6.1.3. Governance Structures and Roles
First Principle: Governance structures define who makes decisions, who implements them, and who is accountable. Clear roles prevent gaps where no one is responsible and conflicts where multiple people try to control the same area.
Boards and committees – executive oversight bodies that set security direction, approve policies, allocate budgets, and accept risk on behalf of the organization. A security steering committee typically includes representation from IT, legal, compliance, HR, and business units.
Government entities – regulatory bodies that create and enforce compliance requirements (FTC, SEC, HHS for HIPAA, state attorneys general).
Centralized governance – one team controls security decisions for the entire organization. Ensures consistency but may be slow to respond to local needs.
Decentralized governance – individual business units manage their own security. More responsive but risks inconsistency and gaps.
Key roles:
- CISO (Chief Information Security Officer) – senior executive responsible for the overall security program, policy development, risk management, and reporting to the board.
- Security team – implements and operates security controls, monitors threats, responds to incidents.
- Data owner – business executive who determines the classification and authorized use of data assets. Makes policy decisions about data handling.
- Data custodian – IT role that implements the technical controls the data owner specifies. Manages day-to-day data handling according to policy.
- Data processor – third party that processes data on behalf of the data controller/owner (especially relevant under GDPR).
- Data controller – entity that determines the purposes and means of data processing (GDPR term). The organization collecting the data.
⚠️ Exam Trap: Data owner vs. data custodian: the owner decides how data should be protected (classification, access policy). The custodian implements those decisions (encryption, backups, access controls). The owner is typically a business leader; the custodian is typically IT. Don't confuse who decides with who implements.