Lab #2 – Organization-Wide Policy Framework Implementation Plan Worksheet
Course Name: IAP301
Student Name: Nguyen Anh Kiet
Instructor Name: DinhMH
Lab Due Date: 19/01/2025
Scenario: Parent Medical Clinic Acquires Specialty Medical Clinic
- Publish Your Policies for the New Clinic
Publish policies via the company intranet and provide a "Policy Manual" for easy access. Distribute during onboarding and town hall meetings.
- Communicate Your Policies to the New Clinic Employees
Use all-hands meetings, explainer videos, FAQs, and team-level Q&A sessions to ensure clear understanding and compliance.
- Involve Human Resources & Executive Management
Partner with HR to integrate policies into onboarding and have executives announce and endorse them to demonstrate leadership commitment.
- Incorporate Security Awareness and Training for the New Clinic
Use gamification, scenario-based training videos, workshops, and rewards to make security training engaging and fun.
- Release a Monthly Organization-Wide Newsletter for All
Keep newsletters concise (one page), with visuals, tips, updates, and an engaging "Did You Know?" section.
- Implement Security Reminders on System Login Screens for All
Add concise, rotating security tips on login screens for sensitive systems, with links to resources for more details.
- Incorporate On-Going Security Policy Maintenance for All
Schedule quarterly policy reviews, gather employee feedback via anonymous forms, and monitor compliance metrics to keep policies relevant.
- Obtain Employee Questions or Feedback for Policy Board
Create an online suggestion box and host quarterly town halls to address employee questions and incorporate feedback into policy updates.
Lab #2 – Assessment Worksheet
Develop an Organization-Wide Policy Framework Implementation Plan
Overview
In this lab, you participated in classroom discussions on information systems security policy
implementation issues. These issues and questions included the following topics:
• How to deal with people and human nature
• What motivates people
• Understanding different personality types of employees
• Identifying the characteristics of a flat organizational structure
• Identifying the characteristics of a hierarchical organizational structure
• What makes an IT security policy “stick”?
• How do you monitor organizational compliance?
• What is the ongoing role of executive management?
• What is the ongoing role of human resources?
• Why is conducting an annual audit and security assessment for policy compliance important?
Lab Assessment Questions & Answers
1. What are the differences between flat and hierarchical organizations?
• Structure:
- Flat: Few or no management layers; direct reporting to leadership.
- Hierarchical: Multiple levels of management with clear chains of command.
• Decision-Making:
- Flat: Decentralized; employees have more input.
- Hierarchical: Centralized; decisions made at the top.
• Communication:
- Flat: Open, informal, fast.
- Hierarchical: Formal, structured, slower.
• Roles:
- Flat: Broad, flexible roles with more autonomy.
- Hierarchical: Specialized, clearly defined roles.
• Adaptability:
- Flat: Highly adaptable, fosters innovation.
- Hierarchical: Rigid, focused on efficiency.
• Employee Engagement:
- Flat: High autonomy and empowerment.
- Hierarchical: Stability, but may lead to disengagement.
• Scalability:
- Flat: Hard to scale as the organization grows.
- Hierarchical: Easier to scale but can become bureaucratic.
2. Do employees behave differently in a flat versus hierarchical organizational structure?
• Autonomy:
- Flat: Employees are self-directed and make decisions independently, fostering ownership and initiative.
- Hierarchical: Employees rely on managers for guidance, with limited independence.
• Communication:
- Flat: Open and informal, encouraging collaboration and idea-sharing.
- Hierarchical: Formal and structured, often slower with top-down or bottom-up flow.
• Motivation:
- Flat: Driven by freedom, collaboration, and innovation, though unclear career paths may demotivate.
- Hierarchical: Motivated by clear roles, structure, and career progression, though rigid systems may reduce engagement.
• Innovation:
- Flat: Encourages creativity and risk-taking due to flexibility and openness.
- Hierarchical: Innovation is limited to management, with employees focused on following processes.
• Accountability:
- Flat: Employees are self-accountable, but inconsistent performance may occur without supervision.
- Hierarchical: Managers enforce accountability, creating consistency but sometimes micromanagement.
• Adaptability:
- Flat: Highly adaptable and quick to embrace change.
- Hierarchical: Resistant to change due to rigid structures, preferring stability.
3. Do employee personality types differ between these organizations?
Yes, personality types differ based on organizational structure:
Flat Organizations:
- Traits: Self-motivated, creative, collaborative, adaptable, risk-tolerant, and entrepreneurial.
- Personality Types: ENTP, ENFP, INTP, INFP (innovative, independent, big-picture thinkers).
- Best Fit: Employees who thrive in flexible, unstructured environments and value autonomy.
Hierarchical Organizations:
- Traits: Disciplined, detail-oriented, risk-averse, authority-respecting, stability-seeking, and focused on specialization.
- Personality Types: ISTJ, ISFJ, ESTJ, ESFJ (organized, rule-following, task-focused).
- Best Fit: Employees who prefer structured roles, clear rules, and defined career paths.
4. What makes policy implementation difficult in flat organizations?
Implementing changes in flat organizations is challenging due to their decentralized and non-hierarchical structure. Key difficulties include a lack of clear decision-making authority, slow consensus-based decision-making, resistance to bureaucracy, coordination challenges across teams, role ambiguity, scaling issues, limited oversight, informal communication, cultural resistance to change, and resource allocation problems.
5. What makes policy implementation difficult in hierarchical organizations?
Implementing changes in hierarchical organizations is challenging due to their rigid structure, bureaucracy, and top-down approach. Key difficulties include resistance to change, slow decision-making, communication gaps, siloed departments, lack of employee ownership, overreliance on leadership, cultural inertia, competing priorities, and complexity in scaling across multiple levels.
6. How do you overcome employee apathy towards policy compliance?
To overcome employee apathy towards policy compliance, organizations should focus on engagement, clear communication, and fostering accountability. Key strategies include:
- Communicate the "Why": Explain how policies protect the organization and employees, and connect them to real-world examples and goals.
- Simplify Policies: Use plain language, visual aids, and tailor policies to employees' roles.
- Make It Engaging: Incorporate gamification, competitions, and rewards to make compliance fun.
- Lead by Example: Ensure leaders and managers model compliant behavior and emphasize its importance.
- Provide Training: Offer interactive, relatable, and ongoing training programs with regular reminders.
- Gather Feedback: Create open channels for employees to share concerns and show their input matters.
- Highlight Benefits and Consequences: Clearly outline the risks of non-compliance and the benefits of adherence.
- Foster a Compliance Culture: Encourage accountability, teamwork, and recognize employees for compliance.
- Track and Follow Up: Monitor compliance, address gaps constructively, and provide feedback.
- Incentivize Compliance: Offer recognition, rewards, and career development tied to compliance efforts.
7. What solution makes sense for the merging of policy frameworks from both a flat and hierarchical organizational structure?
- Conduct a Gap Analysis: Identify overlaps, conflicts, and missing policies to align with shared goals and compliance needs.
- Form an Integration Team: Involve representatives from both organizations, including leadership and employees, to ensure inclusivity and buy-in.
- Design a Hybrid Framework: Standardize critical policies (e.g., compliance, security) while allowing flexibility for operational guidelines and autonomy.
- Communicate Clearly: Explain the purpose of the merger, tailor communication styles to both cultures, and encourage feedback.
- Preserve Cultural Strengths: Balance autonomy from the flat structure with oversight from the hierarchical one, avoiding unnecessary bureaucracy.
- Leverage Technology: Use centralized platforms and automation tools for policy management, communication, and compliance tracking.
- Provide Training: Develop unified, scenario-based training programs that cater to both cultures.
- Foster Collaboration: Promote joint ownership, celebrate milestones, and encourage ongoing feedback.
- Pilot Test and Roll Out Gradually: Start with a pilot to test the framework, refine it, and then scale it across the organization.
- Monitor and Improve: Continuously track compliance, gather feedback, and adjust policies to meet evolving needs.
8. What type of disciplinary action should organizations take for information systems security violations?
- Investigate Thoroughly: Determine if the violation was accidental, negligent, or intentional, and assess its impact.
- Disciplinary Actions by Severity:
  - Minor Violations (Accidental, Low Impact): Verbal warning, mandatory training, and documentation.
  - Moderate Violations (Negligence or Repeat Offenses): Written warning, access restrictions, or probation.
  - Severe Violations (Intentional, High Impact): Suspension, termination, legal action, or law enforcement involvement.
- Corrective Measures: Require retraining, monitor behavior, or revoke access privileges temporarily.
- Clear Policy Framework: Establish a policy that defines violations, consequences, and employee accountability, ensuring employees are aware of expectations.
- Prevention Over Punishment: Focus on training, communication, and fostering a supportive culture to reduce violations.
9. What is the most important element to have in policy implementation?
- Executive management support from the CEO and president of the organization.
10. What is the most important element to have in policy enforcement?
- The most important element in policy enforcement is consistency, as it ensures fairness, credibility, and trust in the policy framework.
11. Which domain of the 7 Domains of a Typical IT Infrastructure would an Acceptable Use Policy (AUP) reside in? How does an AUP help mitigate the risks commonly found with employees and authorized users of an organization's IT infrastructure?
An Acceptable Use Policy (AUP) resides in the User Domain of the 7 Domains of a Typical IT Infrastructure, as it governs how employees and authorized users interact with IT resources.
How an AUP Mitigates Risks:
- Prevents Misuse: Defines acceptable behaviors to prevent misuse of IT resources, such as accessing prohibited websites or installing unauthorized software.
- Enhances Security: Reduces risks of phishing, malware, and weak password practices by establishing clear security rules.
- Protects Sensitive Data: Enforces proper handling of confidential information to prevent data breaches.
- Ensures Regulatory Compliance: Educates users on their responsibilities to comply with industry standards like HIPAA or GDPR.
- Deters Insider Threats: Holds users accountable, reducing malicious or negligent behavior.
- Maintains Productivity: Limits personal use of IT systems to avoid wasted bandwidth and time.
- Facilitates Incident Response: Requires prompt reporting of security incidents, enabling faster resolution.
12. In addition to the AUP, which defines what acceptable use is, what can an organization implement within the LAN-to-WAN Domain to help monitor employees and authorized users and ensure they comply with acceptable use of the organization's Internet link?
- Web Content Filtering: Blocks access to inappropriate or high-risk websites.
- Next-Generation Firewalls (NGFW): Control traffic and enforce rules for allowed applications and websites.
- Secure Web Gateways (SWG): Filter web traffic for compliance, malware, and data exfiltration.
- Data Loss Prevention (DLP): Prevents unauthorized sharing of sensitive data.
- User Behavior Analytics (UBA): Detects unusual user activities, such as excessive data downloads.
- DNS Filtering: Blocks access to malicious or non-compliant domains.
- SIEM Systems: Log and analyze Internet activity for policy violations.
- Bandwidth Management: Restricts non-business activities like video streaming to maintain productivity.
13. What can you do in the Workstation Domain to help mitigate the risks, threats, and vulnerabilities commonly found in this domain? Remember the Workstation Domain is the point of entry for users into the organization's IT infrastructure.
To mitigate risks in the Workstation Domain, organizations must secure endpoints and ensure users follow security best practices.
- Endpoint Protection: Use antivirus, anti-malware, and EDR tools to detect and block threats.
- Access Controls: Enforce strong passwords, multi-factor authentication (MFA), and least privilege access.
- Patching: Regularly update operating systems and applications to address vulnerabilities.
- Software Restrictions: Implement application whitelisting and restrict unauthorized software installations.
- Firewalls and Encryption: Enable local firewalls and use full disk encryption to secure workstation data.
- USB and Device Control: Restrict USB usage and monitor data transfers to prevent malware and data leaks.
- Backups: Regularly back up workstation data to enable recovery from ransomware or system failures.
- User Training: Educate users on phishing, secure passwords, and safe online behavior.
- Monitoring: Use tools to track workstation activity, detect anomalies, and log user actions.
- Screen Locking: Enforce auto-lock and logout policies to prevent unauthorized access.
14. What can you do in the LAN Domain to help mitigate the risks, threats, and vulnerabilities commonly found in this domain? Remember the LAN Domain is the point of entry into the organization's servers, applications, folders, and data.
To mitigate risks in the LAN Domain, organizations must secure network access, monitor activity, and enforce robust controls.
- Network Segmentation: Use VLANs and micro-segmentation to isolate sensitive systems and limit threat propagation.
- Access Controls: Enforce Role-Based Access Control (RBAC), Network Access Control (NAC), and Multi-Factor Authentication (MFA) to prevent unauthorized access.
- Intrusion Detection and Prevention (IDPS): Monitor LAN traffic for malicious activity and block unauthorized actions.
- Patching and Updates: Regularly update network devices (routers, switches) to address vulnerabilities.
- Device Security: Require endpoint protection and verify device compliance before granting LAN access.
- Encrypt Traffic: Use SSL/TLS, VPNs, and HTTPS to secure data transmission within the LAN.
- Monitoring and Logging: Deploy network monitoring tools and SIEM systems to detect anomalies and suspicious activities.
- Control Device Access: Restrict rogue devices using MAC filtering and NAC tools.
- Backup and Recovery: Regularly back up LAN-hosted data and implement a disaster recovery plan.
- User Training: Educate employees on phishing, secure passwords, and safe handling of sensitive data.
15. What do you recommend for properly communicating the recommendations you made in Question #13 and Question #14 above for both a flat organization and a hierarchical organization?
For Flat Organizations:
Use collaborative and informal methods like team meetings, visual aids, and open feedback channels. Focus on shared accountability and empowerment.
For Hierarchical Organizations:
Use a formal, structured approach with top-down communication, clear documentation, role-specific directives, and accountability at all levels.