Security Governance Memo (Capital One 2019)
Use this to define or clarify security governance: roles, committees, escalation paths, and accountability; ensures “who decides what” is clear.
Hallucinated writing examples
Scenario. In October 2020, two months after the OCC Consent Order (August 6, 2020) (time), the Chief Information Security Officer (role) must issue an internal security governance memo (type) to leadership and the OCC examiner (audience) that defines roles, committees, escalation paths, and accountability for security. It must align with the Consent Order's governance requirements and the post–July 2019 incident structure.
SECURITY GOVERNANCE MEMO
Purpose. This memo defines the Bank's security governance structure following the July 2019 cybersecurity incident and the Consent Order and Civil Money Penalty issued by the Office of the Comptroller of the Currency on August 6, 2020 (OCC NR 2020-98). The incident involved unauthorized access to customer data in our AWS-hosted infrastructure; the Consent Order required the Bank to strengthen board and management oversight of cybersecurity, risk management, and reporting. This memo clarifies who decides what and how security is overseen so that we meet regulatory expectations and maintain clear accountability.
Governance model. The Board of Directors delegates oversight of technology and cybersecurity risk to the Board Audit Committee. The Committee receives quarterly reports on security program status, key risks, Consent Order progress, and key metrics. The CISO reports to [designated executive]. Security leadership participates in [committee name] for operational risk. Charters and reporting lines are documented; the Audit Committee charter and org chart (security reporting line) are maintained and available for examiner review.
Roles and escalation. The CISO is accountable for security strategy, policy, standards, and control implementation; the CISO's authority includes approval of security exceptions within policy limits and escalation to the Board for material risk acceptances. Material incidents are escalated to the CISO and [executive] immediately, and the Board is notified per the incident policy. Risk acceptances require CISO approval with a revisit date; material or enterprise-wide acceptances are reported to the Audit Committee. Policies and standards are approved by [authority]; the CISO organization maintains standards and updates them per [cadence]. This governance structure is reviewed annually and has been strengthened per the Consent Order.
Official document (governance in regulatory context)
The OCC consent order required Capital One to strengthen board and management oversight of cybersecurity. 10-K Item 1C and proxy disclosures describe how the board oversees cyber risk—the public analogue to an internal governance memo.
- OCC Consent Order (2020): Consent Order and Civil Money Penalty against Capital One; required governance improvements in board reporting, management accountability, and risk management.
- Capital One 10-K: Item 1C describes board and committee oversight, management roles, and reporting.
- SEC Cybersecurity Disclosure Guidance: governance disclosure expectations.
Governance memos are usually internal; the consent order and 10-K show how regulators expect roles and oversight to be documented.
Writing analysis
How security governance memos are typically structured
- Purpose — Why governance is being defined or updated.
- Governance model — Board/committee structure; reporting lines.
- Roles — CISO, security leadership, risk owners, and their authority.
- Committees — Security/risk committee charter, membership, and cadence.
- Escalation — When and how issues escalate (incidents, risk, exceptions).
- Policies and standards — How they are set, approved, and updated.
- Review cycle — How often governance is reviewed and by whom.
What to emulate
- Align with charters, org design, and policy approval records so the memo is evidence of oversight.
- Clear escalation paths (incident, risk acceptance, exception) so “who decides what” is unambiguous.
- One-page summary plus appendix (charters, org chart) so leadership and auditors can use it quickly.
What to improve
- Avoid vague "committee oversees security"; name the committee, cadence, and deliverables.
- Tie governance to evidence (minutes, charters, approval dates) so "tone at the top" is demonstrable.