Cybersecurity Governance | Cybersecurity Policy

Slide 1 of 14  |  CSP-W3-01  |  Week 3
Cybersecurity Governance
COBIT, ISO 27001, Policy Hierarchy
Board Oversight • COBIT 2019 • ISO 27001/27002 • Policy Architecture • Governance Structures • Risk Governance • Metrics • Framework Comparison
Cybersecurity governance is not a technical problem -- it is a business problem. It determines who makes decisions about risk, who is accountable when things go wrong, and how the organization's security posture aligns with its strategic objectives. This deck covers the frameworks, structures, and metrics that transform cybersecurity from an IT cost center into a board-level strategic function. Every policy you write exists within a governance structure -- understanding that structure is prerequisite to writing effective policy.
14 slides | CSP-W3-01 | Week 3 | CIS2208 -- Cybersecurity Policy
Slide 2 of 14
What Is Cybersecurity Governance?
Board-level oversight, accountability structures, and risk appetite -- the strategic layer above security operations.
Direction
Setting the strategic vision for cybersecurity. The board defines what the organization must protect, what level of risk is acceptable, and how security investments align with business objectives. Direction flows top-down -- from the boardroom to the SOC.
Oversight
Monitoring whether security activities achieve their intended outcomes. The board does not configure firewalls -- it asks whether the firewall investment reduced breach probability. Oversight requires metrics, reporting cadence, and independent audit verification.
Accountability
Ensuring clear ownership for cybersecurity outcomes at every level. The CEO is ultimately accountable to the board. The CISO is responsible for program execution. Individual managers own risk within their domains. Accountability without authority is dysfunction.
Governance answers three questions: Who decides? Who is accountable? How do we know it is working? Without governance, organizations have security tools and personnel but no coherent strategy, no measured outcomes, and no executive accountability when a breach occurs.
Risk Appetite
Risk appetite is a board-level declaration of how much risk the organization is willing to accept in pursuit of its objectives. It is not a number -- it is a strategic position. "We accept no risk of customer data exposure" versus "We accept moderate risk of operational disruption during cost optimization" produce radically different security programs and budgets.
Slide 3 of 14
Corporate vs IT vs Cybersecurity Governance
Three nested governance domains -- each with distinct scope, stakeholders, and accountability structures.
[Figure: three nested governance domains]
Corporate Governance: Board of Directors, shareholders, regulatory compliance, strategic objectives
  IT Governance: CIO, IT strategy, value delivery, resource optimization, performance measurement
    Cybersecurity Governance: CISO, risk management, threat response, controls, compliance
      Policies: standards, procedures, guidelines, baselines
      Risk Management: appetite, tolerance, registers, treatment
      Assurance: audits, metrics, reporting, compliance
Corporate Governance
The board ensures the organization creates value for stakeholders while managing risk. Sarbanes-Oxley, SEC regulations, and fiduciary duties define the boundaries. Cybersecurity is a board-reportable risk -- the same as financial risk or operational risk.
IT Governance
Ensures IT investments support business objectives and deliver value. COBIT, ITIL, and Val IT (since folded into COBIT) provide frameworks. IT governance asks: are we building the right systems, and are we building them right? The CIO is the primary accountable officer.
Cybersecurity Governance
A subset of IT governance focused specifically on protecting information assets and managing cyber risk. The CISO leads execution, but governance authority flows from the board. Effective cybersecurity governance requires both technical expertise and business acumen.
Key Insight
These three layers are not independent -- they are nested. A cybersecurity policy that contradicts corporate governance will be overridden. A CISO who reports through four layers to reach the board has structurally less influence than one who reports directly. Governance structure determines governance effectiveness.
Slide 4 of 14
COBIT 2019 Framework
Six governance-system principles, 40 governance and management objectives -- ISACA's comprehensive framework for enterprise IT governance.
[Figure: COBIT 2019 at a glance]
Governance-system principles: 1. Provide Stakeholder Value (COBIT 5 wording: Meeting Stakeholder Needs); 2. Holistic Approach; 3. Dynamic Governance System; 4. Governance Distinct from Management; 5. Tailored to Enterprise Needs; 6. End-to-End Governance System
40 governance and management objectives: EDM (5) + APO (14) + BAI (11) + DSS (6) + MEA (4)
Governance Objectives (EDM)
Evaluate, Direct, Monitor -- the 5 objectives that belong to the board. EDM01: Ensured Governance Framework. EDM02: Ensured Benefits Delivery. EDM03: Ensured Risk Optimization. EDM04: Ensured Resource Optimization. EDM05: Ensured Stakeholder Engagement.
Management Objectives (35)
Spread across four domains: APO (Align, Plan, Organize -- 14 objectives covering strategy, architecture, risk, and security), BAI (Build, Acquire, Implement -- 11), DSS (Deliver, Service, Support -- 6), and MEA (Monitor, Evaluate, Assess -- 4).
COBIT for Cybersecurity
COBIT 2019 includes APO13 (Managed Security) as a dedicated security management objective, but cybersecurity governance touches nearly every other objective. Risk management (APO12), compliance (MEA03), incident management (DSS02), and change management (BAI06) all have direct cybersecurity implications. COBIT's strength is connecting security activities to business value -- something pure technical frameworks often lack.
Slide 5 of 14
ISO/IEC 27001 -- ISMS
The international standard for Information Security Management Systems -- Plan, Do, Check, Act.
[Figure: ISO 27001 Plan-Do-Check-Act cycle, continuous improvement]
Plan: establish the ISMS; define scope and policy; risk assessment; Statement of Applicability
Do: implement and operate; deploy controls; security awareness training; manage operations
Check: monitor and review; internal audits; management review; measure effectiveness
Act: maintain and improve; corrective actions; preventive actions; continual improvement
Certification path:
Step 1, Gap Analysis: assess current state against ISO 27001 requirements
Step 2, Risk Assessment: identify assets, threats, vulnerabilities; decide risk treatment
Step 3, Implement ISMS: deploy controls, train staff, document processes
Step 4, Stage 1 Audit: documentation review by the certification body
Step 5, Stage 2 Audit: on-site assessment of ISMS effectiveness
Step 6, Surveillance: annual surveillance audits, recertification every three years
Why Certification Matters
ISO 27001 certification is increasingly a contractual requirement for cloud providers, managed service providers, and any organization handling sensitive data. It demonstrates due diligence to regulators, provides a competitive advantage in procurement, and establishes a defensible security posture. The standard does not prescribe specific technologies -- it requires a systematic, risk-based approach to information security management.
Slide 6 of 14
ISO 27002 -- Controls Catalogue
The companion standard, ISO/IEC 27002:2022 -- 93 controls organized into four themes that implement the ISO 27001 ISMS.
Organizational (37)
Policies, roles, responsibilities, asset management, access control, supplier relationships, incident management, business continuity, compliance. The largest theme -- defines the governance scaffolding around all other controls.
People (8)
Screening, terms of employment, security awareness, disciplinary process, responsibilities after termination, confidentiality agreements, remote working, and security event reporting. The human element that technology alone cannot address.
Physical (14)
Physical security perimeters, entry controls, securing offices and facilities, monitoring, protection against environmental threats, equipment security, secure disposal, clear desk and screen. Defense starts at the building perimeter.
Technological (34)
Endpoint security, privileged access, authentication, malware protection, vulnerability management, logging, monitoring, network security, secure development, data masking, DLP, encryption, and web filtering. The technical controls most security teams focus on.
Control ID | Control Name | Theme
5.1 | Policies for information security (documented and approved by management) | Organizational
6.3 | Information security awareness, education and training | People
7.1 | Physical security perimeters (barriers to prevent unauthorized access) | Physical
8.5 | Secure authentication (multi-factor for sensitive systems) | Technological
8.16 | Monitoring activities (detection of anomalous behavior and events) | Technological
27001 vs 27002 Relationship
ISO 27001 is the certifiable standard -- it defines what an ISMS must include. ISO 27002 is the implementation guide -- it describes how to implement each control. You certify against 27001. You reference 27002 when deciding how to satisfy the Statement of Applicability. Think of 27001 as the blueprint and 27002 as the construction manual.
Slide 7 of 14
Policy Hierarchy
Policies, standards, procedures, guidelines, baselines -- five layers from strategic intent to operational execution.
[Figure: policy hierarchy, strategic at the top, operational at the bottom]
Policies: mandatory, board-approved
Standards: mandatory, specific requirements
Procedures: mandatory, step-by-step instructions
Guidelines: recommended best practices, not mandatory
Baselines: mandatory minimum configuration standards
Policies
High-level statements of management intent. "All employees must use multi-factor authentication for remote access." Approved by the board or senior management. Broad in scope, stable over time, mandatory for all employees.
Standards
Specific, measurable requirements that implement policies. "MFA must use FIDO2-compliant hardware tokens or TOTP with minimum 6-digit codes." Mandatory compliance. Updated more frequently than policies as technology evolves.
Procedures
Step-by-step instructions for performing specific tasks. "To enroll a FIDO2 token: 1) Log into IAM portal. 2) Select Security Keys. 3) Insert token. 4) Follow enrollment wizard." Mandatory for affected personnel. Highly specific and operational.
Guidelines & Baselines
Guidelines are recommended practices -- advisory, not mandatory. "Consider using password managers for non-SSO applications." Baselines are mandatory minimum configurations: "All Windows endpoints must run CIS Benchmark Level 1." Baselines are enforceable; guidelines are not.
Common Mistake
Organizations often confuse policies with procedures. A 200-page document that specifies both "we will protect customer data" and "click File, then Save As, then select Encrypted PDF" is neither a good policy nor a good procedure -- it is an unmaintainable hybrid that no one reads. Keep each layer at its proper level of abstraction.
Slide 8 of 14
Writing Effective Security Policies
Components, approval workflows, review cycles, and the difference between a policy that works and one that gathers dust.
Purpose & Scope
Why does this policy exist? Who does it apply to? A clear purpose statement prevents scope creep and ensures readers know immediately whether the policy applies to them. "This policy applies to all employees, contractors, and third-party users who access company information systems."
Policy Statements
The actual requirements -- clear, unambiguous, and enforceable. Use "must" for mandatory requirements, "should" for recommendations, "may" for discretionary. Avoid vague language like "adequate" or "appropriate" without defining what those mean in context.
Roles & Responsibilities
Who owns this policy? Who enforces it? Who reviews it? Every policy needs an owner (typically a department head or CISO), an enforcement mechanism (HR, IT, management), and designated reviewers. Orphaned policies are dead policies.
Compliance & Enforcement
What happens if someone violates this policy? Consequences must be defined and consistently applied -- from verbal warning to termination. A policy without enforcement is a suggestion. Reference the disciplinary process and exception-handling procedures.
Definitions & References
Define technical terms for non-technical audiences. Reference related policies, standards, and regulatory requirements. Cross-referencing prevents contradictions between policies and ensures readers can find supporting detail.
Review & Revision
Every policy must specify its review cycle -- typically annual or after a significant security event. Include version history, approval dates, and next review date. A policy last reviewed in 2019 has questionable relevance in 2026.
Policy lifecycle:
1. Draft (Author): CISO or policy owner drafts based on risk assessment
2. Review (Stakeholders): Legal, HR, IT, business units review for impact and feasibility
3. Approve (Authority): senior management or board approval based on policy tier
4. Publish (Communicate): distribute, train affected staff, obtain acknowledgment
5. Enforce (Monitor): track compliance, handle exceptions, audit adherence
The Readability Test
If your information security policy cannot be understood by a non-technical manager in five minutes, it will not be followed. The best policies are short (2-5 pages), written in plain language, and focused on a single topic. Detailed technical implementation belongs in standards and procedures -- not in the policy itself.
Slide 9 of 14
Governance Structures
Board committees, CISO reporting lines, steering committees -- the organizational architecture of cybersecurity governance.
[Figure: governance structure]
Board of Directors (Risk Committee, Audit Committee) > CEO > CISO: direct reporting, the stronger path
Board of Directors > CEO > CIO > CISO: the weaker path
Security Steering Committee: cross-functional (Legal, HR, IT, Finance, Business Units), advising the CISO
Board Risk Committee
Oversees enterprise risk management including cyber risk. Reviews risk appetite statements, approves risk treatment plans, and receives quarterly CISO briefings. Since 2023 the SEC's cybersecurity disclosure rules require public companies to describe the board's oversight of cyber risk in their annual reports (the proposed requirement to disclose directors' cyber expertise was dropped from the final rule), and many boards now seat at least one member with cybersecurity expertise to make that oversight credible.
CISO Reporting Line
Where the CISO reports determines their influence. Direct reporting to the CEO gives cybersecurity an executive-level voice. Reporting through the CIO creates a structural conflict of interest: the CIO is measured on availability and delivery, the CISO on risk reduction, and the CIO then arbitrates between the two before the board hears either side.
Steering Committee
Cross-functional body that bridges security and business. Includes representatives from every major business unit, Legal, HR, Finance, and IT. Meets monthly or quarterly to review policy changes, budget requests, risk acceptances, and incident lessons learned. Advisory role -- authority remains with the CISO and board.
Structural Failure Pattern
When the CISO reports to the CIO, who reports to the CFO, who reports to the CEO, cybersecurity is four levels removed from the board. Critical risk decisions get filtered, diluted, or deprioritized. The House Oversight Committee's 2018 report on the Equifax breach (2017) found that the Chief Security Officer reported to the Chief Legal Officer rather than into the IT chain, leaving security and IT siloed: the internal notice to patch the exploited Apache Struts vulnerability was circulated but the responsible system owners never applied it, and the attackers then had access for 76 days before the intrusion was detected.
Slide 10 of 14
Risk Governance
Risk appetite vs tolerance vs capacity -- the risk register and risk treatment decisions that drive governance outcomes.
[Figure: risk spectrum from zero risk to maximum risk]
Risk appetite: the acceptable range
Risk tolerance: the acceptable deviation around the appetite
Risk capacity: the maximum survivable risk
Current risk: where the organization sits today, plotted against all three
Risk Appetite
The amount and type of risk the organization is willing to accept in pursuit of its objectives. Set by the board. "We accept moderate risk of operational disruption but zero tolerance for customer data exposure." Expressed qualitatively or quantitatively in a Risk Appetite Statement.
Risk Tolerance
The acceptable deviation from risk appetite. If risk appetite says "moderate," tolerance defines the boundary. "We will tolerate up to 4 hours of downtime per quarter for non-critical systems." More granular than appetite -- applied at the business unit or system level.
Risk Capacity
The maximum risk the organization can absorb before existential failure. A startup with $2M in revenue cannot survive a $50M breach -- its capacity is far lower than a Fortune 500 company. Capacity is a hard limit. Appetite should never exceed capacity.
Field | Purpose
Risk ID | Unique identifier for tracking and cross-referencing across governance documents
Description | Clear statement of the risk scenario: threat, vulnerability, and potential impact
Likelihood | Probability of occurrence, qualitative (High/Med/Low) or quantitative (annualized rate)
Impact | Business consequence if the risk materializes: financial, reputational, operational, legal
Risk Owner | The individual accountable for monitoring and managing this risk
Treatment | Accept, Mitigate, Transfer (insure), or Avoid, with justification for the decision
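The register fields above, together with the appetite, tolerance and capacity concepts, can be modelled directly so that the checks the board cares about (nothing accepted in a zero-tolerance category, residual exposure measured against appetite and tolerance, appetite never exceeding capacity) run mechanically over the register. The following is an added example written for this deck, not a tool from COBIT, ISO 27001 or any named organization; the register rows, the dollar figures, and the threshold field names (per_risk_ale, tolerance, capacity, zero_tolerance) are constructed assumptions for illustration.

```python
"""Risk register with appetite, tolerance and capacity checks.

Added example for this deck; it is not from COBIT, ISO 27001 or any named
organization. The register rows, dollar figures and the threshold field
names (per_risk_ale, tolerance, capacity, zero_tolerance) are constructed
assumptions for illustration.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Treatment(Enum):
    ACCEPT = "accept"
    MITIGATE = "mitigate"
    TRANSFER = "transfer"   # e.g. cyber insurance
    AVOID = "avoid"         # stop the activity that creates the risk


@dataclass(frozen=True)
class Risk:
    risk_id: str
    description: str
    category: str               # e.g. "customer_data", "operations"
    aro: float                  # likelihood: annualized rate of occurrence
    sle: float                  # impact: single loss expectancy in USD
    owner: str                  # the accountable individual
    treatment: Treatment
    justification: str = ""
    residual_aro: Optional[float] = None   # likelihood after treatment
    residual_sle: Optional[float] = None   # impact after treatment

    @property
    def inherent_ale(self) -> float:
        """Annualized loss expectancy before treatment."""
        return self.aro * self.sle

    @property
    def residual_ale(self) -> float:
        """Annualized loss expectancy after treatment (zero if avoided)."""
        if self.treatment is Treatment.AVOID:
            return 0.0
        aro = self.aro if self.residual_aro is None else self.residual_aro
        sle = self.sle if self.residual_sle is None else self.residual_sle
        return aro * sle


@dataclass(frozen=True)
class RiskAppetite:
    per_risk_ale: float          # board-approved acceptable annual loss per risk
    tolerance: float             # allowed fractional deviation above appetite
    capacity: float              # maximum aggregate annual loss the org survives
    zero_tolerance: frozenset    # categories in which nothing may be accepted

    def tolerance_ceiling(self) -> float:
        return self.per_risk_ale * (1.0 + self.tolerance)


def validate_appetite(appetite: RiskAppetite) -> None:
    """Appetite plus tolerance must never exceed capacity."""
    if appetite.tolerance_ceiling() > appetite.capacity:
        raise ValueError("risk appetite (with tolerance) exceeds risk capacity")


def review_register(register, appetite: RiskAppetite) -> dict:
    """Flag register rows that violate the appetite statement."""
    validate_appetite(appetite)
    findings = []
    for r in register:
        if not r.justification:
            findings.append((r.risk_id, "treatment decision has no justification"))
        if r.category in appetite.zero_tolerance and r.treatment is Treatment.ACCEPT:
            findings.append((r.risk_id, "risk accepted in a zero-tolerance category"))
        if r.residual_ale > appetite.tolerance_ceiling():
            findings.append((r.risk_id, "residual exposure exceeds tolerance; board sign-off required"))
        elif r.residual_ale > appetite.per_risk_ale:
            findings.append((r.risk_id, "residual exposure above appetite but within tolerance; record as exception"))
    aggregate = sum(r.residual_ale for r in register)
    if aggregate > appetite.capacity:
        findings.append(("REGISTER", "aggregate residual exposure exceeds risk capacity"))
    return {"aggregate_residual_ale": aggregate, "findings": findings}


# Constructed appetite statement and register (illustrative figures only).
APPETITE = RiskAppetite(per_risk_ale=100_000, tolerance=0.5, capacity=2_000_000,
                        zero_tolerance=frozenset({"customer_data"}))

REGISTER = [
    Risk("R-001", "Ransomware on file servers", "operations", aro=0.5, sle=400_000,
         owner="Head of IT", treatment=Treatment.MITIGATE,
         justification="Offline backups and EDR deployed", residual_aro=0.1),
    Risk("R-002", "Customer database exposed via misconfigured storage", "customer_data",
         aro=0.2, sle=3_000_000, owner="CISO", treatment=Treatment.ACCEPT,
         justification="Remediation budget deferred to next fiscal year"),
    Risk("R-003", "Third-party SaaS outage", "operations", aro=1.0, sle=500_000,
         owner="COO", treatment=Treatment.TRANSFER, residual_sle=110_000),
    Risk("R-004", "Legacy payments gateway", "payments", aro=0.3, sle=500_000,
         owner="CFO", treatment=Treatment.AVOID, justification="Decommissioned in Q2"),
]

if __name__ == "__main__":
    result = review_register(REGISTER, APPETITE)
    print(f"aggregate residual ALE: ${result['aggregate_residual_ale']:,.0f}")
    for risk_id, message in result["findings"]:
        print(f"{risk_id}: {message}")
```

Running it flags R-002 twice (accepted in a zero-tolerance category, and residual exposure above the tolerance ceiling) and R-003 twice (no justification recorded, and residual exposure above appetite but inside tolerance), while R-001 and R-004 pass. The point of separating appetite from tolerance in code is that the two outcomes route differently: an exception record for the first, a board decision for the second.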
Slide 11 of 14
Governance Metrics
What gets measured gets managed -- compliance rates, policy exceptions, audit findings, and board reporting cadence.
Policy Compliance Rate
Percentage of organizational units compliant with each security policy. Measured through automated scanning (endpoint compliance), manual audits (physical security), and self-attestation (acceptable use). Target: 95%+ for critical policies. Track trends quarterly -- declining compliance signals policy fatigue or enforcement gaps.
Policy Exception Count
Number of active policy exceptions and their risk-adjusted impact. Every exception represents accepted risk. Track: total active exceptions, average exception duration, exceptions by department, exceptions past their expiration date. A rising exception count indicates the policy may be misaligned with operational reality.
Audit Findings
Open audit findings by severity, age, and remediation status. Critical findings open for more than 30 days signal governance failure. Track: total open findings, mean time to remediate (MTTR) by severity, repeat findings (indicates systemic issues), and findings per business unit.
Security Awareness Completion
Percentage of employees who have completed required security training. Regulatory frameworks such as PCI DSS (at least annually), HIPAA, and CMMC mandate periodic security awareness training. Track: completion rate, phishing simulation click rates (behavioral metric), and time-to-completion. Below 90% completion is a compliance risk.
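The four metrics above are simple to state but easy to compute inconsistently (is an exception that expired last week still "active"? does MTTR include findings still open?). The block below pins the definitions down in code. It is an added example written for this deck, not an export from any GRC product; the record shapes, the 30-day critical SLA constant, the reporting date and all sample records are constructed assumptions.

```python
"""Governance KPIs over constructed compliance, exception and audit records.

Added example for this deck, not taken from any tool or standard. Record
shapes, CRITICAL_SLA_DAYS, the reporting date and the sample data are
assumptions; a real program would load these from a GRC or ticketing export.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class ComplianceCheck:
    unit: str          # business unit or system scanned
    policy: str
    compliant: bool


@dataclass(frozen=True)
class PolicyException:
    exception_id: str
    policy: str
    unit: str
    granted: date
    expires: date
    closed: Optional[date] = None   # None while the exception is active


@dataclass(frozen=True)
class AuditFinding:
    finding_id: str
    severity: str      # "critical", "high", "medium", "low"
    unit: str
    control_ref: str   # control the finding was raised against (repeat detection key)
    opened: date
    closed: Optional[date] = None


CRITICAL_SLA_DAYS = 30   # deck: critical findings open longer than this signal governance failure


def compliance_rate(checks, policy: str) -> Optional[float]:
    """Percentage of checked units compliant with one policy (None if never measured)."""
    relevant = [c for c in checks if c.policy == policy]
    if not relevant:
        return None
    return 100.0 * sum(c.compliant for c in relevant) / len(relevant)


def exception_metrics(exceptions, as_of: date) -> dict:
    """Active exceptions, those past their expiry date, mean age, count per unit."""
    active = [e for e in exceptions if e.closed is None or e.closed > as_of]
    past_expiry = sorted(e.exception_id for e in active if e.expires < as_of)
    ages = [(as_of - e.granted).days for e in active]
    return {
        "active": len(active),
        "past_expiry": past_expiry,                       # still open, but expired
        "mean_active_days": (sum(ages) / len(ages)) if ages else 0.0,
        "by_unit": dict(Counter(e.unit for e in active)),
    }


def finding_metrics(findings, as_of: date, sla_days: int = CRITICAL_SLA_DAYS) -> dict:
    """Open findings, overdue criticals, MTTR by severity (closed only), repeat controls."""
    open_findings = [f for f in findings if f.closed is None]
    overdue_critical = sorted(
        f.finding_id for f in open_findings
        if f.severity == "critical" and (as_of - f.opened).days > sla_days
    )
    closed_days = defaultdict(list)
    for f in findings:
        if f.closed is not None:
            closed_days[f.severity].append((f.closed - f.opened).days)
    mttr = {sev: sum(d) / len(d) for sev, d in closed_days.items()}
    repeats = sorted(ref for ref, n in Counter(f.control_ref for f in findings).items() if n > 1)
    return {
        "open_total": len(open_findings),
        "overdue_critical": overdue_critical,
        "mttr_days": mttr,
        "repeat_controls": repeats,                        # same control cited more than once
        "open_by_unit": dict(Counter(f.unit for f in open_findings)),
    }


# Constructed sample records as of a fixed reporting date.
AS_OF = date(2026, 3, 31)

CHECKS = [
    ComplianceCheck("Finance", "MFA-Remote-Access", True),
    ComplianceCheck("HR", "MFA-Remote-Access", True),
    ComplianceCheck("Engineering", "MFA-Remote-Access", True),
    ComplianceCheck("Field-Ops", "MFA-Remote-Access", False),
    ComplianceCheck("Finance", "Endpoint-Baseline", True),
]

EXCEPTIONS = [
    PolicyException("EX-1", "MFA-Remote-Access", "Field-Ops", date(2025, 12, 1), date(2026, 2, 28)),
    PolicyException("EX-2", "Endpoint-Baseline", "HR", date(2026, 2, 15), date(2026, 5, 15)),
    PolicyException("EX-3", "MFA-Remote-Access", "Finance", date(2025, 6, 1), date(2025, 12, 1),
                    closed=date(2025, 11, 30)),
]

FINDINGS = [
    AuditFinding("F-1", "critical", "Field-Ops", "8.16", date(2026, 2, 1)),
    AuditFinding("F-2", "critical", "Finance", "8.5", date(2026, 3, 15)),
    AuditFinding("F-3", "high", "HR", "5.1", date(2026, 1, 10), closed=date(2026, 2, 9)),
    AuditFinding("F-4", "high", "Engineering", "8.8", date(2026, 1, 1), closed=date(2026, 1, 21)),
    AuditFinding("F-5", "medium", "Field-Ops", "8.16", date(2025, 11, 1), closed=date(2025, 12, 1)),
]

if __name__ == "__main__":
    print("MFA compliance %:", compliance_rate(CHECKS, "MFA-Remote-Access"))
    print("exceptions:", exception_metrics(EXCEPTIONS, AS_OF))
    print("findings:", finding_metrics(FINDINGS, AS_OF))
```

With the constructed data the MFA policy sits at 75% (Field-Ops non-compliant), one of the two active exceptions (EX-1) is past its expiry date yet still open, one critical finding (F-1) has breached the 30-day SLA, and control 8.16 appears in two findings for the same unit, which is the repeat-finding signal the deck describes. Note that MTTR is computed only over closed findings; the still-open criticals are reported separately so they cannot drag the average in either direction.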
[Figure: continuous audit lifecycle]
Plan: scope, schedule, audit criteria
Execute: gather evidence, test controls
Report: findings, risk ratings, evidence
Remediate: fix findings, assign owners
Verify: confirm closure, retest controls
Board Reporting
Board members are not cybersecurity experts -- they are fiduciaries. Effective board reporting translates technical metrics into business risk language. Instead of "47 critical CVEs unpatched," report "3 business-critical systems have exploitable vulnerabilities with a combined potential impact of $12M." Include trend data, peer benchmarking, and clear action requests. Frequency: quarterly minimum, with immediate escalation for material incidents.
Slide 12 of 14
Framework Comparison
COBIT vs ISO 27001 vs NIST CSF vs ITIL -- selecting the right governance framework for the right purpose.
Dimension | COBIT 2019 | ISO 27001 | NIST CSF | ITIL 4
Scope | Enterprise IT governance and management | Information security management | Cybersecurity risk management | IT service management
Focus | Business value from IT investments | Risk-based controls for confidentiality, integrity, availability | Govern, Identify, Protect, Detect, Respond, Recover (Govern was added in CSF 2.0, 2024) | Service lifecycle and value streams
Certifiable? | Assessable (capability assessment), no organizational certificate | Yes | No | Yes (individuals only)
Best For | Aligning IT with business strategy | Demonstrating security compliance | Improving and communicating cyber risk posture | Optimizing IT service delivery
Frameworks are complementary, not competing: most enterprises use two or more.
Layering Strategy
Use COBIT for enterprise IT governance alignment with business strategy. Layer ISO 27001 for a certifiable ISMS. Adopt NIST CSF for cybersecurity risk management communication. Use ITIL for operational service delivery. Each addresses a different governance need -- they are complementary, not competing.
Selection Criteria
Choose based on: regulatory requirements (some mandate specific frameworks), industry norms (healthcare favors NIST, finance favors COBIT), customer expectations (B2B SaaS clients demand ISO 27001 certification), organizational maturity (NIST CSF tiers help immature organizations start), and geographic scope (ISO is global, NIST is US-centric but widely adopted).
Mapping Across Frameworks
NIST publishes informative references and crosswalks between the CSF and ISO 27001, COBIT, and other frameworks. This allows organizations to demonstrate compliance with multiple frameworks simultaneously without duplicating effort. A single control implementation can satisfy COBIT APO13, ISO 27001 A.8.5, and NIST CSF PR.AC-7 (the CSF 1.1 identifier; PR.AA-03 in CSF 2.0) -- but only if the governance structure explicitly maps and tracks these relationships.
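The "only if the governance structure explicitly maps and tracks these relationships" caveat is where crosswalks fail in practice: a control that is implemented but never mapped shows up as a gap in every audit that did not happen to use its home framework. The block below is an added example written for this deck, not an official NIST, ISACA or ISO crosswalk. The internal control identifiers (CTL-*) and the references each is mapped to are constructed assumptions; the framework identifiers themselves are real (ISO/IEC 27001:2022 Annex A, NIST CSF 1.1, COBIT 2019), and REQUIRED is a small illustrative audit scope rather than a full catalogue.

```python
"""Control crosswalk: one implemented control evidencing several frameworks.

Added example for this deck, not an official NIST/ISACA/ISO crosswalk. The
CTL-* identifiers and their mappings are constructed assumptions; the
framework references are real identifiers. REQUIRED is an illustrative
audit scope, not a complete catalogue.
"""
from collections import defaultdict

# Internal control -> references in each framework the organization reports against.
CONTROLS = {
    "CTL-IAM-02": {"title": "MFA for remote access",
                   "refs": {"COBIT": {"APO13"}, "ISO27001": {"A.8.5"}, "NIST_CSF": {"PR.AC-7"}}},
    "CTL-LOG-01": {"title": "Central log collection and monitoring",
                   "refs": {"COBIT": {"DSS05"}, "ISO27001": {"A.8.15", "A.8.16"},
                            "NIST_CSF": {"DE.CM-1"}}},
    "CTL-POL-01": {"title": "Approved information security policy set",
                   "refs": {"COBIT": {"APO01"}, "ISO27001": {"A.5.1"}, "NIST_CSF": {"ID.GV-1"}}},
    # Implemented, but only ever mapped to ISO: a tracking gap, not a control gap.
    "CTL-HR-03": {"title": "Annual security awareness training",
                  "refs": {"ISO27001": {"A.6.3"}}},
}

# Constructed audit scope per framework (a handful of references, for illustration).
REQUIRED = {
    "COBIT": {"APO01", "APO12", "APO13", "DSS05"},
    "ISO27001": {"A.5.1", "A.6.3", "A.8.5", "A.8.15", "A.8.16"},
    "NIST_CSF": {"ID.GV-1", "PR.AC-7", "PR.AT-1", "DE.CM-1"},
}


def implemented_refs(controls):
    """All framework references that at least one implemented control maps to."""
    refs = defaultdict(set)
    for control in controls.values():
        for framework, ids in control["refs"].items():
            refs[framework] |= ids
    return refs


def coverage(controls, required):
    """Per framework: percent of required references evidenced, and the gaps."""
    have = implemented_refs(controls)
    report = {}
    for framework, wanted in required.items():
        covered = wanted & have.get(framework, set())
        report[framework] = {
            "percent": round(100.0 * len(covered) / len(wanted), 1),
            "gaps": sorted(wanted - covered),
        }
    return report


def evidence_for(controls, framework, ref):
    """Internal controls an auditor can be shown for one framework reference."""
    return sorted(cid for cid, c in controls.items() if ref in c["refs"].get(framework, set()))


def unmapped(controls, frameworks):
    """Controls with no mapping at all to a framework the organization reports against."""
    result = {}
    for cid, c in controls.items():
        missing = sorted(fw for fw in frameworks if fw not in c["refs"])
        if missing:
            result[cid] = missing
    return result


if __name__ == "__main__":
    for framework, row in coverage(CONTROLS, REQUIRED).items():
        print(f"{framework}: {row['percent']}% covered, gaps {row['gaps']}")
    print("evidence for ISO A.8.16:", evidence_for(CONTROLS, "ISO27001", "A.8.16"))
    print("mapping gaps:", unmapped(CONTROLS, REQUIRED))
```

With the constructed data ISO 27001 reads 100% covered while NIST CSF reports PR.AT-1 (awareness training) as a gap, even though the training control exists. The unmapped() check exposes that the gap is in the mapping of CTL-HR-03, not in the control set, which is exactly the bookkeeping the crosswalk has to carry. COBIT's APO12 gap, by contrast, is a genuine one in this sample: no control maps to it.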
Slide 13 of 14
Key Takeaways
Cybersecurity governance distilled into policy-actionable principles.
1 Cybersecurity governance is a board-level responsibility, not an IT function. It provides direction, oversight, and accountability for how the organization manages cyber risk. Without governance, security tools exist without strategy.
2 Corporate, IT, and cybersecurity governance are nested layers. Cybersecurity governance operates within -- and must align with -- the broader IT and corporate governance structures. Misalignment creates policy conflicts and resource competition.
3 COBIT 2019 connects IT governance to business value through 40 governance and management objectives. Its strength is bridging the gap between what the board cares about and what IT delivers. APO13 specifically addresses security management.
4 ISO 27001 provides a certifiable ISMS built on the Plan-Do-Check-Act cycle. ISO 27002 supplies the 93 controls across four themes -- organizational, people, physical, and technological -- that implement the ISMS requirements.
5 The policy hierarchy -- policies, standards, procedures, guidelines, baselines -- keeps each document at the correct level of abstraction. Policies declare intent. Standards specify requirements. Procedures describe execution. Mixing levels produces unreadable, unmaintainable documents.
6 Effective security policies require clear purpose, enforceable language, defined ownership, compliance mechanisms, and mandatory review cycles. A policy without enforcement is a suggestion. A policy without review is obsolete.
7 CISO reporting structure determines governance effectiveness. Direct-to-CEO reporting gives cybersecurity executive voice. Burying the CISO under the CIO creates structural conflicts between availability and security priorities.
8 Risk appetite, tolerance, and capacity are distinct governance concepts. Appetite is what you are willing to accept. Tolerance is the acceptable deviation. Capacity is the maximum you can survive. The risk register operationalizes all three.
9 Governance metrics translate security operations into board-level language. Compliance rates, exception counts, audit findings, and training completion rates are the KPIs that demonstrate whether governance is working -- or failing.
10 COBIT, ISO 27001, NIST CSF, and ITIL are complementary frameworks. Most mature organizations layer multiple frameworks -- using crosswalks to satisfy multiple compliance requirements from a single set of implemented controls.
What Comes Next
Governance provides the structure within which all cybersecurity decisions are made. The frameworks, policies, and metrics covered in this deck are the foundation for every regulatory compliance effort, risk management decision, and incident response plan you will encounter. In the next module, you will apply these governance principles to specific regulatory frameworks -- examining how HIPAA, PCI-DSS, and GDPR translate governance intent into enforceable requirements.
Slide 14 of 14 | Complete
Cybersecurity Governance -- 14 slides | CIS2208 Cybersecurity Policy | Week 3