Summarize elements of effective security governance
Governance is the framework that ensures security decisions are made deliberately, consistently, and in alignment with business objectives. Without governance, security is ad hoc — individuals making inconsistent decisions without accountability.
Governance Structures
Boards and Committees
- Board of Directors: Ultimate accountability for organizational risk, including cybersecurity
- Security Steering Committee: Cross-functional group (IT, legal, HR, business units) that sets security priorities and resolves conflicts
- Exam context: Know that security governance ultimately reports to executive leadership, not just IT
Roles and Responsibilities
- CISO (Chief Information Security Officer): Owns the security program. Reports to CIO, CEO, or board depending on org maturity.
- Data Owner: Business executive responsible for a data set. Decides classification and authorized access.
- Data Custodian: IT staff responsible for implementing the controls the data owner defines. Manages backups, encryption, access enforcement.
- Data Processor: Entity that processes data on behalf of the data controller (often a third party).
- Data Controller: Entity that determines the purposes and means of data processing.
Exam trap: Data owner ≠ data custodian. The owner makes policy decisions; the custodian implements them technically.
Policies, Standards, Procedures, and Guidelines
Policies
High-level statements of management intent. Mandatory. Define what the organization will do.
- “All systems must use encrypted communications for sensitive data.”
- Approved by senior management. Broad in scope. Changed infrequently.
Standards
Specific, mandatory requirements that implement policies. Define how.
- “Encrypted communications must use TLS 1.2 or higher.”
- Measurable and enforceable. More technical detail than policies.
Procedures
Step-by-step instructions for performing a specific task.
- “To configure TLS on the web server: 1) Open the configuration file… 2) Set the minimum protocol version…”
- Detailed, operational. Updated as technology changes.
Guidelines
Recommendations and best practices. Not mandatory.
- “It is recommended to use TLS 1.3 where supported.”
- Flexible. Provide direction without strict requirements.
Hierarchy
Policies → Standards → Procedures are all mandatory and grow more specific at each step (intent → requirement → steps). Guidelines sit alongside them as recommendations; they are the only layer that is optional.
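What makes a standard different from a guideline in practice is that the standard can be tested and a failure is a finding, while the guideline only produces advice. The following Python script is added here as an illustration and is not part of the original page: it evaluates nginx-style ssl_protocols directives (the directive name and its TLSv1.x / SSLv3 tokens are real nginx syntax; the three server configs it checks are constructed samples, not taken from any deployment) against the example standard above (TLS 1.2 or higher, mandatory) and the example guideline (TLS 1.3 where supported, advisory).

```python
"""Check web-server TLS settings against a mandatory standard and an
advisory guideline. Added illustration, not from the page: assumes
nginx-style 'ssl_protocols' directives and uses constructed sample
configs."""
import re

# Standard (mandatory): "Encrypted communications must use TLS 1.2 or higher."
STANDARD_MIN_VERSION = (1, 2)
# Guideline (recommended): "It is recommended to use TLS 1.3 where supported."
GUIDELINE_VERSION = (1, 3)

# nginx protocol tokens: SSLv2, SSLv3, TLSv1, TLSv1.1, TLSv1.2, TLSv1.3
_PROTO_RE = re.compile(r"^(SSLv(?P<ssl>[23])|TLSv1(?:\.(?P<minor>[0-3]))?)$")


def parse_ssl_protocols(config_text: str) -> list:
    """Return the protocol versions enabled by the first ssl_protocols directive.

    Versions are (major, minor) tuples; SSLv2/SSLv3 map to (0, 2)/(0, 3) so
    they always compare lower than any TLS version. An empty list means no
    directive was found (the server would fall back to its compiled-in
    default, which this check treats as "not demonstrated compliant").
    """
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop trailing comments
        if not line.startswith("ssl_protocols"):
            continue
        tokens = line.rstrip(";").split()[1:]
        versions = []
        for tok in tokens:
            m = _PROTO_RE.match(tok)
            if not m:
                raise ValueError(f"unrecognised protocol token: {tok!r}")
            if m.group("ssl"):
                versions.append((0, int(m.group("ssl"))))
            else:
                versions.append((1, int(m.group("minor") or 0)))  # TLSv1 == TLS 1.0
        return versions
    return []


def assess(config_text: str) -> dict:
    """Evaluate one server block.

    Anything below the standard is a violation that must be fixed; the
    guideline result is advisory and never fails the assessment on its own.
    """
    enabled = parse_ssl_protocols(config_text)
    below_standard = [v for v in enabled if v < STANDARD_MIN_VERSION]
    return {
        "enabled": enabled,
        "meets_standard": bool(enabled) and not below_standard,
        "standard_violations": below_standard,
        "follows_guideline": GUIDELINE_VERSION in enabled,
    }


# Constructed sample configs (hypothetical, for illustration only).
LEGACY_CONFIG = """
server {
    listen 443 ssl;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;   # still offers TLS 1.0 and 1.1
}
"""
COMPLIANT_CONFIG = """
server {
    listen 443 ssl;
    ssl_protocols TLSv1.2;                 # meets the standard, skips the guideline
}
"""
RECOMMENDED_CONFIG = """
server {
    listen 443 ssl;
    ssl_protocols TLSv1.2 TLSv1.3;         # meets the standard and the guideline
}
"""

if __name__ == "__main__":
    samples = [("legacy", LEGACY_CONFIG),
               ("compliant", COMPLIANT_CONFIG),
               ("recommended", RECOMMENDED_CONFIG)]
    for name, cfg in samples:
        r = assess(cfg)
        if not r["meets_standard"]:
            verdict = f"FAIL standard: {r['standard_violations']} below TLS 1.2"
        elif not r["follows_guideline"]:
            verdict = "PASS standard; ADVISORY: TLS 1.3 not enabled"
        else:
            verdict = "PASS standard and guideline"
        print(f"{name:12s} {verdict}")
```

The point of the split in assess() is governance, not TLS: a standard violation is a compliance finding with an owner and a deadline, while a guideline miss is feedback. A real audit job would read the live server configuration or probe the listener rather than embedded strings.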
Key Policy Types
Acceptable Use Policy (AUP)
Defines what users can and cannot do with organizational resources.
- Internet usage, email usage, personal device usage, social media
- Must be acknowledged by all users (typically during onboarding)
Information Security Policy
Overarching policy defining the organization’s security posture, objectives, and responsibilities.
Business Continuity Policy
Requirements for maintaining operations during and after a disruption.
Disaster Recovery Policy
Requirements for restoring IT systems and data after a disaster.
Incident Response Policy
Defines what constitutes a security incident and how the organization will respond.
Change Management Policy
Requirements for how changes to systems and processes are proposed, reviewed, approved, and implemented.
Data Classification Policy
Defines classification levels and handling requirements for each level.
Frameworks and Standards
NIST Cybersecurity Framework (CSF)
Core functions: Identify, Protect, Detect, Respond, Recover. CSF 1.1 defined these five; CSF 2.0 (2024) added Govern as a sixth function that spans the others. Know all six, but expect exam material to reference the original five.
- Voluntary framework widely adopted in the US
- Risk-based approach — adapt to your organization’s needs
ISO 27001/27002
- 27001: Requirements for an Information Security Management System (ISMS). Certifiable.
- 27002: Implementation guidance for the controls listed in 27001 Annex A. Not certifiable on its own.
- International standard. Common in organizations with global operations.
CIS Controls
Prioritized set of cybersecurity best practices organized by implementation group (IG1, IG2, IG3).
- IG1: Essential cyber hygiene (the minimum)
- Prescriptive and actionable — good for organizations starting their security program
COBIT
Framework for IT governance and management. Bridges business requirements and IT goals.
CSA Cloud Controls Matrix (CCM)
Cloud-specific security controls framework. Maps to other frameworks (ISO, NIST, PCI).
Monitoring and Revision
Governance isn’t static. Regular review ensures policies stay relevant:
- Annual policy reviews at minimum
- Reviews triggered by significant incidents, regulatory changes, or business changes
- Metrics and KPIs to measure program effectiveness (patch compliance rate, mean time to detect (MTTD), security training completion rate)
Offensive Context
Governance gaps are the preconditions for breaches. An organization without a data classification policy treats all data the same — which means sensitive data gets the same weak protections as public data. Without change management, unauthorized changes blend in with authorized ones. Without defined roles, nobody owns the security of critical systems. Attackers don’t need to defeat strong controls if governance failures mean the controls were never implemented consistently in the first place.