Security Governance & Policy
Security Governance Fundamentals
Security governance is the alignment of security strategy with business strategy — ensuring security decisions support organizational goals rather than impede them.
Key Governance Roles
| Role | Responsibility | Focus |
|---|---|---|
| CISO | Chief Information Security Officer — owns security strategy | Strategic; reports to CEO/Board |
| CIO | Chief Information Officer — owns IT systems and infrastructure | Technology operations |
| Data Owner | Business executive who owns the data and sets classification | Business; decides sensitivity level |
| Data Custodian | IT role that implements controls the Data Owner requires | Technical; backs up, secures, stores |
| Security Practitioner | Day-to-day implementation of security controls | Technical execution |
Policy Hierarchy (Top → Bottom)
Security governance documents follow a strict hierarchy: Policy → Standard → Guideline → Procedure. Higher-level documents define "what" and "why"; lower-level documents define "how".
Policy Types by Purpose
| Type | Purpose | Example |
|---|---|---|
| Regulatory | Required by law or regulation — must comply | "Breach must be reported within 72 hours per Decree 13/2023" |
| Advisory | Strongly recommended — consequences for non-compliance | "Employees should not use personal email for work data" |
| Informative | For awareness — no compliance requirement | "Background on why we use zero-trust architecture" |
Due Care vs Due Diligence
This is one of the most frequently tested distinctions in Domain 1. People often confuse these two.
Due Diligence: Researching and verifying before making a decision. Doing your homework.
Due Care: Ongoing responsible action after a decision. Doing the right thing continuously.
Governance Frameworks
| Framework | Focus | Key Concept |
|---|---|---|
| COBIT | IT governance & management | Aligns IT with business goals; 40 governance objectives |
| ITIL | IT service management | Best practices for IT service delivery and support |
| NIST CSF | Cybersecurity risk management | 5 functions: Identify → Protect → Detect → Respond → Recover |
| ISO 27001 | Information security management system (ISMS) | Certifiable standard; Plan-Do-Check-Act cycle |
| ISO 27002 | Security controls guidance | Best practice controls to implement ISO 27001 |
Key Terms
| Term | Vietnamese term | Definition |
|---|---|---|
| Policy | Chính sách | High-level mandatory principles set by leadership |
| Standard | Tiêu chuẩn | Specific mandatory requirements that implement a policy |
| Guideline | Hướng dẫn | Non-mandatory recommendations and best practices |
| Procedure | Quy trình | Step-by-step instructions for performing a task |
| Due Care | Chăm sóc đúng mực | Ongoing responsible action after a decision is made |
| Due Diligence | Thẩm định | Research and verification before making a decision |
| CISO | Giám đốc An ninh Thông tin | Executive responsible for security strategy; reports to CEO/Board |
| Governance | Quản trị | Framework ensuring security aligns with business objectives |
1. Policy hierarchy: Policy (what) → Standard (mandatory requirement) → Guideline (recommended) → Procedure (how). Guidelines are the ONLY optional level.
2. Due Diligence = before decision; Due Care = ongoing action. The exam often gives scenarios and asks which is being performed. "Before signing a vendor contract, we reviewed their SOC 2 report" = Due Diligence. "We monitor the vendor's SLA monthly" = Due Care.
3. NIST CSF 5 functions: Identify, Protect, Detect, Respond, Recover — in that order. "Govern" was added in CSF 2.0 as a new 6th function.
4. CISO reports to CEO or Board, not the CIO. A CISO reporting to CIO creates a conflict of interest (IT operations vs security oversight).
5. Data Owner = business executive (sets classification level); Data Custodian = IT (implements the controls the Data Owner requires).
Due Diligence / Due Care example with an AML vendor:
- Due Diligence (before signing): Review AML Vendor's SOC 2 Type 2 report; verify AMLC/UNSC/OFAC coverage for PH market; assess data residency compliance with Decree 13/2023; conduct security questionnaire; check PH BSP acceptance.
- Due Care (after signing): Monitor AML alert quality monthly via Datadog dashboards; review the DPA annually; re-assess vendor's SOC 2 renewal each year; track false positive/negative rates to ensure service quality.
Policy statement for FinTech Company X (Standard level):
Practice Questions
Q1. "All data at rest must be encrypted using AES-256 or stronger" — which level of security documentation is this?
A) Standard — it is a specific, mandatory technical requirement implementing a broader policy
Q2. Before partnering with eKYC Vendor for eKYC, the engineering team requested and reviewed their latest penetration test report. What concept does this represent?
A) Due Diligence — researching and verifying a vendor's security posture before making a business decision
Q3. After a security incident in Platform C, the team conducts monthly vulnerability scans and reviews access logs weekly. Which concept does this represent?
A) Due Care — ongoing responsible security actions to maintain protection over time
Q4. In a mature security governance model, who should the CISO report to?
A) CEO or directly to the Board of Directors
Q5. Which NIST CSF function involves monitoring for security events and detecting anomalies in real time?
A) Detect — the third function, focused on identifying security events as they occur