11. The last step on Kotter’s Eight-Step Change Model is to anchor the changes in corporate culture; to make anything stick, it must become habit and part of the culture. Therefore, it is important to find opportunities to integrate security controls into day-to-day routines. Do you believe this to be true or false? Why?
12. In general, implementing security policies occurs in isolation from the business perspectives and organizational values that define the organization’s culture. Is this correct or incorrect? Why?
Do you believe this to be true or false? - True, because:
Minimize future security threats by creating company-wide security policies and educating employees on daily risk prevention in their work routines. In your operational risk controls, also implement vigilant monitoring of employees to confirm policies are followed and to deter insider threats from developing.
The key with operational risk controls is to flex and evolve policies as resources and priorities change.
Implementing these risk controls in your organizational security is not a one-time practice. Instead, it’s a regular discipline that the best organizations continue to hone and refine.
Proactively integrate physical, information and personnel security while keeping these risk controls in mind, and your organization is better prepared to mitigate security threats and adapt to evolving organizational security needs.
12. In general, implementing security policies occurs in isolation from the business perspectives and organizational values that define the organization’s culture - False.
Security policies are designed keeping in mind the business perspectives and the organizational values that define the organization’s culture.
Reason - An information security and risk management (ISRM) strategy provides an organization with a road map for information and information infrastructure protection with goals and objectives that ensure capabilities provided are aligned to business goals and the organization’s risk profile. Traditionally, ISRM has been treated as an IT function and included in an organization’s IT strategic planning. As ISRM has evolved into a more critical element of business support activities, it now requires its own independent strategy to ensure its ability to appropriately support business goals and to mature and evolve effectively. Hence, we see that both business perspective and organisational goals are taken into consideration while designing security policies.