IT Security and Policies
( Project Deadline: Tuesday 31/03/2020 @ 23:59 [Total Mark for this Project is 9] ) ( IT Security and Policies IT409 )
Instructions:
· You must submit two separate copies (one Word file and one PDF file) using this Template on Blackboard via the allocated folder. These files must not be in compressed format.
· It is your responsibility to check and make sure that you have uploaded both the correct files.
· Zero mark will be given if you try to bypass the SafeAssign (e.g. misspell words, remove spaces between words, hide characters, use different character sets or languages other than English or any kind of manipulation).
· Email submission will not be accepted.
· You are advised to make your work clear and well-presented. This includes filling your information on the cover page.
· You must use this template, failing which will result in zero mark.
· You MUST show all your work, and text must not be converted into an image, unless specified otherwise by the question.
· Late submission will result in ZERO mark.
· The work should be your own, copying from students or other resources will result in ZERO mark.
· Use Times New Roman font for all your answers.
Student Details: Name: ### CRN: ### ID: ### Group: ###
College of Computing and Informatics
Special Instructions
To answer the questions effectively, please follow the instructions below:
· Each team might contain three students. Each student must individually conduct an interview with a cybersecurity employee in the chosen company, which means each group should have three filled questionnaires.
· Use your analysis skills to analyze all data collected by your team.
· It is possible to measure the significance of collected data by counting the frequency of each item (i.e. if an item occurs three times, this means it is very significant).
· You should answer the questions in this research activity as a group.
______________________________________________________________________
Questionnaire ( 4 Marks ) ( Learning Outcome(s): LO 1, LO 2, LO 3, LO 4, LO 5, LO 6 )
Section 1.0: Introduction
In this era, the revolution of information technology is changing several aspects of enterprises’ practices. One of these changes is that many enterprises make their systems available online. This is most likely encouraging cyber criminals to hack these systems. One of the approaches that helps to mitigate cybersecurity risks is adopting an Information Security Policy (ISP). However, it is not known to what extent enterprises in Saudi Arabia are adopting Information Security Policy in general, and small and medium enterprises (SMEs) in particular. This research project aims to discover the success factors for the adoption of Information Security Policy in Saudi SMEs.
Section 2.0: Profile of Responding Manager or Owner
Please indicate:
1. Your job role:
Owner | Chief Executive Officer (CEO) | Manager | Other (Please specify):
2. Your gender:
Male | Female
3. How many years have you been working for the organization?
< 1 year | 1 – 5 years | 6 – 10 years | Over 10 years
Section 3.0: Profile of Responding Enterprise
1. Please indicate the sector of business area of your organization:
Food & Drink | Entertainment/Culture | Retail/wholesale
Restaurants | Cleaning | Commercial & Creative Arts
Financial Broker Services | Information Technology | Furnishings/Home Products
Real Estate Services | Telecommunication | Automotive
Health & Caring Services | Education/Training | Clothing, Fashion & Beauty
Professional Services | Retail/wholesale | Other: (Please specify)
Entertainment/Culture | Employment Agency
2. Please indicate your organization’s approximate revenue:
<SAR3 million | SAR3 million - $40 million | SAR40 million - SAR200 million
3. Number of employees:
0 – 5 | 6 – 49 | 50 – 249
Section 4.0: Information Security Policy (ISP)
1. Please indicate when your enterprise adopted the ISP:
2. Please indicate how your enterprise developed the ISP:
By internal team | By third party | By hiring a consultant | Other: (Please indicate ……………………………………………………………….……………..)
3. Please indicate which framework was used to develop your ISP:
ISO 27002:2013 | NIST 800-53 | COBIT | PCI-DSS | National Cybersecurity Authority (NCA-KSA) | Other:
4. How often does your enterprise review the ISP?
Every three months | Every six months | Every year | Other: (Please indicate ……………………………………………………………….……………..)
5. Who authorizes the Information Security Policy at your organization?
Board of directors | Information Security leader | Information security committee | Other: (Please indicate …………………………………………………………..…………………..)
6. Please indicate your enterprise adoption level based on the Capability Maturity Model Scale:
Level | State | Description
0 | Non-Existent | The organization is unaware of the need for policies and processes.
1 | Ad-hoc | There are no documented policies or processes; there is sporadic activity.
2 | Repeatable | Policies and processes are not fully documented; however, the activities occur on a regular basis.
3 | Defined Process | Policies and processes are documented and standardized; there is an active commitment to implementation.
4 | Managed | Policies and processes are well defined, implemented, measured, and tested.
5 | Optimized | Policies and processes are well understood and have been fully integrated into the organizational culture.
Section 5.0: Success Factors of ISP Adoption in Saudi SMEs
Please use the following scale to rate your answer:
1 | 2 | 3 | 4 | 5
Strongly Agree | Agree | Neutral | Disagree | Strongly disagree
Technological (T) Factors
1. Availability of Technical Expertise
· Availability of a cybersecurity consultant facilitates the adoption of ISP in our enterprise | 1 | 2 | 3 | 4 | 5
· Availability of IT staff trained in cybersecurity facilitates the adoption of ISP in our enterprise | 1 | 2 | 3 | 4 | 5
2. Complexity
· Perceived low level of complexity in cybersecurity systems facilitates the adoption of ISP in our enterprise | 1 | 2 | 3 | 4 | 5
· Ease of using cybersecurity systems facilitates the adoption of ISP in our enterprise | 1 | 2 | 3 | 4 | 5
3. Cybersecurity Systems Cost
· Low cost of cybersecurity systems facilitates the adoption of ISP in our enterprise | 1 | 2 | 3 | 4 | 5
· Availability of cybersecurity systems vendors helps to reduce the cost, which in turn facilitates the adoption of ISP in our enterprise | 1 | 2 | 3 | 4 | 5
Organizational (O) Factors
1. Security Concerns
· The power of cybersecurity systems facilitates the adoption of ISP in our enterprise | 1 | 2 | 3 | 4 | 5
· Perceived cybersecurity risks encourage our enterprise to adopt ISP | 1 | 2 | 3 | 4 | 5
· Presence of trust in the enterprise’s cybersecurity systems helps to adopt ISP | 1 | 2 | 3 | 4 | 5
2. Training
· Availability of periodical cybersecurity training helps to adopt ISP | 1 | 2 | 3 | 4 | 5
· Encouraging our employees to get professional certificates in cybersecurity facilitates the adoption of ISP | 1 | 2 | 3 | 4 | 5
· Conducting cybersecurity training courses for non-IT employees facilitates the adoption of ISP | 1 | 2 | 3 | 4 | 5
3. Top Management Support
· Top management is committed to supporting cybersecurity adoption in our company (enterprise) | 1 | 2 | 3 | 4 | 5
· Top management in our company (enterprise) is fully aware of the importance of cybersecurity advantages, which in turn facilitates the adoption of ISP | 1 | 2 | 3 | 4 | 5
· Availability of technical background for the top management in our company helps the adoption of ISP | 1 | 2 | 3 | 4 | 5
· The willingness of top management to develop our company helps the adoption of ISP | 1 | 2 | 3 | 4 | 5
4. Organizational Awareness
· The high level of cybersecurity awareness of our employees helps to adopt ISP easily | 1 | 2 | 3 | 4 | 5
5. Organizational Culture
· Emphasis on growth through developing new ideas facilitates the adoption of ISP | 1 | 2 | 3 | 4 | 5
· Employees’ loyalty to our company (enterprise) facilitates the adoption of ISP | 1 | 2 | 3 | 4 | 5
· Willingness of our company (enterprise) to achieve its goals facilitates the adoption of ISP | 1 | 2 | 3 | 4 | 5
Environmental (E) Factors
1. Cybersecurity Law
· The presence of cybersecurity law in Saudi Arabia facilitates the adoption of ISP | 1 | 2 | 3 | 4 | 5
· Our company’s (enterprise’s) awareness of the cybersecurity law facilitates the adoption of ISP | 1 | 2 | 3 | 4 | 5
2. External Pressure
· Competitors’ pressure encourages our company to adopt ISP | 1 | 2 | 3 | 4 | 5
· Customers’ pressure encourages our company to adopt ISP | 1 | 2 | 3 | 4 | 5
· Suppliers’ pressure encourages our company to adopt ISP | 1 | 2 | 3 | 4 | 5
· Government’s pressure encourages our company to adopt ISP | 1 | 2 | 3 | 4 | 5
Other: Please indicate ….
Question One ( 1 Mark ) ( Learning Outcome(s): LO 2 )
Describe in more detail how each member of your team selected the participating company.
Question Two ( 2 Marks ) ( Learning Outcome(s): LO 4 )
Based on your analysis of sections 2, 3, and 4 of all questionnaires that were collected by your team, what are the significant items? Support your answer by providing an example from your collected data.
Question Three ( 2 Marks ) ( Learning Outcome(s): LO 5 )
Identify the significant factors in section 5 of the questionnaires collected by your team. Discuss the findings from your point of view.