
NoticeBored information security awareness

Social engineering policy

Information security policy

Social engineering

Policy summary
Employees must be alert and respond appropriately to the signs of possible social engineering attacks on them, and are forbidden from using social engineering techniques inappropriately.

Applicability
This policy applies throughout the organization as part of the corporate governance framework. It is particularly relevant to front-line workers such as receptionists, security guards and call-centre operatives who frequently come into contact with strangers. This policy also applies to third parties acting in a similar capacity to our employees, whether they are explicitly bound (e.g. by contractual terms and conditions) or implicitly bound (e.g. by generally held standards of ethics and acceptable behavior) to comply with our information security policies.

Policy detail

Background
Social engineers are fraudsters, tricksters, scammers and con-artists who seek to mislead employees, typically into revealing sensitive corporate or personal information or granting unauthorized access to it, thereby bypassing physical and/or technical security controls. Sensitive information in this context includes valuable items such as trade secrets, business plans, financial reports, descriptions of production processes, passwords/PIN codes and encryption keys, customer and personnel records, bank account and credit card numbers etc. Social engineers use techniques such as pretexting (using an invented scenario, the pretext, to persuade someone to release information or do something that facilitates unauthorized access) and impersonation (pretending to be someone who has authority to access the information). They operate mostly using emails, telephone calls and websites but may also turn up on site, perhaps posing as a visitor, employee, auditor or maintenance worker, and some still use letters, faxes and even official-looking notes on the windshield to perpetrate their scams.

Policy axioms (guiding principles)
A. Employees must be alert to possible social engineering attacks and respond appropriately.
B. Employees must not use social engineering techniques to gain unauthorized access to information assets.

Detailed policy requirements
1. All employees must learn to recognize the warning signs that they may be dealing with a social engineer, fraudster or scammer. Security awareness information on how to do this is available from Information Security.
2. Front-line or front desk workers such as receptionists, telephone operators, secretaries and Personal Assistants, IT Help/Service Desk and other call center workers, and security guards, who routinely deal with visitors and callers seeking information, are to be given specific training and additional guidance on recognizing and dealing with possible social engineering attacks.
3. Employees recognizing that a social engineering-type attack may be in progress must:
   - Avoid disclosing any (further) information to the suspected social engineer;
   - Refer the suspected social engineer to front-line employees who will, in turn, try to gather further information in order to authenticate the suspected social engineer's identity (e.g. their name, telephone number, employer's name etc.);
   - Report the suspected attack as soon as possible to the IT Help/Service Desk (for attacks not involving physical security) or Site Security (for physical security incidents).
4. In addition to the specific controls noted above, employees must:
   - Be careful about revealing sensitive information to anyone, particularly strangers;
   - Avoid revealing sensitive information online, for example on social networking sites such as FaceBook, MySpace, Twitter and LinkedIn, on blogs and in blog comments, in chatrooms and the like, or via email;
   - Avoid interfering with, disabling or bypassing physical and logical access controls and other corporate security controls, such as antivirus software;
   - Report unauthorized visitors or anyone behaving suspiciously in or near corporate facilities as soon as possible to Site Security.
5. Wherever possible, employees should avoid putting another person in a potentially difficult position by insisting that they release sensitive information. In particular, employees must never ask for anyone else's password, PIN code or encryption key, whether verbally (e.g. over the phone or in person) or in writing (e.g. in an email).
6. The inappropriate use of social engineering techniques by employees to mislead others into revealing sensitive business or personal information is classed as misconduct and may result in disciplinary action, dismissal and/or prosecution.

Responsibilities
Information Security Management is responsible for maintaining this policy and advising generally on information security controls. Working in conjunction with other corporate functions, it is also responsible for running educational activities to raise awareness and understanding of the responsibilities identified in this policy. It is further responsible for investigating and resolving suspected or confirmed social engineering attacks.

Front-line or front desk employees are responsible for (a) assisting their colleagues to identify and evaluate possible social engineers, making use of their special training, (b) blocking suspected social engineers and (c) reporting actual or suspected social engineering incidents to the IT Help/Service Desk and/or Site Security.

All employees are responsible for (a) being alert to the possibility of social engineering attacks, (b) responding accordingly if their suspicions are raised (for details, see above), (c) not revealing or disclosing sensitive information inappropriately, (d) reporting suspected or confirmed social engineering attacks to the IT Help/Service Desk, and (e) not interfering with, disabling or bypassing corporate security controls.

Managers are responsible for (a) ensuring that staff are familiar with and comply with their responsibilities under this policy, (b) releasing front-line/front desk employees for training on social engineering, and (c) working with Information Security, Site Security etc. to investigate and resolve any social engineering incidents within their remit, and to improve controls where necessary to prevent recurrence.

Internal Audit is authorized to assess compliance with this and other corporate policies at any time.

Related policies, standards, procedures and guidelines


Item: Information security policy manual
Relevance: Defines the overarching set of information security controls reflecting ISO/IEC 27002, the international standard code of practice for information security management.

Item: Policy on social networking
Relevance: Policy relating to the use of MySpace, FaceBook, LinkedIn, Friends Reunited and other so-called social networking or social media.

Item: Antivirus policy
Relevance: Describes controls against malware infections, including Trojan horse programs that might be introduced by social engineers.

Item: Physical security policy
Relevance: Describes physical access controls against unauthorized physical access to corporate buildings, offices and other facilities.

Item: Procedure for identifying and repelling social engineers
Relevance: Explains how to identify and deal with suspected social engineers.

Item: Briefings and guidelines on social engineering and related matters
Relevance: Further security awareness materials are available on this topic.

Contacts
For further information about this policy or general advice on social engineering and other aspects of information security, contact the IT Help/Service Desk or front-line workers in your area. Security standards, procedures, guidelines and other materials supporting and expanding upon this and other information security policies are available on the intranet Security Zone. The Information Security Manager can advise on more specific issues.

Important note from IsecT Ltd.


This policy is unlikely to be entirely sufficient or suitable for you without customization. This is a generic model or template policy incorporating a selection of common controls in this area derived from our knowledge of good security practices and international standards. It does not necessarily reflect your organization's specific requirements. We are not familiar with your particular circumstances and cannot offer tailored guidance. It is not legal advice. It is meant to be considered by management as part of the security awareness program, ideally as part of the regular review and update of your information security policies.
Copyright 2011 IsecT Ltd.
