
Cybersecurity Governance Playbook

Enterprise governance framework for operating and maintaining the Cybersecurity Schema. Security data ownership, review cadences, escalation procedures, and audit readiness for Fortune 500 security programs.

📖 30 min read 📋 Governance v1.0 ⭐ Premium

Overview

Security data governance requires heightened controls compared to general IT asset management. The data in this schema directly impacts organizational risk posture, regulatory compliance status, and incident response capabilities. Inaccurate vulnerability data leads to missed SLAs, compliance failures, and potential breaches.

What This Playbook Establishes

  • Security data ownership matrix for all five object types
  • Data quality rules specific to security data (CVE validation, CVSS ranges, remediation SLAs)
  • Review cadences for vulnerability management, risk assessments, and compliance
  • RACI matrix for security operations
  • Escalation procedures for critical vulnerabilities and potential breaches
  • Audit readiness for security and compliance data

Security Governance Structure

The Security Data Governance Committee

Security data requires a dedicated governance structure that operates alongside the CMDB Governance Board.

Role | Responsibility | Meeting Attendance
CISO (Chair) | Strategic direction, risk appetite decisions | All meetings
Vulnerability Management Lead | Vulnerability data accuracy, SLA compliance | All meetings
GRC Manager | Compliance tracking, control assessment | All meetings
Security Operations Manager | Asset inventory, scanner integration | All meetings
Risk Manager | Risk register accuracy, treatment oversight | All meetings
Internal Audit Representative | Audit readiness, evidence collection | Quarterly

Meeting Cadence

  • Weekly: Vulnerability triage meeting (Vulnerability Management Lead chairs)
  • Monthly: Security Data Governance Committee (CISO chairs)
  • Quarterly: Joint session with CMDB Governance Board

Data Ownership Matrix

Security Asset Ownership

Aspect | Owner | Details
Data Steward | Security Operations Manager | Accountable for inventory completeness
Source Systems | Discovery tools, EDR agents, Cloud APIs | Multiple authoritative sources
Update Authority | Automated import; Security Engineers | Manual updates require justification
Archive Authority | Security Operations Manager | Approves status changes to Decommissioned

Vulnerability Ownership

Aspect | Owner | Details
Data Steward | Vulnerability Management Lead | Accountable for data accuracy and SLA compliance
Source Systems | Vulnerability scanners | Scanner is authoritative for technical findings
Update Authority | Automated import; Analysts for status | Status changes follow defined workflow
Archive Authority | Vulnerability Management Lead | Approves False Positive and Accepted Risk

Data Quality Rules

CVE Validation Rules

Rule | Validation | Action on Failure
CVE ID format valid | Matches CVE-\d{4}-\d{4,} | Reject import; flag for review
CVE exists in NVD | API lookup to NVD | Warn; allow import with flag
CVSS matches NVD | Compare to NVD base score | Update to NVD value; log discrepancy

Remediation SLA Rules

SLAs are calculated based on Vulnerability Severity and Asset Criticality:

Vulnerability Severity | Critical Asset | High Asset | Medium Asset | Low Asset
Critical Vuln | 1 day | 3 days | 7 days | 14 days
High Vuln | 3 days | 7 days | 14 days | 30 days
Medium Vuln | 7 days | 14 days | 30 days | 60 days
Low Vuln | 14 days | 30 days | 60 days | 90 days
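The CVE validation rules and the SLA matrix above are the two checks an import gate has to apply to every scanner finding before it lands in the schema. The following Python is an added example written for this playbook, not code from the schema or its vendor; the record layout (cve_id, cvss, severity, asset_criticality, detected, status), the NVD_INDEX stand-in for a real NVD API lookup, and the sample findings are all constructed for illustration. It rejects malformed CVE IDs and out-of-range CVSS scores, warns (but still imports) when a CVE is absent from the NVD index, lets the NVD base score win on a mismatch, then derives the remediation due date from severity and asset criticality and reports whether each open finding is within SLA or already breached.

```python
"""Import gate for scanner findings: CVE validation rules + SLA matrix.

Added example for the playbook; record layout and sample data are constructed.
"""
import re
from datetime import date, timedelta

# Rule from the playbook: CVE IDs must look like CVE-YYYY-NNNN (4+ digits).
CVE_ID_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")

# Remediation SLA in days, indexed [vulnerability severity][asset criticality].
SLA_DAYS = {
    "Critical": {"Critical": 1,  "High": 3,  "Medium": 7,  "Low": 14},
    "High":     {"Critical": 3,  "High": 7,  "Medium": 14, "Low": 30},
    "Medium":   {"Critical": 7,  "High": 14, "Medium": 30, "Low": 60},
    "Low":      {"Critical": 14, "High": 30, "Medium": 60, "Low": 90},
}

# Statuses that take a finding out of the SLA clock (closed via the workflow).
CLOSED_STATUSES = {"Remediated", "False Positive", "Accepted Risk"}


def validate_finding(finding, nvd_index):
    """Apply the CVE validation rules. Returns (rejections, warnings).

    Any rejection blocks the import; warnings allow import with a flag.
    nvd_index stands in for an NVD API lookup: {cve_id: nvd_base_score}.
    """
    rejections, warnings = [], []
    cve_id = finding.get("cve_id", "")
    cvss = finding.get("cvss")

    if not CVE_ID_RE.match(cve_id):
        rejections.append(f"{cve_id!r}: CVE ID format invalid")
    if not isinstance(cvss, (int, float)) or not 0.0 <= cvss <= 10.0:
        rejections.append(f"{cve_id}: CVSS base score {cvss!r} outside 0.0-10.0")
    if finding.get("severity") not in SLA_DAYS:
        rejections.append(f"{cve_id}: unknown severity {finding.get('severity')!r}")
    if finding.get("asset_criticality") not in SLA_DAYS["Critical"]:
        rejections.append(f"{cve_id}: unknown asset criticality")

    # Existence in NVD is a warning, not a rejection; a score mismatch is
    # logged and the NVD value is used downstream.
    if cve_id not in nvd_index:
        warnings.append(f"{cve_id}: not found in NVD; imported with flag")
    elif nvd_index[cve_id] != cvss:
        warnings.append(f"{cve_id}: CVSS {cvss} differs from NVD {nvd_index[cve_id]}")
    return rejections, warnings


def sla_due_date(finding):
    """Detection date plus the matrix value for severity x asset criticality."""
    days = SLA_DAYS[finding["severity"]][finding["asset_criticality"]]
    return finding["detected"] + timedelta(days=days)


def sla_state(finding, today):
    """'closed' if the workflow closed it, else 'breached' or 'within_sla'."""
    if finding.get("status") in CLOSED_STATUSES:
        return "closed"
    return "breached" if today > sla_due_date(finding) else "within_sla"


def gate_import(findings, nvd_index, today):
    """Run validation and SLA derivation; returns a report keyed by CVE ID."""
    report = {}
    for f in findings:
        rejections, warnings = validate_finding(f, nvd_index)
        if rejections:
            report[f.get("cve_id", "")] = {"decision": "rejected", "reasons": rejections}
            continue
        report[f["cve_id"]] = {
            "decision": "imported",
            "warnings": warnings,
            "cvss": nvd_index.get(f["cve_id"], f["cvss"]),  # NVD value wins
            "due": sla_due_date(f).isoformat(),
            "sla": sla_state(f, today),
        }
    return report


# Constructed stand-in for NVD and a constructed batch of scanner findings.
NVD_INDEX = {"CVE-2024-12345": 9.8, "CVE-2024-0001": 7.5,
             "CVE-2023-99999": 5.3, "CVE-2024-20000": 6.1}
SAMPLE_FINDINGS = [
    {"cve_id": "CVE-2024-12345", "cvss": 9.8, "severity": "Critical",
     "asset_criticality": "Critical", "detected": date(2024, 6, 1), "status": "Open"},
    {"cve_id": "CVE-2024-0001", "cvss": 7.5, "severity": "High",
     "asset_criticality": "Medium", "detected": date(2024, 6, 1), "status": "In Progress"},
    {"cve_id": "CVE-2024-20000", "cvss": 6.5, "severity": "Medium",
     "asset_criticality": "Low", "detected": date(2024, 4, 1), "status": "Accepted Risk"},
    {"cve_id": "CVE-24-1234", "cvss": 4.0, "severity": "Medium",          # bad ID format
     "asset_criticality": "High", "detected": date(2024, 6, 3), "status": "Open"},
    {"cve_id": "CVE-2023-99999", "cvss": 11.0, "severity": "Low",         # CVSS out of range
     "asset_criticality": "Low", "detected": date(2024, 6, 3), "status": "Open"},
]
AS_OF = date(2024, 6, 5)  # constructed "today" for the SLA check


def run_sample():
    return gate_import(SAMPLE_FINDINGS, NVD_INDEX, AS_OF)


if __name__ == "__main__":
    for cve, row in run_sample().items():
        print(cve, row)
```

Note that the gate never silently corrects a record: the NVD score replaces the scanner score only in the imported row, and the discrepancy stays in the warnings list so the Vulnerability Management Lead can see it at weekly triage. Findings closed as False Positive or Accepted Risk drop off the SLA clock, which is why those status changes sit with the archive authority in the ownership matrix.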

Review Cadences

Daily Operations

Activity | Owner | Deliverable
New vulnerability review | Vulnerability Management Lead | Triage decisions, assignments
SLA breach monitoring | Security Operations | Breach alerts, escalations
Critical vulnerability alert | Security Operations | Immediate escalation
Scanner import validation | Security Engineer | Import success report

Weekly Reviews

Activity | Day | Deliverable
Vulnerability triage meeting | Monday | Prioritized remediation queue
Remediation progress review | Wednesday | Status report, blockers identified
SLA compliance report | Friday | Weekly SLA metrics

Monthly Reviews

  • Week 1: Security Data Governance Committee meeting
  • Week 2: Risk register review with updated scores
  • Week 3: Control assessment cycle
  • Week 4: Security asset inventory audit

Escalation Procedures

Vulnerability Escalation Levels

Level | Authority | Response Time
L1 | Remediation Assignee | Within SLA
L2 | Vulnerability Management Lead | 4 hours (Critical), 1 day (High)
L3 | Security Operations Manager | 1 day
L4 | CISO | 2 days

Risk Acceptance Approval Thresholds

Residual Score | Approval Authority | Documentation Required
1-5 (Low) | Security Operations Manager | Business justification, compensating controls
6-11 (Medium) | Security Operations Manager | Justification, controls, expiration date
12-19 (High) | CISO | Formal memo, controls, quarterly review
20-25 (Critical) | Governance Committee | Executive memo, board notification, monthly review

Audit Readiness

Pre-Audit Checklist

  • Verify all control Evidence Locations are accessible
  • Confirm control-to-requirement mappings are complete
  • Run data quality scans and remediate critical findings
  • Generate 12-month vulnerability metrics (MTTR, SLA compliance)
  • Export risk register with treatment status
  • Compile risk acceptance decisions from period
  • Verify scanner import logs are retained
  • Update ownership matrix with current assignments
  • Brief Data Stewards on audit scope

Evidence Collection by Audit Type

Vulnerability Management Audit:

  • Scanner configuration and scan schedules
  • Vulnerability import logs (last 12 months)
  • SLA compliance metrics by severity and period
  • False positive and risk acceptance approvals

Compliance Audit (SOC 2, ISO 27001, PCI-DSS):

  • Control inventory with implementation status
  • Control-to-requirement mappings
  • Assessment schedules and results
  • Evidence links for each implemented control
  • Gap remediation tracking

RACI Matrix

Vulnerability Management

Activity | Vuln Lead | Sec Ops Mgr | CISO | Assigned To
Scanner configuration | C | A | I | -
Vulnerability import | R | A | I | -
Triage and prioritization | R | A | I | -
Remediation execution | I | I | I | R
Risk acceptance approval | C | C | A | R

Legend: R = Responsible, A = Accountable, C = Consulted, I = Informed