
Roles & Responsibilities Policy
Document ID: AUL-POL-02
Version: 1.0
Classification: Internal
Owner: Chief Technology Officer / ISSM
Effective: TBD-YYYY-MM-DD
Next Review: TBD-YYYY-MM-DD
1. Purpose
This policy defines the cybersecurity roles, responsibilities, and accountability structure for Aulendur Labs, Inc. It assigns ownership of security functions to named roles, documents compensating controls where separation of duties is constrained by the organization's ~5-person scale, and establishes the authority chain for security decisions.
2. Scope
This policy applies to:
- Personnel: All employees, contractors, interns, advisors, and board members of Aulendur Labs.
- Systems: All information systems and services operated by or on behalf of Aulendur Labs, including production (Linode, Cloudflare, AWS), corporate IT (Google Workspace, GitHub, 1Password, Slack), and the planned CUI Enclave (AWS GovCloud).
- Data: All data classifications — Public, Internal, Confidential, CUI, and ITAR-controlled technical data.
3. Roles & Responsibilities
| Role | Responsibility |
|---|---|
| Chief Executive Officer (CEO) | Approves this policy; bears ultimate accountability for the security program; appoints the ISSM; allocates resources. |
| Chief Technology Officer (CTO) / ISSM | Owns this policy; defines and maintains the roles and responsibilities matrix; resolves role conflicts. |
| All Personnel | Know and execute their assigned security responsibilities; report gaps or conflicts to the CTO/ISSM. |
4. Policy Statements
4.1 Security Role Definitions
4.1.1 Aulendur Labs shall maintain the following security roles. Each role shall have a named individual assigned and documented in the System Security Plan (SSP) (forthcoming).
Chief Executive Officer (CEO) — Aaron Parker
4.1.2 The CEO shall:
- (a) Approve all security policies and accept residual risk on behalf of the organization.
- (b) Authorize the information security budget.
- (c) Appoint the ISSM in writing.
- (d) Receive quarterly security posture briefings from the CTO/ISSM.
Chief Technology Officer (CTO) / Information System Security Manager (ISSM) — Jorden Gershenson
4.1.3 The CTO/ISSM shall:
- (a) Direct the information security program and all subordinate policies, standards, and procedures.
- (b) Conduct or commission the annual risk assessment per the Risk Management Policy.
- (c) Authorize system operation (Authorization to Operate) for all Aulendur systems.
- (d) Serve as the primary point of contact for CMMC assessors, DoD cyber incident reporting (DFARS 252.204-7012), and regulatory inquiries.
- (e) Maintain the POA&M and track remediation of security deficiencies.
- (f) Review and approve access requests for privileged accounts.
- (g) Serve as the Insider Threat Program Senior Official (ITPSO) at current scale.
Information System Security Officer (ISSO)
4.1.4 The ISSO shall:
- (a) Execute day-to-day security monitoring, log review, and incident triage.
- (b) Collect and maintain compliance evidence artifacts.
- (c) Conduct quarterly access reviews and report findings to the CTO/ISSM.
- (d) Administer security tooling (endpoint protection, vulnerability scanners, SIEM).
> [!NOTE]
> DECISION POINT: At ~5 personnel, the CTO/ISSM serves as acting ISSO. This dual role is a compensating control documented here and in AUL-POL-01. To mitigate the lack of separation of duties, the CEO shall conduct or commission a quarterly independent review of the CTO/ISSM's security activities. When headcount exceeds 10 or CUI processing begins, a dedicated ISSO shall be appointed.
System Owner
4.1.5 System Owners shall:
- (a) Maintain the security configuration and authorization documentation for their assigned systems.
- (b) Implement security controls specified by the CTO/ISSM within their systems.
- (c) Report security events affecting their systems to the ISSO within 1 hour of discovery.
- (d) Authorize user access to their systems based on verified need-to-know and role assignment.
Data Owner
4.1.6 Data Owners shall:
- (a) Classify data under their stewardship per the Information Classification & Handling Policy.
- (b) Authorize access to their data based on verified need-to-know.
- (c) Review and revalidate data access permissions quarterly.
- (d) Specify retention and disposal requirements per the Data Retention & Disposal Policy (forthcoming).
All Personnel
4.1.7 All personnel shall:
- (a) Complete security awareness training within 10 business days of onboarding and annually thereafter.
- (b) Comply with all security policies, standards, and procedures.
- (c) Use only authorized devices and software for Aulendur business.
- (d) Report security incidents, suspected incidents, and policy violations to the CTO/ISSM within 1 hour of discovery.
- (e) Protect authentication credentials; never share passwords or security tokens.
4.2 Role Assignment and Documentation
4.2.1 The CTO/ISSM shall maintain a role assignment matrix mapping each security role to a named individual. This matrix shall be stored in the SSP (forthcoming) and updated within 5 business days of any personnel change.
4.2.2 Each individual assigned a security role shall acknowledge their responsibilities in writing (electronic signature accepted) within 5 business days of assignment.
4.2.3 The CTO/ISSM shall brief each newly assigned role-holder on their responsibilities before they assume the role.
4.3 Separation of Duties
4.3.1 Aulendur Labs shall separate security-critical duties to the extent feasible at current scale. At minimum, the following separations shall be maintained:
| Function A | Function B | Separation Method |
|---|---|---|
| Policy approval (CEO) | Policy implementation (CTO/ISSM) | Role separation — different individuals |
| Access provisioning (CTO/ISSM) | Access review (CEO quarterly review) | Compensating control — independent review |
| Code commit (developer) | Code merge to main (reviewer) | Technical control — GitHub branch protection requires at least 1 approving review |
| Incident declaration (any personnel) | Incident investigation (CTO/ISSM) | Role separation where possible; for CTO/ISSM-involved incidents, CEO oversees |
4.3.2 Where separation of duties cannot be achieved due to organizational size, the CTO/ISSM shall document the compensating control in the SSP (forthcoming) and the Exception Register. Compensating controls shall be reviewed quarterly.
4.4 Succession and Continuity
4.4.1 The CTO/ISSM shall designate a backup for each security role. At minimum, the CEO shall be designated as backup ISSM and shall receive sufficient cross-training to execute critical security functions (incident reporting, access revocation, system shutdown).
4.4.2 Contact information and escalation procedures for all security roles shall be documented and accessible to all personnel, including during off-hours.
4.4.3 The role assignment matrix and succession plan shall be reviewed during the annual policy review or within 5 business days of a personnel departure.
4.5 Third-Party and Contractor Responsibilities
4.5.1 Contractors and third parties with access to Aulendur systems or data shall be assigned security responsibilities commensurate with their access level. These responsibilities shall be documented in the applicable contract or statement of work.
4.5.2 Third parties shall not be assigned the ISSM, ISSO, or Data Owner role for Aulendur systems without CEO approval and documented compensating controls.
5. Standards & Procedures Referenced
The following companion documents implement this policy:
- Information Security Policy
- Risk Management Policy
- Information Classification & Handling Policy
- Onboarding & Offboarding Policy (forthcoming)
- System Security Plan (forthcoming)
6. Compliance & Enforcement
Violations of this policy may result in disciplinary action up to and including termination of employment or contract, civil penalties, and criminal prosecution where applicable. Failure to execute assigned security responsibilities shall be documented and addressed through the performance management process. Suspected violations shall be reported to the CTO/ISSM.
7. Exceptions
Exceptions to this policy require written approval per the Policy Exception & Waiver Policy (forthcoming). Exceptions are time-bounded (maximum 180 calendar days), backed by compensating controls, and tracked in the Exception Register.
8. Definitions
| Term | Definition |
|---|---|
| ISSM | Information System Security Manager — the individual responsible for the organization's information security program. |
| ISSO | Information System Security Officer — the individual responsible for day-to-day security operations. |
| ITPSO | Insider Threat Program Senior Official — the individual responsible for the insider threat program. |
| SSP | System Security Plan — a formal document describing the security controls implemented for an information system. |
| Separation of Duties | The principle that no single individual should control all phases of a critical process. |
| Compensating Control | An alternative security measure employed when a primary control cannot be implemented, providing equivalent or comparable protection. |
| Data Owner | The individual or role accountable for the classification, protection requirements, and authorized use of a defined data set. |
| System Owner | The individual or role accountable for the operation and security of a specific information system. |
9. References
- NIST SP 800-171 Rev. 3, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
- NIST SP 800-53 Rev. 5, Security and Privacy Controls for Information Systems and Organizations
- CMMC 2.0 Level 2, Cybersecurity Maturity Model Certification
- DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting
- NIST SP 800-171 R3 03.01.04, Separation of Duties
10. Control Mappings
| Framework | Control ID | Control Title | Coverage |
|---|---|---|---|
| NIST SP 800-171 R3 | 03.01.04 | Separation of Duties | Full |
| NIST SP 800-171 R3 | 03.15.01 | Policy and Procedures | Supports — primary coverage in AUL-POL-01 |
| CMMC 2.0 L2 | AC.L2-3.1.4 | Separation of Duties | Full |
| NIST SP 800-53 R5 | AC-5 | Separation of Duties | Full |
| NIST SP 800-53 R5 | PM-2 | Information Security Program Leadership Role | Full |
| NIST SP 800-53 R5 | PM-13 | Security and Privacy Workforce | Partial — training coverage in AUL-POL-10 |
11. Revision History
| Version | Date | Author | Changes |
|---|---|---|---|
| 1.0 | TBD-YYYY-MM-DD | J. Gershenson | Initial issue. |
© Aulendur Labs, Inc. 2026. Internal use only unless otherwise classified.