Which group must have information security responsibilities clearly defined in the security policy and procedures?

Multiple Choice

Which group must have information security responsibilities clearly defined in the security policy and procedures?

Explanation:
All personnel must have information security responsibilities clearly defined in the security policy and procedures. This ensures accountability and consistent security behavior for anyone who could affect the cardholder data environment, not just IT staff. When the policy covers everyone—employees, contractors, temporary workers, and vendors—it clarifies who is responsible for what: who handles access requests and revocations, who reports incidents, who conducts training, who manages data handling and device security, and who enforces requirements. Without this broad definition, gaps can occur where individuals or groups assume someone else will handle security tasks, leading to potential risks. Including external contractors and vendors under the same policy ensures their actions align with the organization’s security expectations, with clear responsibilities and contractual obligations. This holistic approach supports effective accountability, enforcement, and consistent adherence to security practices across the organization.
