
The board of directors is discussing the organization of security function and its relation with the audit function. Which of the following is the most accepted practice? (Wentz QOTD)
A. The security function should comprise internal audits
B. The audit function should include the security function
C. The audit committee shall govern the security function
D. The security function may be managed by engineers or other staff
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is D. The security function may be managed by engineers or other staff.
Wentz’s book, The Effective CISSP: Security and Risk Management, helps CISSP and CISM aspirants build a solid conceptual security model. It is a tutorial for information security and a supplement to the official study guides for the CISSP and CISM exams and an informative reference for security professionals.


A function produces value by conducting activities that transform inputs into useful results. An organization typically comprises line functions and staff functions that support operations and deliver value.
The security function at the organization level can be conducted by employees at any rank, depending on the size, scale, and security awareness of the organization in question. Large companies may establish a dedicated department headed by a CISO or a manager to take care of information security, while small companies with few resources may simply assign an IT engineer or any other employee to handle information security affairs.
The audit function is typically directed by the audit committee under the board of directors. It is an independent organizational unit that ensures compliance and provides assurance. To preserve its independence and objectivity, the audit function neither includes nor governs the security function.
The security function shall ensure the effectiveness of information security and comply with requirements such as laws, regulations, industry standards, contracts, organizational policies, codes of ethics, etc.; it is typically separated from the audit function.
The board of directors is discussing the organization of the security function and its relation to the audit function. Which of the following is the most accepted practice? (Wentz QOTD)
A. The security function should comprise internal audits
B. The audit function should include the security function
C. The audit committee shall govern the security function
D. The security function may be managed by engineers or other staff