Roles, Responsibilities and Training

2025.2

Security and compliance is everyone’s responsibility. CAP Index is committed to ensuring all workforce members actively address security and compliance in their roles. Statistically, cybersecurity breaches typically start with compromise of end-user computing devices, social engineering, human error or insider threat. Therefore, users are the first line of defense and yet usually the weakest link. As such, training is imperative to ensuring an understanding of current best practices, the different types and sensitivities of data, and the sanctions associated with non-compliance.

In this and all related policy documents, the terms “employees” and “workforce members” may be used interchangeably to include all full-time and part-time employees in all job roles, contractors and subcontractors, volunteers, interns, managers and executives at CAP Index.

The Security Officer is responsible for facilitating the development, testing, implementation, training, and oversight of all activities pertaining to CAP Index’s efforts to be compliant with the applicable security and compliance regulations and industry best practices. The intent of the Security Officer Responsibilities is to maintain the confidentiality, integrity, and availability of critical and sensitive data. The Security Officer is appointed by and reports to the CEO.

CAP Index has appointed Brian Cunningham as the Security Officer.

CAP Index has appointed Brian Cunningham as the Data Protection Officer responsible for all GDPR-related affairs.

An official Security Committee has been formed, chaired by the Security Officer and composed of select members of the senior leadership team (Executive Management).

Policy Statements

CAP Index policy requires that:

(a) A Security Officer must be appointed to assist in maintaining and enforcing safeguards towards security, compliance, and privacy.

Additionally, the Security Officer is appointed the Data Protection Officer, who fulfills the tasks and responsibilities specified in GDPR.

(b) Security and compliance is the responsibility of all workforce members (including employees, contractors, interns, and managers/executives). All workforce members are required to:

  • Complete all required security trainings, including annual regulatory compliance training, security awareness, and any additional role-based security training as part of the ongoing security awareness program and as required by job role.

  • Follow all security requirements set forth in CAP Index security policy and procedures, including but not limited to access control policies and procedures and the acceptable use policy for end-user computing.

  • See something, say something: follow the incident reporting procedure to report all suspicious activities to the security team.

(c) All workforce members are required to report non-compliance with CAP Index’s policies and procedures to the Security Officer or designee. Individuals who report violations in good faith may not be subjected to intimidation, threats, coercion, discrimination, or any other retaliatory action as a consequence.

(d) All workforce members are required to cooperate with federal, state and local law enforcement activities and legal investigations. It is strictly prohibited to interfere with investigations through willful misrepresentation, omission of facts, or by the use of threats against any person.

(e) Workforce members found to be in violation of this policy will be subject to sanctions.

(f) Segregation of Duties shall be maintained when applicable to ensure proper checks and balances and minimize conflicts of interest. This considerably reduces the possibility of fraud and insider threat, and eliminates single points of compromise to critical systems.

Controls and Procedures

Assignment of Roles and the Security Committee

CAP Index has appointed Brian Cunningham as the Security Officer.

The Security Committee is chaired by the Security Officer and composed of select members of Executive Management.

General Responsibilities of the Security Officer

The authority and accountability for CAP Index’s information security program and privacy program are delegated to the Security Officer. The Security Officer and the security team are required to perform or delegate the following responsibilities:

  • Build and maintain the security and privacy program to satisfy regulatory and contractual requirements.
  • Establish, document, distribute and update security policies, standards and procedures.
  • Oversee, enforce and document all activities necessary to maintain compliance, and verify that the activities are in alignment with the requirements.
  • Monitor, analyze, distribute and escalate security alerts and information.
  • Develop and maintain security incident response and escalation procedures to ensure timely and effective handling of all situations.
  • Administer user accounts, including additions, deletions, and modifications.
  • Monitor and control all access to critical systems and data.
  • Perform risk assessment, remediation, and ongoing risk management.
  • Provide regular security awareness and compliance training, as well as periodic security updates and reminder communications for all workforce members.
  • Maintain a program that incentivizes right behaviors, supports timely and proper reporting and investigation of violations, implements effective and practical mitigation, and applies fair sanctions when necessary.
  • Assist in the administration and oversight of business associate agreements.
  • Facilitate audits to validate compliance efforts throughout the organization.
  • Work with the CEO and Executive Management Team to ensure that security objectives receive appropriate consideration during the budgeting process.

Workforce Supervision Responsibilities

Although the Security Officer is responsible for implementing and overseeing all activities related to maintaining compliance, it is everyone’s responsibility (i.e. team leaders, supervisors, managers, co-workers, etc.) to supervise all workforce members and any other users of CAP Index’s systems, applications, servers, workstations, etc. that contain sensitive data. Supervisors are expected to:

  1. Monitor workstations and applications for unauthorized use, tampering, and theft, and report non-compliance according to the Security Incident Response policy.
  2. Assist the Security Officer in ensuring appropriate role-based access is provided to all users.
  3. Take all reasonable steps to hire, retain, and promote workforce members, and provide access to users, who comply with the applicable security regulations and CAP Index’s security policies and procedures.

Segregation of Duties

CAP Index has a dedicated team/personnel assigned the job function of security and compliance. Segregation of duties is achieved via a combination of assigning roles and responsibilities to different personnel and automated enforcement for software-defined processes.

Checks and balances are ensured via such segregation of duties and related review/approval processes. When applicable, reviews and approvals must be obtained from designated personnel separate from the individual performing the work.

Policy and Compliance Training

  1. The Security Officer facilitates the training of all workforce members as follows:

    1. New workforce members within their first month of employment;
    2. Existing workforce members annually;
    3. Existing workforce members whose functions are affected by a material change in the policies and procedures, within a month after the material change becomes effective;
    4. Existing workforce members as needed due to changes in the security and risk posture of CAP Index.

  2. Documentation of the training session materials and attendees is retained for a minimum of seven years.

  3. The training session focuses on, but is not limited to, the following subjects defined in CAP Index’s security policies and procedures:

    1. SOC 2 Security Principles and Controls;
    2. NIST Security Rules;
    3. PCI DSS requirements;
    4. Risk Management procedures and documentation;
    5. Auditing: CAP Index may monitor access and activities of all users;
    6. Workstations may only be used to perform assigned job responsibilities;
    7. Users may not download software onto CAP Index’s workstations and/or systems without prior approval from the Security Officer;
    8. Users are required to report malicious software to the Security Officer immediately;
    9. Users are required to report unauthorized attempts, uses of, and theft of CAP Index’s systems and/or workstations;
    10. Users are required to report unauthorized access to facilities;
    11. Users are required to report noted log-in discrepancies (e.g. an application states the user’s last log-in was on a date the user was on vacation);
    12. Users may not alter sensitive data maintained in a database, unless authorized to do so by a CAP Index Customer;
    13. Users are required to understand their role in CAP Index’s contingency plan;
    14. Users may not share their user names or passwords with anyone;
    15. Requirements for users to create and change passwords;
    16. Users must set all applications that contain or transmit sensitive data to automatically log off after 15 minutes of inactivity;
    17. Supervisors are required to report terminations of workforce members and other outside users;
    18. Supervisors are required to report a change in a user’s title, role, department, and/or location;
    19. Procedures to back up sensitive data;
    20. Procedures to move and record movement of hardware and electronic media containing sensitive data;
    21. Procedures to dispose of discs, CDs, hard drives, and other media containing sensitive data;
    22. Procedures to re-use electronic media containing sensitive data;
    23. Secrets management (such as SSH keys) and sensitive document encryption procedures.

Customer Policy Requirements and Training

CAP Index takes the integration of customer policy requirements into our training program very seriously. We understand the importance of adhering to these policies, especially those concerning customer personal account dealing and data handling requirements. Our approach can be summarized in the following steps:

  1. Policy Documentation and Review: We begin by thoroughly reviewing all customer policies related to data handling and personal account dealing. This ensures that we have a comprehensive understanding of the requirements and expectations.

  2. Customized Training Modules: Based on the reviewed policies, we develop customized training modules that address the specific needs and requirements of our customers. These modules are designed to be comprehensive, covering all aspects of the policies.

  3. Mandatory Training Sessions: All relevant employees are required to attend mandatory training sessions that cover these customized modules. We ensure that these sessions are interactive and provide real-life scenarios to better illustrate the importance and application of these policies.

  4. Regular Updates and Refreshers: Customer policies and regulatory requirements can change over time. To ensure continuous compliance, we conduct regular update sessions and refresher courses to keep our employees informed about any changes or new policies.

  5. Assessment and Certification: After completing the training, employees must pass an assessment to demonstrate their understanding and ability to apply the customer policies. Those who pass receive certification, reinforcing the importance of these requirements.

  6. Ongoing Monitoring and Support: We have an ongoing monitoring system to ensure that the training is effectively applied in daily operations. Additionally, we provide continuous support and resources for employees to reference when needed.

  7. Feedback Mechanism: We encourage feedback from employees about the training program to identify areas for improvement. This helps us refine and enhance the training experience to better meet customer policy requirements.

By implementing these steps, our organization ensures that all customer policy requirements are seamlessly integrated into our training program, maintaining our commitment to high security and data handling standards.

Ongoing Awareness Training

CAP Index leverages Microsoft 365 Defender to deliver innovative, fun and engaging security awareness content to all employees monthly. This security awareness training shall include modules on:

  • phishing,
  • social engineering,
  • proper internet use (social media, email, clicking links, etc.),
  • access control (proper passwords, 2FA, screen locking, etc.),
  • mobile device security,
  • data protection, and
  • system security (anti-malware, patches, secure configuration, etc.).

Progress is tracked individually for each employee and reported on Microsoft 365 Defender’s cloud-managed learning platform.

Internal Business Communications

Company-wide updates

CAP Index holds a company-wide roundtable at least quarterly to communicate updates across all aspects of business operations, performance and objectives.

Executive management sends out additional company-wide announcements as appropriate through pre-established internal communication channels such as email or messaging (e.g. Teams #general channel).

Departmental, team and/or project status updates

Regular performance and status updates are communicated by each department, functional team, and/or designated individuals through pre-established channels.

Additionally, each project team maintains team updates at its own committed cadence and channel, for example daily development standups/scrums or weekly team meetings.