Page 18 - CITP Review

Chief information security officer

Responsibility for the overall security strategy within an organization resides with the chief information security officer (CISO), who creates the information security management system (ISMS) required to implement the strategy.

The reporting structure surrounding the CISO will vary from one organization to the next, depending on organizational needs. The CISO may report to the chief information officer (CIO), chief operations officer, or chief risk officer. In some instances, the CISO may also wear the hat of a CIO or chief security officer.

Security manager

The security manager is responsible for oversight of security operations within an organization. The security manager directly manages the daily activities of the security team. The security manager often works with the CISO in implementing the security strategy.

Security engineer

Creating and maintaining the enterprise security architecture (ESA) within an organization is the responsibility of the security engineer, who designs and builds security systems to implement the security strategy.

Security analyst

The security analyst detects, investigates, and responds to security incidents within the organization. This individual often works with the security engineer in planning and implementing preventive security controls. The security analyst may also play a lead role in conducting vulnerability assessments and penetration tests.




Logical access controls

Risks associated with logical access have grown as entities have become more reliant on systems and technologies, and as those systems have expanded their connectivity (for example, remote access, the World Wide Web, and the internet). Thus, every IT audit would include a thorough understanding, analysis, and evaluation of logical access and, at some point, internal IT reviews would as well.

A number of tools are used to implement logical access controls. In general, the riskier a specific access is, the greater the scope or strength of the control, and access control is generally multifactor. If the access is high risk, the employee may be assigned a separate set of login credentials for that particular access, or that access may be controlled by a temporary PIN, swipe card, biometric, or other secondary access control mechanism.


The closer an access control sits to the data it protects, the more effective that control is. Access is layered, and controls can be implemented in more than one layer; access can be viewed by these layers, shown in exhibit 1-3.
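The two ideas above, risk-tiered multifactor control and layered enforcement with the strongest check nearest the data, can be made concrete in a small policy evaluator. The following is an added illustration written for this review and is not code from the CITP text or the AICPA; the three risk tiers, the factor-count table, the three layers, and the rule that remote high-risk access needs a possession factor are all constructed assumptions. The point it demonstrates that the paragraph does not spell out is that "multifactor" counts distinct factor categories, so two passwords are still one factor, and that recording which layer denied a request is what makes the decision auditable.

```python
"""Risk-tiered, layered access decision (added illustration, hypothetical policy)."""
from dataclasses import dataclass
from enum import Enum


class Factor(Enum):
    KNOWLEDGE = "something you know"    # password, PIN
    POSSESSION = "something you have"   # swipe card, hardware token
    INHERENCE = "something you are"     # biometric


@dataclass(frozen=True)
class Authenticator:
    label: str
    factor: Factor


@dataclass(frozen=True)
class AccessRequest:
    subject: str
    resource: str
    risk: str                  # "low" | "medium" | "high" (hypothetical tiers)
    authenticators: tuple      # Authenticator instances presented in this session
    source_network: str        # "internal" | "remote"


# Hypothetical policy table: number of DISTINCT factor categories each tier needs.
REQUIRED_DISTINCT_FACTORS = {"low": 1, "medium": 2, "high": 3}


def distinct_factor_count(authenticators):
    """Count factor categories, not authenticators: two passwords are one factor."""
    return len({a.factor for a in authenticators})


def network_layer(req):
    """Constructed rule: remote sessions reach high-risk data only with a possession factor."""
    if req.source_network == "remote" and req.risk == "high":
        return any(a.factor is Factor.POSSESSION for a in req.authenticators)
    return True


def application_layer(req):
    """The application requires that the caller authenticated with at least one factor."""
    return len(req.authenticators) >= 1


def data_layer(req):
    """The control closest to the data enforces the tier's multifactor requirement."""
    return distinct_factor_count(req.authenticators) >= REQUIRED_DISTINCT_FACTORS[req.risk]


# Layers are evaluated outermost first; every layer must grant.
LAYERS = (("network", network_layer), ("application", application_layer), ("data", data_layer))


def decide(req):
    """Return (granted, denying_layer). The first denying layer is recorded so the
    decision can be audited; None means every layer granted."""
    for name, check in LAYERS:
        if not check(req):
            return False, name
    return True, None


# Constructed sample requests for a stand-alone run.
PASSWORD = Authenticator("password", Factor.KNOWLEDGE)
PIN = Authenticator("temporary PIN", Factor.KNOWLEDGE)
CARD = Authenticator("swipe card", Factor.POSSESSION)
FINGER = Authenticator("fingerprint", Factor.INHERENCE)

SAMPLE_REQUESTS = (
    AccessRequest("alice", "intranet wiki", "low", (PASSWORD,), "internal"),
    AccessRequest("alice", "payroll db", "medium", (PASSWORD, PIN), "internal"),
    AccessRequest("bob", "payroll db", "high", (PASSWORD, CARD), "internal"),
    AccessRequest("bob", "payroll db", "high", (PASSWORD, PIN), "remote"),
    AccessRequest("carol", "payroll db", "high", (PASSWORD, CARD, FINGER), "internal"),
)

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        granted, layer = decide(req)
        outcome = "GRANT" if granted else f"DENY at {layer} layer"
        print(f"{req.subject:>6} -> {req.resource:<13} [{req.risk:>6}] {outcome}")
```

Running the block prints one decision per sample request; the medium-risk request with a password plus a PIN is denied at the data layer because both are knowledge factors, and the remote high-risk request is stopped at the network layer before any inner check runs.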



            © 2019 Association of International Certified Professional Accountants. All rights reserved.    1-10