Is there a charter or policy/policies within the enterprise that clearly define(s) the role/authority of security?