Module 6
Security Program Management and Oversight
Purpose
After this module, you will understand that cybersecurity is not just a configuration of tools. An organization needs policies, risk owners, procedures, audits, compliance, training and supplier controls.
After the module you should be able to:
- distinguish policy, standard, procedure and guideline
- explain governance and its role in security
- understand risk management as a process
- distinguish between risk appetite and risk tolerance
- choose a risk response strategy
- perform simple SLE, ARO and ALE calculations
- explain BIA, RTO, RPO, MTTR and MTBF
- recognize risks related to suppliers
- select SLA, MOU, NDA and right-to-audit clause for the scenario
- distinguish compliance from security
- explain due diligence and due care
- understand the types of audits and assessments
- design a basic security awareness program.
Introduction
In previous modules we discussed the following techniques: controls, vulnerabilities, architecture, monitoring and incident response. This module answers the question: How does an organization manage security as a program rather than as a collection of individual tools?
On the Security+ exam, questions in this domain often look less technical, but are very important. You might get a script about a supplier, an audit, a policy, a risk, personal data, a phishing training or a business decision. The best answer will often not be a tool, but a process, document, role or risk strategy.

1. Governance
Problem
Without governance, an organization has random security decisions. One team requires MFA, the other does not. One system has a backup, the other does not. The provider has access without a contract. Employees don't know how to report incidents. There are no risk owners.
Explanation from scratch
Governance is a way of supervising and directing security in an organization. It includes policies, responsibilities, decisions, roles, reporting and compliance of activities with business goals.
Governance answers your questions:
- who makes security decisions
- who owns the risk
- what rules apply
- how we measure compliance
- how we report risk
- how we enforce policies
- how we combine security with organizational goals.
- Policy, standard, procedure, guideline
This is a very important examination distinction.
Document Meaning Example
| Policy A high-level organizing principle. | “All systems that process confidential data must be protected.” |
|---|---|
| Standard A specific technical or organizational requirement. | "Password must be at least 14 characters long." |
| Procedure Step-by-step instructions. | “How to report a security incident.” |
| Guideline Recommendation or good practice. | "Using a password manager is recommended." |
How it works step by step
Management determines goals and the level of acceptable risk.
The organization creates policies.
Standards translate policies into specific requirements.
Procedures show how to perform actions.
The guidelines help to apply good practices.
Audits and monitoring check whether the rules are being followed.
The results feed into reporting and management decisions.
Practical example
The policy says: "Access to critical systems must be limited and monitored."
The standard says: "Administrative access requires MFA and PAM."
The procedure says: "The administrator submits a request in the PAM system, selects a resource, justifies access, and obtains approval."
Guideline says: “Privileged access should be granted for the shortest period of time possible.”
Exam example
Scenario
The company wants to describe step by step how an employee should report a suspicious email. What document is best?
Correct answer:
Procedure because it describes specific action steps.
Not to be confused with this
Don't confuse policy with standard. Policy says "what and why" at a high level. The standard says "what specific requirement must be met."
Common mistakes
A common mistake is creating policies without procedures. Employees then know the general rule but don't know what exactly to do.
A definition to remember
Governance is a system of rules, responsibility and supervision that ensures that security is managed consciously, measurably and in accordance with the organization's goals.
2. Risk management
Problem
An organization cannot remove all risks. It has limited budget, time, people and technology. It must decide which risks are most important and how to respond to them.
Explanation from scratch
Risk management is the process of identifying, assessing, prioritizing and managing risks.
Risk in security usually arises from the relationship:
resource + threat + vulnerability + impact = risk
Example: a public web application is a resource, a cybercriminal is a threat, lack of updates is a vulnerability, and a possible data leak is an impact.
How it works step by step
You identify resources.
You identify threats.
You identify vulnerabilities.
You estimate the probability.
You evaluate the impact.
You give priority.
You choose your response strategy.
You document the risk in the risk register.
You monitor risk over time.
Risk register
Risk register is a register of risks. Usually contains:
- risk description
- risk owner
- probability
- influence
- risk level
- response strategy
- action plan
- deadline
- status
- residual risk.
Practical example
Risk: “An outdated HR system can be used to leak employee data.”
Owner: HR director or system owner.
Probability: medium.
Impact: high.
Strategy: mitigate through updating, segmentation and monitoring.
Status: in progress.
Exam example
Scenario
The organization wants to track risks, owners, mitigation plans and the status of activities. What tool or document does he need?
Correct answer:
Risk register.
Not to be confused with this
Risk management does not automatically mean eliminating every risk. Sometimes risk is accepted, transferred or avoided.
Common mistakes
A common mistake is to manage risk solely by the IT department. The owner of the risk should often be the business owner, because it is the business that bears the consequences.
A definition to remember
Risk management is the process of consciously identifying, assessing, documenting and managing risks in accordance with the organization's goals.
3. Risk appetite and risk tolerance
Problem
Two organizations may have the same risk but make different decisions. A bank, hospital, startup and manufacturing company have different levels of acceptable risk.
Explanation from scratch
Risk appetite is the overall level of risk that an organization is willing to accept in pursuit of its goals.
Risk tolerance is a more specific tolerance limit for a given risk, process or indicator.
It can be simplified like this:
- risk appetite = the organization's general attitude towards risk
- risk tolerance = a specific limit that we do not want to cross.
How it works step by step
Management determines the overall risk approach.
It sets acceptable thresholds for specific areas.
Teams design controls that meet these thresholds.
Monitoring checks whether the risk does not exceed tolerance.
Violations are reported and escalated.
Practical example
The organization has a low tolerance for customer data loss. It may accept the short-term unavailability of the information portal, but it will not accept public access to personal data. This affects investments in encryption, DLP, monitoring and access reviews.
Exam example
Scenario
The management board determined that the company can accept a maximum of 30 minutes of unavailability of the sales system. What is this?
Best answer
Risk tolerance or a specific operational threshold related to availability.
Not to be confused with this
Risk appetite is not the same as lack of control. It is not "how much risk we ignore", but a conscious determination of the level of risk accepted by the organization.
Common mistakes
A common mistake is not linking risk appetite with technical decisions. If an organization has a low tolerance for downtime, it must invest in high availability, monitoring and tested recovery.
A definition to remember
Risk appetite is the overall readiness of the organization to accept risk, and risk tolerance is the specific limit of acceptable deviation.
4. Risk response strategies
Problem
Once a risk is identified, the organization must decide what to do about it. Not every risk needs to be addressed immediately, but every significant risk should have an informed decision.
Explanation from scratch
Top strategies:
Strategy Meaning Example
| Accept Acceptance of risk. | The company accepts low risk because the cost of control is greater than the possible loss. |
|---|---|
| Avoid Avoiding risks. | The company abandons a project that would pose too much risk. |
| Transfer Transfer of part of the risk. | Cyber insurance or service outsourcing. |
| Mitigate Risk reduction. | MFA, segmentation, patching, backup, monitoring. |
How it works step by step
The risk is assessed.
The organization compares them with appetite and tolerance.
The risk owner chooses the strategy.
The decision is documented.
Actions are being implemented.
Residual risk is monitored.
Practical example
The company is at risk of phishing. He can't avoid it completely because he needs the mail. It can mitigate them through training, email security, MFA, reporting of suspicious messages and phishing simulations.
Exam example
Scenario
The company purchased cyber insurance to limit the financial impact of a potential incident. What's the strategy?
Correct answer:
Transfer.
Not to be confused with this
Transfer does not remove risk. Insurance can reduce the financial impact, but the company still needs to have safety controls in place.
Common mistakes
A common mistake is accepting risk without a formal decision. “We did nothing” is not a valid acceptance of risk if there is no owner and documentation.
A definition to remember
The risk response strategy determines whether the organization accepts, avoids, transfers or mitigates the risk.
5. BIA, RTO, RPO, MTTR and MTBF
Problem
Not all systems have the same validity. Without Business Impact Analysis, an organization may misalign recovery priorities: restore an unimportant system before a critical one, or back up too infrequently.
Explanation from scratch
Business Impact Analysis (BIA) is an analysis of the impact of an interruption in the operation of a system or process on the organization.
Key concepts
Concept Meaning
RTO Recovery Time Objective - How quickly the system needs to recover.
RPO Recovery Point Objective - Maximum amount of data that can be lost, measured in time.
MTTR Mean Time to Repair - the average time to repair.
MTBF Mean Time Between Failures - Mean time between failures.
These concepts are mentioned in the official objectives of Domain 5.2 in the context of Business Impact Analysis.
How it works step by step
The organization identifies the business process.
Indicates the systems supporting it.
Determines the effects of downtime.
Establishes RTO and RPO.
Selects backup, replication and recovery.
Testing the plan.
Updates BIA after changes.
Practical example
The sales system has RTO = 1 hour and RPO = 15 minutes. This means the organization wants to restore it within an hour and will accept a maximum loss of 15 minutes of data. A simple once-a-day backup will not meet RPO.
Exam example
Scenario
The company may lose a maximum of 30 minutes of transaction data. Which indicator describes this?
Correct answer:
Ombudsman.
Not to be confused with this
RTO and RPO are very often confused. RTO refers to unavailability time. RPO deals with data loss.
Common mistakes
A common mistake is to set an ambitious RTO/RPO without checking whether the architecture actually meets them. Declaration is not enough - recovery must be tested.
A definition to remember
BIA determines the impact of interruptions on the business, RTO tells you how quickly to recover, RPO tells you how much data can be lost, MTTR measures the time to recovery, and MTBF measures the time between failures.

6. SLE, ARO and ALE
Problem
Sometimes risk needs to be expressed numerically. This allows you to compare the cost of the inspection with the potential loss.
Explanation from scratch
Single Loss Expectancy (SLE) is the expected loss from a single event.
Annualized Rate of Occurrence (ARO) is the expected frequency of an event in a year.
Annualized Loss Expectancy (ALE) is the expected annual loss.
Pattern:
BUT = SLE × ARO
How it works step by step
You determine the value of a single loss.
You estimate how often an event occurs in a year.
You multiply SLE by ARO.
You compare the result with the cost of the inspection.
You decide whether control makes economic sense.
Practical example
One failure costs the company PLN 50,000. Estimated frequency is twice a year.
SLE = PLN 50,000
ARO = 2
BUT = PLN 100,000 per year
If the inspection costs PLN 30,000 per year and significantly reduces the risk, it may be justified.
Exam example
Scenario
SLE is PLN 20,000, ARO is 0.5. How much is BUT?
Correct answer:
PLN 10,000.
Not to be confused with this
Don't confuse SLE with ALE. SLE refers to a single event. BUT refers to the expected annual loss.
Common mistakes
A common mistake is to treat calculations as an accurate prediction. In practice, these are estimates to help you make a decision, not a guarantee of the future.
A definition to remember
SLE is the loss per event, ARO is the annual event rate, and ALE is the expected annual loss calculated as SLE × ARO.
7. Third-party risk management
Problem
An organization may have good internal security but still be exposed to vendors. The provider may process customer data, have VPN access, host an application, provide software, or operate the cloud.
Explanation from scratch
Third-party risk management is the process of assessing and supervising the risks arising from cooperation with suppliers, partners, subcontractors and external services.
Includes:
- vendor assessment
- due diligence
- due care
- supply chain analysis
- right-to-audit clause
- supplier monitoring
- contracts and security requirements
- supplier offboarding.
The official 5.3 domain covers processes related to third party risk assessment and management.
How it works step by step
The organization identifies the supplier and service.
Checks what data and systems will be available to the supplier.
Assesses vendor security.
Sets requirements in the contract.
Implements controlled access.
Monitors compliance and incidents.
Re-assesses periodically.
After completing the cooperation, it revokes access and confirms the deletion or return of data.
Documents and clauses
Item When to use
Service-Level Agreement (SLA) When you need to specify service levels, e.g. availability, response time.
Memorandum of Understanding (MOU) When parties describe an agreement or cooperation, often less formally than a contract.
Non-Disclosure Agreement (NDA) When you need to protect the confidentiality of information.
Right-to-audit clause When the organization wants to have the right to audit the supplier.
Rules of engagement When testing security to define scope and rules.
Practical example
The company outsources the operation of its HR system to an external supplier. The supplier has access to employee data. The company should review the vendor's security, sign an NDA, define an SLA, require incident reporting, and have a process for terminating access at the end of the contract.
Exam example
Scenario
The company wants to have the right to check whether the supplier meets the security requirements specified in the contract. What should be included in the contract?
Correct answer:
Right-to-audit clause.
Not to be confused with this
Don't confuse SLA with NDA. SLA determines the level of service. An NDA protects the confidentiality of information.
Common mistakes
A common mistake is to evaluate the supplier only before signing the contract. The supplier's risk must be monitored throughout the cooperation.
A definition to remember
Third-party risk management is the assessment, control and monitoring of risks arising from access, services and dependence on suppliers.

8. Compliance and privacy
Problem
An organization may have good technical security measures but still violate laws, contracts, industry standards, or internal policies. On the other hand, compliance alone does not mean complete security.
Explanation from scratch
Compliance means compliance with requirements: legal, regulatory, contractual, industry or internal.
Privacy concerns the protection of personal data and the rights of data subjects.
Concepts of privacy often include:
- Concept Meaning
- Data subject The data subject.
- Data controller The entity that decides why and how data is processed.
- Data processor An entity that processes data on behalf of the administrator/controller.
How it works step by step
The organization identifies requirements.
Maps requirements to controls.
Implements policies, procedures and safeguards.
Documents compliance.
Monitors violations.
Prepares reports.
Responds to discrepancies.
Practical example
The company uses a cloud provider to process customer data. The company can be the controller and the supplier the processor. The agreement should specify how data is protected, where it is processed, who has access and how incidents are reported.
Exam example
Scenario
The organization decides why and how customer data is processed. What role does it play?
Correct answer:
Data controller.
Not to be confused with this
Compliance is not the same as security. An organization may meet the minimum audit requirements but still have risks that were not covered by the audit.
Common mistakes
A common mistake is to treat compliance as the end goal. Compliance is important, but security requires continuous risk management.
A definition to remember
Compliance means meeting formal requirements, and privacy focuses on protecting personal data and the rights of data subjects.
9. Due diligence and due care
Problem
After an incident, an organization can be judged not only on whether a problem occurred, but also on whether it took reasonable steps to prevent it.
Explanation from scratch
Due diligence is careful checking before making a decision. Example: Supplier security assessment before signing a contract.
Due care is reasonable, ongoing actions taken to protect an organization. Example: regular updates, access reviews and training.
How it works step by step
Before making a decision, the organization checks the risk - due diligence.
After making a decision, it implements and maintains controls - due care.
Documents activities.
Monitors effectiveness.
Improves processes.
Practical example
The company selects a payment service provider. Due diligence involves checking its security, certification, incident history and contract terms. Due care means subsequent monitoring of SLAs, incidents, accesses and changes to the service.
Exam example
Scenario
Before signing a contract, the company checks the supplier's security and audit reports. What does it do?
Correct answer:
Due diligence.
Not to be confused with this
Due diligence is usually "before", due care is "during". Both are needed.
Common mistakes
A common mistake is to do due diligence once and then not do due diligence. Supplier and risk change over time.
A definition to remember
Due diligence is careful review before a decision, and due care is judiciously maintaining coverage after a decision is made.
10. Audits and assessments
Problem
The organization must verify that controls are in place and operational. Without audits and assessments, security is based on declarations.
Explanation from scratch
An audit is a formal assessment of compliance with requirements, policies, standards or regulations.
Assessment is an assessment of the state of security, risk or maturity. It may be less formal than an audit.
Types:
- Type Meaning
- Internal audit An audit performed internally by the organization.
- External audit Audit performed by an external entity.
- Self-assessment Self-assessment of an organization or team.
- Independent third-party assessment Assessment by an independent third party.
- Attestation Formal confirmation of compliance with requirements or control status.
Domain 5.5 covers the types and purposes of audits and assessments.
How it works step by step
The scope is established.
Criteria are selected.
Evidence is being collected.
The actual situation is compared with the requirements.
Findings shall be documented.
A recovery plan is being created.
The implementation of activities is checked.
Practical example
The audit detects that former employees' accounts are not deleted in a timely manner. Finding goes into the report. The recovery plan includes deprovisioning automation, HR-IAM reports and periodic account reviews.
Exam example
Scenario
The company needs independent confirmation that its controls meet the customer's requirements. What will be most suitable?
Correct answer:
External audit or independent third-party assessment, depending on the answers available in the question.
Not to be confused with this
An audit is not the same as a penetration test. An audit assesses compliance or controls. A penetration test checks whether specific weaknesses can be exploited within a controlled range.
Common mistakes
A common mistake is to treat an audit as a "hunt for the guilty". A well-conducted audit should improve control, transparency and accountability.
A definition to remember
An audit formally checks compliance and operation of controls, while an assessment assesses the state of security, risk or maturity.
11. Security awareness
Problem
Even the best technical controls can be compromised by human error: clicking a phishing scam, using a weak password, connecting an unknown medium, sharing data, ignoring a procedure, or letting someone in without ID.
Explanation from scratch
Security awareness is a program for building security awareness among employees and co-workers. It is not about one-time training, but about a repeatable process of teaching, reminding, measuring and improving behavior.
The official target of 5.6 includes, among others: phishing campaigns, phishing recognition, responding to reported suspicious messages, anomalous behavior recognition, user guidance and training, insider threat, password management, removable media, social engineering, operational security, hybrid/remote work and initial and recurring reporting and monitoring.
How it works step by step
The organization identifies risky behaviors.
Creates materials and procedures.
Conducts initial training.
Sends reminders and micro-training.
Organizes simulations, e.g. phishing campaigns.
Measures reports, clicks and reactions.
Adapts the program to the results.
Repeats the cycle.
Practical example
After an increase in phishing, the company launches a campaign: training, simulated messages, a "report phishing" button, instructions for users and reports for the security team. The goal is not to shame those who clicked, but to improve organizational behavior.
Exam example
Scenario
The company wants to improve employees' ability to recognize and report suspicious messages. What is the best approach?
Correct answer:
Security awareness program with phishing campaigns, reporting instructions and periodic monitoring of results.
Not to be confused with this
Security awareness does not replace technical controls. User training should work in conjunction with MFA, email security, DLP, monitoring and procedures.
Common mistakes
A common mistake is one-off training once a year without measuring effectiveness. The second mistake is penalizing users for reporting or making mistakes, which discourages reporting.
A definition to remember
Security awareness is a continuous program of shaping safe behaviors through training, communication, exercises, reporting and monitoring.

Key concepts
Concept Meaning
Governance Governance, policies, responsibilities and security reporting.
Policy A high-level organizing principle.
Standard A specific requirement that must be met.
Procedure Step-by-step instructions.
Guideline Recommendation or good practice.
Risk management The process of identifying, assessing and managing risks.
Risk register Register of risks, owners, activities and statuses.
Risk appetite The overall readiness of an organization to accept risk.
Risk tolerance A specific limit of acceptable risk or deviation.
Accept Acceptance of risk.
Avoid Avoiding risk by refraining from taking action.
Transfer Transfer of part of the effects of risk, e.g. insurance.
Mitigate Reducing risk through controls.
BIA Business Impact Analysis, business impact analysis.
RTO Maximum acceptable unavailability time.
RPO The maximum acceptable data loss, measured in time.
MTTR Average repair time.
MTBF Mean Time Between Failures.
SLE Expected loss from a single event.
ARO Annual event rate.
BUT Expected annual loss.
Third-party risk Risk arising from suppliers and partners.
SLA Service Level Agreement.
NDA Confidentiality Agreement.
MOU Agreement between the parties.
Right-to-audit Supplier audit right.
Compliance Compliance with requirements.
Due diligence Careful checking before making a decision.
Due care Reasonable ongoing concern for safety.
Audit A formal assessment of compliance or control.
Assessment Assessment of security, risk or maturity status.
Security awareness Security awareness building program.
Examples
Example 1: Policy, standard, procedure and guideline
The company wants to improve password security.
Policy: "User accounts must be protected from unauthorized access."
Standard: "Passwords must be a minimum of 14 characters and remote access requires MFA."
Procedure: "How a user resets their password and confirms their identity."
Guideline: "Use a password manager and avoid password reuse."
Example 2: Supplier risk
The payment system provider will process customer data. The company should perform due diligence, sign an NDA, establish an SLA, require incident reporting, record a right-to-audit and monitor the supplier throughout the contract period.
Example 3: BIA and RTO/RPO
The procurement system is critical. BIA shows that an hour of unavailability causes large losses. The company sets RTO = 1 hour and RPO = 15 minutes, so it needs frequent replication, recovery testing and monitoring.
Example 4: Security awareness
The company is seeing an increase in phishing reports. It runs training, simulations, a simple reporting procedure and measures how many employees report messages instead of clicking links. The results are used to improve the program.
Practical applications
Creating a hierarchy of security documents.
Maintaining a risk register.
Prioritize security investments.
Determining RTO and RPO for systems.
Evaluation of suppliers before signing the contract.
Preparation for the audit.
Building a security awareness program.
Connecting technical security with business decisions.
Common mistakes
Wrong Why is it wrong Correct understanding
| “Policy and procedure are the same.” | The policy is general, the procedure is step by step. | Policy says what, procedure says how. |
|---|---|---|
| “Compliance means complete security.” | Compliance may only cover part of the risks. | Security requires continuous risk management. |
| “Transfer removes risk.” | Transfer reduces some of the impact, usually financial. | Risks still need to be controlled. |
| “RTO and RPO are the same thing.” | RTO refers to time of unavailability, RPO for data loss. | RTO = how to return quickly; RPO = how much data can be lost. |
| “The cheapest supplier is the best.” | The supplier may increase the risk. | Security and contracts need to be assessed. |
| “NDA determines service availability.” | An NDA protects confidentiality. | SLA determines the level of service. |
| "Audit is a penetration test." | The audit assesses compliance, the pentest checks the possibility of exploiting weaknesses. | These are different types of assessment. |
| “Security awareness is a one-time training.” | An effective program is cyclical and measured. | Awareness requires repetition and monitoring. |
Common mistakes
No risk owner
The risks are known, but no one is responsible for the decision.
Documents without enforcement
The policy exists, but no one checks compliance.
Acceptance of risk without a formal decision
Inaction is not the same as approved acceptance.
BIA without playback testing
RTO and RPO are written down, but the organization has not checked whether it can meet them.
One-time supplier assessment
The supplier is checked before the contract, but no one monitors changes afterwards.
Compliance as the only goal
The organization "passes the audit" but does not improve real safety.
Training without measuring effectiveness
No data on reports, clicks or behavior change.
What you need to know for the exam
In the 5.0 domain you need to be particularly able to:
- distinguish between policy, standard, procedure and guideline
- explain governance
- indicate the elements of risk management
- distinguish between risk appetite and risk tolerance
- choose accept, avoid, transfer or mitigate
- understand BIA, RTO, RPO, MTTR and MTBF
- calculate ALE from SLE and ARO
- recognize suppliers' documents: SLA, NDA, MOU, right-to-audit
- explain due diligence and due care
- recognize controller, processor and data subject
- distinguish audit from assessment
- select awareness training for the scenario.
Checklist
User should be able to:
- Explain governance.
- Distinguish between policy, standard, procedure and guideline.
- Describe the risk management process.
- Explain risk register.
- Distinguish risk appetite from risk tolerance.
- Choose an accept, avoid, transfer or mitigate strategy.
- Explain BIA, RTO, RPO, MTTR and MTBF.
- Calculate ALE = SLE × ARO.
- Explain third-party risk management.
- Distinguish between SLA, MOU, NDA and right-to-audit.
- Explain compliance and privacy.
- Distinguish between data subject, controller and processor.
- Explain due diligence and due care.
- Distinguish audit from assessment.
- Design a simple security awareness program.
- Review questions
- What is governance?
- What is the difference between policy and standard?
- What is the difference between a procedure and a guideline?
- What does the risk register contain?
- What is the difference between risk appetite and risk tolerance?
- What is the difference between accept and avoid?
- What is the difference between transfer and mitigation?
- What does BIA mean?
- What is the difference between RTO and RPO?
- What is the difference between MTTR and MTBF?
- How is ALE calculated?
- What is the difference between SLA and NDA?
- Why is the right-to-audit clause used?
- What is the difference between due diligence and due care?
- What is the difference between a data controller and a data processor?
- Why does compliance not mean full security?
- What is the difference between audit and assessment?
- What elements should a security awareness program have?
- Answers with explanations
- Governance is the supervision, rules and responsibilities related to security.
- It helps you manage safety as a program rather than a set of random activities.
- A policy is a high-level rule and a standard is a specific requirement.
- The procedure describes the steps and the guideline gives recommendations.
- The risk register contains risks, owners, probability, impact, strategy, status and actions.
- Risk appetite is the general willingness to accept risk, and risk tolerance is the specific acceptance threshold.
- Accept means to consciously accept the risk, avoid means to give up the action that creates the risk.
- Transfer transfers some of the effects of risk, mitigates risk through controls.
- BIA is Business Impact Analysis, i.e. analysis of the impact of a disruption on business.
- The RTO tells you how quickly the system must recover, and the RPO tells you how much data can be lost.
- MTTR measures the mean time to repair and MTBF the mean time between failures.
- BUT = SLE × ARO.
- If SLE = PLN 50,000 and ARO = 2, ALE = PLN 100,000.
- SLA determines the level of service, NDA protects the confidentiality of information.
- The right-to-audit clause gives the right to check the supplier in terms of requirements.
- Due diligence is careful checking before a decision, due care is reasonable protective measures during.
- The controller decides on the purpose and method of processing, the processor processes the data on its behalf.
- Compliance means compliance with requirements, but the requirements may not cover all risks.
- An audit is a formal assessment of compliance, assessment assesses the state of security, risk or maturity.
- The awareness program should include initial training, periodic reminders, phishing campaigns, a reporting procedure, measurement of results and program improvement.
- Practical tasks
- Laboratory 1: Policy, standard, procedure, guideline
Purpose:
Learn to distinguish governance documents.
Context:
The company wants to clean up its password and MFA policies.
Steps:
- Write a short policy regarding account protection.
- Write three technical standards.
- Write a 5-step password reset procedure.
- Write two guidelines for users.
- Indicate which documents are mandatory and which are recommended.
Expected result:
Four different documents or fragments of documents.
Pass criteria:
- Policy is high-level.
- The standards are specific and measurable.
- The procedure has steps.
- Guideline is a recommendation.
- Policy and procedure were not confused.
Only perform this exercise in a legal, controlled laboratory environment. Don't use it on other people's systems, networks or accounts.
Laboratory 2: Risk register and response strategy
Purpose:
Practice documenting risks.
Context:
- Risk Example
- User phishing Possible account takeover.
- No backup of the sales system. Possible long-term unavailability.
- The provider has 24/7 VPN access. Abuse or hijacking of access is possible.
- Old legacy system without patches Vulnerability impossible to quickly fix.
Steps:
- For each risk, indicate the owner.
- Rate the likelihood and impact: low/medium/high.
- Select a strategy: accept, avoid, transfer or mitigate.
- Suggest actions.
- Indicate the residual risk.
Expected result:
Simple risk register.
Pass criteria:
- Every risk has an owner.
- The strategy fits the script.
- Compensatory control was considered for the legacy system.
- Access restriction is included for the provider.
- Lack of action was not treated as formal acceptance.
Only perform this exercise in a legal, controlled laboratory environment. Don't use it on other people's systems, networks or accounts.
Lab 3: BIA and ALE calculation
Purpose:
Combine business impact with simple quantitative analysis.
Context:
The ordering system generates PLN 20,000 in revenue per hour. The failure lasts on average 3 hours. It happens about twice a year. The company wants to reduce the loss by investing in an HA solution costing PLN 50,000 per year.
Steps:
- Calculate SLE.
- Establish ARO.
- Calculate BUT.
- Compare ALE to the cost of control.
- Identify additional factors that the numbers alone do not show.
Expected result:
- SLE = PLN 60,000.
- ARO = 2.
- BUT = PLN 120,000.
- An inspection worth PLN 50,000 may be justified if it actually reduces losses.
Pass criteria:
- SLE was calculated correctly.
- ARO was correctly indicated.
- BUT was calculated correctly.
- It is included that the numbers are an estimate.
- Reputation, customers and SLA are included as additional factors.
Only perform this exercise in a legal, controlled laboratory environment. Don't use it on other people's systems, networks or accounts.
Mini-test
Question 1
Which document describes a high-level organizing principle?
A. Policy
B.Procedure
C.Packet capture
D.NetFlow
Correct answer:
A
Explanation:
Policy describes a high-level policy.
Why the other answers are worse:
- B: Procedure describes the steps.
- C and D: These are technical data sources, not governance documents.
- Question 2
The company wants to set a specific requirement: "password must be a minimum of 14 characters." What is this?
A.Standard
B.Guideline
C. BIA
D.DLP
Correct answer:
A
Explanation:
The standard defines a specific requirement that can be checked.
Why the other answers are worse:
- B: Guideline is a recommendation.
- C: BIA analyzes business impact.
- D: DLP protects against data leakage.
- Question 3
RTO specifies:
- A. How much data can be lost at most
- B. How quickly the system must recover after an interruption
- C. Vulnerability number
- D. Confidentiality agreement
Correct answer:
B
Explanation:
RTO refers to the maximum acceptable unavailability time.
Why the other answers are worse:
- A: It's the Ombudsman.
- C: It's a CVE.
- D: It's an NDA.
- Question 4
SLE is PLN 10,000, ARO is 3. How much is ALE?
A. PLN 3,000
B. PLN 10,003
C. PLN 30,000
D. PLN 300,000
Correct answer:
C
Explanation:
ALE = SLE × ARO = 10,000 × 3 = PLN 30,000.
Why the other answers are worse:
- A, B, D: They do not result from the correct formula.
- Question 5
The company buys cyber insurance. What is the risk response strategy?
A. Transfer
B. Avoid
C. Eradication
D.Deprovisioning
Correct answer:
A
Explanation:
Insurance transfers part of the financial consequences of the risk.
Why the other answers are worse:
- B: Avoid means giving up risky actions.
- C: Eradication is the incident response stage.
- D: Deprovisioning applies to accounts.
- Question 6
Which document protects the confidentiality of information provided to the supplier?
A.NDA
B.SLA
C. Ombudsman
D. MTBF
Correct answer:
A
Explanation:
NDA stands for Non-Disclosure Agreement, i.e. a confidentiality agreement.
Why the other answers are worse:
- B: SLA determines the level of service.
- C: RPO covers data loss.
- D: MTBF refers to failure rate.
- Question 7
The company wants to have the right to check the supplier's security. What should she add to the contract?
A. Right-to-audit clause
B. Data masking
C.Tailgating
D. Password spraying
Correct answer:
A
Explanation:
The right-to-audit clause gives the right to audit the supplier.
Why the other answers are worse:
- B: This is a data protection method.
- C: It's a technique of physically getting behind someone.
- D: It's a password attack.
- Question 8
The organization decides why and how to process customer data. What role does it play?
A. Data controller
B. Data subject
C. Packet broker
D. Cold site
Correct answer:
A
Explanation:
The controller decides on the purpose and method of data processing.
Why the other answers are worse:
- B: Data subject is the person to whom the data relates.
- C and D: They do not concern privacy.
- Question 9
Before signing a contract, the company checks the supplier's security. What does it do?
A. Due diligence
B. Due care
C. Recovery
D. Tokenization
Correct answer:
A
Explanation:
Due diligence is careful checking before making a decision.
Why the other answers are worse:
- B: Due care is ongoing reasonable action.
- C: Recovery is the recovery of the operation.
- D: Tokenization is data protection.
- Question 10
The best description of security awareness is:
- A. One-time training without measurement
- B. A cyclical program of teaching, practicing, reporting and improving behavior
- C. Server disk encryption
- D. Disabling logs
Correct answer:
B
Explanation:
Awareness should be cyclical, measured and adjusted to risks.
Why the other answers are worse:
- A: One-time training is not enough.
- C: This is a technical inspection.
- D: Deteriorates safety.
- Flashcards
- Front of the index card. Back of the index card
| What is governance? | Safety supervision, rules and responsibilities. |
|---|---|
| Policy vs standard? | The policy is general; a standard is a specific requirement. |
| Procedure vs guideline? | Procedure is steps; guideline is a recommendation. |
| What is risk register? | Register of risks, owners, activities and statuses. |
| Risk appetite vs risk tolerance? | Appetite is general; tolerance is a specific threshold. |
| Accept vs avoid? | Accept accepts risk; avoid refrains from an action that creates risk. |
| Transfer vs mitigate? | Transfer transfers some of the effects; mitigate reduces the risk of inspections. |
| What does BIA mean? | Business Impact Analysis, business impact analysis. |
| RTO vs RPO? | RTO = how to return quickly; RPO = how much data can be lost. |
| MTTR vs MTBF? | MTTR = mean time to repair; MTBF = mean time between failures. |
| What does SLE mean? | Expected loss from one event. |
| What does ARO mean? | Annual event rate. |
| What does BUT mean? | Expected annual loss: SLE × ARO. |
| What is third-party risk? | Risks arising from suppliers and partners. |
| SLA vs NDA? | SLA determines the level of service; An NDA protects confidentiality. |
| What is an MOU? | Memorandum of Understanding, agreement between the parties. |
| What does the right-to-audit clause provide? | The right to audit the supplier. |
| Due diligence vs due care? | Diligence = checking before; care = ongoing care. |
| Data subject vs controller? | Subject is a person; controller decides on processing. |
| Controller vs processor? | The controller decides; processor processes on its behalf. |
| Compliance vs security? | Compliance is compliance; security is real risk management. |
| Audit vs assessment? | An audit formally checks compliance; assessment assesses the condition or risk. |
| What is security awareness? | A cyclical program for building safe behaviors. |
Images to generate
IMG_M06_S01_GRC_OVERVIEW
Place in the material:
"Introduction" section.
Image Purpose:
Show how governance, risk and compliance combine into a security program.
Description of the image to generate:
Diagram with three pillars: Governance, Risk Management, Compliance. Under Governance: policy, standard, procedure, roles. Under Risk Management: risk register, appetite, tolerance, treatment. Under Compliance: audits, legal/regulatory requirements, privacy. Above the pillars: Security Program Management. Below: continuous improvement.
Style:
Organizational infographic/GRC diagram.
Mandatory elements:
- governance
- risk management
- compliance
- policies
- standards
- procedures
- risk register
- audits
- privacy
- continuous improvement.
Elements to avoid:
- irrelevant decorations
- too many shortcuts
- illegible icons.
- IMG_M06_S02_RISK_BIA_METRICS
- Place in the material:
- "BIA, RTO, RPO, MTTR and MTBF" section.
Image Purpose:
Explain the difference between RTO, RPO, MTTR and MTBF.
Description of the image to generate:
Timeline showing the crash. Before the failure, the point of the last copy of the data described as RPO. From the moment of failure to system restoration, RTO arrow. Separately show MTTR as mean time to repair and MTBF as mean time between failures. Add a short box: "BIA determines business impact".
Style:
Timeline diagram/educational infographic.
Mandatory elements:
- outage
- last backup/recovery point
- Commissioner for Human Rights
- RTO
- MTTR
- MTBF
- BIA.
Elements to avoid:
- complicated patterns
- too long descriptions
- random icons.
- IMG_M06_S03_VENDOR_RISK_FLOW
- Place in the material:
- "Third-party risk management" section.
Image Purpose:
Demonstrate the supplier evaluation and supervision process.
Description of the image to generate:
Process diagram: identify vendor → data/system access analysis → due diligence → contract requirements → SLA/NDA/right-to-audit → controlled onboarding → monitoring → reassessment → offboarding/access removal/data return. Add a side label: supply chain risk.
Style:
Supplier management process diagram.
Mandatory elements:
- vendor identification
- due diligence
- contract requirements
- SLA
- NDA
- right-to-audit
- monitoring
- reassessment
- offboarding
- access removal.
Elements to avoid:
- names of real companies
- legal details
- excess text.
- IMG_M06_S04_SECURITY_AWARENESS_CYCLE
- Place in the material:
- "Security awareness" section.
Image Purpose:
Show awareness as a cycle, not a one-time training.
Description of the image to generate:
Cyclic diagram: identify risky behaviors → develop training → initial training → phishing campaign/simulation → reporting suspicious activity → measure results → targeted reinforcement → recurring training. Inside: "behavior change, not one-time training."
Style:
Diagram of the educational cycle.
Mandatory elements:
- initial training
- recurring training
- phishing campaign
- suspicious message reporting
- metrics
- reinforcement
- hybrid/remote work
- insider threat awareness.
Elements to avoid:
- shaming users
- punishment symbols
- excessive text.
- Coverage of exam requirements
- SY0-701 Exam Requirement Where It Is Covered Level of Coverage Notes
- 5.1 Summarize elements of effective security governance Governance; policy/standard/procedure/guideline Full Documents, roles, responsibilities and governance discussed.
- 5.2 Explain elements of the risk management process Risk management; appetite/tolerance; BIA; SLE/ARO/ALE Full Includes risk strategies, risk register, BIA and metrics.
- 5.3 Explain third-party risk assessment and management Third-party risk management Full Due diligence, SLA, MOU, NDA, right-to-audit and monitoring are included.
- 5.4 Summarize elements of effective security compliance Compliance and privacy Full Includes compliance, privacy, controller, processor and data subject.
- 5.5 Explain types and purposes of audits and assessments Audits and assessments Full Internal/external audit, self-assessment, independent assessment and attestation are discussed.
- 5.6 Given a scenario, implement security awareness practices Security awareness Full Includes phishing campaigns, anomalous behavior, user guidance, reporting and monitoring.
- Which is worth repeating before moving on
- Policy vs standard vs procedure vs guideline.
- Risk appetite vs risk tolerance.
- Accept vs avoid vs transfer vs mitigate.
- RTO vs. RPO.
- MTTR vs MTBF.
- SLE, ARO, BUT.
- SLA vs NDA vs MOU.
- Due diligence vs. due care.
- Controller vs processor vs data subject.
- Audit vs assessment.
- Awareness as a cycle.
- Module completeness check
Scope from outline covered:
- governance
- policies, standards, procedures and guidelines
- risk management
- risk register
- risk appetite and risk tolerance
- risk response strategies
- BIA, RTO, RPO, MTTR, MTBF
- SLE, ARO, ALE
- third-party risk management
- SLA, MOU, NDA and right-to-audit
- compliance and privacy
- due diligence and due care
- audits and assessments
- security awareness
- exercises, mini-test, flashcards, images and coverage of requirements.
Scope requiring deepening:
- more scenario questions from documents and risk strategies will appear in module 7
- BIA connection with technical disaster recovery can be repeated together with module 3
- awareness can be additionally practiced through phishing scenarios in the exam module.
Most important things to remember:
- Governance gives direction and responsibility.
- Risk management requires ownership, assessment, decisions and monitoring.
- RTO is about recovery time, RPO is about data loss.
- BUT = SLE × ARO.
- Third-party risk must be monitored throughout the entire cooperation cycle.
- Compliance does not equal complete security.
- Awareness works when it is cyclical, measured and supported by procedures.
Is the material sufficient to master this part:
Yes, as a complete introduction to the 5.0 Security Program Management and Oversight domain at the Security+ SY0-701 level.
Potential vulnerabilities:
- It is worth doing an additional review of the SLE/ARO/ALE calculations.
- It is worth practicing scenarios with the selection of documents: SLA, NDA, MOU, policy, standard, procedure.
- It is worth combining this module with module 7 through best answer exam questions.
- Explanation depth control
- Important concepts are developed, not just mentioned.
- Key concepts show the problem, mechanism, practical example, exam scenario, mistakes and definition.
- Added checklist, control questions, answers, labs, mini-test, flashcards and image descriptions.
- The exercises are defensive and designed in a legal, controlled environment.
- The structure corresponds to the principles of generating appropriate training material.