Part VI: Governance, Risk, and Compliance
"Compliance is the floor, not the ceiling. Passing the audit is the minimum, not the goal."
For five parts you have built controls — firewalls, hardening baselines, identity, detection, response. Part VI asks the questions that turn a pile of controls into a program: Who decided these were the right controls? How do we know they address our actual risks? How do we prove it to a regulator? What about the risk we inherited from a vendor we don't control? And how do we get the one thing no tool can buy — a workforce that does not click the link? This is the part where security stops being a technical activity and becomes an organizational one. It is the spine that holds the rest upright, and at a regulated institution like Meridian it is not optional — it is examined.
Governance, risk, and compliance is where Theme 5 lives outright: compliance is the floor, not the ceiling. A defender who confuses passing PCI-DSS with being secure has missed the entire point of this book. Frameworks and audits set a baseline; real security goes beyond the checklist, driven by risk rather than by what an auditor will ask to see. These five chapters teach you to operate at both levels at once — to satisfy the regulator and to defend the bank — and to understand why those are not the same thing.
The part moves from the inside out. Governance establishes how security decisions get made and documented — the policy/standard/procedure hierarchy and the roles that own each control. Risk management formalizes the thing the whole book has been circling since Chapter 1: a repeatable process for identifying, assessing (qualitatively and quantitatively, with SLE/ARO/ALE), treating, and accepting risk. Compliance frameworks organize the alphabet soup — NIST CSF, ISO 27001, SOC 2, PCI-DSS, HIPAA, GDPR — and teach you to crosswalk controls so one piece of evidence satisfies many requirements. Third-party and supply-chain risk confronts the uncomfortable truth that your risk includes the risk of everyone you didn't build yourself. And security awareness training addresses Theme 3 head-on: the human is both the weakest link and, trained, the strongest sensor you have.
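To make the quantitative step concrete before Chapter 27 formalizes it, here is an added Python example (not code from the book or its bluekit toolkit) that carries a small constructed risk register through SLE, ARO and ALE, orders it by ALE, and chooses among mitigate, transfer and accept against a stated appetite. Every figure in it is constructed for illustration: the asset values, exposure factors, annual rates, control costs and the appetite threshold.

```python
"""Quantitative risk analysis: SLE, ARO, ALE, prioritisation and treatment
choice. Added worked example; it is NOT the book's bluekit riskcalc.py.
All asset values, exposure factors, rates and costs below are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: float      # AV: dollar value of the asset at risk
    exposure_factor: float  # EF: fraction of AV lost per occurrence (0..1)
    aro: float              # ARO: expected occurrences per year

    def sle(self) -> float:
        """Single Loss Expectancy: loss from one occurrence (AV * EF)."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualised Loss Expectancy: expected loss per year (SLE * ARO)."""
        return self.sle() * self.aro


@dataclass(frozen=True)
class Treatment:
    option: str           # mitigate | transfer | avoid | accept
    annual_cost: float    # what the treatment costs per year
    residual_ef: float    # EF after treatment (transfer shifts part of the loss to an insurer)
    residual_aro: float   # ARO after treatment (mitigation lowers likelihood)


def residual_ale(risk: Risk, t: Treatment) -> float:
    """ALE that remains once the treatment is in place."""
    return risk.asset_value * t.residual_ef * t.residual_aro


def net_value(risk: Risk, t: Treatment) -> float:
    """Annual benefit of a treatment: ALE removed minus what it costs.
    Negative means the control costs more than the loss it prevents."""
    return risk.ale() - residual_ale(risk, t) - t.annual_cost


def prioritize(register: list[Risk]) -> list[Risk]:
    """Order the register by ALE, highest first: this is what gets worked first."""
    return sorted(register, key=Risk.ale, reverse=True)


def choose_treatment(risk: Risk, options: list[Treatment], appetite: float) -> Treatment:
    """Pick the highest-net-value option whose residual ALE fits the appetite.
    If nothing fits, return the option with the lowest residual ALE: that risk
    must be escalated for a formal acceptance decision, not quietly carried."""
    within = [t for t in options if residual_ale(risk, t) <= appetite]
    if within:
        return max(within, key=lambda t: net_value(risk, t))
    return min(options, key=lambda t: residual_ale(risk, t))


# Constructed register for the worked example (figures are illustrative).
REGISTER = [
    Risk("Phishing-led credential compromise", 2_000_000, 0.10, 2.0),
    Risk("Core-banking vendor outage", 5_000_000, 0.05, 0.5),
    Risk("Lost unencrypted laptop", 50_000, 1.0, 3.0),
]

# Candidate treatments for the phishing risk (constructed figures).
PHISHING_OPTIONS = [
    Treatment("mitigate", annual_cost=120_000, residual_ef=0.10, residual_aro=0.4),
    Treatment("transfer", annual_cost=90_000, residual_ef=0.04, residual_aro=2.0),
    Treatment("accept", annual_cost=0.0, residual_ef=0.10, residual_aro=2.0),
]

# Risk appetite: maximum residual ALE the board will carry for any single risk.
APPETITE = 100_000.0


if __name__ == "__main__":
    for r in prioritize(REGISTER):
        print(f"{r.name:40s} SLE={r.sle():>12,.0f} ALE={r.ale():>12,.0f}")
    phishing = REGISTER[0]
    best = choose_treatment(phishing, PHISHING_OPTIONS, APPETITE)
    print(f"Phishing treatment: {best.option}, net value {net_value(phishing, best):,.0f}")
```

Note what the appetite does: the transfer option has a positive net value on its own, but it leaves a residual ALE above the threshold, so it is rejected in favour of mitigation. ALE arithmetic ranks risks; the appetite statement is what turns a ranking into a decision.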
Two anchors converge here. SolarWinds and Log4Shell return in Chapter 29 as supply-chain lessons — proof that the most dangerous code in your environment is the code you trusted without verifying — and the Chapter 1 phishing near-miss becomes the seed of Meridian's awareness program in Chapter 30.
What you will learn
- Chapter 26 — Security Governance. Distinguish policy, standard, procedure, and guideline; build a governance structure and document hierarchy; align security to the business with a framework; and define roles (RACI) and governance metrics.
- Chapter 27 — Risk Management. Run a formal risk process (NIST 800-30 / ISO 27005), perform qualitative and quantitative analysis (SLE, ARO, ALE), choose treatment (mitigate/transfer/avoid/accept), and maintain a risk register and appetite statement.
- Chapter 28 — Compliance Frameworks. Compare the major frameworks and regulations, crosswalk controls across them, prepare for audits and evidence, and explain precisely why compliance is not security.
- Chapter 29 — Third-Party and Supply Chain Risk Management. Run a TPRM lifecycle, manage software supply-chain risk with SBOMs and provenance, set vendor security requirements, and respond to a vendor breach.
- Chapter 30 — Security Awareness Training. Design an awareness program that changes behavior, run phishing simulations ethically and measure them, build a reporting culture, and tailor training by role.
Advancing the Meridian program
Part VI assembles the governance layer that makes Meridian's program presentable to an examiner and a board. Chapter 26 drafts the bank's information-security policy set and governance structure. Chapter 27 produces Meridian's enterprise risk assessment, risk register, and risk-appetite statement — the document the whole program is prioritized against. Chapter 28 maps Meridian's controls to its PCI-DSS and GLBA obligations via a crosswalk. Chapter 29 builds the third-party risk process and an SBOM requirement, applied to the bank's core-banking vendor. Chapter 30 turns the Chapter 1 near-miss into a measured awareness program. The bluekit toolkit gains compliance.py (policy_coverage, crosswalk, vendor_risk), extends riskcalc.py with ale and prioritize, and adds awareness.py (click_rate).
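As an added illustration of what a crosswalk buys you (this is example code, not the bluekit compliance.py described above), the following Python maps a few internal controls to requirements in several frameworks and reports, per framework, which obligations have evidenced controls behind them and which are gaps. The control set, the evidence file names and the requirement mapping are constructed; the requirement identifiers are deliberately coarse, and any real crosswalk must be verified against the current text of each framework.

```python
"""Control-to-requirement crosswalk and coverage report.
Added worked example; NOT the book's bluekit compliance.py.
The control set, evidence names and requirement mapping are constructed,
and requirement identifiers are kept coarse: verify any real mapping
against the current edition of each framework."""
from collections import defaultdict

# Internal controls: what each one is, the artifacts that prove it operates,
# and the external requirements it is claimed to satisfy ("framework:clause").
CONTROLS = {
    "AC-MFA": {
        "description": "MFA enforced for all remote and privileged access",
        "evidence": ["idp-mfa-policy-export.json", "quarterly-access-review.xlsx"],
        "satisfies": ["PCI-DSS:8", "NIST-CSF:PR.AC", "ISO27001:A.8.5", "GLBA:314.4(c)(5)"],
    },
    "AT-AWARE": {
        "description": "Annual awareness training plus quarterly phishing simulation",
        "evidence": ["lms-completion-report.csv", "phish-sim-q3-summary.pdf"],
        "satisfies": ["PCI-DSS:12.6", "NIST-CSF:PR.AT", "ISO27001:A.6.3", "GLBA:314.4(e)"],
    },
    "TP-VENDOR": {
        "description": "Security assessment of critical vendors before onboarding",
        "evidence": [],  # process exists on paper; no completed assessment on file yet
        "satisfies": ["PCI-DSS:12.8", "NIST-CSF:ID.SC", "ISO27001:A.5.19", "GLBA:314.4(f)"],
    },
}

# The obligations the program must meet, per framework (constructed subset).
OBLIGATIONS = {
    "PCI-DSS": ["8", "12.6", "12.8"],
    "NIST-CSF": ["PR.AC", "PR.AT", "ID.SC"],
    "ISO27001": ["A.8.5", "A.6.3", "A.5.19"],
    "GLBA": ["314.4(c)(5)", "314.4(e)", "314.4(f)"],
}


def crosswalk(controls: dict) -> dict:
    """Invert the control mapping: requirement -> list of control ids covering it."""
    by_req = defaultdict(list)
    for cid, ctl in controls.items():
        for req in ctl["satisfies"]:
            by_req[req].append(cid)
    return dict(by_req)


def coverage(controls: dict, obligations: dict) -> dict:
    """Per framework: fraction of obligations backed by an evidenced control, plus the gaps.
    A control with no evidence does not count: an auditor accepts artifacts, not assertions."""
    xw = crosswalk(controls)
    report = {}
    for fw, reqs in obligations.items():
        gaps = []
        for req in reqs:
            backing = [c for c in xw.get(f"{fw}:{req}", []) if controls[c]["evidence"]]
            if not backing:
                gaps.append(req)
        report[fw] = {"covered": (len(reqs) - len(gaps)) / len(reqs), "gaps": gaps}
    return report


def evidence_reuse(controls: dict, artifact: str) -> list:
    """Every requirement, across all frameworks, that one collected artifact helps satisfy.
    This is the payoff of the crosswalk: collect once, cite many times."""
    return sorted(req for ctl in controls.values()
                  if artifact in ctl["evidence"] for req in ctl["satisfies"])


if __name__ == "__main__":
    for fw, r in coverage(CONTROLS, OBLIGATIONS).items():
        print(f"{fw:10s} {r['covered']:.0%} covered; gaps: {r['gaps'] or 'none'}")
    print("idp-mfa-policy-export.json satisfies:",
          evidence_reuse(CONTROLS, "idp-mfa-policy-export.json"))
```

Two design choices carry the chapter's point. Coverage is computed from evidence, not from the existence of a control, so the vendor-assessment control shows up as a gap in all four frameworks until an assessment is actually on file. And the inverted mapping lets a single artifact, such as the identity provider's MFA policy export, be cited against every framework that asks for it, which is what keeps audit preparation from multiplying with the number of frameworks.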
Prerequisites
Read Part I — especially Chapter 1 (risk vocabulary) and Chapter 3 (control taxonomy), which this part formalizes. Chapter 27 depends on Chapter 26; Chapter 28 on both; Chapter 29 on Chapters 27–28 (and draws on the appsec and vulnerability material of Chapters 12 and 23); Chapter 30 on Chapter 2 (threat actors and social engineering) and Chapter 26. You can read Part VI before Part V if your interest is primarily GRC, but the risk and compliance discussion is richer once you have seen the operational reality of Parts II–V.
Time investment
| Chapter | Title | Estimated hours |
|---|---|---|
| 26 | Security Governance | 5–6 |
| 27 | Risk Management | 6 |
| 28 | Compliance Frameworks | 6–7 |
| 29 | Third-Party and Supply Chain Risk | 5–6 |
| 30 | Security Awareness Training | 5 |
| Part VI total | | 27–30 |
This part is the GRC track's core — GRC readers should work through all five in order and treat the Meridian policy, risk-register, and crosswalk deliverables as portfolio pieces. Engineering and SOC readers should not skip it: Chapter 27 (risk) and Chapter 29 (supply chain) directly shape what you build and patch, and every certification exam tests this material heavily.
Where this leads
With governance, risk, compliance, vendor management, and culture in place, Meridian has a complete, defensible program — for today's threats. But the field does not stand still. Part VII pushes into the advanced and emerging frontier: DevSecOps, zero-trust architecture, operational-technology defense, AI in security, and the threats now taking shape on the horizon.
Chapters in This Part
- Chapter 26: Security Governance: Policies, Standards, Procedures, and Building a Security Program
- Chapter 27: Risk Management: Identifying, Assessing, Mitigating, and Accepting Risk
- Chapter 28: Compliance Frameworks: NIST CSF, ISO 27001, SOC 2, PCI-DSS, HIPAA, and GDPR
- Chapter 29: Third-Party and Supply Chain Risk Management: Vendor Risk, SBOMs, and Trusting What You Didn't Build
- Chapter 30: Security Awareness Training: The Human Firewall (and Why Phishing Still Works)