Information Security Roles and Responsibilities Policy


This policy and associated guidance establish the roles and responsibilities within Sourcegraph, which is critical for effective communication of information security policies and standards. Roles are required within the organization to provide clearly defined responsibilities and an understanding of how the protection of information is to be accomplished. Their purpose is to clarify, coordinate activity, and actions necessary to disseminate security policy, standards, and implementation.


This policy is applicable to all Sourcegraph employees and contractors who are involved with the Information Security Program. This policy applies to all other agents of Sourcegraph with access to Sourcegraph information and network. This includes, but not limited to partners, affiliates, contractors, temporary employees, trainees, guests, and volunteers. The titles will be referred to collectively hereafter as the “Sourcegraph community”.

Roles & Responsibilities

Roles Responsibilities
Board of Directors
  • Oversight/understanding of cyber security risks and matters across Sourcegraph
  • Consults with Exec team to understand risk appetite and security maturity
Executive Leadership
  • Solid understand of security risks and potential weak points
  • Continuously evaluate Sourcegraph’s risk appetite against potential threats
  • Incorporate security into the company strategy
  • Communication path of security matters to Sourcegraph Board of Directors
Security Lead
  • Aligns Information Security policies and practises based on Sourcegraph’s mission, strategic objectives and risk appetite
  • Serves as security ambassador across Sourcegraph and external engagements (i.e. liaison to the exec team, Board of Directors, client facing engagements for security matters)
  • Defines and runs the security program across the organization
  • Create a in-depth risk and maturity profile for Sourcegraph and utilize it to plan initiatives
  • Responsible for oversight of security policies
  • Responsible for monitoring security risks and creating remediation plans
  • Communicates information security risks to executive leadership
Compliance Manager
  • Works with applicable executive leadership to establish an information security framework and awareness program
  • Builds and maintains an Information Security & Enterprise Risk Management Framework
  • Responsible for compliance to policies and internal controls.
Control Owners
  • Control design in collaboration with the compliance and security team
  • Control evidence gathering and submission for review
  • Control maintenance (i.e. as company processes change any dependable controls need to be adjusted)
  • Control representation for any internal and external audits
System Owners
  • Manage the confidentiality, integrity and availability of the information systems for which they are responsible in compliance with Sourcegraph policies on information security and privacy.
  • Approval of technical access and change requests for non-standard access (annual reviews)
Sourcegraph Employees, Contractors, temporary workers, etc.
  • Acting at all times in a manner which does not place at risk Sourcegraph’s assets
  • Helping to identify risk as part of the risk management process and implement remediations
  • Adhering to company policies and standards of conduct
  • Reporting incidents and observed anomalies or weaknesses

Policy Compliance

Sourcegraph will measure and verify compliance to this policy through various methods, including but not limited to, business tool reports, and both internal and external audits.

Violations & Enforcement

Any known violations of this policy should be reported to Failure to follow this policy can result in disciplinary action, up to and including termination.


Version Date Description Author Approved by
1.0 23-Sept-2021 First Version Nicky Van Maanen Diego Comas
1.1 27-JAN-2022 Minor updates Diego Comas Diego Comas
2.0 09-Jun-2022 Updated Roles & Resp matrix Dora Neumeier Diego Comas