Organizational structure
The outcomes being experienced by organizations also reflect significant differences in how the information security and assurance function is organized, managed and operated. Those experiencing the best outcomes manage the information security function through a CISO who reports to a Chief Risk Officer (CRO), a Chief Compliance Officer (CCO), the senior leader of IT assurance or the Chief Information Officer (CIO). Most organizations posting normal results manage the information security function through a CSO or a manager of IT operations who reports to either the senior leader of IT operations or a CIO. Organizations experiencing the worst outcomes manage information security through a systems or network administrator who reports to a manager or director of IT operations, or to the senior leader of IT operations.
Coverage
The findings covered by the benchmark report, Best Practices for Managing Information Security, are based on outcomes being experienced by organizations. The outcomes benchmarked include customer retention rates, revenue, profit, data loss and theft, business downtime due to IT failures and disruptions, regulatory audit deficiency corrections needed in IT to pass audit, and spend on audit. Management structures for information security are accompanied by differences in how organizations establish and manage information security objectives, manage the information security function and manage day-to-day operations, with detailed coverage of management and operational activities. The report also covers the role of standardized procedures and the specialization of labor, the impact of automation, reporting, quality improvement programs and where the information security function reports in organizations.

IT POLICY COMPLIANCE GROUP, FEBRUARY 2010