Information Security Roles and Responsibilities Policy

Objective

This policy and associated guidance establish the roles and responsibilities within Sourcegraph, which is critical for effective communication of information security policies and standards. Roles are required within the organization to provide clearly defined responsibilities and an understanding of how the protection of information is to be accomplished. Their purpose is to clarify and coordinate the activities and actions necessary to disseminate security policy, standards, and implementation.

Applicability

This policy is applicable to all Sourcegraph employees and contractors who are involved with the Information Security Program. This policy also applies to all other agents of Sourcegraph with access to Sourcegraph information and networks. This includes, but is not limited to, partners, affiliates, contractors, temporary employees, trainees, guests, and volunteers. These groups will be referred to collectively hereafter as the “Sourcegraph community”.

Roles & Responsibilities

Each role below is listed with its responsibilities.

Board of Directors
  • Oversight/understanding of cyber security risks and matters across Sourcegraph
  • Consults with the Exec team to understand risk appetite and security maturity
Executive Leadership
  • Solid understanding of security risks and potential weak points
  • Continuously evaluate Sourcegraph’s risk appetite against potential threats
  • Incorporate security into the company strategy
  • Communication path for security matters to the Sourcegraph Board of Directors
Security Lead
  • Aligns Information Security policies and practices with Sourcegraph’s mission, strategic objectives and risk appetite
  • Serves as security ambassador across Sourcegraph and in external engagements (e.g. liaison to the exec team, Board of Directors, and client-facing engagements for security matters)
  • Defines and runs the security program across the organization
  • Creates an in-depth risk and maturity profile for Sourcegraph and uses it to plan initiatives
  • Responsible for oversight of security policies
  • Responsible for monitoring security risks and creating remediation plans
  • Communicates information security risks to executive leadership
Compliance Manager
  • Works with applicable executive leadership to establish an information security framework and awareness program
  • Builds and maintains an Information Security & Enterprise Risk Management Framework
  • Responsible for compliance with policies and internal controls
Control Owners
  • Control design in collaboration with the compliance and security team
  • Control evidence gathering and submission for review
  • Control maintenance (i.e. as company processes change, any dependent controls need to be adjusted)
  • Control representation for any internal and external audits
System Owners
  • Manage the confidentiality, integrity and availability of the information systems for which they are responsible, in compliance with Sourcegraph policies on information security and privacy
  • Approval of technical access and change requests for non-standard access (annual reviews)
Sourcegraph Employees, Contractors, Temporary Workers, etc.
  • Acting at all times in a manner which does not place Sourcegraph’s assets at risk
  • Helping to identify risk as part of the risk management process and implementing remediations
  • Adhering to company policies and standards of conduct
  • Reporting incidents and observed anomalies or weaknesses

Policy Compliance

Sourcegraph will measure and verify compliance with this policy through various methods, including, but not limited to, business tool reports and both internal and external audits.

Violations & Enforcement

Any known violations of this policy should be reported to report-policy-violation@sourcegraph.com. Failure to follow this policy can result in disciplinary action, up to and including termination.

History

Version  Date          Description                  Author            Approved by
1.0      23-Sept-2021  First Version                Nicky Van Maanen  Diego Comas
1.1      27-JAN-2022   Minor updates                Diego Comas       Diego Comas
2.0      09-Jun-2022   Updated Roles & Resp matrix  Dora Grgic        Diego Comas