# Security Governance

**One-sentence definition:** The framework of leadership, structures, and processes that ensure security supports business objectives and manages risk.

## Key Facts

- Aligns security strategy with organizational goals and legal obligations.
- Establishes policy hierarchy and assigns **accountability** to roles (e.g., data owner).
- Uses risk management to prioritize investments and control selection.
- Requires measurable objectives, metrics, and reporting to leadership/board.
- Governance ≠ management: set direction vs. execute operations.
- Integrates with enterprise governance (e.g., COBIT, COSO; see Part B).
- Culture and ethics are governance enablers (tone from the top).
- **Verify:** check official (ISC)² CBK and current exam outline.

## Exam Relevance

- Identify governance vs. management decisions.
- Choose governance artifacts (policies, roles) for given scenarios.

**Mnemonic:** “Direct, Decide, Delegate” → governance sets direction; managers deliver.

## Mini Scenario

Q: Who owns acceptable risk levels for a business unit system?

A: The business/data owner, as part of governance.

## Revision Checklist

- Define governance; contrast with management.
- Name two governance inputs and two outputs.
- Identify the accountable role for risk acceptance.

## Related

[[Governance vs Management]] · [[Security Policy Hierarchy]] · [[Security Roles and Responsibilities]] · [[Risk Management Lifecycle]] · [[Compliance and Regulatory Concepts]] · [[Domain 1 - Index]]