Security Governance Memo (Altaba / Yahoo SEC (2018))
Use this to define or clarify security governance: roles, committees, escalation paths, and accountability; it makes clear who decides what.
Purpose
This memo clarifies governance roles, escalation triggers, and reporting responsibilities needed to manage risks surfaced by Altaba / Yahoo SEC (2018). It ensures that leadership, legal, and security functions operate under a common accountability model.
Hallucinated writing examples
Scenario: In an illustrative period following the SEC April 2018 cease-and-desist order on delayed breach disclosure (time), the Chief Information Security Officer (role) prepares a security governance memo (type) for Executive Leadership, Security Leadership, Disclosure and Audit Stakeholders (audience).
SECURITY GOVERNANCE MEMO
Purpose: This memo defines governance responsibilities for incident escalation, disclosure-control coordination, and security oversight following SEC findings on delayed cybersecurity disclosure. It ensures consistent ownership and traceable decisions between security, legal, and finance functions.
Governance Model: Governance committees and disclosure leadership receive recurring reports on escalation timing, control-test exceptions, and unresolved high-risk findings. Charters, reporting lines, and review records are maintained to support examination and audit needs.
Roles and Escalation: The CISO owns security governance policy and coordinates with legal/finance for disclosure-sensitive events. Material incidents and policy exceptions escalate through defined governance paths. Risk acceptances require documented approvals, mitigation commitments, and periodic review.