiguous.

Complete first: cc1-1

Implementation steps

  1. Define and document security roles and responsibilities

     Create a RACI or roles matrix that maps security responsibilities to job titles or teams. At minimum define who owns: security policy, access provisioning, vulnerability management, incident response, and vendor risk. This does not require dedicated security staff — the roles can be owned by engineering, IT, or operations — but they must be explicitly assigned.

     Tools: Confluence, Notion, Google Docs

  2. Include security responsibilities in job descriptions

     For roles with significant security duties, include those responsibilities in the formal job description. This creates a direct link between the person's employment obligations and their security accountability.

     Tools: Rippling, Workday, BambooHR, Lever, Greenhouse

  3. Publish and communicate the security org structure

     Make the structure accessible to all employees. An internal page that shows who to contact for access requests, security questions, or incident reporting is sufficient. Update it when roles change.

     Tools: Confluence, Notion, Slack

Evidence required

Security roles and responsibilities documentation

A document or matrix showing which roles own key security functions.

  • RACI matrix for security responsibilities
  • Security policy with named role owners
  • Org chart with security function highlighted

Job descriptions with security responsibilities

Evidence that relevant job descriptions include security obligations.

  • Engineering manager JD referencing access control responsibility
  • IT administrator JD referencing patch management
  • CISO or security lead JD

Related controls