One of the most common experiences faced by Champions is not having policies or, more commonly, having policies but being unable to implement them correctly. This chapter addresses some of the common failings and uses the experiences of peers to find methods that participants can use to ensure useful policies are created and implemented effectively.
- Understand and identify different examples of policies that may be needed within their organisation
- Discuss and share problems experienced when attempting to implement change within their organisations (managing-up etc.) and methods to resolve these issues
- Add relevant templates to the assessment that are missing from the organization
- List the main likely obstacles to implementation within their organization and their corresponding potential solutions
Identify relevant template policies that the participant group is likely to need (information security, social media, etc.) and have some copies printed off so that they can critique them during the session.
30 Minutes
Elevator Pitch
Participants are to be split into pairs. Each person is given five minutes to prepare a two-minute "elevator pitch" about a new information security policy that they wish to implement in their own organisation.
Participants can choose from any range of topics, for example, social media, password / two-factor, information classification, clean-desk policies etc.
They must then pitch the policy to the other person in their pair. That person plays the role of a sceptical colleague or boss.
The objective of this exercise is to help participants practice taking a simple policy and having to communicate it within their own organisations in a way that balances their perceptions with the reality of how many individuals view security.
- Following on from the "Elevator Pitch"
- What did we learn from this process?
- How can we effectively engage people in such a circumstance?
Other discussion topics:
- What policies do we currently use?
- How effective are these policies?
- How do we create effective policies?
- How do we ensure that we can help an organisation implement these policies?
- What human elements can hinder implementation? (e.g. reluctance, fear, etc.)
- How do we need to change depending on who we are interacting with? (Colleague, boss, donor, field vs. HQ staff, family etc.)
- What tools and techniques can help us with implementation?
Participants should turn to their assessment documentation and consider how their organisation deals with the subject matter covered in this module. Where necessary they should ask questions and work with other participants to identify any:
- Issues they have found that affect their organisations
- Possible solutions they have learned
- Possible difficulties they may face in implementation (ideally using the time and experience of trainers and other participants)
- Things they would need to overcome these difficulties
- Connections to other organisations or individuals that would help them
- Timeline, resources and costs for implementation
This should be noted in their assessment, for future use.
In line with keeping this curriculum as an updated community tool, we would also ask that participants provide comments, feedback and new ideas for this module on the project website and/or GitHub!
- Guide for System Administrators in At‐Risk Organizations: Policies
- Information Ecology: Readiness Assessment
- NIST Small Business - Policy Generator