Description and Instructions
Project Description:
This project is an opportunity for you to practice your knowledge and skills by assessing the actual information security practice in Saudi companies/organizations based on the information security capability maturity model (ISCMM).
• Total Marks = 14
  Project Report: 10 marks
  Presentation: 4 marks

• Group Size = 2- 3 members.
• Each student must visit a chosen company/organization to interview a cybersecurity representative (i.e., each group should have two or three filled checklists based on the number of team members).
• You should answer the questions in this research activity as a group.
• One group member (group leader) should submit all files: Project Report and Presentation Slides on Blackboard. Marks will be given based on your submission and the quality of the content.
Project Report
• Each Project Report will be evaluated according to the marking criteria in each question section.
Presentation
Grading Criteria:
Complete content (Introduction, body, and conclusion): 2 marks
Effective use of time (max. 8-10 minutes): 1 mark
Voice projection and loudness / Eye contact / Confidence and attitude: 1 mark

Information Security capability maturity (ISCMM) levels
For this project, you will use the following levels of the information security capability maturity model (ISCMM) as guiding principles for your journey to assess the maturity of the chosen company/organization regarding information security.

Question One
Fill out the following checklist during the meeting with the chosen company/organization's cybersecurity representative. Provide the filled checklist for each team member.
ISCMM Level | Indicators | Tick the applicable indicators

Enhanced
1. You actively explore opportunities to enhance information security as part of your continuous improvement program for security.
2. Information security measures are responsive, adaptable, efficient, robust, and benefit from strategic intent.

Managed
1. You have mechanisms to assess and manage requirements for protecting, sharing, and assuring information. These mechanisms are well understood and updated as required.
2. You have proportionate measures in place to prevent, detect, and respond to unauthorized or inappropriate access to information and ICT systems, including during systems development and throughout the information lifecycle.
3. You clearly understand where and how information and data assets are shared with service providers.
4. You appropriately archive or otherwise dispose of information holdings when they are no longer required.
5. Mobile devices and remote working solutions are managed securely.
6. Information or other assets you hold are consistently classified, marked, accessed, and handled in line with the Saudi Government Security Classification System.
7. Your systems ensure access controls are updated when your people change roles or leave your organization.
8. You ensure changes made to information management measures are consistent with your security risk profile and wider protective security policies. Changes are promptly communicated.
9. You periodically conduct both scheduled and unannounced tests and audits of information security.
10. When appropriate, your access controls enforce segregation of duties to reduce opportunities for unauthorized or unintentional access to or misuse of information assets.

Basic
1. People most directly responsible for protective security understand the information security lifecycle.
2. You have a certification and accreditation program in place for new and existing ICT systems; however, it is inconsistently followed.
3. You have simple information security measures in place for areas holding physical records, ICT equipment, and basic ICT system access controls.
4. You have pockets of good information security awareness and practice, but standards aren't applied consistently across your information holdings, and your overall compliance is poorly understood. This may be particularly true when external suppliers hold or manage your information.
5. You have some security mechanisms in place for ICT systems development.
6. You have a limited understanding of where and how information or data assets are shared with service providers.
7. You understand emerging cyber intrusions and threats and have put in place simple information security measures to mitigate targeted cyber intrusions.

Informal
1. You have limited understanding of your information assets and don't proactively assess the information assets you most need to protect.
2. You have limited information security measures in place to protect your information assets and ICT system development.
3. You do not have a certification and accreditation program in place for new or existing ICT systems.
4. You can't be confident you would detect unauthorized access to, or the compromise of, electronic or physical information holdings.
5. You don't usually assess whether information or other assets require a national security classification. You also can't be confident that classified resources are managed correctly.
6. You can't be confident you implement measures for information assets that are proportional to their value, importance, and sensitivity.
7. You have limited information security measures in place for targeted cyber intrusions and have a reactive approach to emerging cyber intrusions and threats.
8. You do not understand where and how your information or data assets are shared with service providers.

Question Two
Summarize the key findings of your participating companies/organizations in light of ISCMM levels. (Maximum 250 words).

Question Three
From your point of view, what are the main recommendations for the participating companies/organizations to upgrade their level in the ISCMM?
