Who should measure the effectiveness of Information System security related controls in an organization?

A.
The local security specialist

B.
The business manager

C.
The systems auditor

D.
The central security manager

Explanation:
The function of the auditor is to come around periodically and make sure you are doing what you are supposed
to be doing. They ensure the correct controls are in place and are being maintained securely. The goal of the
auditor is to make sure the organization complies with its own policies and the applicable laws and regulations.
Organizations can have internal auditors and/or external auditors. The external auditors commonly work on
behalf of a regulatory body to make sure compliance is being met.
CobiT is a model that most information security auditors follow when evaluating a security program. The Control
Objectives for Information and related Technology (CobiT) is a framework and set of control objectives
developed by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute
(ITGI). It defines goals for the controls that should be used to properly manage IT and to ensure that IT maps to
business needs.
Incorrect Answers:
A: A local security specialist could be hired to measure the effectiveness of Information System security related
controls in an organization. However, in doing so, the local security specialist would be performing the role of
systems auditor.
B: The business manager does not measure the effectiveness of Information System security related controls
in an organization.
D: The central security manager could measure the effectiveness of Information System security related
controls in an organization. However, in doing so, central security manager would be performing the role of
systems auditor.

Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, New York, 2013, pp. 55, 125