Information Technology Responsibility

IT departments in organizations are often expected to define a company’s information security policy. Although much of the security that an organization needs may reside in IT, all of the departments are involved in implementing the policies.
Which department in an organization do you believe should be responsible for the company’s information security and why? What are some advantages and disadvantages of your choice? What tools would an information security manager need to properly implement the necessary security within an organization?
Sources:
Dhillon, G. S. (2018). Information Security: Text and cases (Edition 2.0). Burlington, VT: Prospect Press. Chapter 5, “Planning for Information System Security”
PCI Security Standards Council. (2018, May). Payment Card Industry (PCI) Data Security Standard: Requirements and security assessment procedures (Version 3.2.1). Retrieved from https://www.pcisecuritystandards.org/document_library
Computer Fraud and Abuse Act, 18 U.S.C. §1030 (1986). Retrieved from http://energy.gov/sites/prod/files/cioprod/documents/ComputerFraud-AbuseAct.pdf