We have an ISO at our institution. He reports to the head of information systems, with a quarterly report to the audit committee (for independence's sake). I think he should be reporting directly to someone other than the head of systems. Maybe Risk Management? What are your thoughts and what have you seen in the past?
_________________________
My opinion is mine only - not my employer's!