Information Security Roles and Responsibilities Policy

Objective

This policy and its associated guidance establish the information security roles and responsibilities within Sourcegraph, which are critical for the effective communication of information security policies and standards. Defined roles give the organization clearly assigned responsibilities and a shared understanding of how the protection of information is to be accomplished. Their purpose is to clarify and coordinate the activities and actions necessary to disseminate and implement security policy and standards.

Applicability

This policy applies to all Sourcegraph employees and contractors who are involved with the Information Security Program. It also applies to all other agents of Sourcegraph with access to Sourcegraph information and networks. This includes, but is not limited to, partners, affiliates, contractors, temporary employees, trainees, guests, and volunteers. These groups are referred to collectively hereafter as the “Sourcegraph community”.

Roles & Responsibilities

Role: Responsibilities
Board of Directors
  • Oversight/understanding of cyber security risks and matters across Sourcegraph
  • Consults with Exec team to understand risk appetite and security maturity
Executive Leadership
  • Solid understanding of security risks and potential weak points
  • Continuously evaluate Sourcegraph’s risk appetite against potential threats
  • Incorporate security into the company strategy
  • Serve as the communication path for security matters to the Sourcegraph Board of Directors
Head of Security
  • Aligns Information Security policies and practices with Sourcegraph’s mission, strategic objectives and risk appetite
  • Serves as security ambassador across Sourcegraph and in external engagements (e.g. liaison to the executive team and Board of Directors, and client-facing engagements on security matters)
  • Defines and runs the security program across the organization
  • Creates an in-depth risk and maturity profile for Sourcegraph and uses it to plan initiatives
  • Responsible for oversight of security policies
  • Responsible for monitoring security risks and creating remediation plans
  • Communicates information security risks to executive leadership
Compliance Manager
  • Works with applicable executive leadership to establish an information security framework and awareness program
  • Builds and maintains an Information Security & Enterprise Risk Management Framework
  • Risk assessment and management: Identify and assess potential risks and vulnerabilities to the organization’s information systems and assets. Develop and implement risk mitigation strategies and controls to minimize the impact of security incidents or breaches.
  • Policy development and enforcement: Establish information security policies, standards, and procedures that align with industry best practices and regulatory requirements.
  • Security awareness and training: Develop and deliver information security awareness programs to educate employees about potential security risks, best practices, and their roles and responsibilities in safeguarding information.
  • Security audits and assessments: Conduct periodic security audits and assessments to evaluate the effectiveness of security controls and identify areas for improvement. Collaborate with internal and external auditors to ensure compliance with regulatory requirements and industry standards.
  • Vendor and third-party risk management: Evaluate the security posture of third-party vendors and partners to assess potential risks to the organization. Establish guidelines and processes for assessing, selecting, and monitoring vendors based on their security capabilities and compliance with information security standards.
  • Security governance and compliance monitoring: Monitor and measure compliance with security policies, controls, and regulatory requirements. Conduct regular internal assessments and audits to ensure adherence to established security frameworks and standards.
  • Continuous improvement and industry trends: Stay informed about the latest security threats, trends, and regulatory changes. Continuously improve information security practices and processes based on industry advancements and lessons learned from security incidents.
Control Owners
  • Control design in collaboration with the compliance and security team
  • Control evidence gathering and submission for review
  • Control maintenance (i.e. as company processes change, any controls that depend on them need to be adjusted)
  • Control representation for any internal and external audits
System Owners
  • Manage the confidentiality, integrity and availability of the information systems for which they are responsible in compliance with Sourcegraph policies on information security and privacy.
  • Approval of technical access requests and change requests for non-standard access, including the annual access reviews
Sourcegraph Employees, Contractors, temporary workers, etc.
  • Acting at all times in a manner that does not place Sourcegraph’s assets at risk
  • Helping to identify risks as part of the risk management process and implementing remediations
  • Adhering to company policies and standards of conduct
  • Reporting incidents and observed anomalies or weaknesses

Policy Compliance

Sourcegraph will measure and verify compliance with this policy through various methods, including, but not limited to, business tool reports and both internal and external audits.

Violations & Enforcement

Any known violations of this policy should be reported to report-policy-violation@sourcegraph.com. Failure to follow this policy can result in disciplinary action, up to and including termination.

History

Version | Date        | Description                                                                                  | Author          | Approved by
1.0     | 23-Sep-2021 | First version                                                                                | Nicky Van Maanen | Diego Comas
1.1     | 27-Jan-2022 | Minor updates                                                                                | Diego Comas     | Diego Comas
2.0     | 09-Jun-2022 | Updated Roles & Responsibilities matrix                                                      | Dora Neumeier   | Diego Comas
2.1     | 18-May-2023 | Updated Head of Security title and Compliance Manager responsibilities; annual review       | Dora Neumeier   | Diego Comas