This document defines roles and responsibilities for key operational processes using the RACI framework (Responsible, Accountable, Consulted, Informed).
RACI Definitions
- R (Responsible): Person(s) who do the work to complete the task; at least one per activity
- A (Accountable): Person who is ultimately answerable for the correct completion and who signs off on the result; exactly one per activity
- C (Consulted): Person(s) whose input is sought before a decision or action is taken (two-way communication)
- I (Informed): Person(s) who are kept informed of progress and outcomes (one-way communication)
Incident Response (IR) Roles
| Activity | Founder | CTO | Security Lead | DevOps Lead | Legal Counsel | All Staff |
|---|---|---|---|---|---|---|
| Incident Detection | I | I | A | C | I | I |
| Initial Response | I | C | A | R | I | I |
| Severity Assessment | I | C | A | R | I | I |
| Incident Containment | I | C | A | R | I | I |
| Communication (Internal) | A | C | R | R | C | I |
| Communication (External) | A | I | C | I | R | I |
| Forensic Analysis | I | I | A | R | I | I |
| Documentation | I | I | A | R | C | I |
| Post-Incident Review | A | C | R | R | C | I |
| Process Improvement | A | R | R | R | C | I |
Disaster Recovery/Business Continuity (DR/BCP) Roles
| Activity | Founder | CTO | DevOps Lead | Security Lead | HR/Operations | Key Contractors |
|---|---|---|---|---|---|---|
| DR Planning | A | R | R | C | I | C |
| BCP Testing | A | R | R | C | C | I |
| Backup Verification | I | C | A | R | I | I |
| Failover Execution | I | C | A | R | I | I |
| Recovery Procedures | A | R | R | C | I | I |
| Business Impact Assessment | A | C | I | I | R | I |
| Vendor Communication | A | C | I | I | R | C |
| Staff Communication | A | C | I | I | R | C |
| Post-Recovery Review | A | R | R | R | C | I |
| Plan Updates | A | R | R | R | C | I |
Access Review Responsibilities
| Activity | Founder | CTO | Security Lead | DevOps Lead | All Managers | HR |
|---|---|---|---|---|---|---|
| User Access Reviews | I | I | A | R | C | C |
| Privileged Access Reviews | I | C | A | R | I | I |
| System Access Certification | I | C | A | R | I | I |
| Role-Based Access Control | I | C | A | R | I | I |
| Access Request Processing | I | C | C | R | A | R |
| Quarterly Access Reports | I | I | A | R | C | I |
| Access Violation Investigation | I | I | A | R | C | I |
| Access Removal Procedures | I | I | A | R | C | R |
| Compliance Reporting | A | C | R | R | I | I |
Vendor Reviews and Due Diligence
| Activity | Founder | CTO | Security Lead | Legal Counsel | Finance Lead | Procurement |
|---|---|---|---|---|---|---|
| Vendor Risk Assessment | C | C | A | C | I | R |
| Security Due Diligence | I | C | A | C | I | I |
| Contract Review | A | C | C | R | C | I |
| Financial Assessment | C | I | I | I | A | R |
| Performance Monitoring | I | R | C | I | I | A |
| Annual Vendor Reviews | A | C | R | C | C | R |
| Vendor Incident Response | I | C | A | C | I | I |
| Contract Renewals | A | C | C | R | C | R |
| Vendor Termination | A | C | C | R | C | R |
Change Management Processes
| Activity | Founder | CTO | Dev Lead | Security Lead | QA Lead | Release Manager |
|---|---|---|---|---|---|---|
| Change Approval (Major) | A | C | R | C | C | I |
| Change Approval (Minor) | I | C | A | C | C | R |
| Change Documentation | I | I | A | C | C | R |
| Security Review | I | I | C | A | C | I |
| Testing Requirements | I | C | A | C | R | C |
| Deployment Approval | I | A | R | C | C | R |
| Rollback Procedures | I | C | A | C | C | R |
| Change Communication | I | I | C | I | C | A |
| Post-Deployment Review | I | C | A | C | R | R |
Secure SDLC Implementation
| Activity | Founder | CTO | Dev Lead | Security Lead | QA Lead | All Developers |
|---|---|---|---|---|---|---|
| Security Requirements | I | C | A | R | C | I |
| Code Review Standards | I | C | A | R | C | R |
| Vulnerability Scanning | I | I | C | A | C | I |
| Penetration Testing | I | C | I | A | C | I |
| Security Training | I | C | I | A | I | R |
| Incident Response | I | C | I | A | I | C |
| Compliance Validation | I | C | I | A | I | I |
| Security Tool Integration | I | C | A | R | C | I |
Security Training Coordination
| Activity | Founder | CTO | Security Lead | HR | All Staff | External Trainers |
|---|---|---|---|---|---|---|
| Training Requirements | A | C | R | C | I | I |
| Annual Security Awareness | A | C | R | R | I | C |
| Phishing Simulations | I | I | A | C | R | C |
| Role-Based Training | I | C | A | C | R | C |
| Compliance Training | A | I | R | R | I | C |
| Training Effectiveness | I | I | A | C | I | C |
| Training Records | I | I | A | R | I | I |
Privacy/DSAR Handling
| Activity | Founder | CTO | Privacy Officer | Legal Counsel | All Staff | External Counsel |
|---|---|---|---|---|---|---|
| Privacy Policy Updates | A | C | R | R | I | C |
| DSAR Processing | I | C | A | R | C | I |
| Data Subject Rights | I | C | A | R | C | I |
| Privacy Impact Assessments | I | I | A | R | I | I |
| Regulatory Compliance | A | C | R | R | I | C |
| Data Breach Response | I | I | A | R | C | C |
| Privacy Training | I | I | A | C | R | I |
| Vendor Privacy Reviews | I | C | A | C | I | I |
Key Role Definitions
Founder
- Authority: Ultimate decision-making authority for all critical matters
- Responsibilities: Strategic oversight, final approvals, resource allocation
- Involvement: High-level approval for major changes, incident communication
CTO (Chief Technology Officer)
- Authority: Technical decisions and architecture oversight
- Responsibilities: Technical strategy, system architecture, technology decisions
- Involvement: All technical changes, security implementations, system updates
Security Lead
- Authority: Security policy and incident response authority
- Responsibilities: Security operations, incident response, security training
- Involvement: All security-related activities, compliance, risk assessments
DevOps Lead
- Authority: Infrastructure and deployment authority
- Responsibilities: System operations, deployments, monitoring, infrastructure
- Involvement: All operational changes, infrastructure updates, system maintenance
Legal Counsel
- Authority: Legal and compliance decisions
- Responsibilities: Legal compliance, contract management, regulatory requirements
- Involvement: Legal reviews, compliance matters, contractual obligations
HR/Operations
- Authority: Personnel and operational decisions
- Responsibilities: Employee management, operational procedures, vendor management
- Involvement: Personnel changes, operational procedures, staff communications
Escalation Procedures
Critical Incidents (Severity 1)
- Immediate Response: Security Lead + DevOps Lead
- Escalation: CTO + Founder (within 1 hour)
- External: Legal Counsel + External communications (as needed)
Major Changes (High Impact)
- Approval: CTO + Security Lead
- Final Approval: Founder
- Communication: All affected stakeholders, before deployment
Routine Operations
- Standard Process: Follow established RACI assignments
- Exception Handling: Department lead escalation
- Review: Monthly operational review meetings
Document Classification: Internal Governance Document
Access Level: Management/Leadership
Last Updated: November 26, 2025
Next Review: February 26, 2026