|Board of Directors
- Oversight/understanding of cyber security risks and matters across Sourcegraph
- Consults with the Exec team to understand risk appetite and security maturity
- Solid understanding of security risks and potential weak points
- Continuously evaluate Sourcegraph’s risk appetite against potential threats
- Incorporate security into the company strategy
- Serves as the communication path for security matters to the Sourcegraph Board of Directors
|Head of Security
- Aligns Information Security policies and practices with Sourcegraph's mission, strategic objectives and risk appetite
- Serves as security ambassador across Sourcegraph and in external engagements (e.g. liaison to the Exec team and Board of Directors, client-facing engagements on security matters)
- Defines and runs the security program across the organization
- Creates an in-depth risk and maturity profile for Sourcegraph and uses it to plan initiatives
- Responsible for oversight of security policies
- Responsible for monitoring security risks and creating remediation plans
- Communicates information security risks to executive leadership
- Works with applicable executive leadership to establish an information security framework and awareness program
- Builds and maintains an Information Security & Enterprise Risk Management Framework
- Risk assessment and management: Identify and assess potential risks and vulnerabilities to the organization’s information systems and assets. Develop and implement risk mitigation strategies and controls to minimize the impact of security incidents or breaches.
- Policy development and enforcement: Establish information security policies, standards, and procedures that align with industry best practices and regulatory requirements.
- Security awareness and training: Develop and deliver information security awareness programs to educate employees about potential security risks, best practices, and their roles and responsibilities in safeguarding information.
- Security audits and assessments: Conduct periodic security audits and assessments to evaluate the effectiveness of security controls and identify areas for improvement. Collaborate with internal and external auditors to ensure compliance with regulatory requirements and industry standards.
- Vendor and third-party risk management: Evaluate the security posture of third-party vendors and partners to assess potential risks to the organization. Establish guidelines and processes for assessing, selecting, and monitoring vendors based on their security capabilities and compliance with information security standards.
- Security governance and compliance monitoring: Monitor and measure compliance with security policies, controls, and regulatory requirements. Conduct regular internal assessments and audits to ensure adherence to established security frameworks and standards.
- Continuous improvement and industry trends: Stay informed about the latest security threats, trends, and regulatory changes. Continuously improve information security practices and processes based on industry advancements and lessons learned from security incidents.
- Control design in collaboration with the compliance and security team
- Control evidence gathering and submission for review
- Control maintenance (i.e. as company processes change, any dependent controls need to be adjusted)
- Control representation for any internal and external audits
- Manage the confidentiality, integrity and availability of the information systems for which they are responsible in compliance with Sourcegraph policies on information security and privacy.
- Approval of technical access and change requests for non-standard access (annual reviews)
|Sourcegraph Employees, Contractors, temporary workers, etc.
- Acting at all times in a manner which does not place at risk Sourcegraph’s assets
- Helping to identify risk as part of the risk management process and implement remediations
- Adhering to company policies and standards of conduct
- Reporting incidents and observed anomalies or weaknesses