AN INSTRUMENT TO ASSESS CYBER-SECURITY
7.2. THE METROPOLITAN MUNICIPALITY CYBER-SECURITY ASSESSMENT TOOL
7.2.1. The design of the questionnaire
The statements in the questionnaire were derived from the cyber-security framework developed from ConGTM. The questionnaire was designed to be completed anonymously by the participants. It is a structured instrument with closed-ended statements: the opening items of each domain are answered on a three-option scale (Yes, No, Don't Know), and the remaining items on a five-point Likert-type scale running from Strongly Agree to Strongly Disagree. Participants were asked to choose the option that best described the situation at their organisation.
Metropolitan Municipality Cyber-security Assessment Survey Questionnaire

Legend:
Three-option items: YES = 1, NO = 0, DON'T KNOW = 2
Five-option items: SA = Strongly Agree (5), A = Agree (4), DK = Don't Know (3), D = Disagree (2), SD = Strongly Disagree (1)
Note: on the three-option items the Don't Know code of 2 is a category code, not a score above Yes, so those items are not on the same ordinal scale as the five-option items.

INTEGRATED DEVELOPMENT CYBER-SECURITY DOMAIN
Please choose the statement that best describes your view.

Items 1-5: YES (1) / NO (0) / DON'T KNOW (2)
1. My organisation has a written cyber-security policy
2. My organisation has an overarching supply chain management policy that guides the acquisition of information infrastructure
3. My organisation has a documented cyber-security strategy
4. My organisation has an inventory of critical information infrastructure
5. My organisation has information infrastructures contingency plans

Items 6-14: SA (5) / A (4) / DK (3) / D (2) / SD (1)
6. The cyber-security policy is constantly reviewed to incorporate emerging trends in the protection of information infrastructures
7. The cyber-security policy contains sections that are relevant to my job
8. The cyber-security policy is aligned to the municipal Integrated Development Plan (IDP)
9. I believe our cyber-security strategy is aligned to the municipal IDP
10. There is a structure or unit within my organisation that is responsible to implement the cyber-security strategy
11. I know what to do if I want to report breaches or violations of the cyber-security policy
12. I know who the custodian of the cyber-security policy is
13. My organisation conducts research and development with the aim to enhance protection of the information infrastructure
14. Protection of the information infrastructure in my organisation is guided by the industry best practices

CYBER-SECURITY GOVERNANCE DOMAIN

Item 15: YES (1) / NO (0) / DON'T KNOW (2)
15. My organisational strategic risk register contains cyber-security risk

Items 16-26: SA (5) / A (4) / DK (3) / D (2) / SD (1)
16. Management has allocated adequate budget to implement a cyber-security policy
17. Risk management processes guide the implementation of cyber-security controls in my organisation
18. Management has provided guidance on the regulatory requirements pertaining to the information infrastructure that I work with
19. Management has allocated adequate people to protect the information infrastructures
20. Management enforces compliance to cyber-security
21. In my organisation there are oversight structures/committees that hold management to account for the protection of information infrastructure
22. Internal audit operational plans incorporate audits or reviews on information infrastructures on an annual basis
23. Management has input in the internal audit operational plan before the plan is implemented
24. Audit committee approves the internal audit operational plan before the plan is implemented
25. Management has implemented clear asset management practices
26. Management understands the possible impact of cyber-security threats to municipal service delivery

CYBER-SECURITY TECHNICAL OPERATIONS DOMAIN

Item 27: YES (1) / NO (0) / DON'T KNOW (2)
27. There are service level agreements between my municipality and the service providers working on information infrastructures

Items 28-35: SA (5) / A (4) / DK (3) / D (2) / SD (1)
28. Management is monitoring the services provided by the service providers/consultants against the service level agreements
29. My organisation has deployed technologies to protect information infrastructures against cyber-threats
30. Access to information infrastructures is controlled through identification and authentication
31. Management has adopted industry best practices to protect information infrastructure against cyber-threats
32. Anti-virus software is installed on our laptops, desktops, and other devices
33. Audits are conducted to provide assurance on the adequacy and effectiveness of controls that have been implemented to protect information infrastructure
34. The incident management procedures are adequate to resolve cyber-security incidents
35. The building that I work in is adequately protected to secure the information infrastructure

MANAGE HUMAN ISSUES IN CYBER-SECURITY DOMAIN

Items 36-44: SA (5) / A (4) / DK (3) / D (2) / SD (1)
36. Employees' activities in information infrastructure are monitored
37. In my organisation, action is taken against employees who violate the cyber-security policy
38. Employees are made aware of the cyber-security policy contents
39. Employees know where to report suspicious illicit cyber-security activities
40. Employees receive adequate training in the information infrastructure they operate
41. I am aware of cyber-security threats affecting the information assets I work with
42. I am aware that organisational internet and e-mail systems should be used for business purposes
43. Employees accept responsibility for information infrastructure protection
44. My organisation constantly conducts cyber-security assessments to determine how employees are complying with the cyber-security policy

BIOGRAPHICAL INFORMATION

45. I have been in the employ of the municipality for:
    Less than 3 years = 1
    3 years but less than 5 years = 2
    5 years but less than 7 years = 3
    7 years but less than 10 years = 4
    10 years and over = 5
46. I belong to the following category:
    Information and Communication Technology Category = 1
    Operating Technology = 2
    Administration Category = 3
47. My position is at:
    Management level = 1
    Specialist level = 2
    Clerical level = 3
The statements in the assessment instrument are based on the cyber-security framework, specifically on the processes that describe its four domains. Every control implemented to mitigate an aspect of cyber-security must be evaluated to obtain assurance that it functions the way it was intended to. The controls concerned include processes, procedures, technology and personnel, and the assessments can be technical as well as non-technical.