ABSTRACT

Most organizations have realized the need for a senior position within the organization that is accountable for information security. While the job description and even the placement within the organization will differ in each industry and each organization, a familiar set of responsibilities is typically associated with this role. These responsibilities include establishing the information security program strategy, assessing the current information security program, and ensuring appropriate governance of the security controls. There are several approaches to identifying and prioritizing the organizational security initiatives to be funded. Each of these approaches is discussed briefly in this chapter. An information security audit is an external review of current information security controls against organizational security policies or an established standard. When a security risk assessment is used as the basis for security decisions, the quality of that risk assessment becomes critical. Even the most carefully constructed information security program requires periodic review.