Security Governance: Policies, Standards, Procedures, and Guidelines

Security governance is the framework of policies, standards, procedures, and guidelines that direct and control an organization's security program. It ensures alignment with business objectives and regulatory requirements.

Governance Documents Hierarchy

Security governance follows a hierarchy: Policies — high-level statements of management intent, mandatory. Standards — specific mandatory requirements, often referencing industry frameworks (NIST, ISO 27001). Procedures — step-by-step instructions for performing tasks. Guidelines — recommended practices that are not mandatory.

Policies sit at the top of the hierarchy and state what must be achieved. Standards turn that intent into specific, measurable requirements. Procedures describe how those requirements are carried out, step by step. Guidelines offer recommended approaches where no mandatory requirement applies, which is where the flexibility in the hierarchy lives.

Common security policies: Acceptable Use Policy (AUP, defines permitted use of organizational resources), Data Classification Policy (how data is categorized and protected), Password Policy (minimum length, complexity, reuse, and expiration rules; note that NIST SP 800-63B now favors length and screening against known-breached passwords over forced periodic rotation and composition rules, although many organizations retain rotation to satisfy compliance requirements), and Remote Access Policy (VPN requirements, allowed devices).

  • Policies: high-level, mandatory — management intent
  • Standards: specific mandatory requirements (often from NIST, ISO)
  • Procedures: step-by-step instructions for specific tasks
  • Guidelines: recommended, not mandatory — flexible
  • AUP: acceptable use of organizational resources — widely tested

Roles and Responsibilities

Security governance defines clear roles: Board of Directors — ultimate accountability for security risk. Senior Management (CEO, CIO) — responsible for security program effectiveness. CISO (Chief Information Security Officer) — leads the security team and program. Security Team — implements and operates security controls. All Employees — follow policies and report incidents.

Data-specific roles: Data Owner (senior manager responsible for data classification and protection), Data Controller (determines purpose and means of processing personal data), Data Processor (processes data on behalf of controller), Data Custodian (manages technical storage/handling of data), and Data Subject (individual whose data is processed).

  • CISO: leads security program, reports to senior management
  • Data Owner: senior manager — classifies data, determines protection
  • Data Controller: decides why/how data is processed (GDPR role)
  • Data Processor: processes data on behalf of controller
  • Data Custodian: implements technical controls (IT admin)

Business Continuity and Disaster Recovery Policies

BCP (Business Continuity Plan) — ensures critical business functions continue during and after a disruption. Defines essential personnel, alternate facilities, and communication plans.

DRP (Disaster Recovery Plan) — specific plan for restoring IT systems after a disaster. Covers recovery procedures, personnel assignments, and vendor contacts.

BCP/DRP components: Plan activation (who decides to activate, under what conditions), Emergency response (immediate actions — evacuation, incident notification), Succession planning (who takes over if key personnel are unavailable), and Plan testing (tabletop exercises, functional drills, full-scale tests).

For the Security+ exam, know the difference between BCP (business-wide) and DRP (IT-focused), and the importance of regular testing.

  • BCP: keeps the business running — broader than DR
  • DRP: restores IT systems — specific technical procedures
  • Succession planning: identifies backups for key roles
  • Plan testing: tabletop exercises (discussion) vs full-scale drills (operational)
  • Plans should be reviewed and updated regularly (at least annually is the common requirement) and after any significant change to systems, facilities, or personnel

Change Management

Change management is a formal process for controlling changes to IT systems. It prevents unauthorized changes that could introduce security vulnerabilities or cause outages.

Change management process: (1) Request: submit a change request with justification, scope, an impact and risk assessment, and a backout (rollback) plan in case the change fails. (2) Review: the change advisory board (CAB) evaluates the impact and approves or rejects the request. (3) Test: the change is tested in a staging environment before it touches production. (4) Approve: authorized personnel give final approval and a maintenance window is scheduled. (5) Implement: deploy the change during the approved maintenance window, executing the backout plan if it fails. (6) Document: update the configuration management database (CMDB). (7) Review: a post-implementation review confirms the change succeeded and records any lessons learned.

Emergency changes (for example, an urgent security patch or a fix for an active outage) follow an expedited path: approval comes from a designated emergency approver or an emergency CAB rather than the full review cycle, but the change still requires a backout plan, full documentation, and a retrospective review after it has been implemented.

  • Change management prevents unauthorized or poorly planned changes
  • CAB (Change Advisory Board) reviews and approves changes
  • Standard changes: pre-approved, low-risk (e.g., password reset)
  • Emergency changes: expedited but still documented
  • CMDB tracks configuration items and their relationships

Exam Tip

Know the hierarchy: Policy → Standards → Procedures → Guidelines. AUP (Acceptable Use Policy) is the most commonly tested policy. Change management steps, in order: Request → Review → Test → Approve → Implement → Document → Post-implementation review. CISO is the key governance role.