Cybersecurity Governance and Risk Management Principles

Governance

Documentation Hierarchy

  • Understand the hierarchy in terms of specificity and enforceability:
    • Policies: High-level rules (e.g., “All systems must be patched monthly.”)
    • Standards: Mandatory requirements to meet the policy (e.g., “Use AES-256 for encryption.”)
    • Guidelines: Best practices, optional (e.g., “Avoid using public Wi-Fi.”)
    • Procedures: Step-by-step instructions (e.g., “How to apply Windows patches.”)

Tip: Expect questions like, “What document outlines how a task should be done?” — answer: Procedure.

Key Roles and Responsibilities

  • CISO (Chief Information Security Officer): Sets strategic direction for the security program.
  • Data Owner: Determines classification, who can access data, and how it is used.
  • Custodian: Implements controls set by the owner (e.g., a sysadmin applying permissions).
  • Privacy Officer: Ensures compliance with data protection laws (like GDPR, HIPAA).

Tip: Do not confuse Data Owner (a business role) with Custodian (a technical role).

Common Frameworks

These are foundational models or standards organizations use to build security programs:

  Framework    Purpose
  NIST CSF     Risk-based framework from the US NIST (core functions Identify, Protect, Detect, Respond, Recover, plus Govern in CSF 2.0); US in origin but widely adopted elsewhere.
  ISO 27001    International standard for Information Security Management Systems (ISMS); organizations can be certified against it.
  COBIT        Governance of enterprise IT (aligns IT with business goals).
  PCI-DSS      Payment card industry standard for handling cardholder data (contractual, not law).
  HIPAA        U.S. law for healthcare data protection.
  GDPR         EU regulation for personal data and privacy.

Strictly, only the first three are frameworks; PCI-DSS is an industry standard and HIPAA and GDPR are laws. The exam groups them together as things an organization must comply with.

Tip: Know which framework applies where (e.g., HIPAA for medical, PCI-DSS for card data).

Risk Management

Quantitative Risk Concepts

Used to calculate the expected financial impact of risk:

  • SLE (Single Loss Expectancy) = Asset value × Exposure factor (EF, the fraction of the asset's value lost in one incident)
    (e.g., server worth $10K, 50% data loss → SLE = $5K)
  • ARO (Annualized Rate of Occurrence) = How many times the threat is expected to occur per year (e.g., once a year = 1; once every ten years = 0.1).
  • ALE (Annual Loss Expectancy) = SLE × ARO
    (e.g., $5K × 1 = $5K expected loss per year)

Tip: Know how to plug and calculate these values; simple math shows up on the exam.

Recovery Metrics

Used in business continuity and disaster recovery:

  • RTO (Recovery Time Objective): Maximum acceptable downtime.
    ➜ “How fast must the service be restored?”
  • RPO (Recovery Point Objective): Maximum data loss measured in time.
    ➜ “How recent must the last backup be?”

Example: If RPO = 4 hours, you need backups at least every 4 hours to meet the goal.

Risk Response Types

  • Accept: Take no action (risk is low or cost of control is too high).
  • Transfer: Shift risk to a third party (e.g., cyber insurance, outsourcing).
  • Mitigate: Reduce likelihood or impact (e.g., patch vulnerabilities).
  • Avoid: Eliminate risk entirely (e.g., do not engage in the risky activity).

Tip: The exam may ask for the most cost-effective or realistic risk response. The rule of thumb is that a control should not cost more per year than the ALE it removes; when a control passes that test the answer is usually mitigation, and when nothing does, acceptance.
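The following Python block is an added worked example, not part of the original study notes, tying the quantitative section (SLE, ARO, ALE) to the risk response choice above. It uses the notes' $10K server with EF 0.5 and ARO 1, then compares constructed candidate responses (the control names, costs and residual EF/ARO values are hypothetical figures chosen for illustration) on net benefit: the ALE the control removes minus its annual cost. A control with a negative net benefit costs more than the loss it prevents, so the recommendation falls back to accepting the risk.

```python
"""Added worked example: SLE/ARO/ALE and choosing a risk response on net benefit.

All figures are constructed for illustration: the $10K server from the notes
plus hypothetical control costs and residual values. Not from a real assessment.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = asset value x exposure factor (fraction of value lost per incident)."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return round(asset_value * exposure_factor, 2)


def annual_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO (expected incidents per year; 0.1 means once per decade)."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return round(sle * aro, 2)


@dataclass(frozen=True)
class Control:
    """A candidate risk response and the residual EF/ARO once it is in place."""
    name: str
    response: str        # "mitigate", "transfer", ... (the response type it implements)
    annual_cost: float   # licence, premium, staff time, etc., per year
    residual_ef: float   # exposure factor after the control is applied
    residual_aro: float  # annualized rate of occurrence after the control is applied


def residual_ale(asset_value: float, control: Control) -> float:
    """ALE that remains once the control is in place."""
    sle = single_loss_expectancy(asset_value, control.residual_ef)
    return annual_loss_expectancy(sle, control.residual_aro)


def net_benefit(asset_value: float, ale_before: float, control: Control) -> float:
    """Yearly loss the control removes minus what it costs.

    Negative means the control costs more than the loss it prevents, which is
    the classic reason not to buy it.
    """
    return round(ale_before - residual_ale(asset_value, control) - control.annual_cost, 2)


def recommend(asset_value: float, exposure_factor: float, aro: float,
              controls: List[Control]) -> Tuple[str, Optional[Control], float]:
    """Return (response, chosen control, net benefit).

    Picks the control with the largest positive net benefit. If no control
    pays for itself (or none is offered), the response is to accept the risk.
    """
    ale_before = annual_loss_expectancy(
        single_loss_expectancy(asset_value, exposure_factor), aro)
    best = max(controls, key=lambda c: net_benefit(asset_value, ale_before, c), default=None)
    if best is None or net_benefit(asset_value, ale_before, best) <= 0:
        return ("accept", None, 0.0)
    return (best.response, best, net_benefit(asset_value, ale_before, best))


# Constructed scenario from the notes: $10K server, 50% loss per incident, once a year.
SERVER_VALUE, SERVER_EF, SERVER_ARO = 10_000.0, 0.5, 1.0

# Hypothetical candidate responses; every cost and residual figure is made up.
CANDIDATES = [
    Control("monthly patching", "mitigate", annual_cost=1_200.0, residual_ef=0.5, residual_aro=0.2),
    Control("cyber insurance", "transfer", annual_cost=2_000.0, residual_ef=0.1, residual_aro=1.0),
    Control("hot site", "mitigate", annual_cost=6_000.0, residual_ef=0.05, residual_aro=1.0),
]

if __name__ == "__main__":
    ale = annual_loss_expectancy(single_loss_expectancy(SERVER_VALUE, SERVER_EF), SERVER_ARO)
    print(f"ALE before controls: ${ale:,.2f}")
    for c in CANDIDATES:
        print(f"  {c.name:<18} {c.response:<9} residual ALE ${residual_ale(SERVER_VALUE, c):>8,.2f}"
              f"  net benefit ${net_benefit(SERVER_VALUE, ale, c):>9,.2f}")
    response, chosen, benefit = recommend(SERVER_VALUE, SERVER_EF, SERVER_ARO, CANDIDATES)
    print(f"Recommendation: {response} ({chosen.name if chosen else 'no control'}), ${benefit:,.2f}/yr")
```

Note that the hot site has the lowest residual ALE but loses on net benefit because its cost exceeds the entire $5K ALE, which is exactly the "don't spend more on the control than the risk is worth" test the exam expects. Insurance is modelled as transfer by lowering the exposure factor (the retained loss after payout) while leaving the ARO alone.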

Vendor and Supply Chain Risk

This is huge in real-world security (the 2020 SolarWinds Orion compromise is the standard example), and it is growing in exam importance.

Due Diligence

  • Perform risk assessments before engaging a vendor.
  • Use security questionnaires, review certifications, and perform audits.

Agreements

Know what each of these contracts does:

  • SLA (Service Level Agreement): Defines the expected level of service (uptime, response times, support) and usually the penalties for missing it.
  • NDA (Non-Disclosure Agreement): Binds the parties to keep shared information confidential.
  • BPA (Business Partnership Agreement): Outlines partnership roles, responsibilities, and how profits and decisions are shared.
  • MSA (Master Service Agreement): Sets the general terms that govern future work between two parties; individual projects are then scoped in statements of work under it.

Tip: Expect to be asked what kind of agreement applies in scenarios (e.g., NDA for protecting sensitive designs).

Right to Audit and Monitoring

  • Clauses that let your organization inspect the vendor’s controls.
  • Continuous monitoring of vendor posture (e.g., breach alerts, public security reports).

5.5 Compliance and Auditing

Audits

  • Internal: Conducted by your own organization for internal control evaluation.
  • External: Conducted by third parties; often for compliance certification (e.g., SOC 2).

Compliance Tools

  • Monitor configurations, access, and patching.
  • Use of GRC tools (Governance, Risk, and Compliance) to automate compliance tracking.

Certifications and Standards

  • SOC 2: Attestation report against the Trust Services Criteria (Security, Availability, Processing Integrity, Confidentiality, Privacy); Type I covers control design at a point in time, Type II covers operating effectiveness over a period.
  • ISO 27001: International ISMS certification issued by an accredited certification body.
  • PCI Scans: Quarterly vulnerability scans required for cardholder data environments; external scans must be run by a PCI-approved scanning vendor (ASV).

Evidence Handling

  • Attestation: A formal declaration that controls are in place, either a self-attestation (e.g., “We are compliant.”) or an independent auditor's report.
  • Legal hold: Preserving data for investigation or litigation; normal retention and deletion schedules are suspended for the data in scope.

Tip: Know the difference between certification (ISO 27001: a certificate issued after an audit against the standard) and attestation (SOC 2 Type II: an auditor's report on how your controls operated over a period, with no certificate).

Training and Awareness

This is about building a human firewall — getting people to recognize and avoid risks.

Awareness Training

  • Annual minimum for all users.
  • Should include policies, phishing, safe browsing, and password use.

Role-Based Training

  • Technical staff (e.g., sysadmins) get deeper, more focused training.
  • Example: Developers learn about secure coding.

Phishing Simulations

  • Measure user readiness and susceptibility.
  • Can be used to improve training programs.

Executive Support

  • If executives are not behind the program, it will fail culturally.
  • Leadership sets the tone for a security-aware culture.

Metrics for Effectiveness

  • Track the percentage of users who click phishing emails.
  • Monitor completion rates of training.
  • Analyze survey results (security confidence).

Tip: Training is not just a check-the-box exercise — it is about changing behavior and reducing human risk.