ابدأ بالتواصل مع الأشخاص وتبادل معارفك المهنية

أنشئ حسابًا أو سجّل الدخول للانضمام إلى مجتمعك المهني.

متابعة

Why Information Security is not reporting to Head of IT?

user-image
تم إضافة السؤال من قبل Syed Muhammad Azhar , Head of IT Security Risk Management , Faysal Bank Ltd
تاريخ النشر: 2013/06/12
Hussein Bahgat
من قبل Hussein Bahgat , Information Security manager , Standard Chartered Bank –

IT focus on the performance and excellence of operations (also COO levels) in esense Information security handles the risk resulting from this performance (and security) accordingly the pressure of performance and delivery in IT operations will create a tidal wave against security concerns and who manages it (ISO or CISO) , and this exactly what is meant by segregation of duties in information security, The horse runs but needs a good knight to keep it from hitting the wall ! my regards and respect still for all CIOs & COOs whom can handle this stressful conflict of interest !

Mughis Tahir
من قبل Mughis Tahir , ISP Business Systems – SAP , City of Bradford Metropolitan District Council

Simple - Conflict of Interest, you cannot judge your own performance.

مستخدم محذوف‎
من قبل مستخدم محذوف‎

IT Security is about securing the technology. Information Security is about securing all information that is important for the business/organisation. 

Different companies or organisations have different perspectives and importance for security (be it Info Sec or IT Security) and the team alignment is set accordingly. The reporting of the security team has its influence on the security focus/posture itself most of the time.

The best practice is always to have an independent function (may not be as independent as an Audit team) and the team be empowered to have its own directives from risk management.

The CEO most of the time is the owner of the risk management in a company - (first delegation of financial risk management goes to the CFO)

Pradipna Gautam
من قبل Pradipna Gautam , Security and Compliance Manager , Verisk Information Technologies

There would be lots of answers for that but the bottom line is that Information Security has to audit lots of IT work and it does not make sense reporting to the department you have to audit.

Saud Al-Malki
من قبل Saud Al-Malki , Senior Officer , Bank Al-Bilad

We are audit of IT and we are who the writing the policy for IT

Nader Hasawi
من قبل Nader Hasawi , CIO Chief Information Officer , Siemens

InfoSec is not an auditing function.
It reports to CFO, in many organizations, in order to give it its required priority and attention.
If it reports to the IT head then it's in the same pool as other vertical IT topics.
InfoSec is a horizontal IT function.
It's not more important than any other function in IT but it has higher priority.
However, the InfoSec officer is always someone in the IT organization so his/her disciplinary manager is the IT head, but they report functionally to the CFO in InfoSec topics.

مستخدم محذوف‎
من قبل مستخدم محذوف‎

The answer to it is there would be a conflict of interest and violates segregation of duties.As an IT personnel you will be discharging the duties of custodion of an IT assest on behalf of the the IT/Information owner.Information security personnel will be acting on behalf of owner to provide assurance that the assest or information is rightly used and protected as accpected by owner .As IT is the custodion and information security will act an independent assurance function to the owner.Hence Info sec will not report to an IT head as it would need to provide independent assurance to the owner that IT is functioning as accpected by the owner of IT/information

Muraleedharan Karumathil
من قبل Muraleedharan Karumathil , Operation Manager , SBM NAUVATA SBM Nauvata Indi

As rightly pointed out by Hussein Bhagat, information security is not restricted to IT security.
It spans across various domains like physical, IT, people, media, information exchange etc..
Scope of information security is much larger than IT security..

Syed Muhammad Azhar
من قبل Syed Muhammad Azhar , Head of IT Security Risk Management , Faysal Bank Ltd

IT security plays role of Implementation of security whereas IS audit is a different domain.

Hesham Youssef
من قبل Hesham Youssef , Information Security Governance Unit Head , Confidential

I see good points related to conflict of interest and segregation of duties, but also I see that most of comments speaks about information security as IT security, information security has much more into it than just IT, information security is a horizontal function that integrate with IT, HR, facilities, legal and all business functions with an aim on protecting confidentiality, integrity and availability of information assets

Sameer Paradia
من قبل Sameer Paradia , Associate Partner , IBM

Because maker and checker they are two different distinct roles. IT head is maker of information and Information security is checker of information generated. Hence it is not advisable to have Information security role to report into It head. 

المزيد من الأسئلة المماثلة