Auditing the IT security function

The audit of the IT security function is the same as the audit of any other line function. A number of aspects should be examined. The first is to see whether the IT security function's approach is aligned with the five key pointers for effectiveness. From the management perspective, it is should be determined whether the IT security function is effectively communicating IT security policies and requirements to the organization as a whole. On the technical side, the IT security function's responsibilities for security products, both hardware and software should be examined. It must also be seen how effectively the function has defined its requirements, evaluated and selected products, and implemented them. Also, the public face of the IT security function should be examined to see how outward facing the function is. Finally, aspects such as internal controls, cost-effectiveness and value-for-money should be considered.