Quiz: Security Governance

A 26-question self-check covering the document hierarchy, frameworks, roles and RACI, and the policy lifecycle. Several questions are tagged with the certification domain they map to — [Sec+] for CompTIA Security+ and [CISSP] for the (ISC)² CISSP — so certification candidates can self-assess. Answers and one-line explanations are at the end; try the whole quiz before checking.


Section 1 — Multiple choice (1 pt each)

1. [Sec+] A high-level, mandatory statement of management intent that is deliberately technology-neutral and approved at a senior level is a: A. standard B. procedure C. policy D. guideline

2. [Sec+] Which governance document is the only one that is not mandatory? A. policy B. standard C. procedure D. guideline

3. "All passwords must be at least 14 characters and checked against a breach corpus" is an example of a: A. policy B. standard C. procedure D. guideline

4. [CISSP] Setting organizational direction and providing oversight, as distinct from executing within that direction, defines: A. management B. governance C. operations D. administration

5. [Sec+] In a RACI matrix, how many roles should be marked Accountable for a single task? A. zero B. exactly one C. at least two D. as many as are involved

6. Which was newly added as a top-level Function in NIST CSF 2.0 relative to CSF 1.1? A. Identify B. Detect C. Govern D. Recover

7. [CISSP] ISO/IEC 27001 is best described as: A. a U.S. voluntary outcome framework B. a certifiable international standard for an information security management system C. a catalog of web-application vulnerabilities D. a U.S. federal regulation

8. The named individual accountable for ensuring that a specific control is designed, operated, and remains effective — not necessarily the person who performs it — is the: A. data owner B. system administrator C. control owner D. auditor

9. [Sec+] Which lifecycle stage is most commonly neglected and is where stale documents originate? A. draft B. approve C. review & maintain D. publish

10. A foundational, board- or CEO-approved document that establishes the security program's authority, scope, mandate, and reporting lines is the: A. acceptable use policy B. security charter C. risk register D. statement of applicability

11. [CISSP] The amount and type of risk an organization is willing to accept in pursuit of its objectives, set by the board, is its: A. residual risk B. risk appetite C. risk register D. attack surface

12. Achieving framework coverage through a few broad policies (with detail pushed into standards and procedures) rather than a separate policy per topic is preferred mainly because it: A. looks more impressive to auditors B. reduces the maintenance/review burden and orphaned documents C. is required by ISO 27001 D. eliminates the need for procedures

13. [Sec+] Which document would specify the exact step-by-step instructions to disable a departed employee's accounts? A. policy B. standard C. procedure D. guideline

14. The most dangerous governance gap is usually: A. a missing guideline B. a policy with no standard beneath it (intent with no teeth) C. too many procedures D. an extra review cycle


Section 2 — True / False with justification (1 pt each)

For each, mark T or F and give a one-sentence reason.

15. "A guideline is a mandatory requirement that must be enforced like a standard."

16. [Sec+] "Adopting the NIST Cybersecurity Framework means an organization is secure."

17. "A policy that has been drafted but not formally approved is still binding on employees."

18. "The person who performs a control must always be the same person who is accountable for it."

19. [CISSP] "A program that forbids all policy exceptions is more secure than one with a governed exception process."

20. "Because the board sets risk appetite and approves policy, governance is the board's job and management merely executes it."


Section 3 — Fill in the blank (1 pt each)

21. From most abstract to most specific, the mandatory governance documents are policy, ____, and ____; the one non-mandatory tier is the ____.

22. [Sec+] The six NIST CSF 2.0 Functions are Govern, ____, Protect, ____, Respond, and Recover.

23. In a RACI matrix, the four letters stand for Responsible, ____, Consulted, and ____.


Section 4 — Short answer (2 pts each)

24. [CISSP] Explain why governance is what lets a security program scale and survive turnover, using the distinction between a documented, owned control and an undocumented habit.

25. A standard at Meridian was last reviewed four years ago and still permits an obsolete cipher. Explain how this single stale document simultaneously harms (a) the auditor's view of the program, (b) the organization's actual security, and (c) the organization's own defenders.

26. [Sec+] Distinguish a control owner from a data owner or a system administrator, and explain what the examiner's question "who owns this control and when was it last reviewed?" is really testing.


Answer Key

1. **C** — high-level, mandatory, technology-neutral, senior-approved = policy.
2. **D** — a guideline is recommended, not mandatory.
3. **B** — specific, testable, threshold-bearing = standard.
4. **B** — direction-setting + oversight = governance (vs. management/operations, which execute).
5. **B** — exactly one Accountable per task; zero or more than one breaks accountability.
6. **C** — Govern is the new sixth Function in CSF 2.0.
7. **B** — ISO/IEC 27001 is a certifiable international ISMS standard.
8. **C** — control owner (accountable for the control, not necessarily its operator).
9. **C** — review & maintain is the routinely skipped stage where staleness sets in.
10. **B** — the security charter grants the program its authority and scope.
11. **B** — risk appetite (board-set).
12. **B** — fewer documents means less to keep current and fewer orphans (coverage via hierarchy, not proliferation).
13. **C** — step-by-step task instructions = procedure.
14. **B** — a policy with no implementing standard is unenforceable intent; that gap (or a standard with no procedure) is the dangerous one.
15. **F** — a guideline is *recommended*, not mandatory; that is precisely what distinguishes it.
16. **F** — a framework organizes the program around outcomes; adopting it is not evidence that controls exist or work (compliance is the floor, not the ceiling).
17. **F** — an unapproved draft is not binding; approval at the right level is what makes a policy binding.
18. **F** — work delegates but accountability does not; the *Accountable* owner can differ from the *Responsible* performer.
19. **F** — forbidding all exceptions causes silent, untracked violations when reality cannot comply; a governed exception is a tracked, time-boxed, accepted residual risk and is more secure.
20. **F (mostly)** — the board *governs* (oversight, policy approval, appetite) and management *executes*, but management still *governs within its scope* (CISOs set standards, own program accountability); governance is layered, not solely the board's.
21. standard; procedure; guideline.
22. Identify; Detect.
23. Accountable; Informed.
24. A documented, owned control has a parent, a purpose, an owner, and a review date, so it survives the departure of whoever built it and applies automatically to everyone; an undocumented habit lives only in a person's head and leaves when they do. Governance is the conversion of habits into durable, ownable, scalable rules.
25. (a) The auditor sees an unreviewed document that still permits something obsolete and raises a finding, doubting the currency of the whole program; (b) the obsolete cipher the stale standard still blesses is a real, exploitable weakness; (c) defenders enforcing the old standard enforce the *wrong* thing, permitting what is now dangerous and possibly blocking what is now safe.
26. The *control owner* is accountable for a control's design, operation, and effectiveness; a *data owner* is accountable for a data set's classification and protection decisions; a *system administrator* operates a system day-to-day. The examiner's question tests **accountability and currency**: that a single named role answers for the control (governed, not orphaned) and that it has not gone stale (a tracked review date).

**Topics to review by question:**

- missed 1–3, 13, 21 → §26.2
- 4, 20, 24 → §26.1
- 5, 23 (RACI), 8, 10, 26 → §26.4
- 6, 7, 16, 22 → §26.3
- 9, 17, 25 → §26.5
- 11, 19 → §26.4–26.5
- 12, 14 → §26.2, §26.6
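The checks behind answers 5, 9 and 26 (exactly one Accountable role per control, a named performer, and a review date inside the cadence) are simple enough to automate over a control register, and doing so is how a program finds orphaned and stale controls before an auditor does. The script below is an added example, not part of the original quiz or any tool it references; the control IDs, role names, review cadence and dates are constructed for illustration.

```python
# Added example (not from the original page): lint a control register for the
# governance gaps answers 5, 9 and 26 describe. Every control must have exactly
# one Accountable role (its owner), at least one Responsible role, and a review
# date inside the review cadence. Register contents below are constructed.
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

REVIEW_CADENCE_DAYS = 365          # assumed annual review cycle; set per policy
AUDIT_DATE = date(2025, 9, 1)      # constructed "today" for the sample run


@dataclass
class Control:
    control_id: str
    title: str
    raci: Dict[str, str]            # role -> letters drawn from "RACI", e.g. "AR"
    last_reviewed: Optional[date]   # None means no review has been recorded


def roles_with(control: Control, letter: str) -> List[str]:
    """Roles whose RACI assignment for this control contains the given letter."""
    return [role for role, letters in control.raci.items() if letter in letters]


def is_stale(last_reviewed: Optional[date], today: date,
             cadence_days: int = REVIEW_CADENCE_DAYS) -> bool:
    """True when no review is recorded or the last review is older than the cadence."""
    if last_reviewed is None:
        return True
    return (today - last_reviewed).days > cadence_days


def find_gaps(controls: List[Control], today: date) -> List[Tuple[str, str]]:
    """Return (control_id, finding) pairs; an empty list means the register passes."""
    findings: List[Tuple[str, str]] = []
    for c in controls:
        accountable = roles_with(c, "A")
        if not accountable:
            findings.append((c.control_id, "no Accountable role: orphaned control"))
        elif len(accountable) > 1:
            findings.append((c.control_id,
                             f"{len(accountable)} Accountable roles "
                             f"({', '.join(accountable)}); RACI allows exactly one"))
        if not roles_with(c, "R"):
            findings.append((c.control_id, "no Responsible role: nobody performs it"))
        if c.last_reviewed is None:
            findings.append((c.control_id, "no review date recorded"))
        elif is_stale(c.last_reviewed, today):
            age = (today - c.last_reviewed).days
            findings.append((c.control_id,
                             f"stale: last reviewed {age} days ago, "
                             f"cadence is {REVIEW_CADENCE_DAYS} days"))
    return findings


# Constructed register: one healthy control and two with governance gaps.
REGISTER = [
    Control("AC-02", "Disable departed employees' accounts",
            {"IAM lead": "A", "Service desk": "R", "HR": "C", "Line manager": "I"},
            date(2025, 3, 1)),
    Control("CR-01", "Approved cipher standard",
            {"Security architect": "R"},          # nobody is Accountable
            date(2021, 6, 1)),                    # four years without review
    Control("PW-01", "Password standard",
            {"CISO": "A", "IAM lead": "AR"},      # two Accountable roles
            None),                                # never reviewed
]

if __name__ == "__main__":
    for control_id, finding in find_gaps(REGISTER, AUDIT_DATE):
        print(f"{control_id}: {finding}")
```

Run as written, the healthy control produces nothing, while CR-01 is flagged as both orphaned and stale and PW-01 for having two Accountable roles and no review date. Feeding the same check a real register export (CSV from a GRC tool, for instance) turns "who owns this control and when was it last reviewed?" from an exam question into a recurring job.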