5.1 Domain 5 · Security Program Management

Elements of Effective Security Governance

Policies, standards, procedures, and guidelines — plus the roles, committees, and external forces that shape them. How “we have a rulebook” becomes “we run a security program.”

The Concept

Governance is the layer between executive intent and daily security operations. Leadership says “we will protect customer data”; governance turns that into a policy, the policy points at standards that specify “how good,” standards point at procedures that specify “how to do it,” and everything is backed by guidelines that offer best-practice advice without the force of a mandate. The exam constantly tests whether you can match a sentence to its document type.

The second pattern is the governance structure: who approves, who oversees, who executes. Boards set the tone; committees (security steering, audit, risk) ratify; management implements. Alongside those sit the roles for systems and data: owner (accountable, approves access), custodian/steward (implements controls), controller (GDPR: decides the purposes of personal-data processing), and processor (GDPR: processes on the controller’s behalf). “Owner decides, custodian implements” is a lifetime exam cue.

The document hierarchy — mandatory vs. suggested. A policy is a top-level, mandatory statement of what and why, approved by executive leadership. A standard specifies required technical or procedural detail that supports the policy — also mandatory. A procedure is a step-by-step “how-to” — mandatory in execution but operational rather than strategic. A guideline is recommended best practice — not mandatory. “Employees must protect their credentials” is policy language. “Passwords must be at least 14 characters, include three of four character classes, and rotate every 180 days” is a standard. “Open the IAM console, navigate to Users…” is a procedure. “Consider using a password manager” is a guideline.
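The standard is the one layer of the hierarchy that engineering can enforce mechanically, which is the practical reason for splitting it from the policy. The following is an added example, not code from the page or from any vendor, that renders the password standard quoted above as a checkable rule: minimum 14 characters, three of four character classes, no reuse of the last 10 passwords, and a 180-day age limit (the reuse depth and age limit are taken from the text as given). Every name in it (check_password, PasswordHistory, the constants) is this example’s own; the PBKDF2 work factor is deliberately low so it runs quickly and is not a production setting.

```python
"""Password standard (as quoted in the text) rendered as a machine-checkable rule.

Added example, not from the page. Assumed spec, taken from the text:
  - minimum 14 characters
  - at least three of four character classes
  - no reuse of the last 10 passwords
  - rotation every 180 days
The policy line ("employees must protect credentials") has no executable form;
the standard line does, which is why the standard is "what we enforce".
"""
from __future__ import annotations

import hashlib
import hmac
import os
import string
from dataclasses import dataclass, field
from datetime import date, timedelta

# The numeric requirements live in one place: this block *is* the standard.
MIN_LENGTH = 14
MIN_CLASSES = 3
HISTORY_DEPTH = 10
MAX_AGE_DAYS = 180

# Demo work factor only (assumption for speed); production uses a memory-hard
# hash such as argon2/scrypt or a far higher PBKDF2 iteration count.
_PBKDF2_ROUNDS = 20_000


def character_classes(pw: str) -> int:
    """Count how many of the four classes (lower, upper, digit, symbol) appear."""
    return sum((
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    ))


def _digest(pw: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, _PBKDF2_ROUNDS)


@dataclass
class PasswordHistory:
    """Salted hashes of the last HISTORY_DEPTH passwords; plaintext is never kept."""
    entries: list[tuple[bytes, bytes, date]] = field(default_factory=list)

    def record(self, pw: str, set_on: date) -> None:
        salt = os.urandom(16)
        self.entries.append((salt, _digest(pw, salt), set_on))
        del self.entries[:-HISTORY_DEPTH]  # keep only the last N entries

    def was_used(self, pw: str) -> bool:
        # Each stored entry has its own salt, so the candidate is re-hashed per entry.
        return any(
            hmac.compare_digest(_digest(pw, salt), digest)
            for salt, digest, _ in self.entries
        )

    def expired(self, today: date) -> bool:
        """True when the current password is older than MAX_AGE_DAYS (or none is set)."""
        if not self.entries:
            return True
        return today - self.entries[-1][2] > timedelta(days=MAX_AGE_DAYS)


def check_password(candidate: str, history: PasswordHistory) -> list[str]:
    """Return the clauses of the standard the candidate violates; [] means compliant."""
    violations: list[str] = []
    if len(candidate) < MIN_LENGTH:
        violations.append("length")
    if character_classes(candidate) < MIN_CLASSES:
        violations.append("classes")
    if history.was_used(candidate):
        violations.append("reuse")
    return violations


if __name__ == "__main__":
    # Constructed sample: a user who set a strong password 200 days ago.
    hist = PasswordHistory()
    hist.record("Correct-Horse-Battery-7", date.today() - timedelta(days=200))
    print("rotation overdue:", hist.expired(date.today()))
    print(check_password("Correct-Horse-Battery-7", hist))   # reuse of current password
    print(check_password("all lowercase and long", hist))    # only one character class
    print(check_password("Sh0rt!", hist))                    # four classes, but too short
    print(check_password("New-Passphrase-2024!", hist))      # compliant
```

Note what is and is not in this block: the procedure (where in the Okta or IAM console to type these numbers) is absent, and the guideline (“consider a password manager”) cannot be expressed at all. Only the standard survives translation into code, which is the same distinction the auditor will ask for.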

Policy families the exam names explicitly. Acceptable Use Policy (AUP) — permitted use of company resources. Information security policy — top-level direction. Business continuity — keep the business functioning during disruption. Disaster recovery — IT restoration after a disaster. Incident response — who does what when something breaks. Software development lifecycle (SDLC) — security integrated into the build process. Change management — controlled modification of production systems.

Standards the exam names. Password standards (length, complexity, reuse, expiration), access control standards (RBAC, least privilege), physical security standards (perimeter, access, environmental), and encryption standards (approved algorithms, key lengths, TLS 1.2+, AES-256). Procedures the exam names: change management, onboarding/offboarding, and playbooks/runbooks for specific scenarios (IR, DR, common alerts).

External considerations. Policies and standards do not live in a vacuum; they are shaped by regulatory (HIPAA, SOX, FISMA), legal (contractual and statutory), industry (PCI DSS for card processors), and geographic scope (local/regional/national/global: state breach-notification laws, GDPR, country-specific data laws). A policy that no longer reflects the regulations it lives under is out of date, and policies are supposed to be living documents: reviewed and updated as threats, technology, regulations, and business change.

Governance structures. Boards (board of directors) hold ultimate oversight. Committees — security steering committee, audit committee, risk committee — ratify strategy and review metrics. Government entities (SEC, HHS-OCR, FTC) regulate sectors. Centralized governance puts a single team in charge for the whole enterprise; decentralized pushes ownership down to business units. Neither is universally correct; the right structure depends on company size, industry, and risk posture.

Roles for systems and data. Owner is accountable for the asset — approves access, defines classification, signs off on risk. Controller is the GDPR term for the party that determines the purposes and means of processing personal data — typically the organization that originally collects the data. Processor processes personal data on behalf of a controller (vendors, SaaS providers). Custodian (also called steward) implements and maintains security controls on behalf of the owner — the IT team, the DBA, the SysAdmin. Exam test pattern: owner decides, custodian implements, controller and processor are GDPR roles.

Document   | Mandatory?          | Answers                          | Exam cue
Policy     | Yes                 | What and why (executive intent)  | “Employees must protect credentials”
Standard   | Yes                 | Required technical detail        | “Passwords at least 14 chars, AES-256”
Procedure  | Yes (in execution)  | Step-by-step how                 | “Open the console, click Users…”
Guideline  | No (recommended)    | Best-practice suggestion         | “Consider using a password manager”
Role                 | Responsibility                                                  | Exam cue
Owner                | Accountable; approves access; defines classification            | “Decides who can have access”
Custodian / Steward  | Implements and maintains controls on behalf of the owner        | “DBA enforces encryption on the database”
Controller (GDPR)    | Determines purposes and means of personal-data processing       | “Company collecting data from users”
Processor (GDPR)     | Processes personal data on behalf of a controller               | “SaaS vendor under a DPA”
Data Subject (GDPR)  | The individual the data is about                                | “EU citizen whose data is held”
Key Takeaway

Two forcing functions run 5.1: (1) document hierarchy — policy/standard/procedure are mandatory, guideline is not; and (2) role separation — owner decides, custodian implements, controller is GDPR’s data decision-maker. Match the sentence to the document type; match the verb to the role.

A 900-person SaaS company is preparing for its first SOC 2 Type II audit. The CISO asks Engineering to send over the “password policy.” Engineering sends back a one-page document titled “Password Policy” that reads, in full, like a deployment guide: “Step 1: open the Okta admin console. Step 2: click Security. Step 3: set min length to 12. Step 4…” It’s accurate, but it’s not a policy. The auditor arrives in two weeks.

Scenario: Policy vs. Standard vs. Procedure (900-person SaaS, first SOC 2 Type II audit)
Eng Director: “We have the password policy. It’s one page. The auditor can read it in two minutes.”

CISO: “What you sent me is a procedure — Okta click-paths. The auditor will want three separate documents: a policy (executive intent: ‘we will authenticate users with strong credentials’), a standard (required specs: min 14 chars, no reuse of last 10, MFA required for admin roles), and a procedure (the Okta click-paths you already have). We also need a guideline that says ‘we recommend a password manager’ — that part is advisory.”

Eng Director: “Why does the auditor care about the split?”

CISO: “Because the policy is what the board signs, the standard is what we enforce, and the procedure changes every time Okta ships a UI update. Mix them and every admin-console change becomes a board-approved policy revision. Split them and we can update the procedure quarterly without touching executive approvals.”
Compensating Action

Where the document hierarchy is missing, create the split before the audit. Draft the policy in board-ready language (one or two pages, mandatory, “employees must…”). Pull the numeric requirements into a standard. Keep the procedure as a living operational doc. Add a brief guidelines section for the advisory items. Auditors look for the split — and so do exam questions.

Real Talk — Career Context

The fastest way to fail an audit is to mix document types. Every seasoned GRC lead has seen “policies” that are really procedures, or “standards” that read like aspirations. A clean split makes the policy readable for the board, the standard enforceable by engineering, and the procedure maintainable by operations.

On the exam: sentence-matching. “Must be at least 14 characters” → standard. “Must protect credentials” → policy. “Open the console, click Users…” → procedure. “Consider using a password manager” → guideline.

A finance analyst requests read access to the HR payroll database to build an executive compensation analysis. HR is the business owner of the data; the database team runs the server and implements the controls. The IAM team is drafting the approval workflow. Who should the request go to for approval before access is provisioned?

Option A
Database team (custodian) — they have the technical access

The DBAs manage the server, enforce encryption, and provision accounts. Let them decide.

Option B
HR (data owner) — they own the asset and the risk

HR classified the data and is accountable for who should see it. Custodians implement the owner’s decision.

Option B fits better — owner decides, custodian implements

Option B: The data owner (HR) is accountable for access decisions, classification, and the risk that flows from disclosure. The custodian’s job is to implement the owner’s decision — provision the account once approval is in hand. Giving the custodian the approval authority inverts the separation of duties and gives IT the ability to grant sensitive access without business accountability.

Option A’s kernel of truth: the custodian does have the technical ability to grant access, which is why separation is important. Without an owner-approves / custodian-implements split, the technical team becomes the de facto policy maker.

On the exam: “approves access,” “decides who can see it” → owner. “Implements controls,” “provisions the account” → custodian. Any question about GDPR “decides the purposes” → controller.

Guideline treated as mandatory
A guideline is recommended, not required. If the question asks “which of these is enforceable?” a guideline is never the right answer. Policy, standard, and procedure are mandatory in their respective layers.
Why it is tempting: guidelines are often well-written and sensible. Exam distinguishes advisory from enforceable.
Policy = standard
“Passwords must be 14 characters” is a standard, not a policy. Policy language is higher-level: “Employees must use strong authentication.” The exam reliably tests whether you can sort the sentence by specificity.
Why it is tempting: real-world “password policies” are often written as standards. CompTIA grades by the strict definitions.
Owner = custodian
Owner is accountable, decides access, defines classification. Custodian (steward) implements and maintains controls. Giving approval authority to the custodian breaks separation of duties.
Why it is tempting: custodians have the technical power. Accountability and capability are different things.
Controller = processor
Under GDPR, the controller decides the purposes and means of processing — typically the organization that originally collects the data. The processor processes on the controller’s behalf (vendors, SaaS). The exam rewards knowing who holds the decision power.
Why it is tempting: both “handle personal data.” One decides; the other executes.
Policies as a one-time artifact
Policies must be living documents. They are reviewed and updated as threats, technology, regulations, and business change. A policy dated three years ago and never touched is a compliance finding.
Why it is tempting: “we have a policy” feels like closure. Exam expects ongoing review.
Exam Signal

5.1 questions test two patterns: (1) sentence-to-document matching (policy vs. standard vs. procedure vs. guideline), and (2) role separation (owner decides, custodian implements, GDPR controller vs. processor). Look for the verb in the sentence: “must protect,” “must be 14 characters,” “click Users,” “consider using…” — each maps cleanly to one document type.

Quick Check — 5.1 Q1
A document in the company’s GRC repository reads: “All passwords must be at least 14 characters, include three of four character classes, and cannot reuse any of the last 10 passwords.” Which document type is this?
  • A Policy
  • B Standard
  • C Procedure
  • D Guideline

Correct: B. Specific, measurable, mandatory technical requirements that support the policy are standards. “14 characters” is a spec; policies read at a higher level (“employees must protect credentials”). Procedures are step-by-step; guidelines are advisory.

A wrong: Too specific for policy language.

C wrong: No step-by-step how.

D wrong: “Must” language indicates mandatory, not advisory.

Source: CompTIA SY0-701 Objectives v5.0 — 5.1 Summarize elements of effective security governance

Quick Check — 5.1 Q2
Under GDPR, a SaaS company in the EU uses a US-based email marketing vendor to send newsletters to EU subscribers who signed up through the SaaS company’s website. Which GDPR role does the SaaS company hold?
  • A Controller
  • B Processor
  • C Data subject
  • D Custodian

Correct: A. The controller determines the purposes and means of processing. The SaaS company decides the newsletter exists, who receives it, and why — that is controller. The email vendor processes the personal data on the controller’s behalf and is the processor.

B wrong: The vendor is the processor.

C wrong: Data subjects are the individuals (subscribers).

D wrong: Custodian is the general IT-stewardship term, not the GDPR legal role.

Source: CompTIA SY0-701 Objectives v5.0 — 5.1; GDPR Article 4 definitions

Quick Check — 5.1 Q3
Who is MOST appropriately responsible for approving access to a sensitive HR dataset?
  • A The database administrator (custodian)
  • B The data owner
  • C The end user requesting access
  • D The help desk

Correct: B. Owner decides; custodian implements. The data owner is accountable for classification and access, approves the request, and documents the business justification. The DBA provisions the account after approval.

A wrong: Custodian implements after approval but does not own the risk decision.

C wrong: Requesters do not self-approve.

D wrong: Help desk has no authority over sensitive-data access.

Source: CompTIA SY0-701 Objectives v5.0 — 5.1

Disclaimer: This content is provided for educational and exam preparation purposes only. It is not official CompTIA content, is not endorsed by CompTIA, and does not guarantee exam success. All practice questions are original and based on the published CompTIA SY0-701 Exam Objectives (v5.0). Always refer to the official CompTIA Security+ Exam Objectives as your primary reference.