Security & Privacy Governance
Security and privacy governance is the operating model that connects executive obligations, regulatory drivers, internal controls, evidence, risk decisions, privacy obligations, and assurance reporting. In CloudSignals+RiskOps, governance is anchored by the Unified Control Baseline — an internal control intelligence layer that allows organizations to maintain one control baseline while mapping to many frameworks, laws, regulations, customer obligations, and audit expectations.
- Security governance leaders
- Compliance managers
- Privacy officers and DPOs
- GRC analysts
- Internal auditors
- MSP governance operators
- Risk leaders responsible for executive reporting
- Basic familiarity with security controls and compliance frameworks
- Basic understanding of privacy obligations (GDPR, CCPA/CPRA, HIPAA, or ISO 27701)
- Access to a CloudSignals+RiskOps tenant with Governance & Assurance enabled
What you will be able to do
- Explain the difference between a framework checklist and a unified internal control baseline.
- Describe how UCB domains, principles, controls, mappings, evidence, risks, and assessment objectives relate.
- Navigate Governance & Assurance workspaces to review baseline, control, domain, framework, privacy, and reporting data.
- Explain why Prowler scanner mappings remain metadata and not governance source of truth.
- Interpret ISO 27701, GDPR, CCPA/CPRA, and HIPAA Privacy readiness from UCB mappings and tenant assurance state.
- Evaluate evidence lineage, evidence freshness, and assurance status.
- Use Vision to generate advisory governance narratives while preserving human validation.
- Produce a security and privacy governance executive brief.
Governance Operating Model
15 min • Governance & Assurance Overview • Explain control intelligence and assurance operating model
From box-checking to a control intelligence operating model
Security and privacy governance is not the act of checking boxes against a framework. A mature governance program defines what the organization believes, what it must do, who owns it, how it proves it, how often it tests it, and how it responds when reality drifts away from the intended state.
In CloudSignals+RiskOps, this model is represented as a control intelligence graph. Each element has a defined role: Domains explain the governance area (Identity, Data Protection, Infrastructure, etc.). Principles explain why the controls exist. Controls define the expected behavior. Assessment Objectives define how assurance is tested. Evidence Requirements define what proof is expected. Risks define what exposure exists when the control fails. Reports communicate readiness, gaps, and executive impact.
Unified Control Baseline
20 min • UCB Overview, Control Library • Describe UCB objects and source-of-truth boundaries
What the UCB stores
The Unified Control Baseline is the governance source of truth in AiVRIC CloudSignals+RiskOps. It is built from source-attributed ontology data and stores: domains, principles, authoritative sources, canonical controls, framework mappings, privacy principles, assessment objectives, evidence requirements, risk scenarios, tenant baselines, assurance signals, evidence artifacts, AI recommendations, and reports.
The UCB is organized in a three-level hierarchy. Domains are the major security and privacy areas. Principles are the governing intent within a domain — the "why" that makes controls non-negotiable. Controls are the specific, testable requirements that implement each principle. Each control can map to multiple authoritative sources across different frameworks simultaneously.
The most important architectural rule: scanner findings are not the UCB source of truth
Prowler scanner findings can support evidence — but Prowler findings do not define compliance status. Scanner metadata is an input to the governance layer, not the authority. This protects the governance program from scanner-specific assumptions and allows CloudSignals+RiskOps to support multi-framework assurance without locking into any single scanner's opinion of what "compliant" means.
When a scanner finding passes a check, it is an evidence signal. When an assessor asks whether you comply with a specific framework control, the answer must come from the UCB — your internal baseline with source-attributed mappings, human-reviewed evidence, and Assessment Objective results — not from a scanner score.
Framework & Source Governance
20 min • Framework Explorer, Source Registry • Interpret source-attributed framework mappings
Framework Explorer: one control, many authoritative sources
Framework Explorer helps you understand how one UCB control can support many authoritative sources. When a governance analyst opens Framework Explorer and selects ISO 27001 Annex A, they see which UCB controls map to each ISO control — with the source attribution that confirms the mapping is based on the standard itself, not a vendor's interpretation. The same UCB control may simultaneously satisfy SOC 2 CC6.1, PCI DSS Requirement 7, and NIST CSF PR.AC-4.
The output of Framework Explorer is not a certification statement. It is a source-attributed governance view that supports readiness analysis and audit preparation. Use it to answer: Which frameworks are represented? Which control domains have the most coverage? Which mappings are source-attributed? Which references are grouped by framework family? Which controls have weak or missing mappings? Which mappings need human review?
Source Registry: the provenance layer behind framework mappings
The Source Registry is the authoritative record of where each framework mapping came from — the specific standard version, publication date, and control reference. It is what transforms a mapping from "we think this control satisfies ISO 27001 A.9.4.1" to "this mapping is attributed to ISO/IEC 27001:2022 Clause A.9.4.1 as of [date], imported [date]." This provenance is what auditors need to verify that mappings are legitimate, not vendor opinion.
Privacy Governance
25 min • Privacy Explorer, Reports • Review privacy readiness and obligations lifecycle
Privacy as a governance lifecycle, not a technical control set
Privacy governance uses UCB privacy principles and framework mappings to support ISO 27701, GDPR, CCPA/CPRA, HIPAA Privacy, and related obligations. CloudSignals+RiskOps does not treat privacy as a purely technical control set. Many privacy obligations require documentary evidence, manual attestation, workflow records, and policy review — none of which a scanner can produce.
Learners should understand privacy as a lifecycle with distinct obligation types at each stage:
- Lawful basis and consent: documented basis for processing, consent records, withdrawal mechanisms
- Purpose limitation: documented purpose statements, data flow records
- Data minimization: data inventory, retention reviews, collection justifications
- Retention and deletion: retention schedules, deletion confirmation records
- Subject rights: request handling workflows, response timelines, access/erasure/portability records
- Transfer governance: transfer mechanisms, Standard Contractual Clauses, adequacy decisions
- Processor and vendor governance: DPAs, vendor assessments, sub-processor records
- Privacy incident evidence: breach notification records, DPA communications, risk assessments
- DPIA and privacy-by-design workflows: impact assessments, design decisions, architectural reviews
Privacy readiness vs. privacy compliance
Privacy readiness means you can demonstrate evidence of controls for applicable obligations. Having a privacy policy posted on your website is not readiness. Having documented lawful basis records, DSAR response procedures with timestamps, and vendor DPAs for all processors — and evidence that these exist and operate — is readiness. The Privacy Explorer scores readiness on this evidenced basis.
Evidence & Risk Traceability
25 min • Evidence Fabric, Risk Mapping • Connect control failure, evidence, and risk exposure
Evidence as reusable governance objects
Evidence should be reusable. A single policy, screenshot, log export, architecture diagram, vendor attestation, or ticket can satisfy multiple controls and frameworks — if it has the right provenance, freshness, trust level, validation status, and reviewer metadata. The Evidence Fabric in CloudSignals+RiskOps turns isolated artifacts into reusable assurance objects that persist across assessment periods, frameworks, and audit engagements.
Good evidence has eight metadata properties that make it audit-ready:
| Property | What it answers |
|---|---|
| Source | Which system or person produced the artifact? |
| Provenance | How was it collected — automated scan, manual export, attestation? |
| Timestamp | When was it collected? |
| Freshness | Is it within the control's assessment cycle window? |
| Trust level | Automated (consistent) vs. manual/attestation (context-dependent)? |
| Reviewer | Who validated it? |
| Validation status | Has a named reviewer attested to its accuracy? |
| Mapped controls / AOs | Which controls and Assessment Objectives does it satisfy? |
Risk traceability: why evidence and risk are inseparable
Risk traceability explains why evidence matters operationally. If a control fails, the organization should know: what risk exists, what business process or asset is affected, what remediation is planned, and whether an exception or compensating control is acceptable. Without this chain, risk management is reactive — findings accumulate without governance context, and the AO cannot make a defensible residual risk decision.
In CloudSignals+RiskOps, Risk Mapping connects control failures to the risk register. When a control has degraded evidence, its linked risks surface in the risk register with updated residual risk assessments. This is the governance chain: control → evidence → assurance confidence → residual risk → treatment decision.
AI-Assisted Governance
15 min • Vision, Reports • Use AI safely for explanations, narratives, and executive reporting
What Vision can and cannot do in governance
Vision can explain controls, summarize evidence, identify gaps, draft POA&Ms, generate audit narratives, and prepare executive reports. However, Vision should not certify compliance. It is an advisory tool — it accelerates governance work without replacing the human judgment and accountability that makes governance defensible.
A good AI governance workflow in CloudSignals+RiskOps stores these elements alongside every AI-generated output: assumptions (what data did the model use?), linked evidence (which artifacts support the output?), linked controls (which UCB controls are referenced?), linked risks (which risk register entries are relevant?), rationale (why did the model reach this conclusion?), confidence (how certain is the output?), and a human validation recommendation (what must a reviewer verify before accepting this output?).
Certification: AiVRIC CloudSignals Security & Privacy Governance Practitioner
Completing all six modules makes you eligible for the practitioner certification exam.
| Exam domain | Weight |
|---|---|
| Governance operating model | 20% |
| UCB object model and source boundaries | 25% |
| Framework and privacy readiness | 20% |
| Evidence and risk traceability | 20% |
| AI-assisted governance controls | 15% |
Capstone practical scenario
A healthcare SaaS tenant must prepare for ISO 27701 readiness while also addressing GDPR and HIPAA Privacy obligations. The tenant has cloud findings, incomplete evidence, stale policies, and several control exceptions. Your task:
- Review relevant UCB domains and privacy principles.
- Identify required and recommended controls.
- Identify evidence gaps — distinguishing technical gaps from documentary gaps.
- Explain how findings become evidence signals without defining compliance.
- Draft an executive readiness summary using Vision, with your reviewer attestation.