In an organization, an Information Technology security function should:
A. Be a part of the information systems function of the organization.
B. Report directly to a specialized business unit such as legal, corporate security, or insurance.
C. Be led by a Chief Security Officer and report directly to the CEO.
D. Be independent but report to the information systems function.

Correct answer: C
To give it more independence and more attention from management, an IT security function should be independent of IT and report directly to the CEO.
Having it report to a specialized business unit (e.g. legal) is not recommended, as it promotes a low-technology view of the function and leads people to believe that security is someone else's problem.
Source: HARE, Chris, Security Management Practices, CISSP Open Study Guide, version 1.0, April 1999.
An Information Technology (IT) security function is responsible for safeguarding an organization's information assets, systems, and technology from unauthorized access, use, disclosure, disruption, modification, or destruction. It is essential for preserving the confidentiality, integrity, and availability of the organization's data and operations.
Answer A suggests that the IT security function should be part of the information systems function of the organization. This implies that IT security is integrated into the broader IT department rather than being an independent entity. While this can work, it creates a conflict of interest: the security function must review and, where necessary, constrain the same system administration and network engineering teams (and the same IT management) that it reports to, so security findings compete with delivery pressure inside one reporting line.
Answer B suggests that the IT security function should report directly to a specialized business unit such as legal, corporate security, or insurance. This can be an effective approach, as it ensures that the IT security function is closely aligned with the organization's risk management and compliance objectives. However, this approach may also limit the IT security function's visibility and influence within the organization.
Answer C suggests that the IT security function should be led by a Chief Security Officer and report directly to the CEO. This can be an effective approach, as it ensures that the IT security function is a high-level strategic function that is closely aligned with the organization's overall business objectives. This approach also ensures that the IT security function has the necessary visibility and influence within the organization to be effective.
Answer D suggests that the IT security function should be a separate team but still report to the information systems function. This gives it some day-to-day separation from other IT teams, but it remains subordinate to the function it is supposed to oversee, so the conflict of interest is reduced rather than removed, and the function's visibility and influence within the organization stay limited.
In summary, while each answer has advantages and disadvantages, answer C is the most effective way to organize an IT security function. It keeps IT security aligned with the organization's business objectives, gives it the visibility and influence it needs, places it outside the reporting line of the functions it oversees, and puts it under a senior security executive.