
# Module 1.5: Governance Processes

## Learning Objectives

By the end of this module, you will:

  • Explain the governance hierarchy (policies, standards, procedures, guidelines)
  • Differentiate between mandatory and advisory governance documents
  • Identify key regulations and their scope (GDPR, HIPAA, PCI-DSS, SOX)
  • Understand security governance roles and responsibilities
  • Apply governance concepts to organizational scenarios

---

## What is Security Governance?

Governance = The system by which security is directed and controlled at the highest organizational level.

Key Principle: Security governance is a management responsibility, not a technical one. The Board and C-suite set the direction; security teams execute.

### Governance vs Management

| Governance | Management |
|------------|------------|
| Sets DIRECTION and strategy | EXECUTES the strategy |
| Defines WHAT must be achieved | Determines HOW to achieve it |
| Board/C-suite responsibility | Security team responsibility |
| Defines risk appetite | Manages risk within appetite |
| Approves policies | Creates procedures/standards |
| Oversight and accountability | Operations and implementation |

---

## The Governance Hierarchy

```text
┌──────────────────────────────────────┐
│          POLICIES                    │ ← WHAT (Senior Management)
│   "All sensitive data must be        │    Mandatory, broad
│    protected from unauthorized       │
│    disclosure."                      │
├──────────────────────────────────────┤
│          STANDARDS                   │ ← HOW MUCH (Security/IT)
│   "Sensitive data must be encrypted  │    Mandatory, specific
│    using AES-256 or equivalent."     │
├──────────────────────────────────────┤
│          PROCEDURES                  │ ← HOW (Operations)
│   "To encrypt a file:                │    Mandatory, step-by-step
│    1. Right-click → Properties       │
│    2. Advanced → Encrypt contents    │
│    3. Apply to folder and contents"  │
├──────────────────────────────────────┤
│          GUIDELINES                  │ ← SUGGESTED (Advisory)
│   "Consider using VeraCrypt for      │    Optional, flexible
│    personal file encryption."        │
└──────────────────────────────────────┘
```

---

## Policies

Definition: High-level statements of management intent and direction for information security.

| Attribute | Detail |
|-----------|--------|
| Created by | Senior management / CISO |
| Approved by | Executive leadership / Board |
| Mandatory? | YES - compliance is required |
| Scope | Organization-wide |
| Detail level | High-level (WHAT, not HOW) |
| Review cycle | Annual or on significant change |
| Enforcement | Violation → disciplinary action |

Characteristics of good policies:

  • Clear and concise
  • Technology-neutral (don't name specific products)
  • Enforceable
  • Measurable (can tell if compliant or not)
  • Supported by management
  • Communicated to all employees
  • Regularly reviewed and updated

Types of security policies:

| Policy Type | Example |
|-------------|---------|
| Information security policy | Overall security program direction |
| Acceptable use policy (AUP) | Rules for using IT resources |
| Data classification policy | How to categorize data |
| Access control policy | Who gets access to what |
| Password policy | Credential requirements |
| Incident response policy | How to handle security events |
| Privacy policy | Personal data handling |
| Remote work policy | Security for remote workers |

---

## Standards

Definition: Specific mandatory requirements that support policies with measurable detail.

| Attribute | Detail |
|-----------|--------|
| Created by | Security/IT teams |
| Approved by | CISO or security committee |
| Mandatory? | YES |
| Scope | Specific technical or operational area |
| Detail level | Specific minimums and requirements |
| Example | "All passwords must be minimum 14 characters" |

Standards define the minimum acceptable level:

  • Encryption standard: "Use AES-256 for data at rest"
  • Network standard: "All wireless must use WPA3"
  • Patch standard: "Critical patches within 72 hours"
  • Backup standard: "Daily incremental, weekly full"

---

## Procedures

Definition: Detailed step-by-step instructions for implementing policies and standards.

| Attribute | Detail |
|-----------|--------|
| Created by | Operations/technical teams |
| Approved by | Manager/team lead |
| Mandatory? | YES (once approved) |
| Scope | Specific task or process |
| Detail level | Step-by-step ("do this, then this, then this") |
| Example | "Procedure for onboarding a new employee" |

Procedures answer: "How exactly do I do this?"

---

## Guidelines

Definition: Recommended best practices that are advisory, not mandatory.

| Attribute | Detail |
|-----------|--------|
| Created by | Anyone with expertise |
| Approved by | Informational only |
| Mandatory? | NO - recommendations only |
| Scope | Flexible, situational |
| Detail level | Advisory ("you should consider...") |
| Example | "It's recommended to use a password manager" |

When guidelines become important: If someone ignores a guideline and an incident occurs, they may be asked "why didn't you follow the recommendation?"

---

## Quick Comparison

| | Policy | Standard | Procedure | Guideline |
|---|---|---|---|---|
| Mandatory? | Yes | Yes | Yes | No |
| Detail level | High (what) | Medium (how much) | High (how) | Medium (suggestions) |
| Audience | Everyone | Technical staff | Operators | Anyone |
| Changes | Rarely | Occasionally | Frequently | As needed |
| Violation | Disciplinary | Non-compliance finding | Process failure | No penalty |

---

## Regulations and Laws

### Key Regulations (Awareness Level for CC)

#### GDPR (General Data Protection Regulation)

| Aspect | Detail |
|--------|--------|
| Scope | EU citizens' personal data (applies globally to any org handling EU data) |
| Key principles | Lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity/confidentiality, accountability |
| Data subject rights | Access, rectification, erasure ("right to be forgotten"), portability, object |
| Breach notification | 72 hours to supervisory authority |
| Fines | Up to €20M or 4% of global annual revenue (whichever is greater) |
| Key roles | Data Controller, Data Processor, Data Protection Officer (DPO) |

#### HIPAA (Health Insurance Portability and Accountability Act)

| Aspect | Detail |
|--------|--------|
| Scope | US healthcare (covered entities + business associates) |
| Protects | PHI (Protected Health Information) |
| Key rules | Privacy Rule, Security Rule, Breach Notification Rule |
| Security Rule | Administrative, physical, and technical safeguards for ePHI |
| Breach notification | Individuals within 60 days; HHS if 500+ affected |
| Fines | Up to $1.5M per violation category per year |

#### PCI-DSS (Payment Card Industry Data Security Standard)

| Aspect | Detail |
|--------|--------|
| Scope | Any organization handling payment card data |
| Type | Industry STANDARD, NOT a law |
| Requirements | 12 requirements in 6 categories |
| Key areas | Build/maintain secure network, protect cardholder data, vulnerability management, access control, monitoring/testing, security policy |
| Compliance | Self-assessment (SAQ) or third-party audit (QSA) |
| Penalties | Contractual fines from card brands, not government |

> ⚠️ Exam Trap: PCI-DSS is a STANDARD created by card brands (Visa, Mastercard, etc.), NOT a government law. But non-compliance has real financial consequences.

#### SOX (Sarbanes-Oxley Act)

| Aspect | Detail |
|--------|--------|
| Scope | US publicly traded companies |
| Purpose | Financial reporting accuracy and internal controls |
| Key sections | 302 (CEO/CFO certification), 404 (internal controls assessment) |
| Impact on IT | IT controls that affect financial reporting must be documented and audited |
| Penalties | Criminal penalties for executives who certify false reports |

#### Other Regulations (Awareness)

| Regulation | Scope | Protects |
|------------|-------|----------|
| FERPA | US education | Student educational records |
| GLBA | US financial services | Customer financial information |
| CFAA | US federal | Computer systems from unauthorized access |
| COPPA | US | Children's online privacy (under 13) |
| CCPA/CPRA | California | Consumer privacy rights |

---

## Compliance vs Security

| Compliance | Security |
|------------|----------|
| Meeting minimum regulatory requirements | Protecting against actual threats |
| Pass/fail assessment | Continuous risk management |
| Required by law/regulation | Required by good practice |
| May lag behind actual threats | Should be ahead of threats |
| Checkbox mentality risk | Risk-based mentality |

> 📝 Key Insight: You can be COMPLIANT but not SECURE (you checked all boxes but missed real threats). You can be SECURE but not COMPLIANT (great security but missing documentation requirements). The goal is BOTH.

---

## Security Governance Roles

| Role | Responsibility |
|------|----------------|
| CEO | Ultimately accountable for all organizational risk |
| Board of Directors | Oversight of security governance |
| CISO | Security strategy, policy, and program leadership |
| CIO | Information technology and systems |
| CSO | Physical security (sometimes combined with CISO) |
| DPO | Data protection compliance (required by GDPR) |
| Risk Committee | Oversight of risk management activities |
| Data Owner | Business person responsible for data classification |
| Data Custodian | Technical person implementing controls for data |
| System Owner | Responsible for specific system's security |

---

## GRC (Governance, Risk, and Compliance)

GRC is the integrated approach to:

  • Governance: Setting direction and ensuring accountability
  • Risk: Identifying and managing threats
  • Compliance: Meeting regulatory and contractual requirements

These three are interconnected:

  • Governance defines risk appetite → Risk assessment identifies gaps → Compliance verifies controls are meeting requirements → Governance adjusts based on findings

---

## Practice Questions

1. Which document provides step-by-step instructions for implementing a security policy?

  • A) Standard
  • B) Guideline
  • C) Procedure ✅
  • D) Policy

2. Guidelines differ from standards because guidelines are:

  • A) More detailed
  • B) Not mandatory ✅
  • C) Approved by the CEO
  • D) More technical

3. PCI-DSS is BEST described as:

  • A) A US federal law
  • B) An EU regulation
  • C) An industry standard ✅
  • D) A government guideline

4. Under GDPR, how quickly must a data breach be reported to the supervisory authority?

  • A) 24 hours
  • B) 72 hours ✅
  • C) 7 days
  • D) 30 days

5. Who is ULTIMATELY accountable for an organization's security posture?

  • A) The CISO
  • B) The IT department
  • C) Senior management/Board ✅
  • D) The security team

6. A document states "Use AES-256 for all data encryption." This is a:

  • A) Policy
  • B) Standard ✅
  • C) Procedure
  • D) Guideline

7. Which regulation protects health information in the United States?

  • A) GDPR
  • B) PCI-DSS
  • C) HIPAA ✅
  • D) SOX

8. The hierarchy from broadest to most specific is:

  • A) Procedure → Policy → Standard → Guideline
  • B) Policy → Standard → Procedure → Guideline ✅
  • C) Standard → Policy → Guideline → Procedure
  • D) Guideline → Policy → Procedure → Standard

9. An organization passes its PCI-DSS audit but is still breached. This illustrates:

  • A) PCI-DSS is ineffective
  • B) Compliance alone doesn't guarantee security ✅
  • C) The audit was performed incorrectly
  • D) Security is impossible to achieve

10. A Data Protection Officer (DPO) is specifically required by:

  • A) HIPAA
  • B) PCI-DSS
  • C) GDPR ✅
  • D) SOX

---

*End of Module 1.5 - End of Domain 1*

*Next Domain: Domain 2: BC, DR & Incident Response*