Security Basics mailing list archives

IT Security organizational structure


From: "Jason Chung-Tung" <jason.chung-tung () rogers com>
Date: Fri, 15 Oct 2004 16:35:08 -0400

Hi everyone -

I am interested to know how large enterprises are approaching security in their organizational structure. I have seen several models so far. One model consists of having a centralized group (IT Security group) which owns its own technical resources (i.e. network, systems, servers, application, physical, human resources, etc.). These resources have the dedicated responsibility to develop policies, standards, guidelines and procedures, as well as define architectural designs. However, it is not always practical in large organizations, as the resources may be under-utilized.

On the other hand, I have also seen organization charts which distribute the security function across all departmental domains. For example, the Network Engineering and Planning dept would have dedicated resources to look after policies, standards, guidelines and procedures, as well as define architectural designs. The IT operations group would have dedicated resources to provide the following functions: implementation, management, monitoring, and maintenance.

Can anyone point me in the right direction where I can find a detailed analysis of the pros and cons of doing business in each way? Is there any study done by research organizations (like Gartner Group) on this subject? How is it handled in your organization?

Thanks in advance for your insight.

Jason.
