  • Hi,
What is the opinion of this forum about information security? Should an exclusive department exist for that (like Internal Audit, reporting directly to the audit committee), or should this department be part of the IT department?

  • Hi Ricardo - In my personal experience, I’ve always seen IT security as part of the IT department itself.
    Some reasons might include:
    – IT security is more of an IT discipline and skill set.
    – IT security professionals must work closely with network and system administrators
    – I believe IT security is becoming ‘more of a business requirement’ (as without good security who will engage in e-commerce with a company). Thus, IT security must complement the implementation and project goals by IT itself.
    However, it is important for the manager of IT security to administratively report to a high level within IT (e.g., typically the CIO). There are elements of independence and neutrality, so that IT security can be effective for everyone concerned. For example, if the manager of IT security reported to the IT development manager, they might be overruled in suggesting control improvements in favor of more specific project objectives.
    Also, it’s important to note that IT security must work and partner with the IT auditors occasionally in a logical fashion to improve security where it’s warranted.

