$2\mathrm{.}1$ Firstly, discuss the ideal information security governance structure by referring to the organisational hierarchy, information security positions it should comprise, reporting lines and where the office of the chief information officer should reside.

Secondly, critically analyse the information security governance structure of your organisation and make recommendations for its improvement, where applicable.

Use a diagram for the current and proposed structure of the case study organisation; and discuss and motivate your recommendations. Make sure that you indicate where the chief information security officer $($CISO$)$ should reside in the governance structure with proposed reporting lines and motivate your answer. Include aspects such as the position of the office, the roles, committees, reporting, other business units and the like to include in the structure. $($You must include the current and proposed structure diagrams $$ thus two diagrams$).$

$(20)$

$2\mathrm{.}2$ Develop an information security value, vision and mission statement for the information security office of your organisation by drafting your own statements of the following $($your statements should relate to information security in some way$)$:

$$

the value statement $($write one statement$)$

$$

the vision statement $($write one statement$)$

$$

the mission statement $($write one statement$)$

$$

two tactical statements

$$

select one of your tactical statements and write two operational plan statements based on it$.$

$(20)$

$2\mathrm{.}3$ Develop a job description for the CISO by including the following $($creating headings for each and list the aspects with bullets$)$:

$$

required qualifications

$$

experience required for CISO $($at least $10$ aspects$)$

$$

certifications

$$

soft skills $($e$.$g$.$ communication, team work, etc.$)(20)$

IRM$4815/101/0/2024$

$23$

$2\mathrm{.}4$ Discuss the six key positions of an ideal information security office. List the roles and give a description of the purpose of each position as well as three key performance indicators for each position. $($You can present it in a table$).$

The key performance indicators should be given in percentages, numbers and the like $$ they must be measurable, for example, $90\%$ of staff completed online information security training.

Note: Do not use the roles in your organisation$$s policy but refer to the ideal roles, listed in the prescribed textbook.

$(20)$

Refer to the rubric on myUnisa to see how marks will be allocated for this assessment.