Metapowers

Phase 0: Govern

Establish security governance, risk appetite, roles, supply chain security, and security culture.

Purpose

The Govern phase establishes the security governance foundation. Before identifying threats or implementing protections, you need to define your organization's security policies, risk appetite, roles and responsibilities, supply chain requirements, and culture initiatives.

Skills

Security Policy

/security:security-policy <topic>

Develops comprehensive security policies for the organization. Covers acceptable use, data handling, incident reporting, access management, and enforcement procedures.

Output: Security policy framework with enforcement guidelines → .metapowers/security/<topic>/00-govern.md

Risk Appetite

/security:risk-appetite <topic>

Defines the organization's risk appetite and tolerance levels. Establishes risk categories, acceptable thresholds, escalation criteria, and risk acceptance processes.

Output: Risk appetite statement with tolerance thresholds → .metapowers/security/<topic>/00-govern.md

Security Roles

/security:security-roles <topic>

Maps security roles and responsibilities across the organization. Defines RACI matrices, security champions, escalation paths, and reporting structures.

Output: Security roles matrix with RACI assignments → .metapowers/security/<topic>/00-govern.md

Supply Chain Security

/security:supply-chain-security <topic>

Establishes supply chain security requirements. Covers vendor security assessments, third-party risk management, software bill of materials (SBOM), and dependency policies.

Output: Supply chain security framework with vendor requirements → .metapowers/security/<topic>/00-govern.md

Security Culture

/security:security-culture <topic>

Designs security culture initiatives for the organization. Covers awareness programs, phishing simulations, security champions programs, and metrics for measuring cultural maturity.

Output: Security culture plan with awareness program design → .metapowers/security/<topic>/00-govern.md

Next Phase

After Govern, proceed to Identify to discover assets, model threats, and assess vulnerabilities.
