Week 2
Part 1
1. In your browser, navigate to https://bizfluent.com/info-11369248-employees-behave-differently-flat-vs-hierarchical-organizational-structure.html.
2. Read this article about how employees behave differently in contrasting organizations.
3. Discuss how employee behavior changes depending on the organizational structure in which the employee works. 1 Page Answer
Part 2
Review the following scenario for the fictional Specialty Medical Clinic: The Specialty Medical Clinic is a fictional medical clinic that is currently being acquired by a larger organization, United Medical Services. United Medical Services follows a hierarchical structure with multiple departments and clinics. The Specialty Medical Clinic is a flat organization. You are a policy analyst working for United Medical Services and have been tasked with extending the parent organization's security policy framework to the newly acquired clinic.
Create a policy framework implementation plan for the fictional Specialty Medical Clinic.
United Medical Services Acquires Specialty Medical Clinic
1. Publish Your Policies for the New Clinic Explain your strategy ½ page
2. Communicate Your Policies to the New Clinic Employees How are you going to communicate policies to employees? ½ page
Note: Special all-hands meetings, called “town hall meetings,” can be held between team or departmental leads. Team leaders might then share the information they’ve gained from town hall meetings with employees.
Involve Human Resources and Executive Management How would you smoothly involve HR and executive management? ½ page Answer
Incorporate Security Awareness and Training for the New Clinic How do you make the training fun and engaging? ½ page Answer
Note: Like any mandatory training, employees often dread mandatory security awareness training. It can be dry, not relevant to their positions, and a distraction from what they’re paid to do. But it doesn’t have to be that way. As with any training, security awareness training can become more effective by employing unconventional or interactive delivery mechanisms. For example, rather than requiring employees to read a policy and take an assessment quiz, the employees could participate in a role-playing exercise with teams of “good guys” and “bad guys.” This type of training takes considerably more planning, but, once it’s designed for a small group, the exercise is easily repeatable. The training will likely be talked about and remembered for much longer.
User behavior will also more likely be changed if the training is tailored to the employees and their specific department. An employee in shipping may be more receptive if security topics are presented in the context of freight docks rather than a cubicle setting. Relevance goes a long way toward fostering real learning.
Finally, the rationale behind the security training must be explained. Without presenting the why, or the consequences, the employees have little reason to internalize the valuable training.
Release a Monthly Organization-Wide Newsletter How can you make this newsletter succinct and informative? ½ page answer
Implement Security Reminders on System Log-in Screens Which critical systems would you deploy these to? ½ page answer
Incorporate Ongoing Security Policy Maintenance for All How will you review and obtain feedback from employees and policy-compliance monitoring? ½ page answer
Note: Be mindful that a new policy or procedure doesn’t negatively impact a business process or create unintended challenges in a particular department. When users find that a policy is going to make their jobs harder, they’re much more likely to try to circumvent that policy.
Employee feedback may be the only method for revealing how a policy might impose unintended challenges on an employee. Be certain to clearly communicate, to leaders and employees alike, that feedback must be open and honest and may be given without fear of adverse repercussions.
Obtain Employee Questions or Feedback for Policy Board How will you review and incorporate employee questions and feedback into policy edits and changes as needed? ½ page answer
Part 3
Note: The following exercise is provided to allow independent, unguided work using the skills you learned earlier in this lab - like what you would encounter in a real-world situation.
Security awareness training is a key component of any policy implementation plan. Videos often provide a balance between engagement and simplicity of delivery for a security awareness training program. In this exercise, you will review security awareness videos and use them to create a simple security awareness training program.
Navigate to the Center for Development of Security Excellence website (https://www.cdse.edu/index.html) and review the training videos in the “Security Training Videos” section.
Compile a list of videos that would provide a total of 30 to 45 minutes of content, organizing the videos in an order that you believe would best supply the appropriate security awareness training.
Explain your security awareness training program and its purpose.