Governance and Organization Policy

Document Info

Version: 2026.4 · Last Reviewed: 2026-02-19 · Classification: Internal · Owner: CISO View Source · Download PDF

1. Purpose

Defines the governance structure, authority, oversight mechanisms, and accountability framework for Meridian Seven’s information security program. Satisfies Trust Services Criteria CC1.1–CC1.5 (Control Environment).

2. Scope

• Organizational structure governing security decisions
• All personnel involved in designing, implementing, operating, and overseeing security controls
• All systems, processes, and data in scope per the Information Security Policy
• Relationships with external parties regarding security governance

3. Organizational Structure (CC1.1)

3.1 Security Governance Hierarchy

CEO
 |
 +-- CTO (Executive Sponsor — Information Security Program)
      |
      +-- CISO (Program Owner — Security Operations & Compliance)
      |    |
      |    +-- Security awareness and training
      |    +-- Risk assessment and risk register
      |    +-- Incident response coordination
      |    +-- SOC 2 audit evidence and readiness
      |    +-- Policy development and maintenance
      |    +-- Vendor security assessments
      |
      +-- Engineering Lead (Technical Implementation)
           |
           +-- Secure development practices
           +-- Infrastructure security controls
           +-- Access provisioning and deprovisioning
           +-- Change management execution
           +-- Monitoring and alerting operations

3.2 Independence and Objectivity

• CISO reports to CTO with direct CEO escalation access where CTO involvement creates a conflict
• CISO has authority to halt production deployments or revoke access when an active security threat is identified
• Security audit findings reported independently of the engineering function being audited
• External SOC 2 auditors have unrestricted access to evidence, logs, and personnel during the audit period

4. Board and Executive Oversight (CC1.2)

4.1 Executive Security Responsibilities

Role	Security Oversight Responsibilities
CEO	Ultimate accountability; approves security budget; receives quarterly risk briefings
CTO	Executive sponsor; approves policies, risk appetite, and strategic initiatives; accountable to CEO for program effectiveness
CISO	Day-to-day program ownership; risk assessments; incident management; reports metrics and compliance status to CTO

4.2 Executive Reporting Cadence

Report	Frequency	Author	Audience	Content
Security Metrics Dashboard	Monthly	CISO	CTO	Control pass rate, open risks, incident count, evidence status
Risk Posture Briefing	Quarterly	CISO	CTO, CEO	Risk register review, trend analysis, treatment progress
SOC 2 Readiness Assessment	Quarterly	CISO	CTO	Gap remediation progress, audit timeline
Annual Security Review	Annually	CISO	CTO, CEO	Year-in-review, policy changes, program maturity, strategic plan

4.3 Executive Decision Authority

Decision	Authority	Escalation
Accept Low or Medium risk	CISO	N/A
Accept High risk	CTO (with CISO recommendation)	CEO if CTO disagrees
Accept Critical risk	CTO + CEO jointly	N/A — both must approve
Approve new security policy	CTO	N/A
Approve policy exception	CTO (max 90 days)	CEO for extensions beyond 90 days
Approve emergency access	CTO or CISO	Documented within 24 hours
Halt production deployment	CISO (unilateral)	Post-action review with CTO

5. Authority and Responsibility (CC1.3)

5.1 Delegation of Authority

• CTO delegates day-to-day security program management to the CISO
• CISO delegates technical implementation to the Engineering Lead and team
• Delegation does not transfer accountability — the delegator remains accountable for outcomes
• All delegations documented in role descriptions and acknowledged by the delegate

5.2 Segregation of Duties

Function A	Function B	Rationale
Code author	Code reviewer/approver	No self-approval (enforced via GitHub branch protection)
Access requester	Access approver	No self-provisioning (CISO or delegate approves)
Change implementer	Change approver	Production deployments require separate approval
Incident responder	Incident reviewer	Post-incident reviews conducted by uninvolved party
Risk assessor	Risk acceptor	CISO assesses; CTO accepts High/Critical
Policy author	Policy approver	CISO drafts; CTO approves

SoD violations flagged during Monthly Access Reviews and resolved within 5 business days.

5.3 Authority Boundaries

• No individual may approve their own access elevation, expense, or policy exception
• Production database access requires approval from both CTO and CISO
• API keys with production write access provisioned only through Doppler with audit logging
• Emergency “break glass” procedures require post-action review within 24 hours

6. Competence and Development (CC1.4)

6.1 Security Competence Requirements

Role	Required Competencies	Validation
CISO	Risk management, incident response, SOC 2 / ISO 27001 frameworks, vendor assessment	CISSP, CISM, or demonstrated equivalent experience
Engineering Lead	Secure coding, infrastructure security, cloud security, identity management	Code review quality and architecture decisions
Engineers	OWASP Top 10, secure SDLC, dependency management, secret handling	Security awareness training; code review participation
All Personnel	Phishing identification, password hygiene, data classification, incident reporting	Security awareness training completion

6.2 Training Program

Training	Audience	Frequency	Deadline
Security awareness onboarding	New hires	Within 30 days of start	Mandatory
Annual security awareness refresher	All personnel	Annually	End of Q1
Secure development training	Engineering team	Annually	End of Q1
Incident response tabletop exercise	CISO, Engineering Lead, on-call	Annually	Per Incident Response Plan
Policy review acknowledgment	All personnel	Upon policy update	Within 14 days

Non-completion escalated to CTO after deadline.

6.3 Performance and Accountability

• Security responsibilities included in all role descriptions
• Incident handling quality considered in engineering performance reviews
• Repeated failure to complete training or follow security procedures addressed per the Information Security Policy

7. External Requirements (CC1.5)

7.1 Regulatory and Contractual Obligations

Requirement	Applicability	Monitoring Mechanism
SOC 2 Type II	Customer contractual requirement	Annual audit; continuous compliance automation
GDPR	EU customer data processing	Data Classification Policy; DPA with sub-processors
CCPA/CPRA	California resident data	Data Classification Policy; privacy notice; data subject request procedures
Customer contracts	Security requirements in MSAs and DPAs	Vendor Management Policy; contract review by CISO
PCI DSS	Not applicable — Stripe handles all payment processing (PCI Level 1 certified)	N/A

7.2 Regulatory Change Monitoring

• CISO monitors regulatory changes via legal counsel advisories, industry associations, and customer notifications
• Material changes trigger a targeted risk assessment within 30 days
• Required policy updates implemented within 90 days

7.3 External Communication

• Customer security inquiries directed to the CISO
• SOC 2 reports provided to customers under NDA upon request
• Security incidents affecting customers communicated per Incident Response Plan notification procedures
• Regulatory notifications managed by CISO with legal counsel

8. Control Environment Integrity

8.1 Policy Framework

Policy	Primary CC Coverage
Governance and Organization Policy (this document)	CC1.1–CC1.5, CC2.1–CC2.3
Information Security Policy	CC1.1–CC1.3, CC4.1
Risk Management Policy	CC3.1–CC3.4, CC9.1–CC9.2
Access Control Policy	CC6.1–CC6.3, CC6.5
Change Management Policy	CC8.1
Incident Response Plan	CC7.2–CC7.4
Backup and Recovery Policy	CC7.1, CC7.5
Data Classification Policy	CC6.7
Vendor Management Policy	CC9.1–CC9.2
Acceptable Use Policy	CC5.3, CC6.1, CC6.4
Segregation of Duties Matrix	CC5.1–CC5.2

8.2 Policy Lifecycle

1. Draft — CISO drafts or revises based on risk assessment, regulatory requirements, or operational needs
2. Review — Reviewer evaluates for completeness, accuracy, and alignment
3. Approval — CTO approves via pull request review in m7-security repository
4. Publication — Merged to main and published via Git release with generated PDF
5. Communication — Personnel notified and acknowledge receipt
6. Review — Annual review; ad-hoc review upon triggering events

8.3 Exception Management

• Exceptions requested in writing (GitHub issue in m7-security)
• CTO approval required with documented business justification
• All exceptions time-limited (maximum 90 days) with a defined remediation plan
• Active exceptions reviewed at each quarterly risk posture briefing
• Expired, unremediated exceptions treated as policy violations

9. Policy Review

Annual review or upon significant organizational, business, or regulatory changes. CISO initiates; CTO approves all substantive changes.

10. Related Policies

• Information Security Policy
• Risk Management Policy
• Access Control Policy
• Change Management Policy
• Incident Response Plan
• Data Classification Policy
• Vendor Management Policy
• Acceptable Use Policy
• Backup and Recovery Policy

---

Meridian Seven — Confidential