Lab
Developing a Security Policy Framework Implementation Plan (3e)
LAB GUIDE
0%
0%
· Introduction
· Guided Exercises
· Part 1: Research Organizational Structures
· Part 2: Create a Policy Framework Implementation Plan
· Challenge Exercise
Part 1: Research Organizational Structures (0/1 completed)
Note: In this part of the lab, you will conduct research on organizational structures in order to understand their relationship to policy frameworks and implementation plans. Understanding the reasoning behind a policy framework is key to understanding the component policies and procedures.
1. Review the following information about executive management, IT security policy enforcement monitoring, and human resources, all of which must have a unified front regarding disciplinary treatment of policy violations:
· Executive Management: Policy commitment and implementation must come from the chief executive officer (CEO) and the president’s executive order for the entire organization with policy monitoring and disciplinary action taken for policy violations.
· IT Security Policy Enforcement Monitoring: Policy monitoring can be conducted via system logging, content filtering logging, and e-mail filtering logging with automated reporting to IT security personnel for monthly or quarterly policy compliance reviews.
· Human Resources: Employees, contractors, and consultants must conform to all organization-wide policies. Violations of policies are considered to be an employer-employee issue upon which proper disciplinary actions must be taken. Repeat or continued violations of organization-wide policies might be grounds for termination of employment, depending on the violation’s severity. Nonemployees should be provided with limited access and connectivity as per policy definition.
2. Review the following information about the organizational structure inherent in flat and hierarchical organizations and how people behave in these structures:
· Compared to hierarchical organizational structures, flat organizational structures are characterized by the following:
· The management structure is cross-functional and more open to employee input.
· Dialogue and communications between employees can occur across organizational functions.
· Employees tend to be more open and communicative.
· Employees tend to be more creative and involved in business decisions.
· Employees are not as constrained within their role or function and can see and interact across the organization more freely.
· Compared to flat organizational structures, hierarchical organizational structures are characterized by the following:
· Departments are separated by function, creating multiple functional silos.
· Business decision making is performed at the executive management level.
· Dialogue and communications are more “top-down.”
· Employees tend to be less communicative and more isolated within their business functions.
· Employees find it difficult to offer additional creativity or input to business decisions.
· Employees are constrained within their roles and cannot interact outside of their business functions without going through a chain of command.
Note: Organizational structures exist on a spectrum, where many organizations may exist as a hybrid of the two. Hierarchical organizations may also be further classified as functional (where the hierarchy is defined according to functions) or divisional (where the hierarchy is defined according to divisions).
3. In your browser, navigate to https://bizfluent.com/info-11369248-employees-behave-differently-flat-vs-hierarchical-organizational-structure.html .
4. Read this article about how employees behave differently in contrasting organizations.
5. Discuss how employee behavior changes depending on the organizational structure in which the employee works.
Note: The success of a policy framework implementation will also be heavily determined by the classification or specialization of the organization. For example, healthcare organizations and educational institutions present unique challenges compared to both one another and more conventional business enterprises.
Developing a Security Policy Framework Implementation Plan (3e)
LAB GUIDE
0%
0%
· Introduction
· Guided Exercises
· Part 1: Research Organizational Structures
· Part 2: Create a Policy Framework Implementation Plan
· Challenge Exercise
Part 2: Create a Policy Framework Implementation Plan (0/8 completed)
Note: To highlight something briefly mentioned in the article from the previous part, a prominent difference between companies with hierarchical and flat structures is size. A company’s size can affect employee behavior as much as the structure or other factors can, especially an employee’s sense of job security, purpose, and potential to contribute to the company’s overall success. These factors can make an employee feel dissatisfied or even apathetic. In this part of the lab, you will apply what you learned in Part 1 to design an organization-wide policy framework implementation plan.
1. Review the following scenario for the fictional Specialty Medical Clinic:
The Specialty Medical Clinic is a fictional medical clinic that is currently being acquired by a larger organization, United Medical Services. United Medical Services follows a hierarchical structure with multiple departments and clinics. The Specialty Medical Clinic is a flat organization. You are a policy analyst working for United Medical Services and have been tasked with extending the parent organization's security policy framework to the newly acquired clinic.
2. Create a policy framework implementation plan for the fictional Specialty Medical Clinic.
United Medical Services Acquires Speciality Medical Clinic
Publish Your Policies for the New Clinic Explain your strategy
Communicate Your Policies to the New Clinic Employees How are you going communicate policies to employees?
Note: Special all-hands meetings, called “town hall meetings,” can be held between team or departmental leads. Team leaders might then share the information they’ve gained from town hall meetings with employees.
Involve Human Resources and Executive Management How would you smoothly involve HR and executive management?
Incorporate Security Awareness and Training for the New Clinic How do you make the training fun and engaging?
Note: Like any mandatory training, employees often dread mandatory security awareness training. It can be dry, not relevant to their positions, and a distraction from what they’re paid to do. But it doesn’t have to be that way. As with any training, security awareness training can become more effective by employing unconventional or interactive delivery mechanisms. For example, rather than requiring employees to read a policy and take an assessment quiz, the employees could participate in a role-playing exercise with teams of “good guys” and “bad guys.” This type of training takes considerably more planning, but, once it’s designed for a small group, the exercise is easily repeatable. The training will likely be talked about and remembered for much longer.
User behavior will also more likely be changed if the training is tailored to the employees and their specific department. An employee in shipping may be more receptive if security topics are presented in the context of freight docks rather than a cubicle setting. Relevance goes a long way toward fostering real learning.
Finally, the rationale behind the security training must be explained. Without presenting the why, or the consequences, the employees have little reason to internalize the valuable training.
Release a Monthly Organization-Wide Newsletter How can you make this newsletter succinct and informative?
Implement Security Reminders on System Log-in Screens Which critical systems would you deploy these to?
Incorporate Ongoing Security Policy Maintenance for All How will you review and obtain feedback from employees and policy-compliance monitoring?
Note: Be mindful that a new policy or procedure doesn’t negatively impact a business process or create unintended challenges in a particular department. When users find that a policy is going to make their jobs harder, they’re much more likely to try to circumvent that policy.
Employee feedback may be the only method for revealing how a policy might impose unintended challenges on an employee. Be certain to clearly communicate, to leaders and employees alike, that feedback must be open and honest and may be given without fear of adverse repercussions.
Obtain Employee Questions or Feedback for Policy Board How will you review and incorporate employee questions and feedback into policy edits and changes as needed?
Challenge Exercise (0/2 completed)
Note: The following exercise is provided to allow independent, unguided work using the skills you learned earlier in this lab - similar to what you would encounter in a real-world situation.
Security awareness training is a key component of any policy implementation plan. Videos often provide a balance between engagement and simplicity of delivery for a security awareness training program. In this exercise, you will review security awareness videos and use them to create a simple security awareness training program.
Navigate to the Center for Development of Security Excellence website ( https://www.cdse.edu/index.html ) and review the training videos in the “Security Training Videos” section.
Compile a list of videos that would provide a total of 30 to 45 minutes of content, organizing the videos in an order that you believe would best supply the appropriate security awareness training.
Explain your security awareness training program and its purpose.