
Lab #2 – Organization-Wide Policy Framework Implementation Plan Worksheet

Đào Quốc Trung


SE151141
Parent Medical Clinic
Acquires Specialty Medical Clinic
1. Publish Your Policies for the Acquired Clinic
Our strategy for publishing the policies for the acquired clinic will involve creating a
centralized online portal where all policies can be easily accessed and reviewed by employees. We
will also make sure to provide physical copies of the policies in a location that is easily accessible to
all employees.
2. Communicate Your Policies to the Acquired Clinic Employees
To effectively communicate our policies to the acquired clinic employees, we will hold an
all-staff meeting where the policies will be reviewed and discussed. We will also provide each
employee with a copy of the policies and make sure to provide ample time for employees to review
and ask questions.
3. Involve Human Resources & Executive Management
To involve human resources and executive management in the policy implementation
process, we will establish a cross-functional team made up of representatives from both HR and
executive management. This team will be responsible for developing and implementing the policies,
as well as monitoring compliance.
4. Incorporate Security Awareness and Training for the New Clinic
To make security awareness and training fun and engaging, we will use interactive methods
such as quizzes, games, and simulations to deliver the training. Additionally, we will provide
interactive workshops and offer incentives for employees who complete the training.
5. Release a Monthly Organization-Wide Newsletter for All
To make our monthly organization-wide newsletter short and to the point, we will focus on
highlighting key updates, policy reminders, and upcoming events. We will also make sure to include a
section for employee feedback and questions.
6. Implement Security Reminders on System Login Screens for All
To remind employees of security policies, we will implement a pre-login banner on every
system, not only the sensitive ones, so the notice is shown before a user authenticates. The banner
will state that the system is for authorized use only, that activity is monitored and logged, and that
continuing to log in constitutes acceptance of the Acceptable Use Policy. This keeps the policy in
front of employees at every login and puts them on notice of monitoring.
7. Incorporate On-Going Security Policy Maintenance for All
To ensure that our security policies are up to date and effective, we will conduct regular
reviews and obtain feedback from employees. We will also monitor compliance with the policies and
make any necessary adjustments.
8. Obtain Employee Questions or Feedback for Policy Board
To ensure that our policies are responsive to the needs of our employees, we will establish a
policy board that will review and incorporate employee questions and feedback into policy edits and
changes as needed.
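One way to implement the login-screen reminders from item 6 on a Linux host, as an added example that is not part of this worksheet: the script writes the notice to /etc/issue (displayed by the console login prompt) and /etc/issue.net, and sets the sshd Banner directive so SSH users see the text before they are asked for a password. The ROOT prefix argument, the install_banner and check_banner function names, and the banner wording are assumptions made for this example; running it against / requires root and a reload of sshd afterwards.

```shell
#!/bin/sh
# Added example (not from the lab worksheet): install and verify a pre-login
# security reminder on a Linux host. ROOT is a hypothetical prefix so the
# functions can be exercised against a scratch directory instead of the live /etc.
set -eu

# Wording is an assumption for this example; use the text approved by the policy board.
BANNER_TEXT='*** NOTICE: Authorized use only ***
This system belongs to Parent Medical Clinic. All activity is monitored and
logged. By continuing you agree to the Acceptable Use Policy.'

# install_banner ROOT
# Writes the notice to ROOT/etc/issue (console logins) and ROOT/etc/issue.net
# (network logins) and points sshd at issue.net so it is shown before
# authentication. Re-running is idempotent: any existing Banner directive,
# active or commented out, is replaced rather than duplicated.
install_banner() {
    root=$1
    mkdir -p "$root/etc/ssh"
    printf '%s\n' "$BANNER_TEXT" > "$root/etc/issue"
    cp "$root/etc/issue" "$root/etc/issue.net"
    cfg="$root/etc/ssh/sshd_config"
    [ -f "$cfg" ] || : > "$cfg"
    # grep -v exits 1 when nothing is left to print (e.g. empty file); that is fine.
    grep -v -E '^[[:space:]]*#?[[:space:]]*Banner[[:space:]]' "$cfg" > "$cfg.tmp" || true
    printf 'Banner /etc/issue.net\n' >> "$cfg.tmp"
    mv "$cfg.tmp" "$cfg"
}

# check_banner ROOT
# Returns 0 when the reminder is in place: both issue files carry the notice
# and sshd_config has exactly one active Banner directive pointing at it.
check_banner() {
    root=$1
    grep -q 'Acceptable Use Policy' "$root/etc/issue" || return 1
    grep -q 'Acceptable Use Policy' "$root/etc/issue.net" || return 1
    # grep -c prints the count even when it exits 1 for zero matches.
    n=$(grep -c -E '^Banner[[:space:]]+/etc/issue\.net$' "$root/etc/ssh/sshd_config" || true)
    [ "$n" -eq 1 ]
}

# Run directly as:  sh banner.sh /             (live host, needs root; then reload sshd)
#              or:  sh banner.sh /tmp/scratch  (dry run against a prefix directory)
if [ -n "${1:-}" ]; then
    install_banner "$1"
    check_banner "$1" || { echo "banner check failed under $1" >&2; exit 1; }
    echo "security reminder installed under $1"
fi
```

On a live host, run it with / as the prefix and then reload sshd (for example `systemctl reload sshd`) so the new Banner directive takes effect; check_banner can also be run on its own from a compliance script to confirm the reminder has not been removed.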

Develop an Organization-Wide Policy Framework Implementation Plan


Overview
In this lab, the main focus was on understanding the various issues and challenges that can
arise when implementing information systems security policies within an organization. The
discussions covered topics such as how to deal with human nature and what motivates people, as well
as identifying the characteristics of flat and hierarchical organizational structures.
One key point that was emphasized is the importance of understanding the different
personality types of employees and how they may impact compliance with security policies. It was
also discussed that having a clear and well-communicated policy that is consistently enforced is
essential for getting employees to comply.
Another important aspect of the lab was discussing the role of executive management and
human resources in maintaining policy compliance. It was emphasized that both groups play a critical
ongoing role in monitoring compliance and making necessary adjustments to the policy.
Finally, the importance of conducting regular audits and security assessments to ensure policy
compliance was also discussed. This helps organizations identify any areas where compliance is
lacking and make necessary changes to improve overall security.
Lab Assessment Questions & Answers
1. What are the differences between a Flat and Hierarchical organizations?
In a flat organization, there are fewer levels of management and employees have more
autonomy and decision-making power. In a hierarchical organization, there are more levels of
management and a clear chain of command.
2. Do employees behave differently in a flat versus hierarchical organizational structure?
In a flat organization, employees may have more autonomy and may be less reliant on
management for direction, whereas in a hierarchical organization, employees may be more reliant on
management for direction and may have less autonomy.
3. Do employee personality types differ between these organizations?
Employee personality types may not differ significantly between flat and hierarchical
organizations, but certain personality types may be better suited to one organizational structure over
the other.
4. What makes it difficult for implementation in flat organizations?
Implementation may be more difficult in flat organizations due to a lack of clear lines of
authority and decision-making power.
5. What makes it difficult for implementation in hierarchical organizations?
Implementation may be more difficult in hierarchical organizations due to a slow decision-
making process and a lack of communication between levels of management.
6. How do you overcome employee apathy towards policy compliance?
To overcome employee apathy towards policy compliance, organizations can provide regular
training and education, make sure employees understand the importance of compliance, and provide
incentives for compliance.
7. What solution makes sense for the merging of policy frameworks from both a flat and
hierarchical organizational structure?
When merging policy frameworks from a flat and hierarchical organizational structure, it may
be beneficial to adopt a hybrid approach that incorporates elements of both structures.
8. What type of disciplinary action should organizations take for information systems security
violations?
Organizations should take disciplinary action for information systems security violations
based on the severity of the violation and the offender's past conduct. This could include verbal or
written warnings, suspension, or termination.
9. What is the most important element to have in policy implementation?
The most important element to have in policy implementation is clear communication and
buy-in from all employees.
10. What is the most important element to have in policy enforcement?
The most important element to have in policy enforcement is consistent and fair enforcement
of policies.
11. Which domain of the 7-Domains of a Typical IT Infrastructure would an Acceptable Use
Policy (AUP) reside? How does an AUP help mitigate the risks commonly found with employees
and authorized users of an organization’s IT infrastructure?
An Acceptable Use Policy (AUP) resides in the User Domain, the domain that covers the
people who access the organization's IT infrastructure. An AUP helps mitigate the risks commonly
found with employees and authorized users by defining what is acceptable and prohibited use of
systems, data, and the Internet link, putting users on notice that their activity is monitored, stating
the consequences of non-compliance, and making a signed acknowledgement of the policy a condition
of being granted access.
12. In addition to the AUP to define what is acceptable use, what can an organization implement
within the LAN-to-WAN Domain to help monitor and prevent employees and authorized users
in complying with acceptable use of the organization’s Internet link?
In addition to the AUP, an organization can implement a web proxy with URL and content
filtering within the LAN-to-WAN Domain, along with egress firewall rules that force all outbound
web traffic through that proxy. Logging the proxy and firewall traffic makes it possible to detect
non-compliant use of the organization's Internet link and to attribute it to a specific user.
13. What can you do in the Workstation Domain to help mitigate the risks, threats, and
vulnerabilities commonly found in this domain? Remember the Workstation Domain is the
point of entry for users into the organization’s IT infrastructure.
In the Workstation Domain, organizations can implement endpoint protection (anti-malware
and a host firewall), automated patch management so security updates are applied promptly, removal
of local administrator rights from everyday user accounts, full-disk encryption, and screen-lock
timeouts, together with regular security awareness training for employees, to help mitigate the risks,
threats, and vulnerabilities commonly found in this domain.
14. What can you do in the LAN Domain to help mitigate the risks, threats, and vulnerabilities
commonly found in this domain? Remember the LAN Domain is the point of entry into the
organization’s servers, applications, folders, and data.
In the LAN Domain, organizations can implement network segmentation (for example, keeping
clinical systems and medical devices on separate segments from general office workstations),
intrusion detection/prevention systems, network access control so only authorized devices can
connect, least-privilege access controls on shared folders and servers, centralized logging, and
regular security updates to help mitigate the risks, threats, and vulnerabilities commonly found in
this domain.
15. What do you recommend for properly communicating the recommendations you made in
Question #13 and Question #14 above for both a flat organization and a hierarchical
organization?
For proper communication, it is important to clearly outline the recommendations and the
reasoning behind them, and to provide regular reminders and updates on their implementation. This
can be done through company-wide meetings, email or intranet communication, and employee
training sessions. It is also important to ensure that employees at all levels understand the
recommendations and their importance.
