CHAPTER SUMMARY
This chapter discussed complex relationships and personality types in the workplace and how they can affect how you implement security policies. It’s important to understand different personality types in the workplace to better motivate and influence workers to embrace security policies. Proper motivation can overcome user apathy. Executive support is important to get resources and to drive the security message and visibility needed for the implementation to be successful. The chapter also discussed the importance of pulling stakeholders and control partners into the policy implementation process. This chapter also discussed the Kotter model and a minor variation of it.
Postimplementation activities are just as important as those leading to policy implementation. Success is measured by the value the security policies bring in alignment with the company’s risk tolerance. The chapter also examined how security policies are effective only if they are used. This means they must be enforced. The core values and ways to look at risk within security policies can be applied to a wide array of business situations and new technologies. Successful security policy implementations can change mindsets and an organization’s culture. They can further reduce risks as individuals are better equipped to deal with the unexpected threats.
KEY CONCEPTS AND TERMS
CHAPTER 5 ASSESSMENT
- Which of the following is a basic element of motivation?
- Pride
- Self-interest
- Success
- B and C
- All of the above
- Which personality type often breaks through barriers that previously prevented success?
- Attackers
- Commanders
- Analyticals
- Pleasers
- Avoiders like to ________ and will do _______ but not much more.
- As the number of specialties increases, so does ________.
- In hierarchical organizations, the leaders are close to the workers that deliver products and services.
- True
- False
- User apathy often results in an employee just going through the motions.
- True
- False
- Which of the following is a method for overcoming apathy?
- Avoiding redundancy
- Issuing company directives
- Engaging in communication
- Requiring obedience to policies
- Why is HR policy language often intentionally vague?
- To avoid being interpreted as an unintended promise
- To start lawsuits
- To avoid being too severe for new hires
- To provide flexibility for interpretation
- In the case of policies, it is important to demonstrate to business how policies will reduce risk and will be derived in a way that keeps costs low.
- True
- False
- An ideal time to refresh security policies is during a reduction in force.
- True
- False
- Kotter’s Eight-Step Change Model can help an organization gain support for _______ changes.
- When a catastrophic security breach occurs, who is ultimately held accountable by regulators and the public?
- Company officers
- The CIO
- The ISO
- The data owner
- Which of the following are attributes of entrepreneurs?
- Innovators
- Well educated in business management
- More likely to take risks
- A and C
- B and C
- A control partner’s role includes analysis of proposed policy changes and providing an opinion on their viability.
- True
- False
- Which of the following is the best measure of success for a security policy?
- The number of security controls developed as a result
- The number of people aware of the policy
- Reduction in risk
- The rank of the highest executive who approved it
- A change agent typically will:
- Ensure current processes are working
- Ensure application code changes are well understood
- Challenge whether a company’s existing processes represent the best approach
ENDNOTES
1. Leapfrog, “What Percentage of Your Company’s Budget Should Be Allocated for IT Operations,” July 30, 2019, https://leapfrogservices.com/percentage-companys-budget-allocated/, accessed April 14, 2020.