From d11589595e967fd3e40466388357404412006b4b Mon Sep 17 00:00:00 2001
From: pritchyspritch <47423802+pritchyspritch@users.noreply.github.com>
Date: Fri, 20 Dec 2024 11:38:07 +0000
Subject: [PATCH] Adjust RACI

---
 .../vulnerability_management_policy.md | 24 +++++++++----------
 1 file changed, 12 insertions(+), 12 deletions(-)

diff --git a/docs/policies/vulnerability_management_policy.md b/docs/policies/vulnerability_management_policy.md
index df82ff3..f424036 100644
--- a/docs/policies/vulnerability_management_policy.md
+++ b/docs/policies/vulnerability_management_policy.md
@@ -38,18 +38,18 @@ The digital service teams and portfolios are responsible for ensuring they mitig
 ### Responsibile Accountable Consulted Informed (RACI) matrix
-| Tasks | CISO | SROs | Developers/DevOps | Vulnerability Management team |
-| ----------------------------------- | ------| ----- | ----------------- | ----------------------------- |
-| Patching Azure servers | A | A | R | C |
-| Patching software dependencies | A | A | R | C |
-| Patching container images | A | A | R | C |
-| Fixing SAST vulnerabilities | A | A | R | C |
-| Fixing DAST vulnerabilities | A | A | R | C |
-| Fixing VDP reported vulnerabilities | A | A | R | I |
-| Risk management and appetite | A | R | C | C |
-| Prioritisation of remediation | A | R | C | C |
-| Monitoring for vulnerabilities | A | A | R | R |
-| Organisation penetration tests | A | R/A | C | I |
+| Tasks | CISO | SROs | Developers/DevOps | Vulnerability management team | Delivery managers (portfolio) | Architects |
+| ----------------------------------- | ----- | ----- | ----------------- | ----------------------------- | ----------------------------- | ---------- |
+| Patching Azure servers | A | A | R | C | I | C |
+| Patching software dependencies | A | A | R | C | I | C |
+| Patching container images | A | A | R | C | I | C |
+| Fixing SAST vulnerabilities | A | A | R | C | I | C |
+| Fixing DAST vulnerabilities | A | A | R | C | I | C |
+| Fixing VDP reported vulnerabilities | A | A | R | I | I | C |
+| Risk management and appetite | A | R | C | C | I | C |
+| Prioritisation of remediation | A | R | C | C | I | C |
+| Monitoring for vulnerabilities | A | A | R | R | I | C |
+| Organisation penetration tests | A | A | C | I | I | C |
 ## Other responsible owners