NOTE For Question 1: Submit 4 filled checklists (1 from each member). Ensure cho

NOTE
For Question 1:
Submit 4 filled checklists (1 from each member).
Ensure chosen companies exist in real life.
Thanks
..
Information Security capability maturity (ISCMM) levels
For this project, you will use the following levels of the information security capability maturity model (ISCMM) as guiding principles for your journey to assess the maturity of the chosen company/organization regarding information security.
Enhanced: Security capability adapts to a dynamic high-risk operating environment. Security posture is in-line with
stakeholder expectations.
Managed: Rsk-based, fit-for-purpose security measures are in place. understood. and consistently followed. Ongoing investment is required to sustain measures at this level.
Basic: Foundation polices. capabilities and practice are inplace. but are manly reactive and Inconsistent.
Informal: Security is ad-hoc. unmanaged. and unpredictable:
success relies on individuals rather than processes.
Question One
Use the following checklist to fill out during the meeting with the chosen company/organization cybersecurity representative. Provide the filled checklists for each team member.
ISCMM Levels
Indicators
Tick the applicable indicators

Enhanced
You actively explore opportunities to enhance information security as part of your continuous improvement program for security
Information security measures are responsive, adaptable, efficient, robust, and benefit fromstrategic intent.

Managed
You have mechanisms to assess and managerequirements for protecting, sharing, and assuring information. These mechanisms are well understood and updated as required.
You have proportionate measures in place to prevent, detect,and respond to unauthorized or inappropriate access to information and ICT systems, including during systems development and throughout the information lifecycle.
You clearly understand where and how information and data assets are shared withservice providers.
You appropriately archive or otherwise dispose of information holdings when they are no longer required.
Mobile devices and remote working solutions aremanaged securely.
Information or other assetsyou hold are consistently classified, marked, accessed, and handled in line with the Saudi Government Security Classification System.
Your systems ensure access controls are updated when your people change roles or leave your organization.
You ensure changes made to information management measures are consistent with your security risk profile and wider protective security policies. Changesare promptly communicated
You periodically conduct both scheduled and unannounced tests and audits of information security.
When appropriate, your access controls enforce segregation of duties to reduce opportunities for unauthorized or unintentional accessto or misuse of information assets.

Basic
People most directly responsible for protective security understand the information security lifecycle.
You have a certification and accreditation program in place for new and existing ICT systems; however, it is inconsistently followed.
You have simple information security measures in place for areas holding physical records, ICT equipment, and basic ICT system access controls.
You have pockets of good information security awareness and practice, but standards aren’t applied consistently across your information holdings, and your overall compliance is poorly understood. Thismay be particularly true when external suppliers hold or manage your information.
You havesome security mechanisms in place forICT systems development.
You have a limited understanding of where and how information or data assets are shared with service providers.
You understand emerging cyber intrusions and threats and have put in place simple information security measures to mitigate targeted cyber intrusions.

Informal
You have limited understanding of your information assets and don’t proactively assess the information assets you most need to protect
You have limited information security measures in placeto protect your information assetsand ICT system development
You do not have a certification and accreditation program in place for new or existing ICT systems.
You can’t be confident you would detect unauthorized access to, or the compromise of, electronic or physical information holdings
You don’t usually assess whether information or other assets require a national security classification. You also can’t be confident that classified resources are managed correctly
You can’t be confident you implement measures for information assets that are proportional to their value, importance, and sensitivity
You have limited information security measures in place for targeted cyber intrusions and have a reactive approach to emerging cyber intrusions and threats
You do not understand where and how your information or data assets are shared with service providers.

Question Two
Summarize the key findings of your participating companies/organizations in light of ISCMM levels. (Maximum 250 words).
Question Three
From your point of view, what are the main recommendations for participating companies/organizations to upgrade their level in ISCMM.

Note: all information and questions are provided in the file.