Information Technology Security and Policies
Instructions
To answer the questions effectively, please follow the instructions below:
· Each team may contain two or three students. Each student must individually conduct an interview with a cybersecurity employee (or any person in charge of cybersecurity) in the chosen company or organization, which means each group should have two or three completed questionnaires.
Questionnaire
Section 1.0: Introduction
In this era, the revolution in information technology is changing several aspects of enterprises’ practices. One of these changes is that many enterprises have made their systems available online, which most likely encourages cyber criminals to hack these systems. One approach that helps to mitigate cybersecurity risks is adopting an Information Security Policy (ISP). However, it is not known to what extent Saudi organizations are adopting ISP. This activity aims to discover the success factors for the adoption of ISP in Saudi organizations.
Section 2.0: Profile of Responding Manager or Owner
Please indicate | ||||
1. Your job role: | Owner | Chief Executive officer (CEO) | Manager | |
Other (Please specify): | ||||
2. Your gender: | Male | Female | ||
3. How many years have you been working for the organization? | ||||
< 1 year | 1 – 5 years | 6 – 10 years | Over 10 years |
Section 3.0: Profile of Responding Enterprise
1. Please indicate the sector or business area of your organization | ||
Food & Drink | Entertainment/Culture | Retail/wholesale |
Government Sector (Please specify: AWQAF Investment) | Cleaning Services | Commercial & Creative Arts |
Financial Broker Services | Information Technology | Furnishings/Home Products |
Real Estate Services | Telecommunication | Automotive |
Healthcare Services | Education/Training | Clothing, Fashion & Beauty |
Professional Services | Hotels and resorts | Other: (Please specify)………… |
Manufacturing | Employment Agency | |
2. Please indicate your organization’s approximate revenue (annually) | ||
< SAR 3 million | SAR 3 million – $40 million | SAR 40 million – SAR 200 million |
3. Number of employees | ||
0 – 5 | 6 – 49 | over 50 |
Section 4.0: Information Security Policy (ISP)
1. Please indicate when your enterprise adopted the ISP | |||
2. Please indicate how your enterprise developed the ISP | |||
By internal team | By third party | By hiring a consultant | |
Other: (Please indicate ……………………………………………………………….……………..) | |||
3. Please indicate which framework was used to develop your ISP | |||
ISO 27002:2013 | NIST 800-53 | COBIT | PCI-DSS |
National Cybersecurity Authority (NCA-KSA) | Other: | ||
4. How often does your organization review the ISP? | |||
Every three months | Every six months | Every year | |
Other: (Please indicate ……………………………………………………………….……………..) | |||
5. Who authorizes ISP at your organization? | |||
Board of directors | |||
Information Security leader | |||
Information security committee | |||
Other: (Please indicate …………………………………………………………..…………………..) |
Adoption Level Based on The Capability Maturity Model Scale |
1. Please indicate your enterprise adoption level based on the Capability Maturity Model Scale | ||
Level | State | Description |
0 | Non-Existent | The organization is unaware of the need for policies and processes. |
1 | Ad-hoc | There is no documented policy or process; there is only sporadic activity. |
2 | Repeatable | Policies and processes are not fully documented; however, the activities occur on a regular basis. |
3 | Defined Process | Policies and processes are documented and standardized; there is an active commitment to implementation |
4 | Managed | Policies and processes are well defined, implemented, measured, and tested. |
5 | Optimized | Policies and processes are well understood and have been fully integrated into the organizational culture. |
Section 5.0: Success Factors of ISP Adoption in Saudi SMEs
Please use the following scale to rate your answer:
1 | 2 | 3 | 4 | 5 |
Strongly Agree | Agree | Neutral | Disagree | Strongly Disagree |
Technological (T) Factors | |||||
1. Availability of Technical Expertise | |||||
· Availability of cybersecurity consultants facilitates the adoption of ISP in our enterprise | 1 | 2 | 3 | 4 | 5 |
· Availability of IT staff trained in cybersecurity facilitates the adoption of ISP in our enterprise | 1 | 2 | 3 | 4 | 5 |
2. Complexity | |||||
· Low level of complexity in cybersecurity systems facilitates the adoption of ISP in our enterprise | 1 | 2 | 3 | 4 | 5 |
· Ease of using cybersecurity systems facilitates the adoption of ISP in our enterprise | 1 | 2 | 3 | 4 | 5 |
3. Cybersecurity Systems Cost | |||||
· Low cost of cybersecurity systems facilitates the adoption of ISP in our enterprise | 1 | 2 | 3 | 4 | 5 |
· Availability of cybersecurity systems vendors helps to reduce the cost, which in turn facilitates the adoption of ISP in our enterprise | 1 | 2 | 3 | 4 | 5 |
Organizational (O) Factors | |||||
1. Security Concerns | |||||
· The power of cybersecurity systems facilitates the adoption of ISP in our enterprise | 1 | 2 | 3 | 4 | 5 |
· Evaluation of cybersecurity risks encourages our enterprise to adopt ISP | 1 | 2 | 3 | 4 | 5 |
· Presence of trust in the enterprise’s cybersecurity systems helps to adopt ISP | 1 | 2 | 3 | 4 | 5 |
2. Training | |||||
· Availability of periodical cybersecurity training helps to adopt ISP | 1 | 2 | 3 | 4 | 5 |
· Encouraging our employees to get professional certificates in cybersecurity facilitates the adoption of ISP | 1 | 2 | 3 | 4 | 5 |
· Conducting cybersecurity training courses for non-IT employees | 1 | 2 | 3 | 4 | 5 |
3. Top management support | |||||
· Top management is committed to supporting cybersecurity adoption in our organization. | 1 | 2 | 3 | 4 | 5 |
· Top management in our organization is fully aware of the importance of cybersecurity advantages, which in turn facilitates the adoption of ISP | 1 | 2 | 3 | 4 | 5 |
· Availability of technical background for the top management in our organization helps the adoption of ISP | 1 | 2 | 3 | 4 | 5 |
· The willingness of top management to develop our organization helps the adoption of ISP | 1 | 2 | 3 | 4 | 5 |
4. Organizational Awareness | |||||
· The high level of cybersecurity awareness of our employees helps to adopt ISP easily | 1 | 2 | 3 | 4 | 5 |
5. Organizational Culture | |||||
· Emphasis on growth through developing new ideas facilitates the adoption of ISP | 1 | 2 | 3 | 4 | 5 |
· Employees’ loyalty to our organization facilitates the adoption of ISP | 1 | 2 | 3 | 4 | 5 |
· Willingness of our organization to achieve its goals facilitates the adoption of ISP | 1 | 2 | 3 | 4 | 5 |
Environmental (E) Factors | |||||
1. Cybersecurity Law | |||||
· The presence of cybersecurity law in Saudi Arabia facilitates the adoption of ISP | 1 | 2 | 3 | 4 | 5 |
· Our organization’s awareness of the cybersecurity law facilitates the adoption of ISP | 1 | 2 | 3 | 4 | 5 |
2. External Pressure | |||||
· Competitors’ pressure encourages our organization to adopt ISP | 1 | 2 | 3 | 4 | 5 |
· Customers’ pressure encourages our organization to adopt ISP | 1 | 2 | 3 | 4 | 5 |
· Suppliers’ pressure encourages our organization to adopt ISP | 1 | 2 | 3 | 4 | 5 |
· Government’s pressure encourages our organization to adopt ISP | 1 | 2 | 3 | 4 | 5 |
Question One
2 Marks
Learning Outcome(s):
LO 2