Project-Report

Deadline: 15/04/2021 @ 23:59
[Total Mark for this Phase is 10]

IT Security and Policies

IT409

College of Computing and Informatics

Instructions

To answer the questions effectively, please follow the below instructions:
To answer the questions effectively, please follow the below instructions: 
· Each team might contain two or three students.
· Each student must interview a cybersecurity employee (or any person in charge of it) in the chosen company or an organization as an individual, which means each group should have two or three filled questionnaires. 
· Use your analysis skills to analyze all data collected by your team.
· It is possible to measure the significance of collected data by countering the frequency of each item (i.e. if the item frequent three times, this mean it is very significant)  
· It is possible to measure the significance of collected data by calculating the frequency of each item (i.e. if the item appears many times within the data, this mean it is very significant)  
· You should answer the questions in this research activity as a group. 

Phase 1

Part 1: Data collection Phase
Learning Outcome(s):

3 Marks

Section 1.0: Introduction
In this era, the revolution of information technology is changing several aspects of enterprises’ practices. One of these changes is many enterprises have made their systems available online. This most likely is encouraging cyber criminals to hack these systems. One of the approaches that help to mitigate cybersecurity risks is by adopting the Information Security Policy (ISP). However, it is not known to what extent the Saudi organizations are adopting ISP. This activity aims to discover the success factors for the adoption of ISP in Saudi organizations

Please indicate

1. Your job role:

Owner

Chief Executive officer
(CEO)

Manager

Other (Please specify):

2. Your gender:

Male

Female

3. How many years have you been working for the organization?

< 1 year 1 – 5 years 6 – 10 years Over 10 years Section 2.0: Profile of Responding Manager or Owner Section 3.0: Profile of Responding Enterprise 1. Please indicate the sector of business area of your organization Food & Drink Entertainment/Culture Retail/wholesale Government Sector Please specify…………….. Cleaning Services Commercial & Creative Arts Financial Broker Services Information Technology Furnishings/Home Products Real Estate Services Telecommunication Automotive Healthcare Services Education/Training Clothing, Fashion & Beauty Professional Services Hotels and resorts Other: (Please specify)………… Manufacturing Employment Agency 2. Please indicate your organization’s approximate revenue (annually?) < SAR 3 million SAR 3 million - $40 million SAR 40 million - SAR 200 million 3. Number of employees 0 – 5 6 – 49 over 50 Section 4.0: Information Security Policy (ISP) 1. Please indicate when did your enterprise adopt ISP 2. Please indicate how your enterprise developed the ISP By internal team By third party By hiring a consultant Other: (Please indicate ……………………………………………………………….……………..) 3. Please indicate which framework was used to develop your ISP ISO 27002:2013 NIST 800-53 COBIT PCI-DSS National Cybersecurity Authority (NCA-KSA) Other: 4. How often do your organization review the ISP? Every three months Every six months Every year Other: (Please indicate ……………………………………………………………….……………..) 5. Who authorizes ISP at your organization? Board of directors Information Security leader Information security committee Other: (Please indicate ………………………………………………………….…………………..) 1. Please indicate your enterprise adoption level based on the Capability Maturity Model Scale Level State Description 0 Non-Existent The organization is unaware of need for policies and processes 1 Ad-hoc There is no documented policy or process ; there is only sporadic activity. 2 Repeatable Policies and processes are not fully documented; however, the activities occur on a regular basis. 3 Defined Process Policies and processes are documented and standardized; there is an active commitment to implementation 4 Managed Policies and processes are well defined, implemented, measured, and tested. 5 Optimized Policies and process are well understood and have been fully integrated into the organizational culture. Section 5.0: Success Factors of ISP Adoption in Saudi SMEs 1 2 3 4 5 Strongly Agree Agree Neutral Disagree Strongly Disagree Please use the following scale to rate your answer: Technological (T) Factors 1. Availability of Technical Expertise · Availability of cybersecurity consultants facilitates the adoption of ISP in our enterprise 1 2 3 4 5 · Availability of IT staff trained in cybersecurity facilitates the adoption of ISP in our enterprise 1 2 3 4 5 2. Complexity · Low level of complexity in cybersecurity systems facilitates the adoption of ISP in our enterprise 1 2 3 4 5 · Ease of using cybersecurity systems facilitates the adoption of ISP in our enterprise 1 2 3 4 5 3. Cybersecurity Systems Cost · Low cost of cybersecurity systems facilitates the adoption of ISP in our enterprise 1 2 3 4 5 · Availability of cybersecurity systems vendors help to reduce the cost which in turn facilitates the adoption of ISP in our enterprise 1 2 3 4 5 Organizational (O) Factors 1. Security Concerns · The powerful of cybersecurity systems facilitates the adoption of ISP in our enterprise 1 2 3 4 5 · Evaluation of cybersecurity risks encourages our enterprise to adopt ISP 1 2 3 4 5 · Presence of trust in enterprise’s cybersecurity systems help to adopt ISP 1 2 3 4 5 2. Training · Availability of periodical cybersecurity training helps to adopt ISP 1 2 3 4 5 · Encourage our employees to get professional certificates in cybersecurity that facilitates the adoption of ISP 1 2 3 4 5 · Conducting cybersecurity training courses for non-IT employees that facilitates the adoption of ISP 1 2 3 4 5 3. Top management support · Top management is committed to support cybersecurity adoption in our organization. 1 2 3 4 5 · Top management in our organization is fully aware about the importance of cybersecurity advantages which in turn facilitates the adoption of ISP 1 2 3 4 5 · Availability of technical background for the top management in our organization help the adoption of ISP 1 2 3 4 5 · The willingness of top management to develop our organization help the adoption of ISP 1 2 3 4 5 4. Organizational Awareness · The high level of cybersecurity awareness of our employees helps to adopt ISP easily 1 2 3 4 5 5. Organizational Culture · Emphasis growth through developing new ideas that facilitates the adoption of ISP 1 2 3 4 5 · Employee’s loyalty for our organization that facilitates the adoption of ISP 1 2 3 4 5 · Willingness of our organization to achieve its goals that facilitates the adoption of ISP 1 2 3 4 5 Environmental (E) Factors 1. Cybersecurity Law · The presence of cybersecurity law in Saudi Arabia facilitates the adoption of ISP 1 2 3 4 5 · Our organization awareness about the cybersecurity law facilitates the adoption of ISP 1 2 3 4 5 2. External Pressure · Competitors’ pressure encourages our organization to adopt ISP 1 2 3 4 5 · Customers’ pressure encourages our organization to adopt ISP 1 2 3 4 5 · Suppliers’ pressure encourages our organization to adopt ISP 1 2 3 4 5 · Government’s pressure encourages our organization to adopt ISP 1 2 3 4 5 Part 1: Data collection Phase 2 Marks Learning Outcome(s): LO 2 Q1) Write down in more details, how did each member of your team select the participating company? [Each team member writes at least one paragraph] Phase 2 Part 2: Analysis Phase 3 Marks Learning Outcome(s): LO 1, LO3 Question 1) Based on your analysis for sections 2, 3, and 4 of all questionnaires that were collected by your team, what are the significant items? Support your answer by providing an example from your collected data. Part 2: Analysis Phase 2 Marks Learning Outcome(s): LO1, LO3 Q2) Identify the significant factors in section 5 of the questionnaires collected by your team? Discuss the findings from your point of view?