What is the key focus of stakeholders in information


Lab Assignment

Defining an Information Systems Security Policy Framework for an IT Infrastructure

In this assessment, you will review many of the issues and problems faced when implementing security policies. Chapter 5 gives pointers on how to overcome these challenges and how to deal with human nature in the workplace. The chapter also gives guidance on how to manage security policy changes in your organization.

Lab Assessment Questions & Answers

1. Successful security policy implementation in the workplace depends on people understanding key concepts and embracing the material. Thus, people need to be motivated to succeed if they are going to implement such policies. There are three basic elements of motivation. Identify and discuss each element.

2. Which of the following statements captures an example of a manager tapping into pride as a source of motivation? Answer and explain your choice.

A. "It's really important that you complete this task because it is one of your roles and responsibilities."
B. "The supervisor is requiring that I inform you that you need to complete this task because the person originally assigned is not available."
C. "It is necessary that you complete this task because not doing so would result in disciplinary action."
D. "It is really important that you complete this task because the team values your contributions and would benefit from your input."

3. In order to gain a deeper understanding of how employees interact in the workplace, it is useful to learn about the eight classic personality types that have been identified by HR Magazine. One of these is the achievers. Which of the following descriptions best captures this personality type? Answer and explain your choice.

4. For leaders, implementing security policies is all about working through others to gain their support and adhere to the policies. Of the widely accepted leadership rules that apply to security policies, which of the following is not among these rules? Answer and explain your choice.

A. productivity
B. values
C. support
D. training

5. Implementing security policy means continuous communication with ________ and ensuring transparency about what's working and what's not working. Answer and explain your choice.

A. control partners
B. stakeholders
C. executives
D. data custodians

6. To be thoughtful about the implementation of security policies and controls, leaders must balance the need to reduce ________ with the impact to the business operations. Doing so could mean phasing security controls in over time or be as simple as aligning security implementation with the business's training events. Answer and explain your choice.

7. Although an organization's list of stakeholders will vary depending on the policy being implemented, there are stakeholders who can be seen commonly across organizations. What is the key focus of stakeholders in information security? Answer and explain your choice.

A. timely delivery of high-quality products and services at competitive prices
B. compliance with laws and regulations
C. keeping operations within risk tolerances
D. protection of the company and the customer

8. In a large organization, the complexity required to keep operations running effectively requires a hierarchy of specialties. Thus, which of the following organizational structures is preferred? Answer and explain your choice.

A. flat organizational structure
B. matrix relationship structure
C. hierarchical organizational structure
D. change agent structure

9. It is important that an effective roll out of information security policies prioritizes good communications. Which of the following is not among the points to be included in a good communication approach? Answer and please explain your choice.

A. Be clear: avoid technical jargon when possible.
B. Use many channels: reinforce the message as many times as possible.
C. Say "thank you": acknowledge the efforts both to create and to implement the security policies.
D. Be withholding: it is important to keep the main impact of the policy confidential.

10. One of the well-documented reasons for why projects fail is insufficient support from leadership. This occurs when value is only derived from policies when they are enforced. An organization must have the will and process to reward adherence. Do you agree or disagree? Why?

11. The last step on Kotter's Eight-Step Change Model is to anchor the changes in corporate culture; to make anything stick, it must become habit and part of the culture. Therefore, it is important to find opportunities to integrate security controls into day-to-day routines. Do you believe this to be true or false? Why?

12. In general, implementing security policies occurs in isolation from the business perspectives and organizational values that define the organization's culture. Is this correct or incorrect? Why?

13. When going through the steps to create a vision for change, it is valuable to find a leader in your organization who can be an agent of change; someone who doesn't follow the pack, who can think outside the box, and can steer the organization through the politics of creating change. Do you agree or disagree? Why?

14. Because it takes time to change an organization's culture, the ISO must continually monitor security policy compliance. The ISO reports to leadership on the current effectiveness of the security policies and will also have to ask the business to accept any residual risk or come up with a way to reduce it. Is this true or false? Why?

15. In general, matrix relationships are created with control partners. Is this true or false? Why?

16. Data owners ensure that only the access that is needed to perform day-to-day operations is granted and that duties are separated adequately to mitigate the risk of errors and fraud. Is this true or false? Why?

17. When discussing security policies and implementation tasks, one should follow a checklist with three items: 1) things to do; 2) things to pay attention to; and 3) things to report. Is this true or false? Explain.

18. It is advised to always have discretion with leaders. Explain in general terms what information security policies can and cannot achieve. It is equally important to be conservative in your estimates regarding the impact on the business; otherwise you risk losing credibility. Is this true or false? Explain.

19. One should focus on measuring risk to the business as opposed to implementation of policies and control when tying policy adherence to performance measurement. Is this true or false? Explain.

20. One of the basic measurements for assessing whether or not individuals are being held accountable for adherence to security policies is the reported number of security violations by employees. You should investigate any unexplained increases in reported violations to determine why an abnormal number is occurring. Is this true or false? Explain.
