time employees to manage security who themselves might have other full-time functions in the enterprise. It is also common to see consultants from outside the enterprise being used as security specialists. Figure 7.2 shows a possible structure in a large enterprise with a full-time security department headed by a director or manager.
The board, which has overall responsibility for security, might opt to appoint a committee of the board to be in charge of security matters in the enterprise. The committee might comprise members of the board and some senior management officials. The security committee should have clear terms of reference and a mandate from the board. In order to ensure that the committee has control of the security function, all reports and feedback to the board should go through the security committee. Different reporting lines would create parallel structures and cause conflicts in the management of security in the enterprise.
Figure 7.2 Information Security Organisation
The IS auditor should take particular interest in how the board and security committee conduct their business of ensuring security for the enterprise. The IS auditor should arrange interviews with members of the board or security committee so that he can have a good understanding of the intentions of the board regarding security. The IS auditor can also conduct some fact-finding by reviewing previous board and committee documentation.
The IS auditor should also review the terms of reference of the security committee. The committee might be handicapped if it does not have full authority to act or make decisions on behalf of the board. Security can be a fluid activity, and decisions in many cases need to be made in a timely manner in order to protect and secure enterprise resources. The committee should also be in a position to receive timely information which it can use to make decisions.
The security committee sits between the board and management. Senior management reports to the board on all matters of the business and also has representation on the security committee, which is a subcommittee of the board. In some enterprises, senior management might have its own security team within the senior management team. This is largely applicable in large enterprises where senior management has more involvement in security matters. In another scenario, senior management might have members sitting on the security committee instead of having a security team at senior-management level.