Roles and Accountability

4. Roles and Accountability

Executive Sponsor

  • Provides executive backing for this policy and SDLC gates, resolves risk/cost/schedule conflicts, and approves high‑impact exceptions. Final approver at Go‑Live when residual risk remains.

Information Security Officer (ISO) — Policy Owner

  • Owns this policy and related standards, sets security baselines, reviews designs, approves/denies exceptions (with compensating controls and expiry), and signs security readiness at Pre‑Production and Go‑Live. Leads coordination for security issues post‑release.

Product/Process Owner (per solution)

  • Owns business requirements, acceptance criteria, and UAT; confirms data classification and retention needs; signs Design, Pre‑Production, and Go‑Live gates for business readiness and acceptance.

Vendor Manager

  • Single point of accountability for vendor performance, evidence cadence (e.g., SBOMs, security test summaries), escalations, and contract levers. Ensures subprocessor disclosures/approvals are completed before use and tracks remediation POA&Ms to closure.

Security Architecture (function)

  • Reviews design choices affecting identity, crypto, WAF/API posture, file‑upload controls, logging, and residency; confirms technical bounds and time limits for exceptions. (Fulfilled by ISO or delegate.)

IT Operations

  • Confirms deployability, observability, backups/restore, and alert routing; verifies logs reach the SIEM (vendor and/or CLD) and that runbooks/rollback steps are tested; signs operational readiness at Pre‑Production and Go‑Live.

Legal/Privacy

  • Advises on PIPEDA and Quebec Law 25, triggers and reviews DPIAs when needed (e.g., cross‑border, new data uses), validates contractual privacy/security terms, and signs Design gate when data use, retention, and residency are addressed.

Vendors

  • Deliver secure SDLC outcomes aligned to this policy; integrate with CLD identity and logging; meet vulnerability remediation SLAs; provide evidence at gates (SBOM, SAST/SCA/DAST results, pentest summary, change/rollback plans); disclose and obtain approval for subprocessors; flow down obligations contractually; operate a SIEM and complete annual pentest/code scans with 30‑day action plans.

Subprocessors

  • Engaged by vendors only after CLD approval; must meet equivalent security/privacy obligations and provide annual compliance artifacts (e.g., SOC 2 Type 2).

All CLD Personnel involved in SDLC

  • Complete required training; follow policy, standards, and gate checklists; report suspected security issues immediately. Residual risk may not be accepted without ISO and Executive Sponsor approval.

Gate Decision Rights (summary)

  • Intake: Product/Process Owner + ISO confirm data classification, residency, and privacy triggers.

  • Design: Product/Process Owner (business fit) + ISO (security/privacy) + Legal/Privacy (when applicable).

  • Pre‑Production: Product/Process Owner (UAT) + ISO (security evidence) + IT Operations (operational readiness).

  • Go‑Live: ISO + Product/Process Owner; Executive Sponsor when residual risk or exceptions exist.

  • Post‑Go‑Live: ISO coordinates 30‑day stability/security review; findings tracked via POA&M.

Exception Approval

  • Exceptions require a written request with scope, rationale, risk assessment, compensating controls, owner, and expiry; ISO recommends, Executive Sponsor approves; Legal/Privacy reviews when privacy risk is involved.