Security and policy

Question One

Project-Phase_1

Deadline: Thursday 25/02/2021 @ 23:59

[Total Mark for this Phase is 5]

IT Security and Policies

IT409

College of Computing and Informatics

Instructions

To answer the questions effectively, please follow the below instructions:

· Each team may consist of two or three students. Each student must individually conduct an interview with a cybersecurity employee (or any person in charge of cybersecurity) in the chosen company or organization, which means each group should have two or three completed questionnaires.

· Use your analysis skills to analyze all data collected by your team.

· It is possible to measure the significance of collected data by calculating the frequency of each item (i.e. if an item appears many times within the data, this means it is very significant).

· You should answer the questions in this research activity as a group.

______________________________________________________________________

Questionnaire

Learning Outcome(s):

LO 1, LO2, LO3, LO4, LO5, LO6

3 Marks

Section 1.0: Introduction

In this era, the revolution in information technology is changing several aspects of enterprise practice. One of these changes is that many enterprises have made their systems available online, which most likely encourages cyber criminals to attack these systems. One approach that helps mitigate cybersecurity risks is adopting an Information Security Policy (ISP). However, it is not known to what extent Saudi organizations are adopting ISPs. This activity aims to discover the success factors for the adoption of ISP in Saudi organizations.

Section 2.0: Profile of Responding Manager or Owner

Please indicate

1. Your job role:

Owner

Chief Executive officer (CEO)

Manager

Other (Please specify):

2. Your gender:

Male

Female

3. How many years have you been working for the organization?

< 1 year

1 – 5 years

6 – 10 years

Over 10 years

Section 3.0: Profile of Responding Enterprise

1. Please indicate the business sector of your organization

Food & Drink

Entertainment/Culture

Retail/wholesale

Government Sector

Please specify: AWQAF Investment

Cleaning Services

Commercial & Creative Arts

Financial Broker Services

Information Technology

Furnishings/Home Products

Real Estate Services

Telecommunication

Automotive

Healthcare Services

Education/Training

Clothing, Fashion & Beauty

Professional Services

Hotels and resorts

Other: (Please specify)…………

Manufacturing

Employment Agency

2. Please indicate your organization’s approximate annual revenue

< SAR 3 million

SAR 3 million – SAR 40 million

SAR 40 million - SAR 200 million

3. Number of employees

0 – 5

6 – 49

over 50

Section 4.0: Information Security Policy (ISP)

1. Please indicate when your enterprise adopted the ISP

2. Please indicate how your enterprise developed the ISP

By internal team

By third party

By hiring a consultant

Other: (Please indicate ……………………………………………………………….……………..)

3. Please indicate which framework was used to develop your ISP

ISO 27002:2013

NIST 800-53

COBIT

PCI-DSS

National Cybersecurity Authority (NCA-KSA)

Other:

4. How often does your organization review the ISP?

Every three months

Every six months

Every year

Other: (Please indicate ……………………………………………………………….……………..)

5. Who authorizes ISP at your organization?

Board of directors

Information Security leader

Information security committee

Other: (Please indicate …………………………………………………………..…………………..)

Adoption Level Based on The Capability Maturity Model Scale

1. Please indicate your enterprise adoption level based on the Capability Maturity Model Scale

Level | State | Description
0 | Non-Existent | The organization is unaware of the need for policies and processes.
1 | Ad-hoc | There is no documented policy or process; there is only sporadic activity.
2 | Repeatable | Policies and processes are not fully documented; however, the activities occur on a regular basis.
3 | Defined Process | Policies and processes are documented and standardized; there is an active commitment to implementation.
4 | Managed | Policies and processes are well defined, implemented, measured, and tested.
5 | Optimized | Policies and processes are well understood and have been fully integrated into the organizational culture.

Section 5.0: Success Factors of ISP Adoption in Saudi SMEs

Please use the following scale to rate your answer:

1 = Strongly Agree, 2 = Agree, 3 = Neutral, 4 = Disagree, 5 = Strongly Disagree

Technological (T) Factors

1. Availability of Technical Expertise

· Availability of cybersecurity consultants facilitates the adoption of ISP in our enterprise [ 1 | 2 | 3 | 4 | 5 ]

· Availability of IT staff trained in cybersecurity facilitates the adoption of ISP in our enterprise [ 1 | 2 | 3 | 4 | 5 ]

2. Complexity

· Low level of complexity in cybersecurity systems facilitates the adoption of ISP in our enterprise [ 1 | 2 | 3 | 4 | 5 ]

· Ease of using cybersecurity systems facilitates the adoption of ISP in our enterprise [ 1 | 2 | 3 | 4 | 5 ]

3. Cybersecurity Systems Cost

· Low cost of cybersecurity systems facilitates the adoption of ISP in our enterprise [ 1 | 2 | 3 | 4 | 5 ]

· Availability of cybersecurity system vendors helps to reduce cost, which in turn facilitates the adoption of ISP in our enterprise [ 1 | 2 | 3 | 4 | 5 ]

Organizational (O) Factors

1. Security Concerns

· The strength of cybersecurity systems facilitates the adoption of ISP in our enterprise [ 1 | 2 | 3 | 4 | 5 ]

· Evaluation of cybersecurity risks encourages our enterprise to adopt ISP [ 1 | 2 | 3 | 4 | 5 ]

· Presence of trust in the enterprise’s cybersecurity systems helps to adopt ISP [ 1 | 2 | 3 | 4 | 5 ]

2. Training

· Availability of periodic cybersecurity training helps to adopt ISP [ 1 | 2 | 3 | 4 | 5 ]

· Encouraging our employees to obtain professional certificates in cybersecurity facilitates the adoption of ISP [ 1 | 2 | 3 | 4 | 5 ]

· Conducting cybersecurity training courses for non-IT employees facilitates the adoption of ISP [ 1 | 2 | 3 | 4 | 5 ]

3. Top management support

· Top management is committed to supporting cybersecurity adoption in our organization [ 1 | 2 | 3 | 4 | 5 ]

· Top management in our organization is fully aware of the advantages of cybersecurity, which in turn facilitates the adoption of ISP [ 1 | 2 | 3 | 4 | 5 ]

· Availability of a technical background among our organization’s top management helps the adoption of ISP [ 1 | 2 | 3 | 4 | 5 ]

· The willingness of top management to develop our organization helps the adoption of ISP [ 1 | 2 | 3 | 4 | 5 ]

4. Organizational Awareness

· The high level of cybersecurity awareness of our employees helps to adopt ISP easily [ 1 | 2 | 3 | 4 | 5 ]

5. Organizational Culture

· Emphasizing growth through developing new ideas facilitates the adoption of ISP [ 1 | 2 | 3 | 4 | 5 ]

· Employees’ loyalty to our organization facilitates the adoption of ISP [ 1 | 2 | 3 | 4 | 5 ]

· Willingness of our organization to achieve its goals facilitates the adoption of ISP [ 1 | 2 | 3 | 4 | 5 ]

Environmental (E) Factors

1. Cybersecurity Law

· The presence of cybersecurity law in Saudi Arabia facilitates the adoption of ISP [ 1 | 2 | 3 | 4 | 5 ]

· Our organization’s awareness of the cybersecurity law facilitates the adoption of ISP [ 1 | 2 | 3 | 4 | 5 ]

2. External Pressure

· Competitors’ pressure encourages our organization to adopt ISP [ 1 | 2 | 3 | 4 | 5 ]

· Customers’ pressure encourages our organization to adopt ISP [ 1 | 2 | 3 | 4 | 5 ]

· Suppliers’ pressure encourages our organization to adopt ISP [ 1 | 2 | 3 | 4 | 5 ]

· Government’s pressure encourages our organization to adopt ISP [ 1 | 2 | 3 | 4 | 5 ]

Question One

2 Marks

Learning Outcome(s):

LO 2