Have you defined and documented all security-related roles and responsibilities in your organisation?