anDREa roles

1. CEO
2. CTO
3. Employee/Contractor
1. IT Architect
2. Developers
3. Testers
4. Scrum Master
5. Product Owner
4. Support
1. Core Support Team
2. Support Team
3. Service Provider
   

1. Top Management
2. Information Security Officer
3. Data Protection Officer
4. IT Administrator
5. Internal Auditor

Description of Responsibilities per Role

CEO

1. Screening: VOG or equivalent is required.
   

1. Clause 5 Leadership
2. See Top Management

CTO

1. VOG or equivalent is required
   

1. Clause 5 Leadership
2. See Top Management
3. See: Data Protection Officer
   
4. See: IT Administrator

Employee/Contractor

1. Security Manifesto
2. Information Security Objectives & Policy
3. Information Classification Policy
4. Acceptable Use of Assets Policy
5. Access Control Policy
6. Data Handling Policy

IT Architect

1. Analyze existing systems to ensure that these systems
1. provide the necessary security
2. meet the needs of the organization
2. Make certain that overall system performance meets expectations
3. Introduce alternative technologies to improve or enhance the systems to support organizational goals
4. Design, review and implement process of new systems
5. Technical direction and support to add new systems/functionalities to the existing core infrastructure
6. Document and communicate the proposals and designs

Developers

1. Produce clean, efficient code based on specifications
2. Integrate software components and third-party programs
3. Verify and deploy programs and systems
4. Troubleshoot, debug and upgrade existing software
5. Recommend and execute improvements
6. Create technical documentation for reference and reporting

Testers

1. Analyzing users stories and/use cases/requirements
2. Execute all levels of testing (System, Integration, and Regression)
3. Design and develop automation scripts when needed
4. Detect and track software defects and inconsistencies
5. Document test findings

Scrum Master

1. Ensuring the team lives agile values and principles
2. Ensuring the team follows the anDREa processes and practices
3. Clearing obstacles
4. Establishing an environment where the team can be effective
5. Addressing team dynamics
6. Ensuring a good relationship between the team and product owner as well as others outside the team
7. Protecting the team from outside interruptions and distractions

Product Owner

1. Ensures user stories are “ready” for development to start work.
2. Ensures each story has the correct acceptance criteria.
3. Gathers, manages, and prioritizes the product backlog.
4. Ensures close collaboration with the development team.
5. Works closely with engineering and quality assurance to ensure the right customer problem is solved.
6. Tracks progress towards the release of a product.
7. Create the product vision and roadmap which accomplishes the goal of the vision.
8. Develops positioning for the product.
9. Work with a cross-functional team in planning a product release.
10. Develops personas either alone or in conjunction with a team including user experience experts.
11. Define customer needs and the associated features to meet those needs.
12. Advocates on behalf of the customer for the development team.
13. Prioritizes defect or bug resolution.

Support

1. Security Manifesto
2. Information Security Objectives & Policy
3. Information Classification Policy
4. Data Handling Policy
5. Data Breach Procedure
6. Access Control Policy
7. Terms of Service

Core Support Team

1. Maintain support.mydre.org
   
2. Actively assist users compliant to the SLA
1. Primarily responsible is the own Tenant
2. Backup for other Tenants who make use of CST
3. Log and document progress on user requests and assistance
4. Escalate issues that cannot be resolved by CST to Service Provider
5. Directly escalate any suspected attacks, risks, or data leaks to CTO
6. Provide feedback on Shared Tenant experience, improvements, suggestions during CST meetings
7. Giving demos

Support Team

1. Assist users compliant to the SLA
2. Log and document progress on user requests and assistance
3. Escalate issues, in accordance with Tenant Agreement, that cannot be resolved by ST to Service Provider
4. Directly escalate any suspected attacks, risks, or data leaks to CTO
5. Provide feedback on Shared Tenant experience, improvements, suggestions to anDREa CTO

Service Provider

1. Log all outside-office hours user reports
2. Monitor 24/7/365 all the systems and contracted for Subscriptions
3. Triage the reports and monitored threats and problems
1. Everything that needs immediate action will be processed expeditiously
1. Attacks on a Workspace, Subscription or Core systems
2. Platform wide disruption of services
3. VIPs
4. Update and patch tagged for update/patch Windows VMs
5. Report performance of anDREa Core Systems
6. Report status per Subscription

Top Management

1. Definition of the organisation’s strategy.
2. Definition of information security context, requirements and scope in accordance with Clause 4 Context of the organisation.
3. Leadership and involvement with regard to the Information Security Management System in accordance with Clause 5 Leadership. 
4. Definition of the organisation’s operating strategy in the context of data protection through policies.
5. Definition of Roles, assignment of responsibilities and rights in the organisation.
6. Provision of resources and budget approval.
7. Management and supervision of the organization’s external communication.
8. Participation in Management Reviews and ISMS improvement

Information Security Officer

1. Definition and supervision of the Information Security Management System (ISMS).
2. Coordination of all activities related to the ISMS.
   
3. Coordination of risk assessment in accordance with Clause 6 Planning.
4. Communication of information relating to ISMS in the organisation.
5. Contacting authorities and groups of interest in the area of ISMS.
6. Keeping anDREa CIA-classification up to date.
   
7. Publishing awareness articles and drafting incident reports.

Data Protection Officer

1. Data Breach Procedure.
2. Keeping anDREa GDPR compliant.
3. Ensure anDREa’s DPIA is up-to-date.

IT Administrator

1. Definition and implementation of technical safety measures in the Organization
2. Participation in the Risk Assessment & Risk Treatment Methodology in the role of a technical expert
3. Maintenance of ICT infrastructure and resources based
4. Supervision of access rights to the Organization’s resources
5. Monitoring and maintenance of ICT networks and resources of the Organization
6. Management of availability, executive potential, and events
7. Responding to threats and security incidents in the Organization
8. Support and implementation of components constituting a part of operation continuity plans in the Organization
9. Raising awareness of users in technological areas.

Internal Auditor

1. Participation in the Internal Audit Program
2. Preparation and distribution of the Audit Report
3. Assessment of Organization’s compliance with approved security measures in Statement of Applicability
4. Preparation of audit criteria to increase its quality
5. Development of technical expert skills in the areas required in the Organization
6. Improvement and development of management systems in the Organization