Which term represents an overarching governance mechanism for security strategy, typically enacted by senior leadership?


Multiple Choice

Which term represents an overarching governance mechanism for security strategy, typically enacted by senior leadership?

Explanation:
Governance of security strategy is established through formal directives that express the organization's principles, objectives, and rules. A policy serves as that overarching mechanism, created and approved by senior leadership to set the direction for how security is managed across the enterprise. It defines why protections exist, what must be achieved, and who is accountable, providing a foundation from which standards, procedures, and controls are derived. With a policy in place, the organization can align security efforts with business goals and risk appetite, ensuring consistency and accountability across all units.

The other terms describe specific concepts or conditions rather than a governing directive. Privacy Shield refers to a privacy framework for data transfers, which is a domain-specific compliance mechanism rather than a governance instrument for the entire security program. Penetration testing is an assessment activity used to identify vulnerabilities, not a governance tool. Legacy IT systems denote outdated technology that can drive risk, but they do not serve as the overarching governance mechanism for security strategy.
