GASP: AICF


HRS-010 Personnel Roles and Security Responsibilities

Tier 2+

Description

Information security roles and responsibilities for all positions are defined, documented, and communicated to personnel. Role definitions specify what data each position can access, what security obligations apply to the role, and who is accountable for information assets under that role.

Rationale

Personnel cannot be held accountable for security responsibilities that are not clearly defined for their role. Role-specific responsibility definitions provide the foundation for targeted training, access provisioning, and disciplinary enforcement.

Framework Mappings (3)

HRS-09: Personnel Roles and Responsibilities (full)
5.2: Information security roles and responsibilities (partial)
PS-2: Position Risk Designation (partial)

Evidence (2)

Type: record (manual)

Role definitions document or job description set specifying information security responsibilities, data access entitlements, and accountability obligations for each position.

Example: Job description library (Workday / BambooHR / Confluence), with a security responsibilities section for each role — specifying: systems and data the role can access, security obligations specific to the role, and the named information asset(s) the role is accountable for.

Test: Request job descriptions or role definitions for at least five roles spanning different access tiers (e.g. software engineer, data analyst, sysadmin, HR manager, executive). For each, verify: (1) a security responsibilities section exists, (2) data access entitlements or systems in scope are described, (3) accountability for at least one information asset is stated for roles with elevated access, (4) the role definition is current (reviewed within the last 12 months or updated on last role change).

Type: policy (manual)

HR or security policy requiring that security responsibilities are defined and maintained in all role definitions, with a process for updating them when roles change.

Example: HR Policy on Role Definitions or Security Roles and Responsibilities Procedure (Confluence), stating: all job descriptions must include a security responsibilities section, the team responsible for maintaining them, the trigger for updating them (role change, new system access), and the review cadence.

Test: Request the policy or procedure governing role definition maintenance. Verify: (1) a requirement to include security responsibilities in all job descriptions is stated, (2) a process for updating role definitions when access or responsibilities change is described, (3) ownership of the process is assigned to a named team, (4) the policy is approved and dated within the last 12 months.

Questions (2)

boolean

Are information security roles and responsibilities formally defined for all positions, specifying data access entitlements and accountability obligations, and communicated to personnel?

Job descriptions or role definition documents should include a security responsibilities section covering systems in scope, data access entitlements, and asset accountability for elevated-access roles.

boolean

Does your organization have a process for updating role security responsibilities when a role changes, and for ensuring personnel are informed of the updated obligations?

The process should define who owns role definition maintenance, what triggers an update (role change, new system access), and how updated responsibilities are communicated to affected personnel.