Survey Templates Surveys Information Security Awareness in UK Production &

Information Security Awareness in UK Production &

Information Security Awareness in UK Production & Tooling Sector SMEs

use this free template

Preview this template

Please indicate the size of your organisation.Question Explanation

Micro firm (up to 10 employees)

Small firm (11 to 50 employees)

Medium firm (51 to 250 employees)

Large firm (more than 250 employees)

Please indicate the nature of your organisation below.

Production & Tooling Sector Engineering Firm

Other Engineering Firm

Service Firm

Other

Please briefly describe your principal business activity.

Which of the following best describes your role?Question Explanation

Owner or Director

Senior Manager

Production Specialist

IT Specialist

Office / Clerical

Consultant

Other (please list)

3. Computer Asset Classification and Control

Does your organisation keep records on the hardware and software that it uses? Please tick those items which apply.

Question Explanation

	Actually Done
An inventory of software is kept	Actually Done

An inventory of hardware is kept	Actually Done

Unlicensed or illegal software tracked and deleted	Actually Done

Access control records (who is allowed access to what) are kept	Actually Done

We conduct formal risk managementQuestion Explanation

Yes

Do Not Know

If you conduct formal information security risk management process please tick those items which apply.

Question Explanation

	Actually Done
Have vulnerable assets been identified?	Actually Done

Have threats to vulnerable assets been identified?	Actually Done

Are information security risks quantified?	Actually Done

We have an information security policyQuestion Explanation

Yes

Do Not Know

Who helped to develop your information security policy?Question Explanation

Security specialists

Technical staff

Management

Bought the policy in

Other (please list)

Will your organisation get an information security policy?

Question Explanation

	Yes	No	Do Not Know
Do you intend to develop an information security policy?	Yes	No	Do Not Know

Do you intend to purchase an information security policy?	Yes	No	Do Not Know

Are you aware of ISO/IEC 17799?	Yes	No	Do Not Know

Nominated individual(s) with responsibility for information securityQuestion Explanation

Yes

Do Not Know

6. Personnel Security

Please indicate how strongly you agree or disagree with the following statements.

Question Explanation

	Strongly Agree	Slightly Agree	Slightly Disagree	Strongly Disagree
Written job descriptions must include responsibility for information security	Strongly Agree	Slightly Agree	Slightly Disagree	Strongly Disagree

It is necessary for the organisation to conduct background checks on staff	Strongly Agree	Slightly Agree	Slightly Disagree	Strongly Disagree

Staff must sign a confidentiality agreement	Strongly Agree	Slightly Agree	Slightly Disagree	Strongly Disagree

It is essential to provide staff training on information security policies and procedures	Strongly Agree	Slightly Agree	Slightly Disagree	Strongly Disagree

There must be formal procedures for reporting information security incidents	Strongly Agree	Slightly Agree	Slightly Disagree	Strongly Disagree

There must be a formal disciplinary process for staff who violate information security policies and procedures	Strongly Agree	Slightly Agree	Slightly Disagree	Strongly Disagree

Employees must be involved in the formulation of information security policies in order to encourage a sense of ownership	Strongly Agree	Slightly Agree	Slightly Disagree	Strongly Disagree

7. Physical and Environmental Security

Please indicate how well or badly your organisation tackles the following aspects of physical security.

Question Explanation

	Very Well	Satisfactorily	Very Badly
Is your computer equipment physically secured?	Very Well	Satisfactorily	Very Badly

Is physical access to computer equipment controlled?	Very Well	Satisfactorily	Very Badly

Are visitors and contractors supervised?	Very Well	Satisfactorily	Very Badly

Does authorisation and checking occur on equipment entering or leaving your site?	Very Well	Satisfactorily	Very Badly

Which of the following physical or environmental security controls does your organisation a) Have in Place or b) Aspire To? Please tick all that apply.

Question Explanation

	Have in Place	Aspire To
Equipment sited or protected to reduce environmental threats or hazards.	Have in Place	Aspire To

Equipment sited or protected to reduce opportunities for unauthorised access.	Have in Place	Aspire To

Equipment protected from power failures and surges.	Have in Place	Aspire To

Equipment correctly maintained to ensure continued availability and integrity.	Have in Place	Aspire To

Fully compliant with insurance policy requirements.	Have in Place	Aspire To

Security risks are considered for off-site working.	Have in Place	Aspire To

Sensitive data and licensed software removed from data-storage equipment prior to disposal.	Have in Place	Aspire To

Documented Operating Procedures

Do you have documented operating procedures that address:
Question Explanation

Contacts for when outages and faults occur

System start-up and close-down procedures

Emergency contacts

Operational Change Control

Do you have change control procedures that address:

Authorisation for significant data changes

Network, firewall and intrusion detection functions documented

Network, firewall and intrusion detection functions tested

Incident Management Procedures

Do you have documented incident management procedures that address:

Web site failure

Denial of service attacks

Hacking or intrusion detection

Firewall log ambiguities

Other Documented Procedures

Do you have other documented procedures:

Additional documented security procedures (please list below)

We develop systems or write programsQuestion Explanation

Yes

Do Not Know

Requirements Capture

When capturing requirements for systems:
Question Explanation

Are security requirements documented?

Are security requirements derived from a business risk assessment?

Design Issues

When designing systems/programs:

Are security components (e.g. authentication, encryption and firewalls) taken into account?

Are the limitations of security components considered?

Are the security aspects of the deployment environment considered?

Build Issues

When building systems/writing programs:

Are systems built taking account of known patches or solutions to known vulnerabilities?

Security Testing

When testing systems/programs:

Are systems/programs subject to a security assessment?

Are systems/programs subject to penetration testing?

Deployment

When deploying systems/programs:

Are systems subject to a security assessment and/or penetration testing in the deployed environment?

Maintenance

When maintaining systems:

Are ongoing risk reviews conducted?

Other Secure Systems Development Procedures

In your overall development process:

Are there additional secure systems development procedures (please list below)

Business Rules

In your organisation:
Question Explanation

Are access control rules and rights for each user or user group clearly documented?

Is a strong password (e.g. 8-characters, mixed alpha-numeric, no names, etc) policy enforced?

Are non-essential services disabled on servers?

Is encryption used between servers and administrative staff?

Are secure login methods used on firewalls and intrusion detection systems?

Monitoring

In your organisation:

Are users access attempts logged?

Are firewall logs pro-actively monitored and logged?

Are intrusion detection logs proactively logged?

Is web site usage monitored??

Managing User Access

In your organisation:

Is there a formal user registration procedure

Is there a formal user deregistration procedure

Are 'least-privilege' user access policies enforced?

Are users informed of their responsibility to keep passwords secure??

Other Access Control Procedures

In your organisation:

Are there additional access control procedures? (please list below)

11. Encryption and Authentication Technologies

Which of the following encryption or authentication technologies are used by your organisation?

Question Explanation

	Used	Not Used	Do Not Know
Message authentication. This establishes the message says what it is supposed to say and comes from where it purports to come from.	Used	Not Used	Do Not Know

User authentication. This establishes that system users are who they say they are.	Used	Not Used	Do Not Know

Encryption. This protects data by converting it into an unreadable form, except by those who have decryption keys.	Used	Not Used	Do Not Know

Question Explanation

I would be interested in participating further in this researchQuestion Explanation

Yes

Perhaps

use this free template

Information Security Awareness in UK Production &

3. Computer Asset Classification and Control

6. Personnel Security

7. Physical and Environmental Security

11. Encryption and Authentication Technologies

Related templates and questionnaires

QuestionPro in your language

Awards & certificates

The Experience Journal