2.1.2. Security Governance Principles and Frameworks
💡 First Principle: Security governance answers the question "who is accountable for what security outcomes?" Without that answer, every security decision becomes either arbitrary or paralyzed by competing authority. Governance doesn't tell you how to be secure — it tells you who decides and how they're held accountable.
Security governance sits above security management. Management is the day-to-day execution of security activities. Governance is the structures, processes, and relationships through which the organization directs and controls its security posture at the board and executive level.
Key governance roles:
| Role | Accountability | Does NOT Do |
|---|---|---|
| Board of Directors | Sets risk appetite; ensures security is part of corporate strategy | Day-to-day security management |
| CEO / Executive Team | Ensures resources are allocated; owns enterprise risk | Technical security decisions |
| CISO | Translates business risk into security strategy; reports to board/C-suite | Network administration, patch deployment |
| Data Owner | Business unit manager accountable for specific data's classification and use | Physically managing storage systems |
| Data Custodian | IT staff who implement controls the data owner requires | Setting classification policies |
| Data User | Employees accessing data for their job function | Modifying classification or controls |
Major security frameworks — these appear frequently on the exam as selection scenarios (which framework best fits this organization?):
| Framework | Best For | What It Provides |
|---|---|---|
| ISO 27001/27002 | Organizations wanting internationally recognized certification | ISMS certification, controls catalog (27002), audit-ready structure |
| NIST CSF | Organizations wanting flexible, risk-based framework | Five functions: Identify, Protect, Detect, Respond, Recover |
| NIST 800-53 | US federal agencies and contractors | Comprehensive control catalog, impact-based baselines |
| COBIT | Organizations aligning IT to business governance | IT governance, process maturity, board-level accountability |
| SABSA | Enterprise security architects | Business-driven, risk-based security architecture methodology |
| PCI DSS | Organizations processing payment cards | Prescriptive technical and procedural requirements |
| FedRAMP | Cloud providers serving US federal government | Cloud security authorization baseline |
💡 Key Point: The exam uses "due care" and "due diligence" with surgical precision. Due diligence is the investigation and assessment conducted before making a decision (research, audits, vendor assessments). Due care is the ongoing responsible action after a decision to maintain an appropriate level of protection. You exercise due diligence when evaluating a vendor; you exercise due care when monitoring them afterward.
⚠️ Exam Trap: "Senior management is ultimately responsible for security." This is true — and it means management cannot fully delegate security accountability to the security team. The CISO is responsible for the security program; senior management is responsible for the security outcomes of the organization. When a major breach occurs, executives — not just the CISO — bear accountability.
Reflection Question: A company is evaluating two security frameworks: ISO 27001 (requires third-party certification audit) and NIST CSF (self-assessment, no certification). They serve enterprise customers in the EU and US. Which is more appropriate, and why? What governance question does this answer raise?