Which statement is NOT a component of a security governance program?

Security governance creates the oversight framework for protecting information assets. It covers defining policies, standards, and procedures; clearly assigning roles and responsibilities; managing risk; ensuring compliance; and providing measurement and a path for continuous improvement. Incident response planning, including playbooks and escalation paths, fits into governance because it establishes how the organization prepares for and coordinates responses to incidents. Auditing, monitoring, and compliance reporting likewise supply the ongoing assurance and visibility governance relies on to steer security efforts. Random access to systems, however, is not a governance component. Governance aims to prevent uncontrolled access by enforcing access controls, identity management, least privilege, and formal approval processes. So this element does not belong in the governance program components.