Reporting IS security function
CISSP_Candidate
08-30-2006, 08:27 AM
I need some help on the following question:
The proper organizational position of the information systems security function is reporting to:
a. corporate security department
b. a person one level below the CIO
c. internal auditing department
d. the CIO or higher
Can anyone with practical experience on this issue tell me what the answer is?
Jescoi
08-30-2006, 08:27 AM
I think D is probably the answer they are looking for, but there is no ONE answer. There are so many factors involved: size of the company, corporate culture, technological savvy of the executives and managers.
Personally, I would like to see the ISO report to the CEO, but the reality is that CEOs rarely want that "direct report," so they give it to the CIO.
Some might suggest that this function belongs in/with Audit, but I do not think so. I see the ISO as someone who "does," not someone who "talks about doing." If the ISO works for Audit, then who is going to perform the actual security work?
Editorial: Where I work (at a bank), I have the CEO, CIO, IT Steering Committee, Internal Auditors and the Federal Government (OTS) telling me how to do my job. But how many of them do you think actually help me do my job? None is the best answer.
Security has become so compliance oriented that the ISO and Technology departments often have more folks auditing them than they do working to solve problems.
Compliance and Governance are vital to Information Security, but we have passed the saturation point and we now live and work in a world where Compliance has become more of a driving factor than the actual Security. As the "protectors of the realm," we have to understand this dilemma. We MUST comply and we MUST keep our companies secure. We can do both, but we do have to work harder at it.