cc1-5 | Medium priority | Security / Control Environment

Accountability for security performance is enforced

Controls only work when people are held responsible for executing them. This means performance measures for security responsibilities are defined, deviations are addressed, and there are real consequences for ignoring security obligations — not just informal pressure. Auditors look for evidence that security is treated as a job requirement, not an optional extra.

Complete first: cc1-3, cc1-4

Implementation steps

  1. Include security responsibilities in performance reviews

     For roles with meaningful security duties, include security performance as a formal component of the performance review. Examples: did the team complete security training? Was the patch management process followed? Were access reviews completed on time? Documented reviews create accountability records.

     Tools: Rippling, Workday, BambooHR, Lattice, Culture Amp

  2. Define and enforce consequences for policy violations

     Document what happens when security policies are violated. This should be proportional: accidental minor violations may result in additional training; intentional or negligent violations may result in disciplinary action. Coordinate with HR. The key is that consequences exist and are consistently applied.

     Tools: BambooHR, Workday, Rippling

  3. Track and report on security performance metrics

     Measure security posture over time with concrete metrics: training completion rates, open vulnerability counts by age, patch compliance, access review completion, phishing simulation results. Report these metrics to management. Trend data shows whether accountability is working.

     Tools: Jira, Linear, Notion, Google Sheets
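Added example (not part of this control page or of any of the tools listed above): a small Python script that computes three of the metrics named in step 3 from constructed sample records of the kind a scanner, patch system and training platform would export. Finding IDs, hostnames, team names, the reporting date, the 30-day patch window and the per-severity SLA thresholds are all assumptions made for the illustration, not a standard. The useful output for accountability is the list of findings past SLA and the per-team rates, since those name the owner.

```python
"""Security performance metrics from constructed sample data (illustrative)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from typing import Callable, Dict, Iterable, List, Optional, Tuple

AS_OF = date(2024, 6, 30)  # assumed reporting date for the constructed sample

# Assumed remediation SLA per severity, in days (illustrative, not a standard).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
# Assumed patch window: a host is compliant if fully patched within this many days.
PATCH_WINDOW_DAYS = 30
# Age buckets for open findings: (label, min_days, max_days inclusive or None).
AGE_BUCKETS = (("0-7d", 0, 7), ("8-30d", 8, 30), ("31-90d", 31, 90), (">90d", 91, None))


@dataclass(frozen=True)
class Finding:
    finding_id: str
    severity: str
    opened: date
    closed: Optional[date] = None


# Constructed findings, not real data. Ages are relative to AS_OF.
FINDINGS = [
    Finding("VULN-001", "critical", date(2024, 6, 27)),                  # open,   3 days
    Finding("VULN-002", "critical", date(2024, 6, 10)),                  # open,  20 days, past SLA
    Finding("VULN-003", "high", date(2024, 5, 20)),                      # open,  41 days, past SLA
    Finding("VULN-004", "high", date(2024, 6, 15), date(2024, 6, 20)),   # closed
    Finding("VULN-005", "medium", date(2024, 3, 1)),                     # open, 121 days, past SLA
    Finding("VULN-006", "low", date(2024, 5, 1)),                        # open,  60 days, within SLA
]

# Constructed host patch records: (hostname, owning team, last fully patched).
HOSTS = [
    ("web-01", "platform", date(2024, 6, 25)),
    ("web-02", "platform", date(2024, 6, 1)),   # 29 days, compliant
    ("db-01", "data", date(2024, 4, 15)),       # 76 days, non-compliant
    ("db-02", "data", date(2024, 6, 20)),
]

# Constructed training roster: (person, team, completed annual security training).
ROSTER = [
    ("alice", "platform", True),
    ("bob", "platform", False),
    ("carol", "data", True),
    ("dave", "data", True),
]


def age_days(finding: Finding, as_of: date = AS_OF) -> int:
    return (as_of - finding.opened).days


def open_findings(findings: Iterable[Finding], as_of: date = AS_OF) -> List[Finding]:
    """Findings that were still open on the reporting date."""
    return [f for f in findings if f.closed is None or f.closed > as_of]


def open_by_age(findings: Iterable[Finding], as_of: date = AS_OF) -> Dict[str, int]:
    """Count open findings per age bucket; each finding lands in exactly one bucket."""
    counts = {label: 0 for label, _, _ in AGE_BUCKETS}
    for f in open_findings(findings, as_of):
        age = age_days(f, as_of)
        for label, lo, hi in AGE_BUCKETS:
            if age >= lo and (hi is None or age <= hi):
                counts[label] += 1
                break
    return counts


def past_sla(findings: Iterable[Finding], as_of: date = AS_OF) -> List[str]:
    """IDs of open findings older than the assumed SLA for their severity."""
    return [f.finding_id for f in open_findings(findings, as_of)
            if age_days(f, as_of) > SLA_DAYS[f.severity]]


def rate_by_team(records: Iterable[Tuple[str, str, object]],
                 is_ok: Callable[[object], bool]) -> Dict[str, float]:
    """Percent of (id, team, payload) records per team for which is_ok(payload) holds."""
    tally: Dict[str, List[int]] = {}
    for _, team, payload in records:
        ok_count, total = tally.setdefault(team, [0, 0])
        tally[team] = [ok_count + (1 if is_ok(payload) else 0), total + 1]
    return {team: round(100.0 * ok / total, 1) for team, (ok, total) in tally.items()}


def patch_compliance(hosts=HOSTS, as_of: date = AS_OF, window: int = PATCH_WINDOW_DAYS) -> Dict[str, float]:
    return rate_by_team(hosts, lambda last: (as_of - last).days <= window)


def training_completion(roster=ROSTER) -> Dict[str, float]:
    return rate_by_team(roster, bool)


if __name__ == "__main__":
    print("open findings by age:", open_by_age(FINDINGS))
    print("open findings past SLA:", past_sla(FINDINGS))
    print("patch compliance by team (%):", patch_compliance())
    print("training completion by team (%):", training_completion())
```

Run it monthly against real exports and keep the output with the date; a series of these reports is the trend evidence step 3 asks for, and the past-SLA list is what ties a finding back to the owner whose review it should appear in.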

Evidence required

Performance review records referencing security

Evidence that security responsibilities are formally evaluated in performance management.

  • Performance review template with security competency section
  • Written performance review mentioning security duties
  • Security-related OKRs or goals in performance management system

Disciplinary or corrective action records

Evidence that policy violations are addressed consistently.

  • HR records of corrective action for security policy violations
  • Written warning for AUP violation
  • Documented incident post-mortem with accountability assignments

Related controls