DOMAIN 5.0 (20% of exam)

Security Program Management & Oversight

Governance, risk, and compliance. This domain has six objectives covering security governance (policies, standards, procedures, and frameworks such as NIST CSF and ISO 27001), risk management (quantitative and qualitative assessment, SLE/ALE calculations, risk response strategies, BIA), third-party risk (vendor assessment, supply chain security, agreements), compliance frameworks (GDPR, HIPAA, PCI-DSS, SOX), audits and assessments (vulnerability scanning, penetration testing, internal/external audits), and security awareness practices.

Objective 5.6 (“Given a scenario, implement security awareness practices”) is the PBQ target: phishing campaign design, anomalous behavior recognition, user training program development, and security awareness metrics.

The offensive angle: social engineering awareness runs deeper when you understand how pretexting and manipulation work from the attacker’s side. Compliance and vendor evaluation are more effective when informed by actual threat modeling rather than checkbox exercises. Risk management from the attacker’s perspective is target selection — making your org an expensive target with low payoff is the goal.

OBJECTIVES