Without clear rules, your team will guess what they should do, and they will guess wrong. A junior accountant might email sensitive GST files to the wrong person, or a vendor's employee might take photos of your customer database because nobody told them not to. If your customer data gets stolen or exposed because someone didn't know the rules, you could face fines under the Digital Personal Data Protection Act 2023, lose major customers (especially if they are exporters who need you to follow their security standards), or face business interruption while you notify affected people. One manufacturing unit in Bangalore lost a ₹2 crore contract when their buyer discovered customer payment data was left unprotected on a shared server—the buyer's legal team found that the company had no documented security policy at all.
Find where your organisation is today. Be honest — the self-assessment is only useful if it reflects reality.
| Level | What it looks like |
|---|---|
| Absent | You have no written security rules or responsibilities document. Your team does security work based on what they remember from informal conversations or what they think is common sense. |
| Initial | You have written down some basic security rules in a Word document or email, but they are vague (like 'keep passwords safe') and are not distributed to all staff or vendors. New hires do not read them during onboarding. |
| Developing | You have a simple security policy document that covers key areas like password rules, data handling, and reporting breaches. All employees sign a one-page acknowledgment when they join, and vendors sign a basic clause. You do not regularly update or remind people of these rules. |
| Defined | You have a documented security policy that applies to both employees and vendors, with specific rules for different roles (e.g., reception staff, IT, finance). You conduct a brief training during onboarding and include security responsibilities in employment contracts. You review and update the policy annually. |
| Managed | You have detailed role-based security responsibilities built into job descriptions and vendor contracts, with clear consequences for non-compliance. You conduct annual security awareness training for all staff, maintain training records, and add new security requirements as your business evolves. Vendors must certify compliance in writing. |
| Optimised | Security and data protection responsibilities are integrated into your performance management system, vendor SLAs, and regular compliance audits. You conduct quarterly security awareness refreshers, test employee understanding through simulations (like fake phishing emails), and continuously improve rules based on lessons learned and industry updates. All stakeholders actively reinforce a security-first culture. |
| Step | What to Do | Who | Effort |
|---|---|---|---|
| 0 → 1 | Create a one-page 'Security Do's and Don'ts' document in simple Hindi/English covering: password rules (minimum 8 characters, no birthdays), how to handle customer data (do not email unencrypted), reporting suspected breaches (tell your manager immediately), and basic physical security (lock your computer when you leave). Have your manager or owner review it. | Owner or designated manager | 2-3 hours |
| 1 → 2 | Expand the document into a simple Security Policy (2-3 pages) with sections for data handling, access control, password management, incident reporting, and consequences. Get all current employees to sign an acknowledgment. Share the same policy with all active vendors and contractors in writing (email counts). | Owner with HR or office manager | 1 week |
| 2 → 3 | Rewrite the security policy to define role-specific responsibilities: what reception can do, what IT can do, what finance can do, what vendors can do. Include this in employment contracts for new hires and in vendor agreements. Conduct a 30-minute onboarding briefing for all new staff in the first week, with a simple one-page handout in their local language. | Owner, HR lead, and IT manager | 2-3 weeks |
| 3 → 4 | Conduct formal annual security awareness training (can be a 1-hour workshop or online video) for all employees and ensure vendors attend or confirm receipt of training materials. Document attendance and maintain records. Review and update the policy annually to reflect new risks (e.g., new software, new data types) and include a brief written test or acknowledgment after training. | Owner or IT manager, with external trainer if budget allows | 4-6 weeks (including preparation and rollout) |
| 4 → 5 | Integrate security responsibilities into performance reviews and employee goal-setting. Conduct quarterly security reminders via email or team meetings. Run one simulated phishing email per quarter to test awareness and provide feedback. Update vendor contracts to include specific compliance clauses and require annual security certifications. Capture and act on security lessons learned from incidents or near-misses. | Owner, HR lead, IT manager, and all team leads | Ongoing (2-3 hours per month) |
Documents and records that prove your maturity level.
- A written Security Policy or Information Security Policy document, dated and signed off by the owner or a senior leader, that covers at least: password standards, acceptable use of company data, confidentiality obligations, incident reporting process, and consequences for violations
- A list of all current employees and contractors with their signed acknowledgment (printout, email confirmation, or signature on contract) that they have read and understood the security policy, with dates of signature
- Updated employment contracts and vendor agreements that include a clause about security and data protection responsibilities, with signature or signed purchase order confirmation
- Records of security awareness training (if any), including: attendee names, dates, topics covered, and (if applicable) test results or post-training acknowledgments
- Evidence of policy review or updates (e.g., dated version history of the policy document or email minutes from a policy review meeting) at least annually, showing changes made or confirmation that no changes were needed
Prepare for these questions from customers or third-party reviewers.
- "Show me your written security policy or code of conduct. Who has access to it, and how do you ensure all employees and vendors read it?"
- "How do you confirm that a new employee or vendor has understood their security responsibilities? Do you have signed acknowledgments or training records?"
- "What specific security tasks or rules apply to different roles in your company? For example, what can the finance team do that the sales team cannot do with customer data?"
- "What happens if an employee or vendor breaks a security rule? Can you give me an example of how you have handled a breach of policy in the past?"
- "When was your security policy last reviewed and updated? Has it changed since you first wrote it, and if so, why?"
| Purpose | Free Option | Paid Option |
|---|---|---|
| Create and store your security policy document with version control and shared access for employees | Google Docs (free with Google account) or LibreOffice Writer. Share via Google Drive with comment access so employees can acknowledge receipt. | Microsoft 365 (₹3,500–5,000/year per user for small team versions) or Notion (₹1,500–3,000/year for team plans) |
| Track employee and vendor acknowledgments and training records in a simple database or spreadsheet | Google Sheets or LibreOffice Calc. Create a simple table with columns for name, role, date of policy receipt, and signature/acknowledgment date. | Airtable (₹500–1,500/month for small team) or Microsoft Forms linked to Excel (included in Microsoft 365) |
| Deliver security awareness training content or create a simple quiz to test understanding | YouTube videos on security basics (search 'cybersecurity awareness for employees'), Google Forms for a simple quiz, or PowerPoint slides presented in-person | Coursera or Udemy (₹500–3,000 per course, one-time) for structured training modules, or hire a security consultant for a custom 1-hour workshop (₹5,000–15,000) |
- Writing a lengthy, complex security policy in English that most of your non-technical staff or vendors cannot understand. They sign it but do not follow it. Always provide key rules in simple language and in your team's preferred local language (Hindi, Tamil, Telugu, Marathi, etc.).
- Creating a policy once and never updating it. After a year or two, it becomes irrelevant to your actual business (e.g., it does not mention your new cloud accounting software or remote work rules). Review and update at least once a year or when your business changes significantly.
- Assigning security responsibilities only to IT staff, thinking 'it is not my job.' Every person who touches data—finance, sales, HR, even cleaning staff—has a security responsibility. Make this clear in role-specific terms, not just a blanket IT rule.
- Not holding vendors accountable to the same standards as employees. A contractor with access to your server or customer list must follow the same rules. Include security clauses in all vendor contracts and follow up on compliance, especially before giving access to sensitive systems.
- Assuming that signing a policy document means people will follow it. Without occasional reminders, training, or a visible leadership example (e.g., your owner also uses strong passwords), the policy will be ignored. Make security part of your regular communication and culture.
| Standard | Relevant Section |
|---|---|
| DPDP Act 2023 | Section 8 (privacy by design) and Schedule 1 (contract requirements for processors and data fiduciaries) require documented responsibilities for handling personal data |
| CERT-In Directions 2022 | Direction 5 requires documented information security policies and procedures; Direction 7 requires employee security awareness and training |
| ISO 27001:2022 | Clause 6.2 (competence and training), Clause 8.2 (competence), and Annex A.6.1 (policies for information security) and A.6.2 (information security roles and responsibilities) |
| NIST CSF 2.0 | Govern Function GV.RO-01 (organizational context and roles) and GV.RM-03 (roles and responsibilities defined); Protect Function PR.AC-01 (access policy and role-based responsibilities defined) |
Ready to assess your organisation?
Answer all 191 questions and get your NIRMATA maturity score across all 12 pillars.