Lab #2 – Organization-Wide Policy Framework

Implementation Plan Worksheet

Course Name: IAP301


Student Name: Quanndse151007
Instructor Name: DinhMH
Lab Due Date: 17/5/2023

Overview
In this lab, you are to create an organization-wide policy framework implementation plan for two
organizations that are merging. The parent organization is a medical clinic under HIPAA compliance
law. They recently acquired a remote medical clinic that provides a specialty service. This clinic is
organized in a flat structure, but the parent organization is organized in a hierarchical structure with
many departments and medical clinics.

Instructions
Using Microsoft Word, create a Policy Framework Implementation Plan according to the following
policy implementation plan outline:
• Publish Your Policies for the Acquired Clinic – {Explain your strategy}
• Communicate Your Policies to the Acquired Clinic Employees – {How are you going to do this?}
• Involve Human Resources & Executive Management – {How do you do this smoothly?}
• Incorporate Security Awareness and Training for the New Clinic – {How can you make this fun and
engaging?}
• Release a Monthly Organization-Wide Newsletter for All – {How can you make this short and to
the point?}
• Implement Security Reminders on System Login Screens for All – {For access to sensitive systems
only}
• Incorporate On-Going Security Policy Maintenance for All – {Review and obtain feedback from
employees and policy compliance monitoring}
• Obtain Employee Questions or Feedback for Policy Board – {Review and incorporate into policy
edits and changes as needed}
Parent Medical Clinic Acquires Specialty Medical Clinic
1. Publish Your Policies for the Acquired Clinic
Our strategy for publishing the policies for the acquired clinic will involve creating a
centralized online portal where all policies can be easily accessed and reviewed by employees. We
will also make sure to provide physical copies of the policies in a location that is easily accessible
to all employees.
2. Communicate Your Policies to the Acquired Clinic Employees
To effectively communicate our policies to the acquired clinic employees, we will hold
an all-staff meeting where the policies will be reviewed and discussed. We will also
give each employee a copy of the policies and allow ample time for employees to review
them and ask questions.
3. Involve Human Resources & Executive Management
To involve human resources and executive management in the policy implementation
process, we will establish a cross-functional team made up of representatives from both HR
and executive management. This team will be responsible for developing and implementing
the policies, as well as monitoring compliance.
4. Incorporate Security Awareness and Training for the New Clinic
To make security awareness and training fun and engaging, we will use interactive methods
such as quizzes, games, and simulations to deliver the training. Additionally, we will provide
interactive workshops and offer incentives for employees who complete the training.
5. Release a Monthly Organization-Wide Newsletter for All
To make our monthly organization-wide newsletter short and to the point, we will focus on
highlighting key updates, policy reminders, and upcoming events. We will also make sure to
include a section for employee feedback and questions.
6. Implement Security Reminders on System Login Screens for All
To remind employees of security policies, we will implement security reminders on the
login screens of all sensitive systems. This will help ensure that employees are aware of and follow
the appropriate security protocols.
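As an added illustration of item 6 (not part of the worksheet), the script below stages a pre-authentication reminder for Linux hosts reached over SSH: OpenSSH's `Banner` directive displays the contents of a text file before the login prompt, and `/etc/issue.net` is the conventional place for that text. The staging prefix argument, the banner wording, and the drop-in file name `50-login-banner.conf` are constructed for this example; the drop-in only takes effect on systems whose `sshd_config` includes `/etc/ssh/sshd_config.d/*.conf`. The `check_banner` function is the piece a compliance check (item 7) would run on each sensitive system.

```shell
#!/bin/sh
# Added example: stage a pre-authentication login reminder for OpenSSH.
# The first argument is a staging prefix: "" for the live system (run as
# root), or a temporary directory for testing and review without privileges.

# Write the reminder text that sshd shows before the password prompt.
# The wording is constructed for this example and is not the clinic's policy.
write_banner() {
    root="$1"
    mkdir -p "$root/etc"
    cat > "$root/etc/issue.net" <<'EOF'
*** NOTICE ***
This system processes protected health information (PHI).
Access is restricted to authorized personnel for authorized purposes.
Activity is logged and monitored. Report suspected misuse to the
Information Security team immediately.
EOF
}

# Write an sshd drop-in that points at the banner file.
write_sshd_dropin() {
    root="$1"
    mkdir -p "$root/etc/ssh/sshd_config.d"
    printf 'Banner /etc/issue.net\n' > "$root/etc/ssh/sshd_config.d/50-login-banner.conf"
}

# Compliance check: succeed only if the drop-in exists with the exact
# Banner line and the banner file itself is present and non-empty.
check_banner() {
    root="$1"
    conf="$root/etc/ssh/sshd_config.d/50-login-banner.conf"
    grep -q '^Banner /etc/issue.net$' "$conf" 2>/dev/null && [ -s "$root/etc/issue.net" ]
}

# Stage both files, then verify the result.
install_login_banner() {
    write_banner "$1"
    write_sshd_dropin "$1"
    check_banner "$1"
}

# Stand-alone run: stage into a temporary directory and report (no root needed).
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    if install_login_banner "$tmp"; then
        echo "banner staged under $tmp"
    else
        echo "banner check failed"
    fi
fi
```

After staging to the live system, validate the configuration with `sshd -t` and reload the service so the banner appears at the next connection. The Windows equivalent for clinic workstations is the Group Policy setting "Interactive logon: Message text for users attempting to log on", which can be pushed to the sensitive-system OU only, matching the "sensitive systems only" scope in the outline.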
7. Incorporate On-Going Security Policy Maintenance for All
To ensure that our security policies are up to date and effective, we will conduct regular
reviews and obtain feedback from employees. We will also monitor compliance with the policies and
make any necessary adjustments.
8. Obtain Employee Questions or Feedback for Policy Board
To ensure that our policies are responsive to the needs of our employees, we will
establish a policy board that will review and incorporate employee questions and feedback into
policy edits and changes as needed.
Develop an Organization-Wide Policy Framework Implementation Plan
Overview
In this lab, the main focus was on understanding the various issues and challenges that can
arise when implementing information systems security policies within an organization. The
discussions covered topics such as how to deal with human nature and what motivates people, as
well as identifying the characteristics of flat and hierarchical organizational structures.
One key point that was emphasized is the importance of understanding the different
personality types of employees and how they may impact compliance with security policies. It
was also discussed that having a clear and well-communicated policy that is consistently
enforced is essential for getting employees to comply.
Another important aspect of the lab was discussing the role of executive management and
human resources in maintaining policy compliance. It was emphasized that both groups play a
critical ongoing role in monitoring compliance and making necessary adjustments to the policy.
Finally, the importance of conducting regular audits and security assessments to ensure
policy compliance was also discussed. This helps organizations identify any areas where
compliance is lacking and make necessary changes to improve overall security.

Lab Assessment Questions & Answers


1. What are the differences between Flat and Hierarchical organizations?
In a flat organization, there are fewer levels of management and employees have
more autonomy and decision-making power. In a hierarchical organization, there are more
levels of management and a clear chain of command.
2. Do employees behave differently in a flat versus hierarchical organizational structure?
In a flat organization, employees may have more autonomy and may be less reliant on
management for direction, whereas in a hierarchical organization, employees may be more reliant
on management for direction and may have less autonomy.
3. Do employee personality types differ between these organizations?
Employee personality types may not differ significantly between flat and hierarchical
organizations, but certain personality types may be better suited to one organizational structure over
the other.

4. What makes it difficult for implementation in flat organizations?
Implementation may be more difficult in flat organizations due to a lack of clear lines
of authority and decision-making power.
5. What makes it difficult for implementation in hierarchical organizations?
Implementation may be more difficult in hierarchical organizations due to a slow decision-
making process and a lack of communication between levels of management.
6. How do you overcome employee apathy towards policy compliance?
To overcome employee apathy towards policy compliance, organizations can provide regular
training and education, make sure employees understand the importance of compliance, and provide
incentives for compliance.
7. What solution makes sense for the merging of policy frameworks from both a flat and
hierarchical organizational structure?
When merging policy frameworks from a flat and hierarchical organizational structure, it
may be beneficial to adopt a hybrid approach that incorporates elements of both structures.
8. What type of disciplinary action should organizations take for information systems
security violations?
Organizations should take disciplinary action for information systems security
violations based on the severity of the violation and the offender's past conduct. This could
include verbal or written warnings, suspension, or termination.
9. What is the most important element to have in policy implementation?
The most important element to have in policy implementation is clear communication
and buy-in from all employees.
10. What is the most important element to have in policy enforcement?
The most important element to have in policy enforcement is consistent and fair
enforcement of policies.
11. Which domain of the 7-Domains of a Typical IT Infrastructure would an Acceptable Use
Policy (AUP) reside? How does an AUP help mitigate the risks commonly found with
employees and authorized users of an organization’s IT infrastructure?
An Acceptable Use Policy (AUP) would reside in the Security Domain. An AUP helps
mitigate risks commonly found with employees and authorized users of an organization’s IT
infrastructure by defining what is considered acceptable use and outlining consequences for
non-compliance.
12. In addition to the AUP to define what is acceptable use, what can an organization
implement within the LAN-to-WAN Domain to help monitor and prevent employees and
authorized users from violating acceptable use of the organization’s Internet link?
In addition to the AUP, an organization can implement internet filtering, URL filtering, and
content filtering within the LAN-to-WAN Domain to help monitor and prevent employees and
authorized users from engaging in non-compliant use of the organization’s Internet link.
13. What can you do in the Workstation Domain to help mitigate the risks, threats, and
vulnerabilities commonly found in this domain? Remember the Workstation Domain is
the point of entry for users into the organization’s IT infrastructure.
In the Workstation Domain, organizations can implement endpoint security software and
regular security updates, as well as conduct regular security awareness training for employees to help
mitigate risks, threats, and vulnerabilities commonly found in this domain.
14. What can you do in the LAN Domain to help mitigate the risks, threats, and
vulnerabilities commonly found in this domain? Remember the LAN Domain is the point of
entry into the organization’s servers, applications, folders, and data.
In the LAN Domain, organizations can implement network segmentation, intrusion
detection/prevention systems, and regular security updates to help mitigate risks, threats, and
vulnerabilities commonly found in this domain.
15. What do you recommend for properly communicating the recommendations you made
in Question #13 and Question #14 above for both a flat organization and a hierarchical
organization?
For proper communication, it is important to clearly outline the recommendations and the
reasoning behind them, and to provide regular reminders and updates on their implementation. This
can be done through company-wide meetings, email or intranet communication, and employee
training sessions. It is also important to ensure that employees at all levels understand the
recommendations and their importance.