OBJECTIVE 5.1

Summarize elements of effective security governance

Governance is the framework that ensures security decisions are made deliberately, consistently, and in alignment with business objectives. Without governance, security is ad hoc — individuals making inconsistent decisions without accountability.

Governance Structures

Boards and Committees

  • Board of Directors: Ultimate accountability for organizational risk, including cybersecurity
  • Security Steering Committee: Cross-functional group (IT, legal, HR, business units) that sets security priorities and resolves conflicts
  • Exam context: Know that security governance ultimately reports to executive leadership, not just IT

Roles and Responsibilities

  • CISO (Chief Information Security Officer): Owns the security program. Reports to the CIO, CEO, or board depending on organizational maturity.
  • Data Owner: Business executive responsible for a data set. Decides classification and authorized access.
  • Data Custodian: IT staff responsible for implementing the controls the data owner defines. Manages backups, encryption, access enforcement.
  • Data Processor: Entity that processes data on behalf of the data controller (often a third party).
  • Data Controller: Entity that determines the purposes and means of data processing.

Exam trap: Data owner ≠ data custodian. The owner makes policy decisions; the custodian implements them technically.

Policies, Standards, Procedures, and Guidelines

Policies

High-level statements of management intent. Mandatory. Define what the organization will do.

  • “All systems must use encrypted communications for sensitive data.”
  • Approved by senior management. Broad in scope. Changed infrequently.

Standards

Specific, mandatory requirements that implement policies. Define how.

  • “Encrypted communications must use TLS 1.2 or higher.”
  • Measurable and enforceable. More technical detail than policies.

Procedures

Step-by-step instructions for performing a specific task.

  • “To configure TLS on the web server: 1) Open the configuration file… 2) Set the minimum protocol version…”
  • Detailed, operational. Updated as technology changes.

Guidelines

Recommendations and best practices. Not mandatory.

  • “It is recommended to use TLS 1.3 where supported.”
  • Flexible. Provide direction without strict requirements.

Hierarchy

Policies → Standards → Procedures → Guidelines (mandatory → recommended)
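The TLS example above runs through all four levels: the policy demands encryption, the standard sets the measurable floor (TLS 1.2 or higher), the procedure edits the server configuration, and the guideline recommends TLS 1.3. The following check turns the standard and guideline into something auditable. It is an added example, not part of the original study notes: it assumes an nginx-style ssl_protocols directive, and the two configuration fragments it checks are constructed for illustration.

```python
"""Check a web server config against the TLS standard and guideline above.

Added example, not part of the original notes. Assumes nginx-style
``ssl_protocols`` syntax; the sample configs at the bottom are constructed.
"""
import re
from dataclasses import dataclass, field

# The standard (mandatory): nothing below TLS 1.2 may be enabled.
MINIMUM_ALLOWED = "TLSv1.2"
# The guideline (recommended): enable TLS 1.3 where supported.
RECOMMENDED = "TLSv1.3"

# Ordering used to compare versions. SSLv2/SSLv3 are listed because legacy
# configs still reference them.
VERSION_ORDER = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]


@dataclass
class Finding:
    level: str      # "violation" (breaks the standard) or "advisory" (misses the guideline)
    message: str


@dataclass
class CheckResult:
    enabled: list
    findings: list = field(default_factory=list)

    @property
    def compliant(self):
        # Only violations of the mandatory standard make a config non-compliant;
        # advisories are reported but do not fail the check.
        return not any(f.level == "violation" for f in self.findings)


def parse_ssl_protocols(config_text):
    """Return the protocol list from the last ssl_protocols directive, or None if absent."""
    protocols = None
    for line in config_text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments and indentation
        m = re.match(r"ssl_protocols\s+(.+?)\s*;$", line)
        if m:
            protocols = m.group(1).split()            # last directive wins, as in nginx
    return protocols


def check_tls_config(config_text):
    enabled = parse_ssl_protocols(config_text)
    result = CheckResult(enabled=enabled or [])
    if enabled is None:
        # An absent directive leaves the minimum to the binary's compiled-in
        # default, which is not evidence that the standard is met. This example
        # treats "not explicitly set" as a violation (fail closed).
        result.findings.append(Finding("violation", "no ssl_protocols directive; minimum version not enforced"))
        return result
    min_idx = VERSION_ORDER.index(MINIMUM_ALLOWED)
    for proto in enabled:
        if proto not in VERSION_ORDER:
            result.findings.append(Finding("violation", f"unknown protocol token {proto!r}"))
        elif VERSION_ORDER.index(proto) < min_idx:
            result.findings.append(Finding("violation", f"{proto} enabled; standard requires {MINIMUM_ALLOWED} or higher"))
    if RECOMMENDED not in enabled:
        result.findings.append(Finding("advisory", f"{RECOMMENDED} not enabled; guideline recommends it where supported"))
    return result


# Constructed sample configs (not from any real server).
WEAK_CONFIG = """
server {
    listen 443 ssl;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;   # legacy clients still allowed
}
"""
HARDENED_CONFIG = """
server {
    listen 443 ssl;
    ssl_protocols TLSv1.2 TLSv1.3;
}
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        r = check_tls_config(cfg)
        print(f"{name}: compliant={r.compliant}")
        for f in r.findings:
            print(f"  [{f.level}] {f.message}")
```

The split between `violation` and `advisory` is the point: a standard is something you can fail, a guideline is something you can only be nudged toward, and an audit script should keep that distinction rather than flattening everything into warnings.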

Key Policy Types

Acceptable Use Policy (AUP)

Defines what users can and cannot do with organizational resources.

  • Internet usage, email usage, personal device usage, social media
  • Must be acknowledged by all users (typically during onboarding)

Information Security Policy

Overarching policy defining the organization’s security posture, objectives, and responsibilities.

Business Continuity Policy

Requirements for maintaining operations during and after a disruption.

Disaster Recovery Policy

Requirements for restoring IT systems and data after a disaster.

Incident Response Policy

Defines what constitutes a security incident and how the organization will respond.

Change Management Policy

Requirements for how changes to systems and processes are proposed, reviewed, approved, and implemented.

Data Classification Policy

Defines classification levels and handling requirements for each level.

Frameworks and Standards

NIST Cybersecurity Framework (CSF)

Six core functions in CSF 2.0 (2024): Govern, Identify, Protect, Detect, Respond, Recover. CSF 1.1 had five; Govern was added in 2.0 to make governance an explicit, cross-cutting function rather than an assumption behind the others.

  • Voluntary framework widely adopted in the US
  • Risk-based approach — adapt to your organization’s needs

ISO 27001/27002

  • 27001: Requirements for an Information Security Management System (ISMS). The standard an organization is certified against.
  • 27002: Implementation guidance for the controls listed in 27001 Annex A. Guidance only, not certifiable on its own.
  • International standard. Common in organizations with global operations or customers that require certification evidence.

CIS Controls

Prioritized set of cybersecurity best practices organized by implementation group (IG1, IG2, IG3).

  • IG1: Essential cyber hygiene (the minimum)
  • Prescriptive and actionable — good for organizations starting their security program

COBIT

Framework for IT governance and management. Bridges business requirements and IT goals.

CSA Cloud Controls Matrix (CCM)

Cloud-specific security controls framework. Maps to other frameworks (ISO 27001/27002, NIST, PCI DSS).

SDLC Governance

Security must be integrated into the Software Development Lifecycle, not bolted on after deployment.

Security Checkpoints by Phase

  • Requirements: security requirements defined, threat modeling, privacy impact assessment
  • Design: secure design review, architecture risk analysis
  • Implementation: secure coding standards, peer review, SAST (static analysis of source code for vulnerabilities)
  • Testing: DAST (dynamic testing of the running application), penetration testing, SCA (software composition analysis: identifying vulnerable third-party dependencies)
  • Deployment: configuration review, hardening verification, change management approval
  • Maintenance: patch management, vulnerability scanning, incident response

  • Each phase has a gate; work doesn’t proceed until security criteria are met
  • DevSecOps automates these gates into CI/CD pipelines (SAST in PR checks, SCA in the build, DAST in staging)
  • Governance defines who can approve gate passage and what evidence is required
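What “who can approve gate passage and what evidence is required” looks like once it is automated: the gate evaluates scanner findings against a severity threshold, and the only way past a blocking finding is a documented exception granted by a role the governance body has authorized, with an expiry date and a reference to where the risk acceptance is recorded. This is an added example, not part of the original notes or of any particular CI/CD product; the finding format, the threshold, the approver roles, the exception schema and the sample findings and ticket reference are all constructed for illustration.

```python
"""CI/CD security gate with governed exceptions.

Added example, not part of the original notes. The scanner output format,
the gate threshold, the approver roles and the exception record are all
assumptions for illustration; the findings and exception below are constructed.
"""
from dataclasses import dataclass
from datetime import date

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Gate policy. Governance decides these values, not the pipeline author.
BLOCKING_SEVERITY = "high"                       # findings at or above this block the gate
EXCEPTION_APPROVER_ROLES = {"ciso", "security-steering-committee"}  # who may accept residual risk


@dataclass(frozen=True)
class Finding:
    tool: str          # "sast", "sca" or "dast"
    rule_id: str
    severity: str
    location: str      # file:line for SAST, lockfile/package for SCA, URL path for DAST


@dataclass(frozen=True)
class RiskException:
    rule_id: str
    location: str
    approver_role: str
    expires: date
    ticket: str        # evidence: where the risk acceptance decision is documented


def exception_covers(exc, finding, today):
    """True only if the exception matches this exact finding, was granted by an
    authorized role, and has not expired. Blanket or self-granted exceptions never apply."""
    return (exc.rule_id == finding.rule_id
            and exc.location == finding.location
            and exc.approver_role in EXCEPTION_APPROVER_ROLES
            and today <= exc.expires)


def evaluate_gate(findings, exceptions, today):
    """Return (passed, blocking_findings, accepted_pairs).

    accepted_pairs lists (finding, exception) so the pipeline log records which
    authority accepted which risk, i.e. the decision stays traceable.
    """
    threshold = SEVERITY_RANK[BLOCKING_SEVERITY]
    max_rank = max(SEVERITY_RANK.values())
    blocking, accepted = [], []
    for f in findings:
        # Unknown severity strings are treated as the highest rank (fail closed);
        # a scanner producing unexpected output should stop the build, not slip through.
        if SEVERITY_RANK.get(f.severity, max_rank) < threshold:
            continue
        covering = [e for e in exceptions if exception_covers(e, f, today)]
        if covering:
            accepted.append((f, covering[0]))
        else:
            blocking.append(f)
    return len(blocking) == 0, blocking, accepted


# Constructed scanner output and exception record (not from a real project).
FINDINGS = [
    Finding("sast", "sast/sql-injection", "high", "app/db.py:42"),
    Finding("sca", "sca/vulnerable-dependency", "critical", "package-lock.json:example-lib"),
    Finding("dast", "dast/missing-security-headers", "medium", "/login"),
]
EXCEPTIONS = [
    # The CISO accepted the dependency risk until year end, tracked in a (hypothetical) ticket.
    RiskException("sca/vulnerable-dependency", "package-lock.json:example-lib",
                  "ciso", date(2025, 12, 31), "RISK-0042"),
]

if __name__ == "__main__":
    passed, blocking, accepted = evaluate_gate(FINDINGS, EXCEPTIONS, date(2025, 6, 1))
    print("gate passed:", passed)
    for f in blocking:
        print(f"  BLOCK {f.tool} {f.rule_id} {f.severity} at {f.location}")
    for f, e in accepted:
        print(f"  ACCEPTED {f.rule_id} at {f.location} by {e.approver_role} ({e.ticket}, expires {e.expires})")
```

Two design choices matter here. Exceptions are keyed to a specific finding and location, so accepting one vulnerable dependency does not silently accept the next one that matches the same rule, and they expire, so the risk acceptance has to be renewed by someone with the authority to do so rather than living forever in the pipeline config.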

Centralized vs. Decentralized Governance

CompTIA explicitly tests this distinction.

Centralized
  • Decision authority: single security team / CISO
  • Policy consistency: uniform across the organization
  • Speed: slower (bottleneck risk)
  • Accountability: clear chain
  • Best for: regulated industries, small/mid-size organizations

Decentralized
  • Decision authority: distributed to business units
  • Policy consistency: may vary by unit
  • Speed: faster (local decisions)
  • Accountability: can be ambiguous
  • Best for: large enterprises, diverse business units

Most organizations use a hybrid model: centralized policy and standards, decentralized implementation and day-to-day decisions. The security team sets the rules; business units execute within those rules.

External Considerations

Governance doesn’t exist in a vacuum. External factors shape what policies are required:

Regulatory Bodies

  • Federal: FTC, SEC, HHS/OCR (HIPAA enforcement), CISA
  • International: EU Data Protection Authorities (GDPR), UK ICO
  • Industry: PCI SSC (payment cards), NERC (electric utilities, via the CIP standards)
  • Organizations must monitor regulatory changes and update governance accordingly

Geographic and Jurisdictional

  • Data sovereignty: Data is subject to the laws of the jurisdiction where it is stored or processed, regardless of where the organization is headquartered
  • Cross-border transfers: GDPR restricts transfers of personal data outside the EU/EEA unless adequate protections are in place (adequacy decisions, Standard Contractual Clauses, Binding Corporate Rules)
  • Conflicting requirements: One country’s mandatory retention may conflict with another’s deletion requirements; governance must decide how the conflict is resolved and document it
  • State-level variation: The US has no comprehensive federal privacy law (only sector-specific ones such as HIPAA and GLBA), and every state has its own breach notification law with different triggers and deadlines

Industry-Specific

  • Healthcare: HIPAA, HITECH
  • Financial services: GLBA, SOX, PCI DSS, FFIEC guidance
  • Government/defense: NIST SP 800-171, CMMC, FedRAMP, ITAR
  • Education: FERPA
  • Governance must identify which industry requirements apply and ensure policies address them

Governance Committee Operations

Composition

  • Cross-functional: security, IT, legal, HR, business unit representatives, privacy officer
  • Not just technical staff — business context is essential for risk decisions
  • Executive sponsor provides authority and budget

Decision-Making

  • Risk acceptance authority: who can accept residual risk and at what level
  • Exception process: how deviations from policy are requested, reviewed, and documented
  • Escalation path: unresolved disagreements go up, not sideways

Cadence

  • Regular meetings (monthly or quarterly) to review security posture, incidents, metrics
  • Ad hoc sessions for urgent issues (active incidents, zero-day disclosures, regulatory changes)
  • Minutes documented — governance decisions must be traceable

Monitoring and Revision

Governance isn’t static. Regular review ensures policies stay relevant:

  • Annual policy reviews at minimum
  • Reviews triggered by significant incidents, regulatory changes, or business changes
  • Metrics and KPIs to measure program effectiveness (patch compliance rate, mean time to detect (MTTD), training completion rate)

Offensive Context

Governance gaps are the preconditions for breaches. An organization without a data classification policy treats all data the same — which means sensitive data gets the same weak protections as public data. Without change management, unauthorized changes blend in with authorized ones. Without defined roles, nobody owns the security of critical systems. Attackers don’t need to defeat strong controls if governance failures mean the controls were never implemented consistently in the first place.