Systems Security Certified Practitioner – SSCP – Question0356 - Systems Security Certified Practitioner

In an organization, an Information Technology security function should:

A. Be a function within the information systems function of an organization.
B. Report directly to a specialized business unit such as legal, corporate security or insurance.
C. Be lead by a Chief Security Officer and report directly to the CEO.
D. Be independent but report to the Information Systems function.

Correct Answer: C

Explanation:

In order to offer more independence and get more attention from management, an IT security function should be independent from IT and report directly to the CEO. Having it report to a specialized business unit (e.g. legal) is not recommended as it promotes a low technology view of the function and leads people to believe that it is someone else’s problem. Source: HARE, Chris, Security management Practices CISSP Open Study Guide, version 1.0, april 1999.