Adjust RACI

DFE-Digital · Dec 20, 2024 · d115895 · d115895
1 parent 5aae05a
commit d115895
Showing 1 changed file with 12 additions and 12 deletions.
diff --git a/docs/policies/vulnerability_management_policy.md b/docs/policies/vulnerability_management_policy.md
@@ -38,18 +38,18 @@ The digital service teams and portfolios are responsible for ensuring they mitig
 
 ### Responsibile Accountable Consulted Informed (RACI) matrix
 
-| Tasks                               | CISO  | SROs  | Developers/DevOps | Vulnerability Management team |
-| ----------------------------------- | ------| ----- | ----------------- | ----------------------------- |
-| Patching Azure servers              | A     | A     | R                 | C                             |
-| Patching software dependencies      | A     | A     | R                 | C                             |
-| Patching container images           | A     | A     | R                 | C                             |
-| Fixing SAST vulnerabilities         | A     | A     | R                 | C                             |
-| Fixing DAST vulnerabilities         | A     | A     | R                 | C                             |
-| Fixing VDP reported vulnerabilities | A     | A     | R                 | I                             |
-| Risk management and appetite        | A     | R     | C                 | C                             |
-| Prioritisation of remediation       | A     | R     | C                 | C                             |
-| Monitoring for vulnerabilities      | A     | A     | R                 | R                             |
-| Organisation penetration tests      | A     | R/A   | C                 | I                             |
+| Tasks                               | CISO  | SROs  | Developers/DevOps | Vulnerability management team | Delivery managers (portfolio) | Architects |
+| ----------------------------------- | ----- | ----- | ----------------- | ----------------------------- | ----------------------------- | ---------- |
+| Patching Azure servers              | A     | A     | R                 | C                             | I                             | C          |
+| Patching software dependencies      | A     | A     | R                 | C                             | I                             | C          |
+| Patching container images           | A     | A     | R                 | C                             | I                             | C          |
+| Fixing SAST vulnerabilities         | A     | A     | R                 | C                             | I                             | C          |
+| Fixing DAST vulnerabilities         | A     | A     | R                 | C                             | I                             | C          |
+| Fixing VDP reported vulnerabilities | A     | A     | R                 | I                             | I                             | C          |
+| Risk management and appetite        | A     | R     | C                 | C                             | I                             | C          |
+| Prioritisation of remediation       | A     | R     | C                 | C                             | I                             | C          |
+| Monitoring for vulnerabilities      | A     | A     | R                 | R                             | I                             | C          |
+| Organisation penetration tests      | A     | A     | C                 | I                             | I                             | C          |
 
 ## Other responsible owners