Chapter 20 of 25
Governance, Risk, and Compliance: Foundations of Security Oversight
Shift from tools to strategy by understanding how governance, risk, and compliance shape every security decision and exam scenario in the oversight domain.
Why GRC Matters For Security+ And Real Jobs
Zooming Out From Tools
You have learned what to do during incidents and how to secure environments. Now we zoom out: who decides what “secure enough” means, and how? That is the world of governance, risk, and compliance.
Core Definition
Governance, risk, and compliance (GRC) is the practice of securing enterprise environments while operating with an awareness of the regulations and policies that apply to the organization, and applying the principles of governance, risk management, and compliance to every security decision.
Where It Shows Up On Security+
GRC appears most directly in Security Program Management and Oversight but affects all domains: General Security Concepts, Threats, Vulnerabilities, and Mitigations, Security Architecture, and Security Operations.
The Rules Of The Game
Governance: who sets direction. Risk: which threats matter most. Compliance: which laws, regulations, and contracts we must obey. Together, they explain why specific controls are chosen.
Exam Angle
Expect scenarios about committees, policies, or regulations and questions like: what document is this, who should decide, or which control best satisfies a governance, risk, or compliance requirement?
Security Governance: Who Is In Charge And How It Is Structured
What Is Security Governance?
Security governance is the system of management, roles, and processes used to direct and control an organization’s security program so it supports business goals.
Role Of Senior Leadership
The board and senior executives set risk appetite, approve major policies and budgets, and receive high-level risk and incident reports. Direction is owned at that level; it is not delegated to IT.
CISO And Security Leadership
The CISO translates business goals and legal obligations into a security strategy and runs the security program, reporting up to senior leadership.
Steering Committees
Security steering or governance committees bring IT, security, legal, HR, and business units together to review initiatives, exceptions, and risk decisions.
Charters And Programs
Charters define a team’s purpose, authority, and responsibilities. The security program is the set of policies, processes, and controls that implement governance decisions.
Policies, Standards, Guidelines, and Procedures (PSGP)
Why PSGP Matters
CompTIA frequently tests whether you can distinguish policies, standards, guidelines, and procedures. Each sits at a different level of the governance stack and serves a different purpose.
Policy
Policy is high-level, management-approved direction. It is stable and technology-agnostic, like “All company laptops must be encrypted and protected by strong authentication.”
Standard
Standards are mandatory, specific requirements that support policies. Example: “Use AES-256 full-disk encryption with TPM-based key storage on all laptops.”
Guideline
Guidelines are recommended but not mandatory best practices. They suggest ways to meet policies and standards, such as preferring long passphrases.
Procedure
Procedures are detailed, step-by-step instructions, often role-specific, like the exact steps to enroll and encrypt a new laptop in the environment.
Common Exam Clues
Step-by-step = procedure; recommended = guideline; mandatory and specific = standard; broad management direction = policy.
PSGP In Action: A Mini Case Study
Scenario Setup
A laptop was stolen. Leadership wants to ensure it never happens again. You, as a security analyst, watch how this desire becomes concrete documents.
Policy Response
The CISO updates the Endpoint Security Policy to require encryption and secure authentication on all endpoints. The steering committee and CEO approve this high-level rule.
Standards Response
Security architects define an Endpoint Configuration Standard with exact settings: BitLocker with TPM-protected keys and AES-256 on Windows, FileVault on macOS, and screen lock after 10 minutes of inactivity.
Guidelines Response
Awareness staff create User Device Security Guidelines: tips for strong passphrases, safe travel, and secure use of public Wi-Fi. Helpful but not enforced.
Procedures Response
IT writes a Laptop Provisioning Procedure with step-by-step instructions and screenshots to configure laptops consistently and document compliance.
Exam Mapping
Approvals and direction = governance/policy; technical requirements = standards; recommendations = guidelines; detailed steps = procedures.
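The difference between the policy and the standard in this case study is that only the standard can be tested: it names exact settings, so a script can check an inventory export against it. The following is an added example for this chapter, not code from CompTIA or any vendor. The `ENDPOINT_STANDARD` table is the hypothetical standard from the scenario, and the inventory records are constructed sample data, not real hosts.

```python
"""Evaluate endpoint inventory records against a written configuration standard.

Added example (not CompTIA's or any vendor's code). The standard below is the
hypothetical Endpoint Configuration Standard from the case study; the inventory
records are constructed sample data, not real hosts.
"""
from dataclasses import dataclass

# The standard expressed as measurable checks. A policy ("endpoints must be
# encrypted") cannot be tested directly; a standard can, because it names
# exact settings that an MDM or CMDB export will report.
ENDPOINT_STANDARD = {
    "windows": {"disk_encryption": "BitLocker", "cipher": "AES-256",
                "key_protector": "TPM", "max_lock_minutes": 10},
    "macos":   {"disk_encryption": "FileVault", "max_lock_minutes": 10},
}


@dataclass
class Finding:
    host: str
    control: str
    expected: object
    observed: object


def check_endpoint(record: dict) -> list[Finding]:
    """Return one Finding per deviation from the standard (empty list = compliant)."""
    os_name = record.get("os")
    required = ENDPOINT_STANDARD.get(os_name)
    if required is None:
        # The standard does not cover this platform, so the host cannot be
        # declared compliant. Report a finding instead of silently passing it.
        return [Finding(record.get("host", "?"), "os", "covered platform", os_name)]
    findings = []
    for control, expected in required.items():
        observed = record.get(control)
        if control == "max_lock_minutes":
            # An inactivity timeout complies if it is at most the maximum;
            # a missing or disabled timeout (None) is a failure.
            ok = observed is not None and observed <= expected
        else:
            ok = observed == expected
        if not ok:
            findings.append(Finding(record["host"], control, expected, observed))
    return findings


def compliance_report(inventory: list[dict]) -> dict:
    """Summarize a fleet: per-host findings plus an overall compliance rate."""
    per_host = {r["host"]: check_endpoint(r) for r in inventory}
    compliant = sum(1 for f in per_host.values() if not f)
    return {"per_host": per_host, "compliant": compliant, "total": len(inventory),
            "rate": compliant / len(inventory) if inventory else 0.0}


# Constructed sample inventory, shaped like an MDM or CMDB export.
SAMPLE_INVENTORY = [
    {"host": "lt-001", "os": "windows", "disk_encryption": "BitLocker",
     "cipher": "AES-256", "key_protector": "TPM", "max_lock_minutes": 5},
    {"host": "lt-002", "os": "windows", "disk_encryption": "BitLocker",
     "cipher": "AES-128", "key_protector": "password", "max_lock_minutes": 10},
    {"host": "lt-003", "os": "macos", "disk_encryption": "FileVault",
     "max_lock_minutes": None},
    {"host": "lt-004", "os": "linux", "disk_encryption": "LUKS"},
]

if __name__ == "__main__":
    report = compliance_report(SAMPLE_INVENTORY)
    for host, findings in report["per_host"].items():
        print(f"{host}: {'PASS' if not findings else 'FAIL'}")
        for f in findings:
            print(f"  {f.control}: expected {f.expected!r}, observed {f.observed!r}")
    print(f"{report['compliant']}/{report['total']} compliant")
```

Each finding names the control, the value the standard requires, and the value observed, which is exactly what an auditor asks for. The unknown-platform case is reported rather than passed: a host the standard does not cover is a gap in the standard, and the governance fix is to extend the standard, not to let the check go green.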
Risk Management Basics Within Governance
Why Risk Management Matters
Risk management sits under governance. Leadership defines how much risk is acceptable, and the security program manages risk to stay within that boundary.
Risk Building Blocks
Asset: something of value that needs protecting. Threat: a source of potential harm. Vulnerability: a weakness a threat could exploit. Risk: the likelihood that a threat exploits a vulnerability, combined with the impact if it does.
Appetite And Tolerance
Risk appetite is the overall risk the organization is willing to accept. Risk tolerance is more specific, such as limits on downtime or data loss.
Risk Treatment Options
Avoid risk by not doing the activity, mitigate via controls, transfer via contracts or insurance, or accept it and document the decision.
Qualitative vs Quantitative
Qualitative risk analysis uses labels like High/Medium/Low and is the form most common on Security+. Quantitative analysis uses numbers, such as the expected loss from a single incident and the expected annual loss (annualized loss expectancy, ALE) from a given risk.
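The quantitative side becomes useful when it feeds the treatment decision: each option has a cost and leaves some residual risk, and governance has set a tolerance the residual must stay within. The following is an added example for this chapter, not CompTIA's code. It uses the standard Security+ formulas SLE = AV x EF and ALE = SLE x ARO, and goes slightly beyond the paragraph by comparing avoid/mitigate/transfer/accept options numerically. All figures for the stolen-laptop scenario are constructed assumptions, not real data.

```python
"""Quantitative risk estimate and treatment comparison.

Added example for this chapter (not CompTIA's code). Uses the standard
Security+ formulas SLE = AV x EF and ALE = SLE x ARO. All figures below are
constructed assumptions for the stolen-laptop scenario, not real data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskEstimate:
    asset_value: float      # AV: hardware replacement plus the value of the data on it
    exposure_factor: float  # EF: fraction of AV lost in one incident (0.0 to 1.0)
    annual_rate: float      # ARO: expected incidents per year

    @property
    def sle(self) -> float:
        """Single loss expectancy: expected loss from one incident."""
        return self.asset_value * self.exposure_factor

    @property
    def ale(self) -> float:
        """Annualized loss expectancy: expected loss per year."""
        return self.sle * self.annual_rate


@dataclass(frozen=True)
class Treatment:
    name: str
    option: str              # avoid, mitigate, transfer, or accept
    annual_cost: float       # what the organization pays each year for this option
    residual: RiskEstimate   # the risk that remains after applying it


def annual_benefit(before: RiskEstimate, after: Treatment) -> float:
    """Net annual value of a treatment: ALE reduction minus what the treatment costs.
    A negative result means the control costs more than the risk it removes."""
    return before.ale - after.residual.ale - after.annual_cost


def within_tolerance(t: Treatment, max_residual_ale: float) -> bool:
    """Governance sets the tolerance; this checks a treatment's residual risk against it."""
    return t.residual.ale <= max_residual_ale


def recommend(before: RiskEstimate, treatments: list, max_residual_ale: float):
    """Pick the tolerable treatment with the best net value (None if none qualifies)."""
    allowed = [t for t in treatments if within_tolerance(t, max_residual_ale)]
    if not allowed:
        return None
    return max(allowed, key=lambda t: annual_benefit(before, t))


# Constructed scenario: one laptop is 2,000 of hardware plus 18,000 of data and
# breach-handling cost (AV 20,000). An unencrypted loss exposes all of it
# (EF 1.0), and the fleet loses about 10 laptops a year (ARO 10).
LAPTOP_LOSS = RiskEstimate(asset_value=20_000, exposure_factor=1.0, annual_rate=10)

TREATMENTS = [
    # Mitigate: full-disk encryption. The laptop is still lost, but the data is
    # not, so EF drops to the hardware share of the asset value (2,000 / 20,000).
    Treatment("full-disk encryption", "mitigate", annual_cost=15_000,
              residual=RiskEstimate(20_000, 0.10, 10)),
    # Transfer: insurance reimburses most of each loss, but premiums recur yearly.
    Treatment("cyber insurance", "transfer", annual_cost=60_000,
              residual=RiskEstimate(20_000, 0.25, 10)),
    # Accept: do nothing and document the decision; residual equals the original.
    Treatment("accept and document", "accept", annual_cost=0, residual=LAPTOP_LOSS),
]

if __name__ == "__main__":
    print(f"Current ALE: {LAPTOP_LOSS.ale:,.0f}")
    for t in TREATMENTS:
        print(f"{t.name:22} {t.option:9} residual ALE {t.residual.ale:>9,.0f} "
              f"net benefit {annual_benefit(LAPTOP_LOSS, t):>9,.0f}")
    best = recommend(LAPTOP_LOSS, TREATMENTS, max_residual_ale=50_000)
    print("Recommended:", best.name if best else "no option meets tolerance")
```

The tolerance check runs before the cost comparison on purpose: a cheap option that leaves residual risk above the limit leadership set is not a candidate, no matter how good its net benefit looks. That ordering is the governance link in code form.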
Governance Link
Executives set appetite; security assesses and recommends; policies and standards encode decisions. Meetings choosing to accept or mitigate risk are governance in action.
Compliance: Laws, Regulations, Standards, And Contracts
What Is Compliance?
Compliance is meeting external and internal obligations. Governance sets direction, risk prioritizes, and compliance ensures you follow the rules that apply.
Laws And Regulations
Examples include GDPR in the EU, CCPA/CPRA in California, and HIPAA in US healthcare. They can require breach notifications and impose fines.
Industry Standards
PCI DSS governs payment card data, ISO/IEC 27001 specifies the requirements for an information security management system (ISMS), and NIST frameworks offer widely used best practices.
Contracts And Internal Policies
Contracts and SLAs can mandate specific controls. Internal policies, once approved, become mandatory internal requirements.
Compliance Activities
Teams identify applicable rules, map them to controls, monitor and audit, and report compliance status to leadership and regulators.
Exam Clues
Mentions of audits, regulators, fines, or mandatory external rules point to compliance. Internal direction and structure point to governance.
From Governance To Controls: Security Control Types
Controls Implement GRC
Governance, risk, and compliance decisions become real through security controls. You must understand how high-level requirements map to specific control types.
Security Control Types
Security+ uses four control categories (technical, managerial, operational, physical) and six control types (preventive, deterrent, detective, corrective, compensating, directive). Know all 10 terms: a single control belongs to one category and can be described by one or more types.
Managerial And Directive Examples
A password policy approved by leadership is a directive, managerial control. An incident response plan with lessons learned is managerial, corrective, and directive.
Technical, Operational, Physical
Firewall rules for PCI DSS are technical, preventive. Awareness training is operational and directive. CCTV cameras are physical, deterrent, and detective.
Compensating Controls
When a legacy system cannot support MFA, strong monitoring and frequent access reviews can act as compensating controls to provide similar protection.
Exam Shortcuts
Policies and risk assessments = managerial; hardware/software mechanisms = technical; people-driven processes = operational.
Thought Exercise: Mapping A GRC Requirement To Controls
Work through this scenario mentally. You do not need to write anything down, but pause and genuinely answer each question.
Scenario
Your company processes online payments. A recent internal audit found that database backups containing cardholder data are stored unencrypted on a file server. The company must comply with PCI DSS.
- Governance question
- Who should ultimately approve the decision about how to handle cardholder data backups?
- Think: board, CEO, CISO, security engineer, or database admin?
- Risk question
- What are the main assets, threats, vulnerabilities, and risks in this situation?
- Asset: what is valuable?
- Threat: who or what could cause harm?
- Vulnerability: what weakness exists?
- Risk: what bad outcome could realistically happen?
- Compliance question
- Which type of requirement is PCI DSS in this context: law, regulation, industry standard, or contract-driven requirement?
- How does that affect how “optional” it is?
- Control selection
- List at least one control of each type that could address this:
- Managerial: for example, a new or updated policy
- Technical: for example, encryption or access control
- Operational: for example, backup handling procedures
- Physical: for example, protections for backup servers or tapes
- Prioritization
- If you can only implement one technical control this month, which would you choose and why?
- How might you document any accepted or temporary risk while you work toward full compliance?
After you think it through, quickly compare your choices to the patterns you have learned: governance sets direction, risk frames the problem, compliance makes it mandatory, and controls implement the solution.
Quiz 1: Governance Structures And Documents
Check your understanding of governance roles and PSGP documents.
A company wants to formalize the authority and responsibilities of its new Security Steering Committee. Which document should be created or updated FIRST to clearly define this?
- A detailed incident response procedure
- A committee charter approved by senior leadership
- A password complexity guideline for all employees
- A firewall configuration standard for perimeter devices
Answer: B) A committee charter approved by senior leadership
A committee charter approved by senior leadership defines the purpose, authority, and responsibilities of the Security Steering Committee, which is a core part of governance. Procedures, guidelines, and technical standards do not define a committee’s mandate.
Quiz 2: Policies, Risk Treatment, And Control Types
Apply what you learned about PSGP, risk, and controls.
Management decides that the organization will continue using a legacy application that does not support multi-factor authentication, but they require additional logging and weekly access reviews to compensate. Which TWO concepts are best illustrated?
- Risk avoidance and technical control
- Risk acceptance and compensating control
- Risk transfer and physical control
- Risk mitigation and compensating control
Answer: D) Risk mitigation and compensating control
Continuing to use the legacy application means the organization is not avoiding the risk; instead, it is mitigating the risk by adding extra logging and frequent reviews. Because these extra controls are used in place of the preferred control (MFA), they are compensating controls. So this is risk mitigation plus compensating control.
Key GRC Terms Review
Use these flashcards to reinforce core GRC definitions and distinctions.
- governance, risk, and compliance
- Governance, risk, and compliance (GRC) is the practice of securing enterprise environments while operating with an awareness of the regulations and policies that apply to the organization, and applying the principles of governance, risk management, and compliance to every security decision.
- Security governance
- The system of management, roles, and processes used to direct and control an organization’s security program so it supports business goals.
- Policy
- A high-level, management-approved statement of intent or rules that sets direction and expectations, typically technology-agnostic and stable over time.
- Standard
- A specific, mandatory requirement that supports policies, often technical and measurable (for example, exact encryption algorithms or configurations).
- Guideline
- A recommended, non-mandatory best practice that helps people meet policies and standards while allowing flexibility.
- Procedure
- A detailed, step-by-step set of instructions that describes exactly how to perform a task or process.
- Risk appetite
- The overall amount and type of risk an organization is willing to accept in pursuit of its objectives.
- Risk treatment options
- Avoid, mitigate, transfer, and accept: the four basic ways an organization can respond to identified risks.
- Compliance
- The practice of meeting applicable laws, regulations, industry standards, contracts, and internal policies, often verified through audits and reporting.
- Security control categories and types (all 10)
- Categories: technical, managerial, operational, physical. Types: preventive, deterrent, detective, corrective, compensating, directive.
Putting It All Together: GRC Across The Security+ Domains
GRC Touches Every Domain
GRC is not isolated. It shapes how you apply the CIA triad, AAA functions, and other core ideas across all Security+ domains.
Threats And Risk Decisions
Risk management ranks threats and vulnerabilities. Governance and compliance decide which risks to avoid, mitigate, transfer, or accept.
Architecture And Zero Trust
Governance and risk appetite influence architectures like zero trust, which assumes no implicit trust and requires continuous verification with least access.
Operations Under Governance
Incident response, change management, and vulnerability management are operational controls that execute governance and risk decisions day to day.
Program Management Focus
Leadership, committees, charters, metrics, and audits live in Security Program Management and Oversight, where GRC is most explicit on the exam.
Your Next Study Moves
Use the diagnostic, mock exams, spaced review, and gap guide to find and strengthen GRC weak spots, especially in long, business-heavy scenarios.
Key Terms
- Risk
- The combination of the likelihood that a threat will exploit a vulnerability and the impact if it does.
- Policy
- A high-level, management-approved statement of intent or rules that sets direction and expectations, typically technology-agnostic and stable over time.
- Standard
- A specific, mandatory requirement that supports policies, often technical and measurable.
- Guideline
- A recommended, non-mandatory best practice that helps people meet policies and standards while allowing flexibility.
- Procedure
- A detailed, step-by-step set of instructions that describes exactly how to perform a task or process.
- Compliance
- The practice of meeting applicable laws, regulations, industry standards, contracts, and internal policies, often verified through audits and reporting.
- Zero trust
- Zero trust is a security model that assumes no implicit trust and requires continuous verification of users and devices, limiting access to only what is needed.
- Risk appetite
- The overall amount and type of risk an organization is willing to accept in pursuit of its objectives.
- Risk treatment
- The set of options for responding to risk: avoid, mitigate, transfer, or accept.
- Hybrid environment
- A hybrid environment is an enterprise environment that includes a mix of cloud, mobile, Internet of Things (IoT), operational technology (OT), and on-premises resources that must be monitored and secured.
- Security governance
- The system of management, roles, and processes used to direct and control an organization’s security program so it supports business goals.
- Security control categories and types
- The CompTIA Security+ control categories (technical, managerial, operational, physical) and control types (preventive, deterrent, detective, corrective, compensating, directive).
- governance, risk, and compliance
- Governance, risk, and compliance (GRC) is the practice of securing enterprise environments while operating with an awareness of the regulations and policies that apply to the organization, and applying the principles of governance, risk management, and compliance to every security decision.