Pg. 09		Question One

 

 

Project-Phase_1

Deadline: Thursday 25/02/2021 @ 23:59

[Total Mark for this Phase is 5]

 

IT Security and Policies

IT409

 

 

College of Computing and Informatics

 

 

Instructions

 

 

 

 

 

 

 

 

 

To answer the questions effectively, please follow the below instructions:

· Each team might contains two or three students. Each student must conduct an interview with cybersecurity employee (or any person in charge of it) in the chosen a company or an organization as individual, which mean each group should have two or three filled questionnaires.

· Use your analysis skills to analyze all data collected by your team.

· It is possible to measure the significance of collected data by countering the frequency of each item (i.e. if the item frequent three times, this mean it is very significant)

· It is possible to measure the significance of collected data by calculating the frequency of each item (i.e. if the item appears many times within the data, this mean it is very significant)

· You should answer the questions in this research activity as a group.

______________________________________________________________________

 

Questionnaire

Learning Outcome(s):

LO 1, LO2, LO3, LO4, LO5, LO6

 

 

 

 

 

 

 

 

3 Marks

Section 1.0: Introduction

In this era, the revolution of information technology is changing several aspects of enterprises’ practices. One of these changes is many enterprises have made their systems available online. This most likely is encouraging cyber criminals to hack these systems. One of the approaches that help to mitigate cybersecurity risks is by adopting the Information Security Policy (ISP). However, it is not known to what extent the Saudi organizations are adopting ISP. This activity aims to discover the success factors for the adoption of ISP in Saudi organizations.

 

Section 2.0: Profile of Responding Manager or Owner

Please indicate
1. Your job role:	Owner	Chief Executive officer (CEO)	Manager
Other (Please specify):
2. Your gender:	Male	Female
3. How many years have you been working for the organization?
	< 1 year	1 – 5 years	6 – 10 years	Over 10 years

 

Section 3.0: Profile of Responding Enterprise

1. Please indicate the sector of business area of your organization
Food & Drink	Entertainment/Culture	Retail/wholesale
Government Sector Please specify……………..	Cleaning Services	Commercial & Creative Arts
Financial Broker Services	Information Technology	Furnishings/Home Products
Real Estate Services	Telecommunication	Automotive
Healthcare Services	Education/Training	Clothing, Fashion & Beauty
Professional Services	Hotels and resorts	Other: (Please specify)…………
Manufacturing	Employment Agency
2. Please indicate your organization’s approximate revenue (annually?)
< SAR 3 million	SAR 3 million – $40 million	SAR 40 million – SAR 200 million
3. Number of employees
0 – 5	6 – 49	over 50

 

 

 

 

Section 4.0: Information Security Policy (ISP)

1. Please indicate when did your enterprise adopt ISP
2. Please indicate how your enterprise developed the ISP
By internal team	By third party	By hiring a consultant
Other: (Please indicate ……………………………………………………………….……………..)
3. Please indicate which framework was used to develop your ISP
ISO 27002:2013	NIST 800-53	COBIT	PCI-DSS
National Cybersecurity Authority (NCA-KSA)	Other:
4. How often do your organization review the ISP?
Every three months	Every six months		Every year
Other: (Please indicate ……………………………………………………………….……………..)
5. Who authorizes ISP at your organization?
Board of directors
Information Security leader
Information security committee
Other: (Please indicate …………………………………………………………..…………………..)

 

Adoption Level Based on The Capability Maturity Model Scale

1. Please indicate your enterprise adoption level based on the Capability Maturity Model Scale
Level	State	Description
0	Non-Existent	The organization is unaware of need for policies and processes
1	Ad-hoc	There is no documented policy or process ; there is only sporadic activity.
2	Repeatable	Policies and processes are not fully documented; however, the activities occur on a regular basis.
3	Defined Process	Policies and processes are documented and standardized; there is an active commitment to implementation
4	Managed	Policies and processes are well defined, implemented, measured, and tested.
5	Optimized	Policies and process are well understood and have been fully integrated into the organizational culture.

 

Section 5.0: Success Factors of ISP Adoption in Saudi SMEs

1	2	3	4	5
Strongly Agree	Agree	Neutral	Disagree	Strongly Disagree

Please use the following scale to rate your answer:

Technological (T) Factors
1. Availability of Technical Expertise
· Availability of cybersecurity consultants facilitates the adoption of ISP in our enterprise	1	2	3	4	5
· Availability of IT staff trained in cybersecurity facilitates the adoption of ISP in our enterprise	1	2	3	4	5
2. Complexity
· Low level of complexity in cybersecurity systems facilitates the adoption of ISP in our enterprise	1	2	3	4	5
· Ease of using cybersecurity systems facilitates the adoption of ISP in our enterprise	1	2	3	4	5
3. Cybersecurity Systems Cost
· Low cost of cybersecurity systems facilitates the adoption of ISP in our enterprise	1	2	3	4	5
· Availability of cybersecurity systems vendors help to reduce the cost which in turn facilitates the adoption of ISP in our enterprise	1	2	3	4	5

 

Organizational (O) Factors
1. Security Concerns
· The powerful of cybersecurity systems facilitates the adoption of ISP in our enterprise	1	2	3	4	5
· Evaluation of cybersecurity risks encourages our enterprise to adopt ISP	1	2	3	4	5
· Presence of trust in enterprise’s cybersecurity systems help to adopt ISP	1	2	3	4	5
2. Training
· Availability of periodical cybersecurity training helps to adopt ISP	1	2	3	4	5
· Encourage our employees to get professional certificates in cybersecurity that facilitates the adoption of ISP	1	2	3	4	5
· Conducting cybersecurity training courses for non-IT employees that facilitates the adoption of ISP	1	2	3	4	5
3. Top management support
· Top management is committed to support cybersecurity adoption in our organization.	1	2	3	4	5
· Top management in our organization is fully aware about the importance of cybersecurity advantages which in turn facilitates the adoption of ISP	1	2	3	4	5
· Availability of technical background for the top management in our organization help the adoption of ISP	1	2	3	4	5
· The willingness of top management to develop our organization help the adoption of ISP	1	2	3	4	5
4. Organizational Awareness
· The high level of cybersecurity awareness of our employees helps to adopt ISP easily	1	2	3	4	5

 

5. Organizational Culture
· Emphasis growth through developing new ideas that facilitates the adoption of ISP	1	2	3	4	5
· Employee’s loyalty for our organization that facilitates the adoption of ISP	1	2	3	4	5
· Willingness of our organization to achieve its goals that facilitates the adoption of ISP	1	2	3	4	5
Environmental (E) Factors
1. Cybersecurity Law
· The presence of cybersecurity law in Saudi Arabia facilitates the adoption of ISP	1	2	3	4	5
· Our organization awareness about the cybersecurity law facilitates the adoption of ISP	1	2	3	4	5
2. External Pressure
· Competitors’ pressure encourages our organization to adopt ISP	1	2	3	4	5
· Customers’ pressure encourages our organization to adopt ISP	1	2	3	4	5
· Suppliers’ pressure encourages our organization to adopt ISP	1	2	3	4	5
· Government’s pressure encourages our organization to adopt ISP	1	2	3	4	5

Question One

2 Marks

Learning Outcome(s):

LO 2

 

 

 

 

 

 

 

 

Write down in more details, how did each member of your team select the participating company?

[Each team member writes at least one paragraph]