
Laboratory #2

Lab #2: Develop an Organization-Wide Policy Framework Implementation Plan


Lab #2 – Organization-Wide Policy Framework Implementation Plan Worksheet
Course Name: __________IAP301________________________________________________
Student Name: ___________Huỳnh Ngọc Cường____________________________________
Instructor Name: _______________NguyenPHT______________________________________
Lab Due Date: ____________ Friday, 1 March 2024, 12:00______________________________

Overview
In this lab, you are to create an organization-wide policy framework implementation plan for
two organizations that are merging. The parent organization is a medical clinic under HIPAA
compliance law.
They recently acquired a remote medical clinic that provides a specialty service. This clinic is
organized in a flat structure, but the parent organization is organized in a hierarchical structure
with many departments and medical clinics.

Instructions
Using Microsoft Word, create a Policy Framework Implementation Plan according to the
following policy implementation plan outline:
• Publish Your Policies for the Acquired Clinic – {Explain your strategy}
• Communicate Your Policies to the Acquired Clinic Employees – {How are you going to do
 this?}
• Involve Human Resources & Executive Management - {How do you do this smoothly?}
• Incorporate Security Awareness and Training for the New Clinic – {How can you make
this
 fun and engaging?}
• Release a Monthly Organization-Wide Newsletter for All – {How can you make this short
 and to the point?}
• Implement Security Reminders on System Login Screens for All – {For access to sensitive
 systems only}
• Incorporate On-Going Security Policy Maintenance for All – {Review and obtain feedback
 from employees and policy compliance monitoring}
• Obtain Employee Questions or Feedback for Policy Board – {Review and incorporate into
 policy edits and changes as needed}
Parent Medical Clinic acquires Specialty Medical Clinic

Publish Your Policies for the New Clinic


{Explain your strategy}

For every new medical clinic, the new policies for the clinic will be organized by the parent
organization. The parent organization is responsible for all the rules and regulations for
developing the clinic, and it consists of a group of people who are responsible for setting up
the new policies for the clinic. There will be two groups in this organization, a parent group
and a child group, each having its own policies for setting up a new medical clinic. The child
group gives ideas to the parent group. The parent group is responsible for introducing the new
policies, combining the running policies and the new policies of both the child and the parent
group. The newly established policies are then given to the employees, and the organization
documents should be updated.
Communicate Your Policies to the New Clinic Employees
{How are you going to do this?}

Implement a business web server for the clinic system to support management and
communication. Provide a local email domain for each employee. Hold a weekly meeting to
collect and review the weekly report from the child group, and monthly or other meetings to
review progress, update policies, or make important announcements.
Involve Human Resources & Executive Management
{How do you do this smoothly?}
With Executive Management, policy commitment and implementation must come from the
CEO and the president’s executive order for the entire organization, with policy monitoring and
disciplinary action taken for policy violations. With Human Resources, employees and
contractors/consultants must conform to all organization-wide policies. Violations of policies
are considered an employer-employee issue upon which proper disciplinary action must be
taken. Repeat or continued violations of organization-wide policies may be grounds for
termination of employment, depending upon the severity of the violation. Non-employees
should be provided with limited access and connectivity as per the policy definition. The parent
organization will have Human Resources and Executive Management departments, with a
dedicated team that implements and manages these policies accurately.

Incorporate Security Awareness and Training for the New Clinic


{How can you make this fun and engaging?}
Perform and keep up security awareness training for all employees. Persuade employees of
the importance of security awareness and show them how risky problems can be. Train them
to improve problem solving and to ensure good compliance. Update the training flexibly.
Release a Monthly Organization Wide Newsletter for All
{How can you make this newsletter succinct?}
Announce progress, updates, events, and future plans truthfully, and motivate everyone.
Implement Security Reminders on System Login Screens for All
{For access to sensitive systems only}
Organize the hierarchical network system to classify privileged and non-privileged users,
restricting access and improving the security of the system.
Incorporate On-Going Security Policy Maintenance for All
{Review and obtain feedback from employees and policy compliance monitoring}
Review and obtain feedback from employees. Then analyze, maintain, update, and monitor
security policies suitably and flexibly. Seriously restrict and terminate security policy violations.
On the other hand, good compliance and good performance will be rewarded.
Obtain Employee Questions or Feedback for Policy Board
{Review and incorporate into policy edits and changes as needed}
All questions and feedback are welcome. They will be reviewed and incorporated into policy
edits and changes as needed. Moreover, all questions will receive suitable answers from the
HR department as soon as possible.
Note: Your policy framework implementation plan should be no more than three pages long.
Student Lab Manual

Lab #2 – Assessment Worksheet


Develop an Organization-Wide Policy Framework Implementation Plan
Course Name: __________IAP301________________________________________________
Student Name: ___________Huỳnh Ngọc Cường____________________________________
Instructor Name: _______________NguyenPHT______________________________________
Lab Due Date: ____________ Friday, 1 March 2024, 12:00______________________________

Overview
In this lab, you participated in classroom discussions on information systems security policy
implementation issues. These issues and questions included the following topics:
• How to deal with people and human nature
• What motivates people
• Understanding different personality types of employees
• Identifying the characteristics of a flat organizational structure
• Identifying the characteristics of a hierarchical organizational structure
• What makes an IT security policy “stick”?
• How do you monitor organizational compliance?
• What is the ongoing role of executive management?
• What is the ongoing role of human resources?
• Why is conducting an annual audit and security assessment for policy compliance
important?

Lab Assessment Questions & Answers


1. What are the differences between flat and hierarchical organizations?
Flat Organizations:
- Pros:
+ Easier decision making
+ Higher sense of employee responsibility
+ Lower budget costs
+ Faster communication

- Cons:
+ Difficulty maintaining structure throughout business growth
+ Confusion without a chain of command
+ Work-life balance being hard to maintain
Hierarchical Organizations:
- Pros:
+ Better levels of responsibility and employee requirements
+ A clear picture of accountability
+ Specialized positions and responsibilities
+ Less pressure on employees, especially new employees
- Cons:
+ Complexity in cross-department communication
+ Increased business costs
+ Less collaboration between departments
+ A rigid structure limits innovation
2. Do employees behave differently in a flat versus hierarchical organizational structure?
A hierarchical organizational model has clearly defined roles and positions. An employee in
such an organization knows whom he has to report to and who reports to him. Models such as
these tend to fulfill company goals rather than individual ones. Employees accept orders and
directives and expect to be “managed” by those in higher ranks than them, and they, in turn,
assign tasks and directions and oversee the activities of those who report to them. Such
employees tend to have a more traditional outlook towards duties, expectations, work, and
accountability. In a flat organization, there is more emphasis on creativity, individuality,
self-motivation, and personal accountability. Each person is expected to take ownership of his
own projects and tasks, to hold himself to high standards, and to deliver results that satisfy
his own level of excellence, not because he has to report to another person. An employee in
such an organization behaves with more personal freedom and creativity, and generally works
and delivers on his own terms, without adhering to traditional ideas of leadership and
management.
3. Do employee personality types differ between these organizations?
- Commander - Being “demanding and domineering” they would need to give orders to thrive,
and clearly fit better in a hierarchical organization.
- Drifter - Billed to be “free-spirited, disorganized and impulsive”, drifters would feel stifled in a
hierarchical organization and would fit better in a flat one.
- Attacker – Being “angry, hostile, and cynical”, they would find plenty of targets to “attack” in a
hierarchical model, and being in a flat model may help them be more positive towards work
as they are answerable only to themselves.
- Pleaser – As “thoughtful, pleasant and helpful” people they would do well in a hierarchical
organization. They may not do so great in a flat one, as they are probably more used to taking
orders and pleasing others than being self-motivated and self-directed.
- Performers – Their main source of motivation is said to be “recognition”, so they would
probably do well in either kind of organization as long as they get the lion’s share of
recognition.
- Avoiders – They are said to be “quiet and reserved and prefer to work alone”. They would do
well in the lower ranks of the hierarchical model and may even thrive in a flat organization as
they can work of their own accord.
- Analyst – They are said to be “cautious, precise, and diligent” and would do well in both types
of organization, as long as their role and project demand clinical analysis and logical application.
- Achievers – “Content, peaceful, and pleasant” are the words used to describe achievers. They
would thrive in both types of organizational structure, as they can be good leaders as well as
self-motivated.
4. What makes it difficult for implementation in flat organizations?
A flat organization has minimal rules and monitoring – it works by hiring self-motivated people
who set the bar high for themselves and work for personal satisfaction rather than the
fulfillment of a role. Such organizations pride themselves on being organic, easy-going, and
individualistic. Implementing policies may be challenging, as no one may seem to realize the
need for one, and even if they do, its acceptance may be challenged and it may not be adopted,
as it could be viewed as curbing creativity and as introducing bureaucracy and external
regulation.
5. What makes it difficult for implementation in hierarchical organizations?

In a hierarchical organization, policies are the backbone. Yet, introducing and implementing
new policies can be a huge challenge, as there needs to be “managerial buy-in” at various
levels. More often than not the importance and need for a new policy may get lost in
translation through the various strata of hierarchy and the process and protocol involved, and
the policy may never see the light of day. However, once approved by all levels of
management, implementing the policy is not much of a challenge as orders that come from
upper management are taken seriously and adhered to.
6. How do you overcome employee apathy towards policy compliance?
- Employee apathy is an indication of an organization that doesn’t treat its employees as
stakeholders. While much is written and discussed regarding “managerial buy-in”, employee
involvement is often overlooked. It is crucial for an organization to get its employees to know
and understand their policies, accept them, and abide by them in order for the organization to
grow in accordance with the vision that directed the creation of the policies.
- Some of the ways to overcome employee apathy are:
+ Making policies user-friendly – While legal verbiage is necessary, a policy can also be
creatively and interactively presented.
+ Communication – Communication about existing policies is vital. More often than not,
ignorance of policies causes violations.
+ Highlight what is at stake – Employees should be alerted to what is at stake. It could be
fines and lawsuits for the company or personal repercussions for the violator of the policy.
+ Mandatory policy review – Reviewing policies and taking a short “quiz” at the end can help
employees understand the importance of policies and exactly what is expected of them.
+ Streamline policies – Policy overwhelm is a genuine source of fatigue. The organization
should be very clear on which policies are absolutely essential, retire legacy ones, and keep
policies as simple, accessible, and minimal as possible.
+ Seek feedback – Seeking employee feedback helps generate involvement, participation,
and communication, breaking apathy.
7. What solution makes sense for the merging of policy frameworks from both a flat and
hierarchical organizational structure?
Implement a hybrid flat-hierarchical policy framework that defines the mandatory policies
dictated by law or other mandates, and other organization-specific policies that foster
communication and business process-sharing. Allowing free and open communication within
an organization that still has structure is the key to defining a hybrid policy framework.
8. What type of disciplinary action should organizations take for information systems security
violations?
Disciplinary actions for non-compliance may be as simple as employee reprimands, employee
performance reviews, performance demerits, or compensation adjustments. For repeat
offenders, this may lead to termination of employment. If privacy data or confidential data are
lost or stolen, criminal charges may be brought, not to mention termination of employment.
9. What is the most important element to have in policy implementation?
Executive management support from the CEO and president of the organization.
10. What is the most important element to have in policy enforcement?
Human resources must be involved with the disciplinary actions taken when employees violate
information system security policies. The policy must be defined in the employee handbook
and the organization’s code of conduct as part of the acceptance of employment by the
employee. The separation of duties between employer and employee is critical to have as part
of the overall policy enforcement.
11. Which domain of the 7-Domains of a Typical IT Infrastructure would an Acceptable Use
Policy (AUP) reside? How does an AUP help mitigate the risks commonly found with employees
and authorized users of an organization’s IT infrastructure?
- User domain
- These risks can be mitigated by strong security controls and policies as well as comprehensive
security and awareness training for all employees. Policies that control employees’ behavior
and create a clear legal separation between the employee and the employer, such as an
Acceptable Use Policy (AUP), are definitely needed.
12. In addition to the AUP to define what is acceptable use, what can an organization
implement within the LAN-to-WAN Domain to help monitor and prevent employees and
authorized users in complying with acceptable use of the organization’s Internet link?
A best practice in security is “defense in depth”. This means securing resources through a
variety of controls so that if one control fails, there are other defenses in place that can provide
security and act as backups to an organization's defense. A firewall should exist between the
WAN (Internet) and the LAN, and another should exist between the DMZ and the LAN. Access
to the DMZ should never come from the LAN because a breach of the DMZ would allow
hackers an internal position to launch further attacks inside the network. Proper network
perimeter design including multiple firewalls coupled with a strong defense in depth strategy,
would help mitigate these threats.
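The perimeter layout described in this answer, written out as an nftables forward-chain ruleset. This is an added example, not part of the original worksheet or the lab manual; it collapses the two firewalls onto one router with three interfaces, and the interface names, address ranges and permitted ports are assumptions.

```nft
#!/usr/sbin/nft -f
# Added example (not from the worksheet): three-zone perimeter for the clinic.
# Interface names, address ranges and ports are assumptions for illustration.
define WAN_IF  = "wan0"                # Internet-facing link
define DMZ_IF  = "dmz0"                # public web server segment
define LAN_IF  = "lan0"                # clinic workstations and servers
define DMZ_NET = 192.0.2.0/24          # constructed, RFC 5737 documentation range
define LAN_NET = 10.10.0.0/16          # constructed

flush ruleset

table inet clinic_perimeter {
    chain forward {
        # Defense in depth starts with deny-by-default between zones
        type filter hook forward priority 0; policy drop;

        ct state invalid drop
        # Replies for flows that a rule below has already admitted
        ct state established,related accept

        # Outer firewall: LAN -> Internet, egress limited to web and DNS
        iifname $LAN_IF oifname $WAN_IF ip saddr $LAN_NET tcp dport { 80, 443 } accept
        iifname $LAN_IF oifname $WAN_IF ip saddr $LAN_NET udp dport 53 accept

        # Outer firewall: Internet -> DMZ, only the published HTTPS service
        iifname $WAN_IF oifname $DMZ_IF ip daddr $DMZ_NET tcp dport 443 accept

        # Inner firewall: DMZ -> LAN is never forwarded, so a compromised
        # DMZ host gains no internal foothold; log attempts for the SOC
        iifname $DMZ_IF oifname $LAN_IF log prefix "dmz-to-lan-denied: " drop

        # Inner firewall: LAN -> DMZ is not forwarded either, as the answer
        # requires; DMZ hosts are managed over a separate path (assumption)
        iifname $LAN_IF oifname $DMZ_IF log prefix "lan-to-dmz-denied: " drop

        # Anything else (e.g. Internet -> LAN) falls through to policy drop
    }
}
```

Load with `nft -f` and verify with `nft list ruleset`; the two logged drop rules give a quick compliance check that nothing from the DMZ is reaching the LAN.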
13. What can you do in the Workstation Domain to help mitigate the risks, threats, and
vulnerabilities commonly found in this domain? Remember the Workstation Domain is the
point of entry for users into the organization’s IT infrastructure.
To mitigate these risks, you should have a comprehensive workstation policy and a control
system to check that the policy is being followed. You should also have a password policy that
ensures strong passwords are used (and, in the case of the DoD, a CAC card for access to
workstations). For remote devices, you should have a secure VPN that is highly restrictive and
controlled.
14. What can you do in the LAN Domain to help mitigate the risks, threats, and vulnerabilities
commonly found in this domain? Remember the LAN Domain is the point of entry into the
organization’s servers, applications, folders, and data.
Proper training of individuals, and the proper amount of them, in conjunction with strong
security policies, will help to mitigate these risks.
15. What do you recommend for properly communicating the recommendations you made in
Question #13 and Question #14 above for both a flat organization and a hierarchical
organization?
To sum up, both organizations should have a good executive management department and
suitable policies, and keep up security skills and awareness training for all users. Moreover,
they should have flexibility in problem solving to be more effective.
