When brainstorming, try to envision an ideal culture that holds sacred proprietary information. For the measurable actions, consider measurable job behaviors that can be rewarded for protecting the theft of personal information.
Step 2. Organize and Match Measurable Actions (i.e., job behaviors) with job preview criteria. That is, first use the fishbone framework to organize the measurable actions for each of the four M’s. The task statement for the flip chart arrowhead is: “Measurable Actions for Honesty and Security.” Next, review the job preview document (Chapter 15) for its security-required policies, procedures, and practices. Through group discussion, assign each criterion—a policy, procedure, or practice—to one of the four M’s in the form of a measurable action.
Exercise 2. Prepare a Written Agenda for the Security Orientation Program
Estimated Time: Three Hours
Using the measurable actions from exercise 1, create an agenda for a two-hour Security Orientation Program that describes and illustrates “the way things are done around here.” This agenda will be followed in exercise 3, when presenting the program to current employees for their feedback and suggestions.
Orientation programs come in many sizes and shapes and can include elaborate videos and expensively bound handbooks that oftentimes go unread. Consider for the present program a simple design that nonetheless must be formally presented. For example, a very effective agenda is one that from time to time involves and alternates different groups of employees, utilizing an inexpensive and easy-to-create PowerPoint presentation that clearly describes to new hires the many measurable actions employees perform to help to promote your company’s honest work environment.
Interspersed within the presentation may be one or more brief panel discussions in which three or four employees describe how they perform specific measurable actions that safeguard personal and business identities and thereby promote security in the workplace. Include in the orientation a review of the handout—the Realistic Job Preview document. The sample agenda is shown in Exhibit 16.1.
EXHIBIT 16.1 The Security Orientation Program of the Information Security Research Institute
• Introduction to Identity Theft: Safeguarding Business, Customer, and Employee Identities
• Federal Statutes Requiring Standards for Information Security: A Brief Overview
• Measurable Actions: A Description of This Company’s Standards for Honesty and Security
• Employee Panel Discussion: “How We Perform Measurable Actions to Protect Information”
• Concluding Statements: “The Way Things Are Done Around Here”
Exercise 3. Present the Security Orientation Program to Current Employees
Estimated Time: Three–Four Hours
Current employees informally socialize new employees during day-to-day interactions, but by involving current employees in the development of an orientation program, even that aspect of socialization becomes formalized. Current employees, from their on-the-job experiences, may also have ideas that would contribute to the Security Orientation Program. Further, applied research in organizations shows that employees involved in a process tend to take responsibility for the outcomes, which is why these employees also tend to promote and perpetuate the practices or policies they propose. For all of these reasons, it is important to include as many employees as possible in company initiatives, including the development of the Security Orientation Program.
Therefore, prior to inaugurating this Standard:
Present the program to current employees, soliciting their suggestions for possible modifications.
Make feasible changes.
After approval from upper management and using in-house memos, distribute to all employees a brief outline of the revised Security Orientation Program.
When presenting the program to current employees, include in the agenda a last bullet point for discussion. During this discussion, participants can ask questions to clarify points and make contributions. Also ask employees for written, anonymous comments and suggestions.
The Security Orientation Program alone will make no difference in an organization’s culture, nor will any of the preceding exercises in isolation. Taken altogether, however, each building block chapter reinforces the objectives for protecting the company’s most valued assets through standards that also comply with federal laws requiring information security. The next equally important standard is the appraisal, feedback, and reward system.
CHAPTER 17
THE PEOPLE FRONT: APPRAISAL AND FEEDBACK FOR PERFORMANCE AND SECURITY
On-the-job performance is always appraised, either informally through observation or formally as part of regularly scheduled reviews. Informal appraisals are subjective impressions and do not meet federal laws for fairness in personnel practices; informal appraisals, therefore, may be error prone, and so may any personnel decisions made using such appraisals. Employees deserve to be appraised using formal systems that measure the performance of job competencies identified in the job analysis and nothing more.
The Business Information Security Program (BISP) Standard for appraisal is an all-inclusive, formal organizational system because it appraises job competencies from four perspectives:
From the perspective of an employee’s manager
From team members (departmental employees collectively)
Via a self-appraisal
From an appraisal by the employees of their department—its environment, or culture
Each of these four appraisals is conducted using independent instruments and formal appraisal documents. In addition, a fifth system component is a document describing the feedback and reward procedures, which uses the information collected through the four appraisals. Although the exercises in this chapter are the last for the people front, the appraisal and feedback system is no less important than the others. And, although the feedback procedure is the last component of the appraisal system, feedback communication, as will become evident, is first in importance when it comes to quality organizational performance.
STANDARD 11. THE ORGANIZATIONAL APPRAISAL AND FEEDBACK SYSTEM
Goals: Develop four appraisal instruments that will be used to assess organizational performance based on job information obtained from four independently conducted appraisals: (1) employee, (2) group, (3) self, and (4) department. In addition, develop the feedback and reward procedures. The feedback procedure uses the aggregate of results from the four appraisals for discussions on ways to improve on organizational performance and to recognize and reward employees.
Specific Objectives: Develop four appraisal instruments to collect a comprehensive body of information describing the overall performance of the organization in terms of specific job tasks and information security. Next, develop a feedback protocol, or procedure, to guide discussions by employees and their managers on options for improvements, if necessary, and on the reward preferences and ways to administer them.
The specific objective is the creation of a feedback mechanism using the appraisal outcome measures to identify and intercept faulty work or job problems that impede organizational performance. Unlike financial outcome measures of organizational performance that depend in great part on external factors, such as the economy, the BISP appraisal and feedback system measures factors that are largely controllable by the company: the job tasks and the means to perform them. Routinely scheduled feedback meetings using inclusive appraisal details are essential for the BISP appraisal system and are required to comply with Standard 11.
Orientation
The primary purposes of the BISP appraisal system are to generate outcomes for communication and feedback and to recognize and reward employees for performing their security-sensitive job tasks. For employees in job positions at all levels—entry, supervisory, managerial, and any other—on-the-job performance is assumed to meet or exceed management expectations, or these employees would not be retained by the company. For new employees, excellent performance is guarantee
d because the legally compliant BISP Standards were used in selection.
Most workers want to succeed on the job. Few want to fail or be viewed by others as a failure. When job performance falls short, the problem is most often due to the job and not the person performing the job. For example, although the job tasks for a particular job may remain the same, the technology used to perform those tasks changes rapidly. In fact, technology is often outdated before it can be implemented. As technology and techniques evolve, job performance follows a learning curve for which peak performance cannot be expected without training, either formally or self-taught while on the job.
Additionally, there are many conditions under which high performance is impossible, despite the worker’s best effort. For example, employees have little or no control over job outcomes when materials are lacking or machines are malfunctioning. However, these and other root causes of poor on-the-job performance can be corrected quickly through regularly conducted feedback sessions using performance appraisal outcomes. The direct impact is on an organization’s fiscal performance. Ideally, therefore, this appraisal and the feedback system is administered quarterly to intercept and immediately correct faulty workplace or job factors likely to negatively impact the company’s financial outcomes.
In addition to organizational performance, the BISP appraisal system serves other purposes. For progressive companies that continuously aim for improvement, the BISP appraisal results are to be used for feedback and communication meetings to discuss ways to develop employees’ skills, determine the progression of career paths, and otherwise identify issues of equal importance to the employee and the company. Further, it is human nature for individuals to want to know how they may be perceived by others and to receive the recognition they deserve for hard work and jobs well done. These innate qualities are satisfied through the BISP organizational appraisal and feedback system.
The exercises that develop this system are the last tasks to complete the standards for the people front and also the last tasks to be performed by this first project team. At the end of this chapter, the team’s concluding exercise will be to help elect, select, or otherwise ensure that a new project team is in place to complete the remaining Standards in Parts II and III.
INDIVIDUAL APPRAISAL
Exercise 1. Develop the Individual Appraisal Instrument
Estimated Time: Four Hours
The appraisal instrument is a formal document enumerating the job competencies required for job positions. The items in the appraisal instrument can be used to appraise all jobs within a job set as well as specific competencies required for some job positions. (These items will be replicated below in exercises 2 and 3.) Conduct exercise 1 in two steps.
Prepare a list of job competencies for each job set within the department. The team’s task has already been partly completed, because these competencies are the items identified in Chapter 9 in the job analysis. For each job competency identified in the job analysis, create a statement using as its subject a specific job task. For consistency, the example in Exhibit 17.1 uses the job competency items shown in Exhibit 9.1. EXHIBIT 17.1 Job Competency Appraisal Instrument
Notes: This instrument has been developed based on the job competencies identified in the Security Job Analysis. The ratings of job competencies must be made by supervisors or managers who are in positions to regularly observe the on-the-job performance of the employee or who otherwise have direct evidence that the job outcomes were performed by the employee. Overall ratings range from 13 (fails to meet expectations) to 39 (meets expectations) to 65 (greatly exceeds expectations). Ratings of 26 or lower (those less than “meets expectations”) must be accompanied by tangible evidence for such ratings.
All ratings are to remain confidential with this rater or with the rater’s supervisor or manager who also oversees the job performance for the above employee.
For each job set, include both general and technical job competencies. For example, if honesty is a required competency for that job set, include honesty on the list of items to be appraised. Or if the job competencies required for managerial positions concern feedback of appraisal outcomes, a job analysis would likely have identified as competencies items such as feedback, timeliness, and communication. Recognition is no less important for managers who devote the time and effort to mentor employees using the appraisal and feedback system.
After compiling the list of job competencies, create a rating scale for each statement. Use the five-point range depicted in Exhibit 17.1.
When completed, this set of job competency statements comprises the first of four independent appraisal instruments of the BISP Organizational Appraisal and Feedback System. When formulated based on the results of the Security Job Analysis conducted according to the instructions in Chapter 9, this (first) appraisal instrument meets Equal Economic Opportunity Commission (EEOC) compliance standards and can be used to evaluate employees individually and as the basis for job- and work-related decisions. However, most jobs today require team efforts for successful performance, which is why today’s companies also must appraise performance at the group level of analysis. The second instrument required for Standard 11, therefore, is the group appraisal document.
GROUP APPRAISAL
Exercise 2. Develop the Group Appraisal Instrument
Estimated Time: Three Hours
Employees should have the opportunity to be rated on their performance by others who are in positions to observe the job behaviors frequently. Employees whose jobs can be objectively rated by a number of people in different positions, such as managers, other employees, and customers, can benefit from a broader range of feedback, which, recall from the earlier discussion, is the primary purpose of the appraisal and feedback system. At the very least, employees should be provided the benefits of appraisals from members of their work group and other employees in the course of performing job tasks. This group appraisal instrument serves those purposes.
Use the identical list of job competencies (created for individuals in exercise 1). Only the instructions at the top of the appraisal instrument differ: In this exercise, the directions are for group (versus individual) level of analysis, and the appraisals are to be conducted anonymously. With these exceptions, follow the same three steps as in exercise 1 to create this second instrument of the appraisal and feedback system:
Use the list of job competencies for each job set within the department.
Also use the rating scale for each statement using the same five-point range (depicted in Exhibit 17.2) to measure performance expectations.
Include a comment section at the bottom of the instrument. See Exhibit 17.2 for an example of the instructions for the work group appraisals instrument.
An inclusive appraisal and feedback system provides perspectives from multiple observation points. Therefore, in addition to appraisals conducted at the individual and group levels of analysis, a third instrument provides opportunities for self-appraisals.
SELF-APPRAISAL
Exercise 3. Develop the Self-Appraisal Instrument
Estimated Time: Two Hours
Employees should be provided the opportunity to appraise their own job competencies. Employees are closest to the job and can best determine deficiencies in procedures, practices, equipment, materials, or other factors impacting their own on-the-job performance. Indeed, often only the person holding a specific job position has insight into problems or options for performance improvements. Such firsthand information on how to improve services and productivity is valuable for organizational performance, which is why self-appraisal is essential.
EXHIBIT 17.2 Work Group Appraisal Instrument
Notes: This instrument was developed based on the job competencies identified in the Security Job Analysis. The ratings are to be conducted anonymously by each memeber of the work group (or department). Overall ratings range from 13 (fails to meet expectations) to 39 (meets expectations) to 65 (greatly exceeds expectations). Ratings of 26 or lower (
those less than “meets expectations”) must be accompanied by tangible evidence for such ratings.
Follow the procedures described in exercise 2 (developing the group appraisal instrument): (1) duplicate the job competency list, (2) create the rating scale, and (3) redefine the instructions for conducting self-appraisals. Include a section at the bottom of this instrument for comments. When completed, move on to exercise 4.
DEPARTMENTAL ASSESSMENT
Exercise 4. Develop the Departmental Appraisal Instrument
Estimated Time: Three Hours
In Chapter 15 (Standard 9), the team generated items to describe the company’s honest culture. These items were then used to formulate the Realistic Job Preview.
Use this list of items to create a departmental appraisal instrument. Follow the same format as previous exercises for the other appraisal instruments. That is, use the items to create statements, and include the same five-point rating scale. This instrument, which is to be designed as an anonymous appraisal, will measure employee perceptions of their department’s work culture. The results from such appraisals are to be used together with the results from the preceding three appraisals (individual, group, and self) for discussion for improvements and departmental recognition and rewards.
Preventing Identity Theft in Your Business Page 14