Definition of (Security) Roles and Responsibilities

Version 1: 2022-07-13
Update: 2023-01-02

Introduction

anDREa is committed to being GDPR compliant and to protecting the data and privacy of all stakeholders.

The purpose of this document is to describe anDREa’s Definition of (Security) Roles and Responsibilities. It covers all roles and responsibilities at anDREa.

This document will be updated at least annually and when a significant change happens to the relevant areas covered.

For the user roles in myDRE, see Roles in a DRE workspace.

Overview (Security) Roles and Responsibilities

anDREa is a lean start-up, and this limits how much segregation of duties can effectively take place. anDREa is aware that segregation of duties is good practice for mitigating the risk of insider threats and accidental employee mistakes, and will take this into account as anDREa grows.

Mapping key security responsibilities & standard security roles

Columns: Key / standard roles | CEO | CTO | Developers | Contact with Authorities (All other; GDPR-related) | Contact with special interest groups (All other; Security and features related)
Marks are listed per row in column order; – denotes an empty cell.

Top Management: X: principal; X
Information Security Officer: –; X
Data Protection Officer: –; X
IT Administrator: –; X; X: operational
Internal Auditor: –; X; X: security

anDREa roles

Each of the following roles is described in the next chapter:
  1. CEO
  2. CTO
  3. Employee/Contractor
    1. IT Architect
    2. Developers
    3. Testers
    4. Scrum Master
    5. Product Owner
  4. Support
    1. Core Support Team
    2. Support Team
    3. Service Provider
In addition to the above roles, the following roles are also described in the next chapter:
  1. Top Management
  2. Information Security Officer
  3. Data Protection Officer
  4. IT Administrator
  5. Internal Auditor

Description of Responsibilities per Role

CEO

  1. Screening: VOG (Dutch certificate of conduct) or equivalent is required.
Key responsibilities are:
  1. ISO/IEC 27001 Clause 5 Leadership
  2. See Top Management

CTO

  1. Screening: VOG (Dutch certificate of conduct) or equivalent is required.
Key responsibilities are:
  1. ISO/IEC 27001 Clause 5 Leadership
  2. See Top Management
  3. See Data Protection Officer
  4. See IT Administrator

Employee/Contractor

The most important policies applicable to this Role include:
  1. Security Manifesto
  2. Information Security Objectives & Policy
  3. Information Classification Policy
  4. Acceptable Use of Assets Policy
  5. Access Control Policy
  6. Data Handling Policy

IT Architect

Key responsibilities are:
  1. Analyze existing systems to ensure that they
    1. provide the necessary security
    2. meet the needs of the organization
  2. Ensure that overall system performance meets expectations
  3. Introduce alternative technologies to improve or extend the systems in support of organizational goals
  4. Design, review and implement the process for introducing new systems
  5. Provide technical direction and support for adding new systems and functionality to the existing core infrastructure
  6. Document and communicate proposals and designs

Developers

Key responsibilities are:
  1. Produce clean, efficient code based on specifications
  2. Integrate software components and third-party programs
  3. Verify and deploy programs and systems
  4. Troubleshoot, debug and upgrade existing software
  5. Recommend and execute improvements
  6. Create technical documentation for reference and reporting

Testers

Key responsibilities are:
  1. Analyze user stories, use cases and requirements
  2. Execute all levels of testing (System, Integration, and Regression)
  3. Design and develop automation scripts when needed
  4. Detect and track software defects and inconsistencies
  5. Document test findings

Scrum Master

Key responsibilities are:
  1. Ensuring the team lives agile values and principles
  2. Ensuring the team follows the anDREa processes and practices
  3. Clearing obstacles
  4. Establishing an environment where the team can be effective
  5. Addressing team dynamics
  6. Ensuring a good relationship between the team and product owner as well as others outside the team
  7. Protecting the team from outside interruptions and distractions

Product Owner

Key responsibilities are:
  1. Ensures user stories are “ready” before development starts.
  2. Ensures each story has the correct acceptance criteria.
  3. Gathers, manages and prioritizes the product backlog.
  4. Ensures close collaboration with the development team.
  5. Works closely with engineering and quality assurance to ensure the right customer problem is solved.
  6. Tracks progress towards the release of a product.
  7. Creates the product vision and a roadmap that accomplishes the goal of that vision.
  8. Develops positioning for the product.
  9. Works with a cross-functional team in planning a product release.
  10. Develops personas, either alone or together with a team including user experience experts.
  11. Defines customer needs and the features required to meet those needs.
  12. Advocates on behalf of the customer towards the development team.
  13. Prioritizes defect and bug resolution.

Support

The support roles are part of the anDREa offering. However, Core Support Team and Support Team members are employed directly by a Tenant, whereas the Service Provider is an external party contracted to ensure 24/7/365 support.

The most important policies applicable to this Role include:
  1. Security Manifesto
  2. Information Security Objectives & Policy
  3. Information Classification Policy
  4. Data Handling Policy
  5. Data Breach Procedure
  6. Access Control Policy
  7. Terms of Service

Core Support Team

A member of the Core Support Team (CST) is employed by one Tenant and mandated by that Tenant. Work for another Tenant serviced by the CST requires explicit instructions from a mandated person of that Tenant.
Key responsibilities are:
  1. Maintain support.mydre.org
  2. Actively assist users in accordance with the SLA
    1. Primary responsibility is for the member’s own Tenant
    2. Backup for other Tenants that make use of the CST
  3. Log and document progress on user requests and assistance
  4. Escalate issues that cannot be resolved by the CST to the Service Provider
  5. Directly escalate any suspected attacks, risks or data leaks to the CTO
  6. Provide feedback on the Shared Tenant experience, improvements and suggestions during CST meetings
  7. Give demos

Support Team

A member of the Support Team (ST) is employed by a Tenant and mandated by that Tenant, and only that Tenant, to act on its instructions.
Key responsibilities are:
  1. Assist users in accordance with the SLA
  2. Log and document progress on user requests and assistance
  3. Escalate issues that cannot be resolved by the ST to the Service Provider, in accordance with the Tenant Agreement
  4. Directly escalate any suspected attacks, risks or data leaks to the CTO
  5. Provide feedback on the Shared Tenant experience, improvements and suggestions to the anDREa CTO

Service Provider

Key responsibilities are:
  1. Log all user reports received outside office hours
  2. Monitor all contracted systems and Subscriptions 24/7/365
  3. Triage the reports and the monitored threats and problems
    1. Anything that needs immediate action is processed expeditiously:
      1. Attacks on a Workspace, Subscription or Core systems
      2. Platform-wide disruption of services
      3. VIPs
  4. Update and patch Windows VMs tagged for update/patch
  5. Report on the performance of anDREa Core Systems
  6. Report status per Subscription

Top Management

Key responsibilities are:
  1. Definition of the organisation’s strategy.
  2. Definition of the information security context, requirements and scope in accordance with ISO/IEC 27001 Clause 4 Context of the organisation.
  3. Leadership and involvement with regard to the Information Security Management System in accordance with ISO/IEC 27001 Clause 5 Leadership.
  4. Definition of the organisation’s operating strategy in the context of data protection through policies.
  5. Definition of Roles, assignment of responsibilities and rights in the organisation.
  6. Provision of resources and budget approval.
  7. Management and supervision of the organization’s external communication.
  8. Participation in Management Reviews and ISMS improvement

Information Security Officer

Key responsibilities are:
  1. Definition and supervision of the Information Security Management System (ISMS).
  2. Coordination of all activities related to the ISMS.
  3. Coordination of risk assessment in accordance with ISO/IEC 27001 Clause 6 Planning.
  4. Communication of information relating to ISMS in the organisation.
  5. Contacting authorities and groups of interest in the area of ISMS.
  6. Keeping anDREa’s CIA classification (confidentiality, integrity, availability) up to date.
  7. Publishing awareness articles and drafting incident reports.

Data Protection Officer

Key responsibilities are:
  1. Responsible for the Data Breach Procedure.
  2. Keeping anDREa GDPR compliant.
  3. Ensure anDREa’s DPIA is up-to-date.

IT Administrator

Key responsibilities are:
  1. Definition and implementation of technical security measures in the Organization
  2. Participation in the Risk Assessment & Risk Treatment Methodology in the role of technical expert
  3. Maintenance of ICT infrastructure and resources
  4. Supervision of access rights to the Organization’s resources
  5. Monitoring and maintenance of the Organization’s ICT networks and resources
  6. Management of availability, capacity and events
  7. Responding to threats and security incidents in the Organization
  8. Support and implementation of the components that form part of the Organization’s operation continuity plans
  9. Raising user awareness in technological areas

Internal Auditor

Key responsibilities are:
  1. Participation in the Internal Audit Program
  2. Preparation and distribution of the Audit Report
  3. Assessment of the Organization’s compliance with the security measures approved in the Statement of Applicability
  4. Preparation of audit criteria to improve audit quality
  5. Development of technical expert skills in the areas required by the Organization
  6. Improvement and development of management systems in the Organization
