Information Security Department 2518
Ricardo last edited by
What is the opinion of this forum about information security? Should exist an exclusive department for that (like Internal Audit, reporting direct to the audit committee), or should this department be part of IT department?
harrywaldron last edited by
Hi Ricardo - In my personal experiences, I’ve always seen IT security as part of the IT department itself.
Some reasons might include:
– IT security is more of an IT discipline and skill set.
– IT security professionals must work closely with network and system administrators
– I believe IT security is becoming ‘more of a business requirement’ (as without good security who will engage in e-commerce with a company). Thus, IT security must complement the implementation and project goals by IT itself.
However, it is important for the manager of IT security to administratively report to a high level within IT (e.g., typically the CIO). There are elements of independance and neutrality, so that IT security can be effective for everyone concerned. For example, if the manager of IT security reported to the IT development manager, they might be overruled in suggesting control improments in favor of more specific project objectives.
Also, it’s important to note that IT security must work and partner with the IT auditors occassionally in a logical fashion to improve security where it’s warrented.