Security Governance Memo (Capital One 2019)

Use this to define or clarify security governance: roles, committees, escalation paths, and accountability. It ensures that “who decides what” is clear.


Purpose

This memo clarifies governance roles, escalation triggers, and reporting responsibilities needed to manage risks surfaced by Capital One 2019. It ensures that leadership, legal, and security functions operate under a common accountability model.

Hallucinated writing examples

Scenario: In an illustrative period following the 2019 Capital One cloud breach and related enforcement and litigation tracks (time), the Chief Information Security Officer (role) prepares a security governance memo (type) for Executive Leadership, Security Leadership, Audit (audience).

SECURITY GOVERNANCE MEMO

To: Executive Leadership, Security Leadership, Audit
From: Chief Information Security Officer
Date: October 1, 2020
Subject: Security Governance — Roles, Committees, and Escalation (Post–July 2019 Incident; OCC Consent Order)

Purpose: This memo defines the Bank's security governance structure following the July 2019 cybersecurity incident and the Consent Order and Civil Money Penalty issued by the Office of the Comptroller of the Currency on August 6, 2020 (OCC NR 2020-98). The incident involved unauthorized access to customer data in our AWS-hosted infrastructure; the Consent Order required the Bank to strengthen board and management oversight of cybersecurity, risk management, and reporting. This memo clarifies who decides what and how security is overseen so that we meet regulatory expectations and maintain clear accountability.

Governance Model: The Board of Directors delegates oversight of technology and cybersecurity risk to the Board Audit Committee. The Committee receives quarterly reports on security program status, key risks, Consent Order progress, and key metrics. The CISO reports to [designated executive]. Security leadership participates in [committee name] for operational risk. Charters and reporting lines are documented; the Audit Committee charter and org chart (security reporting line) are maintained and available for examiner review.

Roles and Escalation: The CISO is accountable for security strategy, policy, standards, and control implementation; the CISO's authority includes approval of security exceptions within policy limits and escalation to the Board for material risk acceptances. Material incidents are escalated to the CISO and [executive] immediately, and the Board is notified per the incident policy. Risk acceptances require CISO approval with a revisit date; material or enterprise-wide acceptances are reported to the Audit Committee. Policies and standards are approved by [authority]; the CISO organization maintains the standards and updates them per [cadence]. This governance structure is reviewed annually and has been strengthened per the Consent Order.

© 2026 Yi Zhang. Licensed under the MIT License.
Last updated: 2026 April 17 9:37 AM