OBJECTIVE 5.1: Summarize elements of effective security governance

Governance is the framework that ensures security decisions are made deliberately, consistently, and in alignment with business objectives. Without governance, security is ad hoc — individuals making inconsistent decisions without accountability.

Governance Structures

Boards and Committees

  • Board of Directors: Ultimate accountability for organizational risk, including cybersecurity
  • Security Steering Committee: Cross-functional group (IT, legal, HR, business units) that sets security priorities and resolves conflicts
  • Exam context: Know that security governance ultimately reports to executive leadership, not just IT

Roles and Responsibilities

  • CISO (Chief Information Security Officer): Owns the security program. Reports to CIO, CEO, or board depending on org maturity.
  • Data Owner: Business executive responsible for a data set. Decides classification and authorized access.
  • Data Custodian: IT staff responsible for implementing the controls the data owner defines. Manages backups, encryption, access enforcement.
  • Data Processor: Entity that processes data on behalf of the data controller (often a third party).
  • Data Controller: Entity that determines the purposes and means of data processing.

Exam trap: Data owner ≠ data custodian. The owner makes policy decisions; the custodian implements them technically.

Policies, Standards, Procedures, and Guidelines

Policies

High-level statements of management intent. Mandatory. Define what the organization will do.

  • “All systems must use encrypted communications for sensitive data.”
  • Approved by senior management. Broad in scope. Changed infrequently.

Standards

Specific, mandatory requirements that implement policies. Define how.

  • “Encrypted communications must use TLS 1.2 or higher.”
  • Measurable and enforceable. More technical detail than policies.

Procedures

Step-by-step instructions for performing a specific task.

  • “To configure TLS on the web server: 1) Open the configuration file… 2) Set the minimum protocol version…”
  • Detailed, operational. Updated as technology changes.

Guidelines

Recommendations and best practices. Not mandatory.

  • “It is recommended to use TLS 1.3 where supported.”
  • Flexible. Provide direction without strict requirements.

Hierarchy

Policies → Standards → Procedures → Guidelines (mandatory → recommended)
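The TLS example above maps neatly onto code, which is also the easiest way to see why a standard is "measurable and enforceable" while a guideline is not. The following is an added example, not part of the study guide: a small checker that reads a constructed nginx-style ssl_protocols stanza, reports mandatory violations against the standard (TLS 1.2 or higher), reports a separate advisory against the guideline (TLS 1.3 where supported), and shows the procedure step "set the minimum protocol version" for a Python service. The config text, function names and the nginx directive syntax are assumptions for illustration.

```python
"""Standard vs. guideline as a check (added example; config samples are constructed)."""
import re
import ssl

# Constructed sample configs (assumption: nginx ssl_protocols directive syntax).
WEAK_CONFIG = """
server {
    listen 443 ssl;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}
"""

ONLY_12_CONFIG = """
server {
    listen 443 ssl;
    ssl_protocols TLSv1.2;
}
"""

COMPLIANT_CONFIG = """
server {
    listen 443 ssl;
    ssl_protocols TLSv1.2 TLSv1.3;
}
"""

# The standard sets the mandatory minimum; the guideline adds a recommendation.
MINIMUM_VERSION = (1, 2)      # "TLS 1.2 or higher" (mandatory)
RECOMMENDED_VERSION = (1, 3)  # "TLS 1.3 where supported" (recommended)


def parse_protocols(config_text):
    """Return the set of TLS versions enabled by ssl_protocols, as (major, minor) tuples."""
    m = re.search(r"^\s*ssl_protocols\s+([^;]+);", config_text, re.MULTILINE)
    if not m:
        return set()
    versions = set()
    for tok in m.group(1).split():
        vm = re.fullmatch(r"TLSv(\d)(?:\.(\d))?", tok)  # "TLSv1" means 1.0
        if vm:
            versions.add((int(vm.group(1)), int(vm.group(2) or 0)))
    return versions


def evaluate(config_text):
    """Violations come from the standard (mandatory); advisories from the guideline."""
    enabled = parse_protocols(config_text)
    violations, advisories = [], []
    if not enabled:
        violations.append("no ssl_protocols directive found")
    for major, minor in sorted(v for v in enabled if v < MINIMUM_VERSION):
        violations.append(f"TLSv{major}.{minor} enabled; standard requires 1.2 or higher")
    if enabled and RECOMMENDED_VERSION not in enabled:
        advisories.append("TLSv1.3 not enabled; guideline recommends it where supported")
    return {"compliant": not violations, "violations": violations, "advisories": advisories}


def procedure_context():
    """Procedure step 'set the minimum protocol version', for a Python TLS server."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


if __name__ == "__main__":
    for name, cfg in [("weak", WEAK_CONFIG), ("only-1.2", ONLY_12_CONFIG), ("compliant", COMPLIANT_CONFIG)]:
        print(name, evaluate(cfg))
```

Note the split in the result: a config that allows only TLS 1.2 is compliant with the standard but still receives an advisory from the guideline, which is exactly the mandatory-versus-recommended distinction the hierarchy describes.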

Key Policy Types

Acceptable Use Policy (AUP)

Defines what users can and cannot do with organizational resources.

  • Internet usage, email usage, personal device usage, social media
  • Must be acknowledged by all users (typically during onboarding)

Information Security Policy

Overarching policy defining the organization’s security posture, objectives, and responsibilities.

Business Continuity Policy

Requirements for maintaining operations during and after a disruption.

Disaster Recovery Policy

Requirements for restoring IT systems and data after a disaster.

Incident Response Policy

Defines what constitutes a security incident and how the organization will respond.

Change Management Policy

Requirements for how changes to systems and processes are proposed, reviewed, approved, and implemented.

Data Classification Policy

Defines classification levels and handling requirements for each level.

Frameworks and Standards

NIST Cybersecurity Framework (CSF)

Five core functions: Identify, Protect, Detect, Respond, Recover.

  • Voluntary framework widely adopted in the US
  • Risk-based approach — adapt to your organization’s needs

ISO 27001/27002

  • 27001: Requirements for an Information Security Management System (ISMS). Certifiable.
  • 27002: Code of practice — detailed controls guidance.
  • International standard. Common in organizations with global operations.

CIS Controls

Prioritized set of cybersecurity best practices organized by implementation group (IG1, IG2, IG3).

  • IG1: Essential cyber hygiene (the minimum)
  • Prescriptive and actionable — good for organizations starting their security program

COBIT

Framework for IT governance and management. Bridges business requirements and IT goals.

CSA Cloud Controls Matrix (CCM)

Cloud-specific security controls framework. Maps to other frameworks (ISO, NIST, PCI).

SDLC Governance

Security must be integrated into the Software Development Lifecycle, not bolted on after deployment.

Security Checkpoints by Phase

SDLC Phase      | Security Activity
----------------|-------------------------------------------------------------------------
Requirements    | Security requirements defined, threat modeling, privacy impact assessment
Design          | Secure design review, architecture risk analysis
Implementation  | Secure coding standards, peer review, SAST
Testing         | DAST, penetration testing, SCA (dependency scanning)
Deployment      | Configuration review, hardening verification, change management approval
Maintenance     | Patch management, vulnerability scanning, incident response

  • Each phase has a gate — work doesn’t proceed until security criteria are met
  • DevSecOps automates these gates into CI/CD pipelines (SAST in PR checks, SCA in build, DAST in staging)
  • Governance defines who can approve gate passage and what evidence is required
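The three bullets above describe a gate: required evidence per phase, an authorized approver, and no progress until both are present. The following is an added example, not from the study guide or any particular CI product: a gate evaluator that encodes those governance decisions as data and returns every missing or failed item as a separate, auditable reason. The phase and evidence names follow the table; the record format, role names and artifact paths are assumptions for illustration.

```python
"""SDLC security gates as code (added example; sample records are constructed)."""
from dataclasses import dataclass, field

# Governance decides these two tables; the pipeline only enforces them.
REQUIRED_EVIDENCE = {
    "requirements": {"security_requirements", "threat_model", "privacy_impact"},
    "design": {"design_review", "architecture_risk_analysis"},
    "implementation": {"secure_coding_review", "peer_review", "sast"},
    "testing": {"dast", "sca"},
    "deployment": {"config_review", "hardening_verification", "change_approval"},
}
APPROVER_ROLES = {  # assumed role names
    "requirements": {"security_architect"},
    "design": {"security_architect"},
    "implementation": {"security_engineer"},
    "testing": {"security_engineer"},
    "deployment": {"change_advisory_board"},
}


@dataclass
class Evidence:
    kind: str      # e.g. "sast"
    status: str    # "pass" or "fail"
    artifact: str  # where the report lives (assumed path)


@dataclass
class Approval:
    approver: str
    role: str


@dataclass
class GateResult:
    phase: str
    passed: bool
    reasons: list = field(default_factory=list)


def evaluate_gate(phase, evidence, approvals):
    """Pass only if every required artifact is present and passing and an authorized role approved."""
    reasons = []
    present = {e.kind: e for e in evidence}
    for kind in sorted(REQUIRED_EVIDENCE[phase]):
        e = present.get(kind)
        if e is None:
            reasons.append(f"missing evidence: {kind}")
        elif e.status != "pass":
            reasons.append(f"failed evidence: {kind} ({e.artifact})")
    allowed = APPROVER_ROLES[phase]
    if not any(a.role in allowed for a in approvals):
        reasons.append(f"no approval from an authorized role ({', '.join(sorted(allowed))})")
    return GateResult(phase, not reasons, reasons)


# Constructed sample: an implementation gate where SAST passed, peer review was
# never recorded, and the only approval comes from a role not authorized for this gate.
SAMPLE_EVIDENCE = [
    Evidence("sast", "pass", "reports/sast-build-42.json"),
    Evidence("secure_coding_review", "pass", "reviews/coding-42.md"),
]
SAMPLE_APPROVALS = [Approval("dev1", "developer")]


def demo():
    return evaluate_gate("implementation", SAMPLE_EVIDENCE, SAMPLE_APPROVALS)


if __name__ == "__main__":
    result = demo()
    print(f"{result.phase}: {'PASS' if result.passed else 'BLOCKED'}")
    for r in result.reasons:
        print("  -", r)
```

Two design choices matter for governance rather than engineering: the required-evidence and approver tables are plain data that the steering committee can review and change without touching pipeline code, and the result lists every failing reason rather than stopping at the first, so the record of why a gate was blocked is complete when someone later asks for an exception or an audit trail.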

Centralized vs. Decentralized Governance

CompTIA explicitly tests this distinction.

Aspect             | Centralized                          | Decentralized
-------------------|--------------------------------------|------------------------------------------
Decision authority | Single security team/CISO            | Distributed to business units
Policy consistency | Uniform across org                   | May vary by unit
Speed              | Slower (bottleneck risk)             | Faster (local decisions)
Accountability     | Clear chain                          | Can be ambiguous
Best for           | Regulated industries, small/mid orgs | Large enterprises, diverse business units

Most organizations use a hybrid model: centralized policy and standards, decentralized implementation and day-to-day decisions. The security team sets the rules; business units execute within those rules.

External Considerations

Governance doesn’t exist in a vacuum. External factors shape what policies are required:

Regulatory Bodies

  • Federal: FTC, SEC, HHS/OCR (HIPAA enforcement), CISA
  • International: EU Data Protection Authorities (GDPR), UK ICO
  • Industry: PCI SSC (payment cards), NERC (energy/utilities)
  • Organizations must monitor regulatory changes and update governance accordingly

Geographic and Jurisdictional

  • Data sovereignty: Laws of the country where data is stored apply
  • Cross-border transfers: GDPR restricts transfers outside EU without adequate protections (Standard Contractual Clauses, adequacy decisions)
  • Conflicting requirements: One country’s mandatory retention may conflict with another’s deletion requirements — governance must address this
  • State-level variation: US has no federal privacy law — 50 different state breach notification laws

Industry-Specific

  • Healthcare: HIPAA, HITECH
  • Financial services: GLBA, SOX, PCI-DSS, FFIEC guidance
  • Government/defense: NIST 800-171, CMMC, FedRAMP, ITAR
  • Education: FERPA
  • Governance must identify which industry requirements apply and ensure policies address them

Governance Committee Operations

Composition

  • Cross-functional: security, IT, legal, HR, business unit representatives, privacy officer
  • Not just technical staff — business context is essential for risk decisions
  • Executive sponsor provides authority and budget

Decision-Making

  • Risk acceptance authority: who can accept residual risk and at what level
  • Exception process: how deviations from policy are requested, reviewed, and documented
  • Escalation path: unresolved disagreements go up, not sideways

Cadence

  • Regular meetings (monthly or quarterly) to review security posture, incidents, metrics
  • Ad hoc sessions for urgent issues (active incidents, zero-day disclosures, regulatory changes)
  • Minutes documented — governance decisions must be traceable

Monitoring and Revision

Governance isn’t static. Regular review ensures policies stay relevant:

  • Annual policy reviews at minimum
  • Reviews triggered by significant incidents, regulatory changes, or business changes
  • Metrics and KPIs to measure program effectiveness (patch compliance rate, MTTD, training completion)

Offensive Context

Governance gaps are the preconditions for breaches. An organization without a data classification policy treats all data the same — which means sensitive data gets the same weak protections as public data. Without change management, unauthorized changes blend in with authorized ones. Without defined roles, nobody owns the security of critical systems. Attackers don’t need to defeat strong controls if governance failures mean the controls were never implemented consistently in the first place.