Cyber security roles, responsibilities, and authority — Board through operational team
Primary statement
Cyber roles and responsibilities operate as: (1) Board-level accountability for cyber risk; (2) CISO appointment with reporting line outside operational IT and direct Board IT Committee access (SEBI GV.3); (3) RACI matrix covering Board, IT Committee, CISO, CIO, business units, operational teams (SEBI GV.6); (4) cyber roles defined, documented, and communicated (NIST GV.RR-02); (5) adequate resources allocated commensurate with risk (NIST GV.RR-03); (6) cyber roles for suppliers / customers / partners established and communicated externally (NIST GV.SC-02); (7) post-termination security responsibilities (ISO A.6.5).
Audit-fatigue payoff
A single RACI matrix + CISO appointment letter + Board IT Committee charter + resource allocation documentation satisfies role-and-responsibility requirements across all 12 contributing frameworks. The RACI specification in SEBI CSCRF GV.6 (Board / IT Committee / CISO / CIO / business / operational) is the audit-defensible governance chart.
Strictness matrix
Scope
Scope: Board, IT Committee, CISO, CIO, business units, operational teams — RACI covers all governance levels. Cyber roles for suppliers, customers, and partners are additionally in scope (NIST GV.SC-02).
Ceiling source: sebi_cscrf:CSCRF.GV.6
Rationale: SEBI CSCRF GV.6 specifies the broadest internal scope (six governance levels). NIST GV.SC-02 extends to external parties. The combined scope is the audit-defensible specification.
Threshold
CISO threshold: appropriate seniority + reporting line OUTSIDE operational IT (independence) + direct access to Board IT Committee. Authority covers cybersecurity policy, incident response, third-party cyber risk, compliance reporting. Independence is a binary qualification — embedded CISO under CIO/CTO fails.
Ceiling source: sebi_cscrf:CSCRF.GV.3
Rationale: SEBI CSCRF GV.3 CISO independence is the binary threshold. Other frameworks require "appropriate" roles; SEBI specifies the reporting-line test.
Method
Method: (1) roles, responsibilities and authorities ESTABLISHED, (2) COMMUNICATED to stakeholders, (3) UNDERSTOOD by holders (training / attestation), (4) ENFORCED through performance management. Four verbs (NIST CSF 2.0 GV.RR-02). Documented in RACI matrix per SEBI GV.6.
Ceiling source: nist_csf:GV.RR-02
Rationale: NIST CSF 2.0 GV.RR-02 four-verb method (establish/communicate/understand/enforce) is the most prescriptive. SEBI CSCRF GV.6 adds the RACI structural requirement.
Frequency
RACI review: annual minimum + on organisational change. Role attestation: annual. Resource adequacy review (NIST GV.RR-03): annual + post-incident. Post-termination security obligations communicated at departure (ISO A.6.5).
Ceiling source: sebi_cscrf:CSCRF.GV.6
Rationale: Annual RACI review is the universal floor. SEBI CSCRF GV.6 makes the cadence explicit.
Evidence
Required evidence: (1) RACI matrix covering all governance levels; (2) CISO appointment letter with reporting line documented; (3) Board IT Committee charter and meeting calendar; (4) role attestation records; (5) resource allocation evidence (budget, headcount, tooling commensurate with risk per NIST GV.RR-03); (6) supplier cyber-role flow-down evidence (NIST GV.SC-02); (7) post-termination security obligations evidence per ISO A.6.5.
Ceiling source: sebi_cscrf:CSCRF.GV.6
Rationale: SEBI CSCRF GV.6 evidence list with the RACI requirement is uniquely strict. Resource-adequacy evidence per NIST GV.RR-03 closes a common gap.
Auditor test pattern
Step 1: Inspect the RACI matrix; verify all six SEBI GV.6 levels covered. Step 2: Verify CISO reporting line is outside operational IT. Step 3: Sample 2 roles and verify the holders are aware (interview / attestation). Step 4: Inspect resource allocation evidence — is it commensurate with cyber risk? Step 5: Verify supplier cyber-role flow-down via sample critical-vendor contract. Step 6: For terminations / role changes, verify security obligations communicated.
Common findings
Common 2024–26 findings: (1) CISO reports to CTO/CIO (fails independence test); (2) RACI matrix exists but only covers IT roles, not Board / business unit; (3) Role-holders unaware of their cyber accountabilities (attestation absent); (4) Resource allocation does not match documented risk appetite — under-resourced cyber programme; (5) Supplier cyber-role flow-down absent or in legacy contracts only; (6) Post-termination obligations referenced but not communicated at departure.