Exercises: Security Governance
These exercises move from the vocabulary of governance to the judgment of designing it. Difficulty is marked ⭐ (recall/application), ⭐⭐ (analysis), and ⭐⭐⭐ (synthesis/open-ended). A dagger (†) marks problems with a full worked solution in Appendix: Answers to Selected Exercises — try every problem before you read one.
Work in your own notebook or a private repository. Where an exercise asks you to draft a policy, build a RACI, or design a structure, there is rarely one perfect answer; the reasoning and the form matter more than the exact words. Throughout, "Meridian" refers to the running bank from Chapter 1.
Part A — The document hierarchy ⭐
1.† In one sentence each, define policy, standard, procedure, and guideline, then state the single property that distinguishes a guideline from the other three.
2. Classify each as policy, standard, procedure, or guideline: (a) "All TLS connections must use TLS 1.2 or higher with an approved cipher suite." (b) "Meridian safeguards customer information in accordance with applicable law and its risk appetite." (c) "To onboard a new vendor: send the security questionnaire, score the responses, file the result in the GRC tool, and route to the risk owner for approval." (d) "Teams are encouraged to enable two-person review on production changes where practical." (e) "Privileged accounts are reviewed at least quarterly." (f) "When selecting a logging format, prefer structured JSON to ease parsing."
3. For each pair, identify which document tier each belongs to and explain why one must sit beneath the other in the hierarchy: (a) "Encrypt data at rest" vs. "Use AES-256 with keys stored in the cloud KMS"; (b) "Review access quarterly" vs. "Step 1: export entitlements; Step 2: …".
4.† Define control owner and explain, with a Meridian example, why the control owner is not always the person who performs the control. Why does accountability not delegate the way work does?
5. Give two reasons the specific value "AES-256" belongs in a standard rather than in the parent policy. What would go wrong operationally if it lived in the policy instead?
6. A program has a policy ("monitor privileged activity") but no standard beneath it and no procedure. Describe the two distinct failure modes this creates — one an auditor would catch, one an attacker would exploit.
Part B — Frameworks & governance concepts ⭐⭐
7.† Name the six Functions of NIST CSF 2.0. Which one is new relative to CSF 1.1, and why does its addition matter specifically for governance?
8. Contrast NIST CSF 2.0 with ISO/IEC 27001 along three dimensions of your choosing (e.g., voluntary vs. certifiable, scope, organizing idea). Then name one concrete situation where you would reach for each.
9. Explain the difference between governance and management (operation). For each of the following Meridian activities, label it governance or management: (a) the board approves the Information Security Policy; (b) Sam configures firewalls to the network standard; (c) the board sets the risk appetite; (d) Marcus tunes a SIEM correlation rule; (e) Dana reports program risk to the Audit Committee.
10.† A vendor's sales rep claims their GRC platform will "give you governance out of the box." Using the theme security is a process, not a product, write a three-sentence rebuttal explaining what the platform can and cannot provide.
11. Why is "we adopted NIST CSF" not the same as "we are secure"? Connect your answer to the theme compliance is the floor, not the ceiling.
Part C — Build a RACI ⭐⭐
12.† Build a RACI. For the activity "approve and publish a new security standard," assign RACI letters across these roles: Board, CISO, GRC Analyst, Security Engineer, affected System Owner. State your reasoning for the single A and for who is Consulted versus merely Informed.
13. Here is a flawed RACI row. Identify every rule it violates and fix it.
Activity: Run the quarterly access review
Board: A CISO: A GRC: C Engineer: I IAM Lead: C
14.† Build a RACI for the activity "accept a residual-risk exception to the hardening standard" (a legacy system that cannot meet the baseline). Include: Board, CISO, GRC Analyst, the System Owner who wants the exception, and the Security Engineer. Explain why the System Owner shares Responsibility and why the CISO is Accountable.
15. Explain the two cardinal RACI rules (exactly one A; at least one R per row) and, for each, give a concrete example of the control failure that occurs when the rule is broken.
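The two cardinal rules in exercise 15 (and the flawed row in exercise 13) are mechanical enough to check automatically. The checker below is an added example, not code from the chapter; the role names and the sample matrix it runs over are constructed for illustration, and the function names check_raci_row and check_raci are assumptions of this example.

```python
# RACI row checker for the two cardinal rules the chapter states:
# exactly one Accountable (A) per activity, and at least one Responsible (R).
# Added example; this is not code from the chapter. Role names and the sample
# matrix below are constructed for illustration.
from collections import Counter

VALID_LETTERS = {"R", "A", "C", "I"}


def check_raci_row(activity, assignments):
    """Return the rule violations for one row; an empty list means it is well-formed.

    assignments maps role name -> RACI letter, e.g. {"CISO": "A", "GRC Analyst": "R"}.
    """
    problems = []
    counts = Counter()
    for role, letter in assignments.items():
        letter = letter.strip().upper()
        if letter not in VALID_LETTERS:
            problems.append(f"{activity}: role '{role}' has an unknown letter '{letter}'")
            continue
        counts[letter] += 1

    # Rule 1: exactly one A. Zero means no one owns the outcome; more than one
    # means accountability is shared, which in practice means it is nobody's.
    if counts["A"] == 0:
        problems.append(f"{activity}: no Accountable role (nobody owns the outcome)")
    elif counts["A"] > 1:
        problems.append(f"{activity}: {counts['A']} Accountable roles (accountability cannot be shared)")

    # Rule 2: at least one R. Without it the activity is owned but never performed.
    if counts["R"] == 0:
        problems.append(f"{activity}: no Responsible role (nobody is assigned to do the work)")
    return problems


def check_raci(matrix):
    """Check every row of a RACI matrix; return {activity: [problems]} for failing rows only."""
    failures = {}
    for activity, assignments in matrix.items():
        problems = check_raci_row(activity, assignments)
        if problems:
            failures[activity] = problems
    return failures


# Constructed sample matrix: one sound row and two that each break a rule.
SAMPLE_RACI = {
    "Approve and publish a new security standard": {
        "Board": "I", "CISO": "A", "GRC Analyst": "R",
        "Security Engineer": "C", "System Owner": "C",
    },
    "Approve firewall rule changes": {          # two A's and no R
        "CISO": "A", "Network Lead": "A", "Security Engineer": "C",
    },
    "Maintain the asset inventory": {           # R's but no A
        "GRC Analyst": "R", "Security Engineer": "R", "CISO": "I",
    },
}

if __name__ == "__main__":
    for activity, problems in check_raci(SAMPLE_RACI).items():
        for p in problems:
            print(p)
```

Run it against your own answers to exercises 12 and 14 after you have built them by hand; the checker only enforces the two structural rules, and says nothing about whether you picked the right role to be Accountable.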
Part D — Write the policy / standard ⭐⭐–⭐⭐⭐
16.† Write the policy. Draft the opening clause (3–5 sentences) of Meridian's Information Security Policy: its purpose, scope, and a statement of authority/management commitment. Keep it technology-neutral — if changing a vendor or version would require editing it, you have written it wrong.
17. Write the standard. The Information Security Policy says "remote access must be appropriately authenticated." Write three to five testable requirements for the Remote Access Standard that implement it. Each must be specific enough that an auditor could verify pass/fail.
18. Write the policy. Draft a one-paragraph Acceptable Use Policy statement covering the use of bank email and internet access. Mark which sentences are genuinely policy-tier and which you were tempted to write but belong in a standard or procedure instead.
19.† Rewrite this "policy" so that the durable intent stays in the policy and the operational specifics move to the correct lower tier. Identify which tier each moved sentence belongs to.
"Information Security Policy: Users must press Win+L to lock their screens before leaving their desks. Passwords must be exactly 12 characters and changed every 90 days. Antivirus must be CrowdStrike Falcon version 7 or higher. Meridian protects information assets."
20. ⭐⭐⭐ Design the governance. A 30-person fintech startup has no policies at all. Design the minimum coherent policy set (name the apex policy plus 4–6 topic policies) that covers its risk without over-documenting. For each, name the owner and the CSF Function it maps to. Justify why you stopped where you did rather than adding more.
Part E — Map controls to a framework ⭐⭐
21.† Map controls to a framework. You are given Meridian controls and a slice of CSF Functions. Match each control to the Function it best satisfies, then name which Function is left with no control (the gap).
Controls:
- Asset inventory (Ch.1)
- Phishing-resistant MFA (Ch.16)
- Centralized SIEM (Ch.21)
- IR plan + playbooks (Ch.24)
- (no governance roles defined)
CSF Functions (slice):
- GOVERN (roles, policy, oversight)
- IDENTIFY (assets, risk)
- PROTECT (safeguards)
- DETECT (find anomalies)
- RESPOND (act on incidents)
22. Using the policy_coverage logic from this chapter's checkpoint, suppose the control set covers framework items {PR.AA, DE.CM, RS.MA} and the framework requires [GV.RR, ID.AM, PR.AA, DE.CM, RS.MA]. By hand, list the covered items, the gaps, and the coverage percentage (one decimal place).
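To check your hand calculation afterwards, here is an added example that reimplements the coverage idea from the checkpoint; it is not the chapter's own policy_coverage code. It uses a constructed control set and framework list (real CSF 2.0 category IDs, chosen here as sample data) rather than the exercise's, and the function name and return shape are assumptions of this example.

```python
# Framework coverage calculator: which required items the controls cover,
# which are gaps, and the percentage. Added example, not the chapter's own
# checkpoint code; sample data below is constructed.

def policy_coverage(controls, framework):
    """Compare framework item IDs that controls map to against the required list.

    controls:  set of item IDs that at least one control satisfies
    framework: list of item IDs the framework requires (order is preserved)

    Returns covered items and gaps in framework order, control mappings that
    point at nothing the framework requires, and the percentage rounded to one
    decimal place. An empty framework yields 0.0 instead of a division error.
    """
    required = list(dict.fromkeys(framework))      # drop duplicates, keep order
    covered = [item for item in required if item in controls]
    gaps = [item for item in required if item not in controls]
    unmapped = sorted(set(controls) - set(required))
    pct = round(100.0 * len(covered) / len(required), 1) if required else 0.0
    return {"covered": covered, "gaps": gaps, "unmapped": unmapped, "coverage_pct": pct}


def coverage_report(controls, framework):
    """Render the result as the lines an auditor would want to see."""
    r = policy_coverage(controls, framework)
    lines = [f"Coverage: {r['coverage_pct']}% ({len(r['covered'])}/{len(r['covered']) + len(r['gaps'])})"]
    lines.append("Covered: " + ", ".join(r["covered"]))
    lines.append("Gaps:    " + (", ".join(r["gaps"]) or "none"))
    if r["unmapped"]:
        lines.append("Mapped but not required here: " + ", ".join(r["unmapped"]))
    return "\n".join(lines)


# Constructed sample: four mapped items, one of which (PR.DS) the slice does not ask for.
SAMPLE_CONTROLS = {"GV.RR", "PR.AA", "DE.CM", "PR.DS"}
SAMPLE_FRAMEWORK = ["GV.RR", "ID.AM", "PR.AA", "DE.CM", "RS.MA", "RC.RP"]

if __name__ == "__main__":
    print(coverage_report(SAMPLE_CONTROLS, SAMPLE_FRAMEWORK))
```

Note that the percentage counts documents mapped to framework items, which is exactly what exercise 23 asks you to think about: a mapped item says a control exists on paper, not that it is owned, reviewed, or working.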
23.† A program scores 100% coverage on a framework slice, yet is breached the next month. Explain how both facts can be simultaneously true, and what coverage does and does not measure.
Part F — Analyze this (governance failures) ⭐⭐
24.† Analyze this. An examiner reviews Meridian's patching standard and finds: last reviewed 41 months ago; still permits a patch SLA of "within 180 days for critical vulnerabilities"; owner field reads "Security Team." Identify three separate governance defects and the lifecycle stage each one maps to. Which defect would an attacker most directly benefit from?
25. Analyze this. A new analyst finds two Meridian documents that contradict each other: the Data Classification Policy says "Confidential data may be stored in approved cloud services," while a three-year-old Cloud Usage Standard says "No bank data may be stored in any cloud service." Explain the root governance failure, which document should win, and the process that should have prevented this.
26. Respond to this. A business unit tells you, "We're just going to ignore the new MFA standard because our legacy trading terminal can't support it." You have no exception process. Walk through, in steps, how you convert this silent violation into a governed, tracked, time-boxed accepted risk. What compensating controls might you require?
Part G — CTF-style challenge ⭐⭐⭐
27.† The phantom control. During an audit, Meridian proudly presents a "Vendor Offboarding Procedure" as evidence that departed-vendor access is promptly revoked. The auditor asks four questions: (1) Who is the named owner? (2) When was it last reviewed? (3) Show me the last three times it was executed, with evidence. (4) Show me the standard and policy it implements. Meridian can answer none of the four. Diagnose precisely what is wrong — is the document the problem, or the governance around it? — and write the minimum set of fixes that would turn this phantom control into a real one. (Hint: the document may be fine; revisit every stage of the lifecycle and every RACI letter.)
Part H — Interleaved & forward-looking ⭐⭐
28. (Interleaved with Ch.3.) Governance assigns roles to enforce separation of duties. Take the Meridian wire-transfer dual-control example and express it across all four document tiers: what would the policy, standard, procedure, and a relevant guideline each say?
29. (Interleaved with Ch.1.) Map the five rows of Meridian's first risk register (Chapter 1's case study: credential attack, orphaned accounts, weak CDE segmentation, untested backups, guest WiFi) to the policies in §26.6 that would govern each. Which risk reveals a policy that was missing from your map?
30. ⭐⭐⭐ (Forward-looking to Ch.27.) This chapter introduced risk appetite as a board decision. Write two sentences predicting how a stated risk appetite (e.g., "near-zero tolerance for customer-funds integrity risk; moderate tolerance for internal-efficiency risk") would change the thresholds you write into a standard. Revisit this after Chapter 27.
31. (Interleaved with Ch.24.) Chapter 24 produced an IR plan and playbooks. In the §26.6 hierarchy, are those policies, standards, or procedures? Justify the classification and name the parent policy they sit beneath.
Part I — Open reflection ⭐⭐⭐
32. The chapter argues a control you cannot point to in a document, attach to an owner, and show a review date for "is not a control you actually have." Find one real control in your own life or organization that fails this test (something you do but have never written down or assigned). What would it take to govern it, and is governing it worth the cost? (Sometimes the honest answer is no — say so and explain.)
33. ⭐⭐⭐ Some practitioners deride governance as "paperwork that doesn't stop attackers." Steelman that view in a paragraph, then rebut it using at least two specific failures from this chapter where the absence of governance — not a missing tool — was the root cause of a breach or finding.
Solutions to daggered (†) problems are in the Answers appendix. The remaining problems are deliberately open — bring them to a study group or your instructor.