Company X has decided to implement a new security plan. This plan includes changes to the information systems architecture and will impact the day-to-day work activities of many employees. Additionally, many operational procedures will be changed to reflect a more defensive security stance. It is not uncommon for organizations undergoing significant change to encounter resistance from employees. Therefore, it is imperative that all managers be aware of the changes that are coming and prepare themselves and their staffs.
Local Network Changes
At the headquarters building, Company X has their primary data center housing the company's servers, in addition to user workstations. Three Virtual Local Area Networks (VLANs) will be created to separate computers into three classes: externally available servers, all other servers, and workstations. The purpose of this division is to keep all attack vectors segmented from each other. Since servers that are accessible from the Internet are extremely susceptible to various attacks, those servers will be replaced with proxy servers and moved into the higher security server network. Proxy servers have the benefit of being both expendable and adept at weeding out inappropriate accesses. Internal users will also be expected to access the servers through these proxy servers. This ensures that any infected workstations cannot inadvertently attack the servers. Finally, all workstation access to the Internet will go through the company's content filters. The intention is not to hamper employee access to the Internet, but protect the network from malicious code delivered by various websites (Whitman & Mattord, 2009).
Wide Area Network Changes
The warehouse is currently connected directly into the headquarters network via a private line circuit. That circuit will be replaced with a direct Internet connection and a new IPSec tunnel to create a Virtual Private Network (VPN). A new combination firewall and content filter device will be installed at the warehouse to protect the network from external and internal attacks. The new VPN will offer the warehouse improved connectivity at a lower cost. Additionally, all communication between the two facilities will be encrypted, meaning data communication is no longer left up to the carrier (Whitman & Mattord, 2009).
In order to help the network recover from a successful attack, an intrusion detection system will be installed to watch the network for suspicious activity. The IDS will alert system administrators when malicious activity is detected. This will allow systems administrators to respond more quickly to an incident and reduce the total impact. In the case of long term disasters affecting the primary data center, a contract has been signed with a remote facility to provide a backup data center. Should the primary data center be subject to a long term outage, service can be restored at the backup data center by followed a predefined procedure. Additionally, server backups are being stored offsite in case of a true catastrophe at the primary data center (Whitman & Mattord, 2009).
The new procedures will be the most difficult part of the information security system for employees to accept. Day-to-day changes such as minimum password requirements and frequent password changes are an inconvenience that must be tolerated for the sake of improved security. Additionally, restricted Internet access may hamper non-business-related activities. Hiring procedures will also be modified to ensure unnecessary information is not revealed to job candidates. This prevents would-be attackers from gaining sensitive system information simply by filling out a job application. On the other end of the employment life cycle, termination procedures will be defined to guarantee no loose ends are left behind for potential attackers to exploit (Whitman & Mattord, 2009).
Company X currently has no security related personnel on staff. The new security plan includes hiring a high-level security manager and two security professionals to implement and maintain the security plan. The security manager will be responsible for maintaining the security policies as changes are necessary. The security manager will not make these changes alone, but will instead convene a group of affected parties to help develop the changes for these policies. Additionally, the security manager will work with the Chief Information Officer (CIO) to ensure that upcoming IT projects adhere to the company's security policies. The security professionals will be responsible for maintaining the configurations of security devices implemented on the network. Additionally, they will work with the IT department to develop and implement testing procedures to ensure the security of new and existing systems (Whitman & Mattord, 2009).
Resistance to Change
Individuals resist organizational change for various reasons. When change comes, employees often fear the change will result in a negative impact on them. It is only human nature to focus on the individual impact of change rather than the positive result for the organization. Managers can use various methods to reduce individual resistance. Education is one of the most effective methods. The more employees understand about the benefits of the security plan, the less likely they are to resent the procedural impacts. Similarly, by making employees a part of the security implementation, they feel empowered and part of the company's ongoing success. Together education and empowerment can help employees overcome their natural fears and improve the chances of a successful implementation (George & Jones, 2008).
In order to educate all employees regarding the upcoming changes, several different training programs will need to be developed. A general training will educate all employees on the changes that be implemented in the security plan. This training will be very general and focus on changes that impact all employees. Specialized trainings will be developed for departments that have more involvement in the changes. The system administration team will be trained on how the changes will impact them and what they can do to facilitate the change. The Human Resource department will be trained on the new procedures they will use in their hiring and termination processes.
George, J. M., & Jones, G. R. (2008). Understanding and managing organizational behavior (5th ed.). Upper Saddle River, NJ: Pearson.
Whitman, M. E. & Mattord, H. J. (2009). Principles of information security (3rd ed.). Boston: Thomson Course Technology.