The security administrator had better come from the security office. Of course, both of them can come from the audit office, but the people in the audit office are not necessarily familiar with the affairs of the security office. Therefore, it is best for security officers to come from the security department, and they will know the complete security classification system. Only in this way can they avoid secret accidents.
As for auditing, of course, it is the audit bureau, because data auditing is a professional field. If you raise an ordinary employee to audit, how does he know how to audit? He doesn't even have the concept of auditing. The auditor is the last hurdle, which seems unremarkable, but if he muddles through the last hurdle, then the auditor's responsibility will be great, and how can ordinary people bear it?
Of course, if there are none of these, then remember, don't let irresponsible or irresponsible people take these two positions, because these two positions are relatively important, no matter which position has problems, it may become a big problem, so at least you must be responsible, so that even if you are not proficient in business, you can gradually become proficient, but once you are not responsible, you may face more than just business problems.