All about IT Governance

Short answer: Yes. 

Rather thoughtful answer: Yes and No.

Computing virtualization (as against storage virtualization from NetApp etc.) helps reducing outage and reduces your hurdles of hardware aging for scaling and growth.

 However, Virutualization has upfront investment including the multi-processing environment (Fijitsu, Sun or IBM blades) and eventually maintenance.

The TCO depends on

a. Mission critical appplications

b. High availability of these.

Do you need an application or a set of applications that is available 24×7x365? If yes, CoV (Computing virtualization) is worth exploring. If not, you are probably better off waiting for a couple of years for CoV to get better in scalability and coherence with mainstream business applications including ERP, CRM etc.

Security gears today including firewalls, IDS/IPS and IDMs are key components of Information security department however, it is a common observation that these network gears were inherited from another team or a predecessor and happens to have no common policy. The benefit of having a policy for these security gears is - scalability.

 The more the need for firewalls, the lesser the problem it would be if you have consistent policies - it is easy to push the same policy accross to newer locations and thus policy is a must.

What is the difference?
27001 says, how to build your Information security practice or department  while 27002 talks about the security best practices. ISO 27002 was formerly 17799 standard.

After SOX entered the frail of governance, several companies have recognized and reorganized - several companies have moved CIOs to report to CFO.

There is no right answer for this question - the answer to this question would depend on your industry risk and what ‘internal client’ are you serving primarily. If your CIO is primarily serving executive management initiatives, CIO may report to CEO directly however if the majority of IT delivery is focussed around Finance and your industry risk of inventory is less or zero, it makes sense for CIO to report to CFO. 

In my experence, high technology companies tend to have their CIO report to CEO than the CFO because, the CIO works closely with the CEO on scaling or run-transform-grow plans.