PrepAway - Latest Free Exam Questions & Answers

In an organization, an Information Technology security function should:

A.
Be a function within the information systems function of an organization.

B.
Report directly to a specialized business unit such as legal, corporate security or insurance.

C.
Be led by a Chief Security Officer and report directly to the CEO.

D.
Be independent but report to the Information Systems function.

Explanation:
A Chief Security Officer (CSO) reports directly to the Chief Executive Officer (CEO). IT Security should be led
by a CSO.
The chief security officer (CSO) is responsible for understanding the risks that the company faces and for
mitigating these risks to an acceptable level. This role is responsible for understanding the organization’s
business drivers and for creating and maintaining a security program that facilitates these drivers, along with
providing security, compliance with a long list of regulations and laws, and any customer expectations or
contractual obligations.
Incorrect Answers:
A: The IT security function should not be a function within the information systems function of an organization.
B: The IT security function should not report directly to a specialized business unit such as legal, corporate security or insurance.
D: The IT security function should be independent but should not report to the Information Systems function.

Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, New York, 2013, p. 119
