catch - agreed - however we would presume that there is such a department. Well here there is, or something like it called Corporate Security and also IT Security. However, IT Security is still reporting through IT here and Corporate Security, unfortunately, does not know what IT seems to be doing for the most part - we are working to change that so we can work better to protect our assets; and again unfortunately, I believe politics is coming into play as some responsibilities may be consolidated or certain empires hindered in their growth.
I have seen this arrangement go back and forth since Rome formed its first legion. IT wants to have IT security because they are afraid (with some justification) that security pukes will interfere with getting work done and security wants IT security (with some justification) to ensure that there actually is some IT security. It can work either way, but my experience is that the temptation to yield to users is often too strong in the production environment to allow for adequate security. It seems to be a fashion thing, sort of like wide ties. It might be useful to discuss experiences in one model or the other, upsides, downsides, etc.