DOMAIN 5.0 20% of exam

Security Program Management & Oversight

Governance, risk, and compliance. Six objectives covering security governance (policies, standards, procedures, and frameworks such as the NIST CSF and ISO 27001), risk management (quantitative and qualitative assessment, SLE/ALE calculations, risk response strategies, BIA), third-party risk (vendor assessment, supply chain security, agreements), compliance frameworks (GDPR, HIPAA, PCI-DSS, SOX), audits and assessments (vulnerability scanning, penetration testing, internal/external audits), and security awareness practices.

Terms used above:

NIST (National Institute of Standards and Technology) — US standards body; publishes the CSF and the SP 800 series.
CSF (Cybersecurity Framework) — NIST framework with five functions: Identify, Protect, Detect, Respond, Recover.
ISO (International Organization for Standardization) — publishes the ISO 27001/27002 security standards.
SLE (Single Loss Expectancy) — dollar loss per incident (AV x EF).
ALE (Annualized Loss Expectancy) — expected yearly financial loss (SLE x ARO).
BIA (Business Impact Analysis) — identifies critical functions and the impact of their disruption.
GDPR (General Data Protection Regulation) — EU data privacy regulation.
HIPAA (Health Insurance Portability and Accountability Act) — US healthcare data protection law.
PCI-DSS (Payment Card Industry Data Security Standard) — credit card data protection standard.
SOX (Sarbanes-Oxley Act) — US financial reporting controls law.
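The SLE/ALE arithmetic above only becomes useful when it drives a risk response decision, so the following added example (not part of the original page or of any exam material) carries the quantitative assessment through to the standard safeguard cost-benefit test: a control is worth buying when the ALE it removes exceeds its annual cost. The asset values, exposure factors, ARO figures and safeguard names are constructed for illustration and are not real data.

```python
"""Quantitative risk assessment: SLE, ALE and safeguard cost-benefit.

Added example; all figures are constructed. Formulas:
  SLE = AV x EF          (loss per incident)
  ALE = SLE x ARO        (expected loss per year)
  safeguard value = (ALE before) - (ALE after) - (annual cost of safeguard)
"""
from dataclasses import dataclass


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV x EF. EF is the fraction of the asset's value lost in one incident (0..1)."""
    if asset_value < 0:
        raise ValueError("asset value cannot be negative")
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO. ARO is incidents per year; 0.1 means roughly once a decade."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle * aro


@dataclass(frozen=True)
class Safeguard:
    """A candidate control and the residual risk it leaves behind (hypothetical values)."""
    name: str
    annual_cost: float
    residual_exposure_factor: float  # EF after the control is in place
    residual_aro: float              # ARO after the control is in place


def safeguard_value(asset_value: float, ef: float, aro: float, safeguard: Safeguard) -> float:
    """Net annual value of a control: (ALE before - ALE after) - annual cost.

    Positive: the control pays for itself (mitigate).
    Negative: it costs more than the risk it removes (accept or transfer instead).
    """
    ale_before = annualized_loss_expectancy(single_loss_expectancy(asset_value, ef), aro)
    ale_after = annualized_loss_expectancy(
        single_loss_expectancy(asset_value, safeguard.residual_exposure_factor),
        safeguard.residual_aro,
    )
    return ale_before - ale_after - safeguard.annual_cost


def rank_safeguards(asset_value: float, ef: float, aro: float, candidates: list[Safeguard]) -> list[tuple[str, float]]:
    """Return (name, net value) pairs, best first, so the risk owner can pick a response."""
    scored = [(s.name, safeguard_value(asset_value, ef, aro, s)) for s in candidates]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


def risk_response(net_value: float) -> str:
    """Map a safeguard's net value onto the Security+ risk response vocabulary."""
    return "mitigate" if net_value > 0 else "accept or transfer"


# Constructed scenario: a customer database worth $1,000,000 (AV), a breach
# exposes 30% of its value (EF) and is expected every two years (ARO 0.5).
ASSET_VALUE = 1_000_000.0
EXPOSURE_FACTOR = 0.3
ARO = 0.5

# Hypothetical controls and the residual risk each leaves.
CANDIDATES = [
    Safeguard("DLP plus encryption at rest", annual_cost=40_000.0,
              residual_exposure_factor=0.1, residual_aro=0.5),
    Safeguard("Premium WAF subscription", annual_cost=120_000.0,
              residual_exposure_factor=0.3, residual_aro=0.2),
]

if __name__ == "__main__":
    sle = single_loss_expectancy(ASSET_VALUE, EXPOSURE_FACTOR)
    print(f"SLE = ${sle:,.0f}  ALE = ${annualized_loss_expectancy(sle, ARO):,.0f}")
    for name, value in rank_safeguards(ASSET_VALUE, EXPOSURE_FACTOR, ARO, CANDIDATES):
        print(f"{name:32s} net ${value:>10,.0f}  -> {risk_response(value)}")
```

In the constructed scenario SLE is $300,000 and ALE $150,000; the DLP control removes $100,000 of ALE for $40,000 a year (net +$60,000, mitigate), while the WAF removes $90,000 of ALE for $120,000 a year (net -$30,000), so the risk would be accepted or transferred rather than mitigated with that control.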

Objective 5.6 (“Given a scenario, implement security awareness practices”) is the PBQ target — phishing campaign design, anomalous behavior recognition, user training program development, and security awareness metrics.

The offensive angle: social engineering awareness runs deeper when you understand how pretexting and manipulation work from the attacker’s side. Compliance and vendor evaluation are more effective when informed by actual threat modeling rather than checkbox exercises. Risk management from the attacker’s perspective is target selection — making your org an expensive target with low payoff is the goal.

OBJECTIVES

LABS