1. About Your Organisation

Please answer the questions below so we can classify your organisation.

Please indicate the size of your organisation.
  Micro firm (up to 10 employees)
  Small firm (11 to 50 employees)
  Medium firm (51 to 250 employees)
  Large firm (more than 250 employees)

Please indicate the nature of your organisation below.
  Production & Tooling Sector Engineering Firm
  Other Engineering Firm
  Service Firm
  Other

Please briefly describe your principal business activity.

2. About You

Please indicate the nature of your job role, so we can classify survey responses.

Which of the following best describes your role?
  Owner or Director
  Senior Manager
  Production Specialist
  IT Specialist
  Office / Clerical
  Consultant
  Other (please list)

3. Computer Asset Classification and Control

Does your organisation keep records on the hardware and software that it uses? Please tick those items which apply.

Column: Actually Done
  An inventory of software is kept
  An inventory of hardware is kept
  Unlicensed or illegal software is tracked and deleted
  Access control records (who is allowed access to what) are kept

4. Risk Management

Does your organisation conduct formal risk management?

We conduct formal risk management
  Scale: Yes / No / Do Not Know

If you conduct a formal information security risk management process, please tick those items which apply.

Column: Actually Done
  Have vulnerable assets been identified?
  Have threats to vulnerable assets been identified?
  Are information security risks quantified?

5. Information Security Policy

Does your organisation have a formal (i.e. written) information security policy?

We have an information security policy
  Scale: Yes / No / Do Not Know

If you have an information security policy, who was involved in its development? Please tick all that apply.

Who helped to develop your information security policy?
  Security specialists
  Technical staff
  Management
  Bought the policy in
  Other (please list)

Will your organisation get an information security policy?

Scale: Yes / No / Do Not Know
  Do you intend to develop an information security policy?
  Do you intend to purchase an information security policy?
  Are you aware of ISO/IEC 17799?

Does your organisation have a nominated individual (or individuals) with responsibility for information security?

Nominated individual(s) with responsibility for information security
  Scale: Yes / No / Do Not Know

6. Personnel Security

Please indicate how strongly you agree or disagree with the following statements.

Scale: Strongly Agree / Slightly Agree / Slightly Disagree / Strongly Disagree
  Written job descriptions must include responsibility for information security
  It is necessary for the organisation to conduct background checks on staff
  Staff must sign a confidentiality agreement
  It is essential to provide staff training on information security policies and procedures
  There must be formal procedures for reporting information security incidents
  There must be a formal disciplinary process for staff who violate information security policies and procedures
  Employees must be involved in the formulation of information security policies in order to encourage a sense of ownership

7. Physical and Environmental Security

Please indicate how well or badly your organisation tackles the following aspects of physical security.

Scale: Very Well / Satisfactorily / Very Badly
  Is your computer equipment physically secured?
  Is physical access to computer equipment controlled?
  Are visitors and contractors supervised?
  Do authorisation and checking occur on equipment entering or leaving your site?

Which of the following physical or environmental security controls does your organisation a) Have in Place or b) Aspire To? Please tick all that apply.

Columns: Have in Place / Aspire To
  Equipment sited or protected to reduce environmental threats or hazards.
  Equipment sited or protected to reduce opportunities for unauthorised access.
  Equipment protected from power failures and surges.
  Equipment correctly maintained to ensure continued availability and integrity.
  Fully compliant with insurance policy requirements.
  Security risks are considered for off-site working.
  Sensitive data and licensed software removed from data-storage equipment prior to disposal.

8. Secure Computer Management

Which of the following secure computer management procedures does your organisation have in place? Please tick all that apply.

Documented Operating Procedures
Do you have documented operating procedures that address:
  Contacts for when outages and faults occur
  System start-up and close-down procedures
  Emergency contacts

Operational Change Control
Do you have change control procedures that address:
  Authorisation for significant data changes
  Network, firewall and intrusion detection functions documented
  Network, firewall and intrusion detection functions tested

Incident Management Procedures
Do you have documented incident management procedures that address:
  Web site failure
  Denial of service attacks
  Hacking or intrusion detection
  Firewall log ambiguities

Other Documented Procedures
Do you have other documented procedures:
  Additional documented security procedures (please list below)

9. Secure Systems Development

Does your organisation develop software systems or write programs?

We develop systems or write programs
  Scale: Yes / No / Do Not Know

If your organisation develops systems or writes programs, which of the following development procedures are used? Please tick all that apply.

Requirements Capture
When capturing requirements for systems:
  Are security requirements documented?
  Are security requirements derived from a business risk assessment?

Design Issues
When designing systems/programs:
  Are security components (e.g. authentication, encryption and firewalls) taken into account?
  Are the limitations of security components considered?
  Are the security aspects of the deployment environment considered?

Build Issues
When building systems/writing programs:
  Are systems built taking account of known patches or solutions to known vulnerabilities?

Security Testing
When testing systems/programs:
  Are systems/programs subject to a security assessment?
  Are systems/programs subject to penetration testing?

Deployment
When deploying systems/programs:
  Are systems subject to a security assessment and/or penetration testing in the deployed environment?

Maintenance
When maintaining systems:
  Are ongoing risk reviews conducted?

Other Secure Systems Development Procedures
In your overall development process:
  Are there additional secure systems development procedures? (please list below)

10. Access Control

Which of the following access control procedures have been adopted by your organisation? Please tick all that apply.

Business Rules
In your organisation:
  Are access control rules and rights for each user or user group clearly documented?
  Is a strong password policy (e.g. 8 characters, mixed alphanumeric, no names, etc.) enforced?
  Are non-essential services disabled on servers?
  Is encryption used between servers and administrative staff?
  Are secure login methods used on firewalls and intrusion detection systems?

Monitoring
In your organisation:
  Are users' access attempts logged?
  Are firewall logs proactively monitored and logged?
  Are intrusion detection logs proactively logged?
  Is web site usage monitored?

Managing User Access
In your organisation:
  Is there a formal user registration procedure?
  Is there a formal user deregistration procedure?
  Are 'least-privilege' user access policies enforced?
  Are users informed of their responsibility to keep passwords secure?

Other Access Control Procedures
In your organisation:
  Are there additional access control procedures? (please list below)

11. Encryption and Authentication Technologies

Which of the following encryption or authentication technologies are used by your organisation?

Scale: Used / Not Used / Do Not Know
  Message authentication. This establishes that the message says what it is supposed to say and comes from where it purports to come from.
  User authentication. This establishes that system users are who they say they are.
  Encryption. This protects data by converting it into an unreadable form, except by those who have decryption keys.

13. Survey Completed

This completes the survey. Thank you for your time and responses.

A sample of survey respondents will be invited to participate in more detailed research.

Would you be interested in participating?

I would be interested in participating further in this research
  Scale: Yes / No / Perhaps

Please contact [email protected] if you have any questions regarding this survey.