Domain 1 of 5 · Chapter 5 of 5

Governance

Unlock the complete study guide + 1,040 practice questions across 16 full exams.

Bundled into the existing Certified in Cybersecurity premium course — no separate purchase.

Included in this chapter:

  • The governance document hierarchy
  • Mandatory versus discretionary, and reading the type from a scenario
  • Internal versus external: regulations, laws, and exam patterns

The governance document types: who writes them and whether they bind

AttributePolicyStandardProcedureGuidelineRegulation / Law
SourceInternal (leadership)InternalInternalInternalExternal (government)
Mandatory?YesYesYesNo (discretionary)Yes (legally binding)
Level of detailHigh-level, broadSpecific setting/parameterStep-by-stepRecommended practiceVaries, externally set
Answers which questionWhy / what (intent)Exactly whichHow (steps)What we suggestWhat the law requires
ExampleAcceptable use intentMin 12-char passwordsAccount-offboarding stepsRecommended hardening tipsHIPAA, GDPR

Decision tree

Imposed from outsideby a government?YesRegulation / Lawexternal, mandatory (HIPAA, GDPR)No (internal)Broad management intent?no mechanics namedYesPolicyhigh-level intent, mandatoryNoPrecise required setting?exact value, version, productYesStandardspecific value, mandatoryNoOrdered step-by-step?numbered how-toYesProcedurestep-by-step, mandatoryNo (recommended / optional)Guidelinediscretionary: adapt or skipAlways: policy, standard, and procedure bind; only the guideline is optionalPCI DSS is a contractual industry standard, not a government law

Cheat sheet

  • Governance is leadership setting direction in writing
  • Policies, standards, and procedures are mandatory; only guidelines are discretionary
  • A policy is high-level intent, broad and rarely changing
  • A standard names the exact required setting
  • A procedure is the ordered step-by-step how-to
  • A guideline is recommended practice, not a requirement
  • Identify the document type by how general or specific it is
  • The hierarchy runs policy then standard then procedure, with guidelines advising
  • Regulations and laws are external and mandatory, written by governments
  • HIPAA and GDPR are laws a CC candidate should recognize by name
  • PCI DSS is a contractual industry standard, not a government law
  • Accountability cannot be delegated, only the work can
  • Governance is about documents, not about choosing individual controls
  • Classify a mixed document or system at the highest sensitivity level present
  • The data owner sets classification and access; the custodian implements the controls
  • Higher classification levels demand stronger controls, so classify to prioritize protection
  • GDPR gives data subjects rights like erasure and requires 72-hour breach notice
  • Review security policies at least annually and when significant changes occur

Unlock with Premium — includes all practice exams and the complete study guide.

Also tested in

References

  1. https://csrc.nist.gov/pubs/sp/800/12/r1/final
  2. https://www.pcisecuritystandards.org/standards/pci-dss/
  3. https://www.nist.gov/cyberframework