Cybersecurity responsibilities are assigned to specific roles, including external service providers
Context and Guidance: Clearly assigning cybersecurity responsibilities to roles establishes expectations for the tasks that personnel in those roles will perform. These roles may be explicitly cybersecurity-focused (network administrator, help desk, CISO, etc.) or may be other roles that contribute to cybersecurity activities. These responsibilities should also be specified in formal agreements with external entities, such as Internet service providers, security as service providers, cloud service providers, and IT/OT service providers.
Related Practices • Progression: This practice is part of a practice progression. Practice progressions are groups of related practices that represent increasingly complete or more advanced implementations of an activity. The practices in this progression include: WORKFORCE-3b, WORKFORCE-3c, WORKFORCE-3f.